HIPAA compliance isn’t just for hospitals — are you aware of the shifting conditions that may mean your organization needs to learn how to be HIPAA compliant? In the wake of COVID-19 and the subsequent rapid rise of telemedicine, healthcare organizations and their associates face changes that make more organizations beholden to the Health Insurance Portability and Accountability Act (HIPAA).
A May 2020 McKinsey survey showed an exponential increase in consumer demand for telemedicine at the start of the COVID-19 pandemic. McKinsey predicted that post-COVID spending on virtual medicine could skyrocket from $3 billion annually to over $250 billion. With the increased use of conferencing platforms like Zoom and Doxy.me, organizations that might not have needed to think about HIPAA compliance in the past may have some learning to do.
Our short guide to HIPAA compliance will help you identify whether your organization needs to be HIPAA compliant, teach you how to make a plan of action for achieving HIPAA compliance, and present a checklist for the steps you need to take to stay compliant in 2021 and beyond.
What Is HIPAA Compliance?
In short, HIPAA compliance is adherence to the rules, regulations, and standards of HIPAA, which is enforced by the United States Department of Health and Human Services (HHS) through its Office of Civil Rights (OCR). Congress passed HIPAA in 1996 to protect patients’ and consumers’ individually identifiable private health information. Under HIPAA, this information became classified as protected health information (PHI). PHI includes personal medical records, billing and payment information, and any information about health services rendered to an individual or an individual’s past, present, or future health status.
Since the mid-1990s, HIPAA has undergone numerous amendments and changes, as legislation adapted to new technologies, systems of information sharing, and global events. The complexity of HIPAA legislation means that organizations need a strong compliance and IT risk management strategy in order to prevent possible leaks and breaches, and to stay on top of any legislative changes. A proactive plan will help you protect your clients and avoid costly fines and penalties.
Who Needs To Be HIPAA Compliant?
The HIPAA privacy rule, outlined in greater detail below, defines two different categories of organizations which need to maintain HIPAA compliance: “covered entities” and “business associates”:
Covered entities are health organizations who collect, transmit, and store PHI. HHS identifies three categories of covered entities: healthcare providers, health plans, and health clearinghouses.
Business associates include any individual or organization outside of the covered entity’s workforce that even temporarily holds or processes PHI as part of their work, including legal services, accountants, third-party billing and payment services, email service providers, and cloud computing services.
Any covered entity or business associate who holds an individual’s PHI is responsible for maintaining HIPAA compliant procedures while they are in possession of that data. If your organization falls under these categories, you’ll need to learn how to be HIPAA compliant.
What Are the 3 Rules of HIPAA?
HIPAA has three core rules: the privacy rule, the security rule, and the breach notification rule. Here are the basics:
Rule #1: The Privacy Rule
The HIPAA Privacy Rule consists of a series of regulations that prevent covered entities and business associates from disclosing patients’ sensitive protected health information (PHI) without their consent or knowledge. The privacy rule defines covered entities and business associates, and outlines patients’ rights to accessing and correcting their personal medical records.
Rule #2: The Security Rule
The HIPAA Security Rule extends the privacy rule to cover electronic protected health information (ePHI). This rule sets standards for how health data and PHI are shared via email and mobile systems, housed in servers, and stored in the cloud. The security rule includes three types of safeguards that organizations must implement in order to remain HIPAA compliant: physical, technical, and administrative.
Rule #3: The Breach Notification Rule
The HIPAA Breach Notification Rule outlines the actions that covered entities and business associates must take in the event of a data breach or leak. The rule provides timelines for notifying the OCR and individuals whose PHI has been impacted by the breach.
An additional “Final Omnibus Rule” houses updates and amendments to HIPAA legislation since its inception. Far from being a mere add-on, this final rule incorporates the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2008 which simultaneously incentivized the adoption of electronic health records (EHR) and fleshed out HIPAA legislation around Health IT and Cybersecurity. Most importantly, HITECH tightened HIPAA requirements for business associates, making them legally, not just contractually, obligated to follow HIPAA privacy and security rules.
How Do You Become HIPAA Compliant?
Becoming HIPAA compliant requires investment from all areas of your organization, and relies on consistent, transparent communication between covered entities and their business associates. While this may seem daunting, we’ve made it simpler by providing a concrete checklist that you can follow to make sure you’ve covered your bases. Read on, and learn how to be HIPAA compliant.
The 8 Step HIPAA Compliant Checklist You’ll Need
1. Choose Internal HIPAA Experts
Staying on top of changes to HIPAA is challenging, and it behooves a covered entity or business associate to select a HIPAA compliance officer, or officers, who will act as an internal expert who creates, manages, and maintains HIPAA policies and trains your staff. You can select a Privacy Officer and a Security Officer or can choose to have a single individual cover both roles. Some organizations select an officer from their existing staff and others hire someone new to take the position full-time. It all depends on the complexity of your HIPAA compliance needs and the size of your organization.
2. Train Your Staff
Your HIPAA compliance officer(s) will be responsible for teaching your staff how to be HIPAA compliant prior to their handling PHI or ePHI. HHS does not offer any official certification for HIPAA compliance, but it will still benefit your organization to pursue security and compliance certifications. A number of institutions have designed HIPAA training programs, some of which count towards continuing education credits for health professionals. Be careful of training programs that say they are endorsed by HHS — they probably aren’t.
When it comes to training your staff, it helps to choose a simple, comprehensive program and keep records that staff have completed the training. Strong HIPAA training helps to prevent data leaks by ensuring that PHI doesn’t show up in a break room waste basket or a personal email between associates.
3. Conduct Regular Self-Audits
The OCR regularly conducts audits of covered entities and their business associates. Be prepared by conducting your own self-audits on at least an annual basis, so that your company is aware of its vulnerabilities, risks, and pain points. Develop a HIPAA audit checklist that makes the process easier to operationalize yet stays adaptable to new HIPAA features.
4. Stay in Touch with Your Business Associates
Building strong relationships with business associates can help to ensure that privacy, security, and breach notification rules are being followed by all of your partners. When entering into a partnership with a business associate, covered entities must create a business associate agreement (BAA), in which the business associate documents the steps they will take to maintain HIPAA compliance. BAAs should be part of your HIPAA self-audit and should be reviewed annually.
5. Create and Distribute a Notice of Privacy Practices
As part of the HIPAA privacy rule, HHS requires that covered entities create and distribute a Notice of Privacy Practices (NPP) for patients to review and sign. NPPs disclose the steps that the organization takes to protect the privacy of the patient’s data and inform the patient of their right to access and transfer their medical records at any time. HHS has collected a number of helpful sample policies. Choose one that works best for your organization.
6. Implement Security Safeguards
Make sure you have systems in place to enact the physical, administrative, and technical safeguards that the HIPAA Security Rule requires. These safeguards depend on the complexity of your organization’s systems. They range from actions as simple as shredding physical copies of PHI to making sure your information systems enable encryption, unique user identification, and session recording. HHS last updated its Security Risk Assessment (SRA) Tool in 2018. The tool is a starting point for covered entities and business associates who need to identify potential gaps in their adherence to the HIPAA security rule, and it’s a great resource for figuring out your specific security safeguard needs.
7. Plan for a Possible Breach
While following the rest of these steps will make it far less likely that your organization will have a breach, you’ll still want to have a strong plan in place if a breach were to occur, so that you’re properly adhering to HIPAA’s breach notification rules. The Breach Notification Rule requires that organizations draft a written plan for how they will handle a breach if it does occur.
8. Keep Records
All HIPAA documentation should be well-organized and easy to access in case of an OCR audit. Keep an organized record of staff training, certifications, business associate agreements, policies, internal audits, breach notification protocol, remediation plans, and any other relevant documentation. An auditing spreadsheet can help you keep track of the documentation and have it readily accessible whenever you need a reference.
What Is the Primary Purpose of HIPAA Regulations?
Prior to the introduction of the Health Insurance Portability and Accountability Act in 1996, there were no protections in place for individually identifiable health data. While professional organizations like the American Medical Association and American Psychological Association set ethical requirements for their fields, there were no federal laws regarding the confidentiality, integrity, and privacy of individuals’ PHI. Amendments to HIPAA, like the HITECH Act, have ushered HIPAA into the 21st century. In 2021, the potential for data breaches makes HIPAA compliance increasingly important when it comes to protecting your clients’ privacy and your company from liability and penalty. HIPAA regulations are there to provide a balance between accessibility and privacy: protecting individuals’ PHI while making sure it is readily accessible to those providing health care, coordinating payment for services, and maintaining records.
What Happens If I Violate HIPAA Regulations?
HIPAA compliance is crucial to retaining client trust, and the consequences of noncompliance can be severe. Ignorance of the rules does not protect an organization from facing fines or even criminal charges for HIPAA noncompliance, so make sure you are not caught unaware or uninformed. Covered entities and business associates must notify HHS of any HIPAA violations or data breaches, no matter how small, as soon as they happen. Even a minor unreported violation could trigger a fine and larger audit. An unreported data breach, however, could incite criminal charges. Again, this is where conducting regular self-audits, maintaining organized (and copious) records, and keeping HHS’ contact info handy are in your organization’s best interest.
How to Remain HIPAA Compliant
This checklist should help you better understand how to be HIPAA compliant, but HIPAA is complicated and the OCR regularly updates procedures and policies. The right compliance software can streamline HIPAA compliance strategies, saving you time and reducing your risk for costly fines and noncompliance charges. Learn how AuditBoard’s integrated compliance management software can help you achieve compliance and scale your compliance program as federal requirements are updated and as your organization grows.