What is HIPAA Compliance?
Passed in 1996, the Health Insurance Portability and Accountability Act (HIPAA) was established to improve the healthcare system’s storage and use of patient data. As health insurance and healthcare services modernize and digitalize, more health information is stored, transferred, and updated digitally. While this streamlines many administrative and care delivery functions, it also poses a massive threat to health records and personal information, which are at risk of hacking, leaks, and unauthorized alteration.
In the service of making healthcare insurance safer and more reliable for everyone, Congress recognized the need to secure patients’ personal information and regulate its disclosure. Per this mission, the Privacy Rule and Security Rule under HIPAA apply to all protected health information (PHI) and guide the measures needed to guard the privacy and integrity of health data in the digital age.
To enforce these laws, HIPAA can leverage huge fines even for accidental violation. Clearly, IT departments must understand how HIPAA applies to their work—in order to correctly handle sensitive information, demonstrate their compliance with the law, and protect both patients and the organization.
Who is Liable for HIPAA Compliance?
Before reviewing the law itself, it’s helpful to know what organizations are responsible for implementing HIPAA standards. Covered entities (CE) under HIPAA include healthcare providers, health plans, and healthcare clearinghouses. Most components of HIPAA also apply to any business associate (BA) of a covered entity, meaning any third party who handles PHI in providing a service for a CE. A BA, for example, could be an external administrator who processes claims or a CPA firm that must access protected data to execute its accounting services.
Failing to understand or properly implement HIPAA standards doesn’t absolve your company of the consequences. In fact, under HIPAA, institutions can be fined up to $50,000 per offense for a “Tier 1” violation, meaning the non-compliant organization was “unaware of the HIPAA violation and by exercising due diligence would not have known HIPAA Rules had been violated.” The Tiers increase in proportion to the severity—and the willfulness—of the violation. A Tier 4 offense bears a penalty of $50,000 per violation with a maximum of $1.5 million per year.
All of which is to say: if you fulfill the functions of a covered entity or a business associate, you need to know your relationship to PHI, the regulations to which you are beholden, and the processes you must perform in a HIPAA audit.
To follow HIPAA, organizations essentially must make a context-appropriate effort to protect patient data, according to the law’s guidelines. The administrative component of HIPAA specifies that organizations must be in accordance with transaction and code sets regulations for electronic health records (EHR), have a unique National Provider Identifier (NPI), protect patient privacy, and ensure health information security.
For the most part, these stipulations affect IT departments through the Privacy Rule and the Security Rule. The Office of Civil Rights (OCR), an agency nestled within the U.S. Department of Health & Human Services (HHS), is charged with enforcing these two rules through HIPAA audits, which ensure compliance through HIPAA reporting submitted by any CE or BA organizations.
Given the wide range in health insurance and healthcare provider organizations, not every covered entity demonstrates compliance in the same way. HIPAA § 164.306(b)(1) specifically references this “flexibility of approach,” by which CEs or BAs “may use any security measures that allow the covered entity or business associate to reasonably and appropriately implement the standards and implementation specifications as specified.”
This language may seem circuitous and vague, but in reality, it recognizes that most of these organizations have different operations and therefore different security needs. Consequently, organizations may follow different security and privacy measures, provided they have the proper documentation to prove that they have used their best judgment to uphold HIPAA regulations.
HIPAA Compliance Checklist
Before we dive into the more IT-related aspects of HIPAA privacy and security standards, it’s good to have a fundamental understanding of general best practices. The Office of Inspector General (OIG) under HHS released this HIPAA compliance checklist detailing the seven integral parts of effective compliance implementation.
According to the OIG, organizations must:
- Implement written policies, procedures and standards of conduct.
- Designate a compliance officer and committee.
- Conduct effective training and education.
- Develop effective lines of communication.
- Conduct internal monitoring and auditing.
- Enforce standards through well-publicized disciplinary guidelines.
- Respond promptly to detected offenses and undertake corrective action.
HIPAA IT requirements
There are two important IT-related aspects of HIPAA privacy and security standards that you will need to dissect: HIPAA Privacy Rule and HIPAA Security Rule.
Basics of the HIPAA Privacy Rule
According to the HHS, the Privacy Rule requires that “individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high-quality healthcare and to protect the public’s health and wellbeing.” This rule suggests there is a balance between protecting the information and using the information for necessary reasons.
In accordance with the Privacy Rule, covered entities and associates must be careful with any “individually identifiable health information” that reveals:
- A person’s physical or mental health status at any point in time, past, present, or future
- Details of the healthcare they received
- Past, present, or future payment information for their care
What is the HIPAA Security Rule?
A logical corollary to the Privacy Rule, the Security Rule establishes standards for how organizations should protect electronic personal health information (ePHI). To secure ePHI, organizations must institute three types of protective measures as specifically outlined by HIPAA: administrative safeguards, physical safeguards, and technical safeguards.
Per § 164.308(a), the administrative safeguards obligate CEs and BAs to “implement policies and procedures to prevent, detect, contain, and correct security violations.” Basically, administrative safeguards serve to prepare organizations, to the best of their ability, against possible data breaches.
HIPAA Security Rule: Administrative Regulations
- Security Management
- Asigned Security
- Workfoce security
- Information access
- Security awareness and training
- Security incident procedures
- Contingency plan
Due to their administrative nature, these safeguards set the cyberthreat intelligence framework that protects sensitive health information:
- Security Management Process: By this standard, organizations beholden to HIPAA are required to assess “the accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.” Once the organization has identified weaknesses where an ePHI breach could occur, it’s obligated to implement security measures which mitigate this risk to a reasonable degree and appropriately sanction any non-compliant member of its workforce.
- Assigned Security Responsibility: All liable organizations must designate a security official whose job is to develop and implement HIPAA compliant privacy and security measures.
- Workforce Security: All liable organizations must implement protocol for the proper provisioning of access rights, making sure personnel have the permissions necessary to do their job. In accordance with this standard, authorization, supervision, clearance, and deprovisioning (user termination) processes must be in place.
- Information Access Management: This standard aligns with the “Principle of Least Privilege.” It urges organizations to restrict access rights by only giving necessary permissions and culling unnecessary permissions that could endanger ePHI.
- Security Awareness and Training: Organizations must make their workforce aware of security measures and train them to implement them, perhaps including procedures that regularly update security, protect against malicious software, monitor logins and log reporting, and safeguard passwords.
- Security Incident Procedures: Broadly, this standard requires that organization address security threats, first by responding and mitigating the harmful effects of an incident, and second by documenting and reporting such events.
- Contingency Plan: Liable organizations must have a preset plan to prepare for possible disaster, be it a natural event or a system failure, that damages systems containing ePHI. It requires a data backup plan, by which an organization has retrievable copies of ePHI; a disaster recovery plan to restore lost data; and an emergency mode operation plan so that necessary business processes that protect ePHI can continue despite the circumstances.
- Evaluation: Organizations are responsible for conducting regular “technical and nontechnical” evaluations of their compliance with security policies and procedures.
To uphold the security standards laid out by administrative safeguards, the physical hardware containing ePHI must be secured, as well. As a result, organizations covered by HIPAA must cultivate a safe environment where these physical objects cannot be tampered with in compliance with these standards:
- Facility Access Controls: Organizations must limit access to the physical locations where ePHI are stored, giving access only to the necessary personnel and possibly keeping records of access and maintenance.
- Workstation Use: Organizations must govern the use surroundings of workstations which have access to ePHI to properly oversee the functions performed from workstations and protect data.
- Workstation Security: To this end, organizations must also implement physical safeguards which prevent unauthorized users from accessing ePHI from workstations. A physical safeguard could come in the form of trained security personnel, locked doors, or badge scanners.
- Device and Media Controls: Finally, this standard outline security protocol for devices containing ePHI, which is especially important as mobile and portable devices become more common. This means organizations must dispose of hardware and electronic media containing ePHI carefully, wipe recycled media before redistributing it, make copies of critical data before media movement, and potentially keep records of device distribution.
Finally, the security of electronic protected health information is predicated on the technical means used to safely store and transmit data. While the protocol that fulfills an organization’s security needs varies from case to case, organizations are only compliant with HIPAA insofar as they can demonstrate how they have weighed the cost, benefits, and efficacy of the security measures they’ve chosen to take.
Their decisions must uphold the following standards:
- Access Control: Crucially, organizations must implement procedures to properly confer access rights such that users have only the permissions necessary to do their jobs. In implementing access control, admins should assign users unique identification and leverage user management tools like Active Directory. Automatic logoff and encryption measures are highly recommended to guard ePHI and ensure that only authorized users have access.
- Audit Controls: Integral to HIPAA compliance reporting procedures and the detection of possible breaches, audit controls take the form of hardware, software, or procedures that “record and examine activity in information systems that contain or use electronic protected health information.” Audit trails build documentation of compliance but also create institutional records that can be used to investigate file access and alterations.
- Integrity: Integrity controls ensure ePHI are secured against “improper alteration or destruction,” meaning unauthorized personnel cannot see confidential information, leak data, sabotage it, or delete it. Organizations must have procedures or event log software in place to ensure no unauthorized changes have been made.
- Person or Entity Authentication: In the vein of restricting access to authorized users, organizations must have policies or procedures in place to ensure that users accessing electronic information systems are the authorized users they say they are.
- Transmission Security: Lastly, IT needs to ensure the security of the network. Essentially, it must implement technical security measures that protect ePHI when it’s in transit, ensuring integrity after transmission, and encrypting as necessary.