What is HIPAA Compliance?
HIPAA is the Health Insurance Portability and Accountability Act. Title II of the Act sets the physical, network, and process security standards required of organizations that handle protected health information (PHI). HIPAA compliance is required of health plans, health care clearinghouses, and any health care provider that is electronically transmitting PHI. Under HITECH Act of 2009, business associates must also meet data security standards. Business associates are defined by the Department of Health and Human Services (HHS) as any external person or entity performing an activity that requires the disclosure or use of PHI.
What are the HIPAA Privacy and Security Rules?
The governing body of HIPAA, US Department of Health and Human Services, defines a Privacy Rule and Security Rule. The Privacy Rule is the part of HIPAA that establishes standards for healthcare information protection. The Security Rule specifically sets security standards for protecting health information that is handled in an electronic form. The Security Rule also addresses the technical and non-technical safeguards that compliant organizations must use to secure e-PHI. The Security Rule also applies to business associates while the Privacy Rule does not. These rules are enforced by the HHS Office of Civil Rights (OCR) via voluntary compliance activities and civil monetary penalties.
What are the HIPAA Breach Notification and Omnibus Rules?
In addition to the Privacy and Security Rules, the HHS also defines Breach Notification and Omnibus Rules. The Breach Notification Rule sets standards for how a covered entity must inform the affected individuals and the HHS of a data breach. Data breaches are divided into two categories: Minor and Meaningful.
Minor Breach: fewer than 500 affected individuals
- Inform affected parties within 60 days of breach discovery and inform OCR of all breaches 60 days before the end of calendar year
Meaningful Breach: more than 500 affected individuals
- Inform affected parties, law enforcement, and media immediately and inform OCR within 60 days of breach discovery
- All Meaningful Breaches permanently recorded on the HHS Breach Notification Portal
The Omnibus Rule mandates the compliance of business associates and outlines the rules surrounding Business Associate Agreements (BAAs). BAAs are contracts that must be executed before any PHI can be transferred between a business associate and a covered entity or another business associate.
How is a HIPAA violation different from a breach?
A HIPAA breach occurs when PHI is compromised. A breach becomes a HIPAA violation when the covered entity’s HIPAA policies are violated or when the policies are faulty, outdated, or incomplete. Not every breach will be a violation.
An example of a breach would be if an employee has an unencrypted company laptop with access to medical records stolen.
An example of a HIPAA violation would be if the laptop with medical records is stolen and the company whose laptop has been stolen doesn’t have a policy in place barring laptops being taken offsite or requiring they be encrypted.
Why is HIPAA compliance necessary?
Protected health information is increasingly being handled electronically. CPOE systems, EHR, and smarter healthcare equipment offer improved service and greater efficiency. Unfortunately, electronic transmission also puts PHI at much greater risk of compromise. Strictly enforced security policies are necessary to protect patients in the information era.
While the HIPAA Security Rule was created to help protect patients’ PHI, it is somewhat flexible. The rule leaves room for organizations to implement policies and technologies that are suitable to their own unique structure and degree of risk.
Violating HIPAA compliance, whether knowingly or not, typically results in civil fines. Penalties are made for each individual violation and vary depending on severity and steps taken towards compliance. Individual employees can also be fined if they knowingly violate HIPAA. Criminal charges are also possible in cases of intentional violation.
What technical and physical safeguards are governed by HIPAA compliance?
HIPAA compliance requires both physical and technical safeguards for covered entities. Physical safeguards include:
- Authorized access and limited facility access
- Controls on the transfer, re-use, removal, and disposal of ePHI
- Controlling and limiting access to electronic media and workstations
Technical safeguards focus on access control regarding ePHI. Technical safeguards include:
- Use of unique user identification, automatic log off, encryption/decryption, and emergency access procedures
- Audit reports or tracking logs that record activity on hardware and software
HIPAA compliance technical policies also cover integrity controls, or measures put in place to confirm that ePHI is not altered or destroyed. IT disaster recovery and offsite backup are key components of integrity control. These components ensure that ePHI is recovered without compromise or alteration by quickly correcting electronic media errors and failures. Another important technical safeguard is transmission security that ensures covered entities protect against unauthorized access to ePHI while it is transmitted. This safeguard addresses all methods of data transmission, including email, internet, and private networks.
The HITECH Act extends HIPAA compliance by raising penalties for health organizations that violate the Privacy and Security Rules. The HITECH Act was put into place due to increased usage, storage, and transmission of ePHI.
Data Protection and HIPAA Compliance
As the sharing of ePHI has grown, so too has the need for data security. Healthcare organizations must meet the increased demand for data while still complying with HIPAA regulations to provide high quality care. Covered entities should have a data protection strategy in place to:
Ensure both access and security of ePHI
Meet HIPAA/HITECH access, audit, device security, data transmission, and integrity control regulations
Improve visibility, integrity, and control of ePHI and other sensitive data
Patient data should be protected in all forms—including emails, stored documents, and scans—even if the data is in an unstructured format. The best data protection solutions will achieve this while allowing healthcare providers to share data and provide the best possible care.
What are the biggest obstacles to HIPAA compliance?
Remote access is a common issue for HIPAA covered organizations. Remote access to cloud and private corporate network resources offers greater mobility for your workforce. However, it also increases the attack surface and introduces the threat of stolen devices accessing private information. If you have a BYOD policy in place, these risks are even greater. Strict password requirements and multi-factor authentication can help with remote access risk. Improving the security of your on-prem servers and cloud environments with technologies like SIEM, Intrusion Detection, and File Integrity Monitoring is also critical. Find out how we can help with that here.
The Office of Civil Rights in the HHS has found that the largest share of data breaches comes from email. Under the Security Rule, all electronic transmission of PHI must be encrypted. This includes all email transmission (AES encryption is recommended by HHS). Beyond encryption and password requirements there are many ways to improve email security. Some of these techniques include Data Loss Prevention and Outbound Scanning, Imposter Email Detection, and URL Scanning.
What are the most common HIPAA violations?
The most common HIPAA violations fall under 5 main categories:
- Improper security safeguards
- Access controls
- Use and disclosure
- The Minimum Necessary Rule
- Notice of Privacy Practices
- These violations include:
- Stolen laptops
- Stolen phones
- Stolen USB devices
- Business associate breaches
- EHR breaches
- Office break-ins
- Malware incidents
- Ransomware attacks
- Sending PHI to the wrong patients/contacts
- Discussing PHI outside of the office
- Social media posts