HIPAA compliance can be one of the most challenging tasks a company undertakes, and failure to comply is punished with the heaviest fees and penalties. Many new organizations getting into compliance might, in turn, feel overwhelmed by the requirements of the framework and its three primary rules.
Here, we’ll break down the basics of HIPAA compliance for new organizations and what they need to think about when preparing a compliance strategy.
The HIPAA Privacy Rule
The Privacy Rule states that patient data is to remain protected and private. This rule defines Personal Health Information (PHI) and how it should be handled by Covered Entities (hospitals, clinics, insurance companies) and Business Associates (third-party companies that partner with Covered Entities and handle PHI as part of their business). For this rule, PHI is defined as information regarding:
- An individual’s past, present or future physical or mental health,
- The provisioning or administration of care for that individual, or
- Past, present, or future healthcare payments.
Some of the more important aspects of the Privacy Rule are:
- PHI and specifically electronic PHI (ePHI) must be protected to maintain the privacy of the patient. Only authorized agents of Covered Entities or their Business Associates may handle, store, and view such data.
- There is only a very limited set of circumstances in which healthcare organizations can use or disclose such data, including treatment of the patient, billing or payments, legal proceedings involving the patient, and limited data sets for internal healthcare research.
- Covered Entities must disclose their privacy practices in notices to patients and must maintain records of privacy policies and security measures up to 6 years after their last effective date.
There are other compliance and privacy demands that stem from this rule, but they all amount to painting a clear picture of what protected patient data is and the responsibilities of healthcare organizations to maintain privacy.
The HIPAA Security Rule
The Security Rule stems from the Privacy Rule as a natural extension of the security and privacy demands outlined in the latter. It details the requirements for securing PHI during storage, use, and transmission.
We say “detailed” in a relative sense, as the Security Rule doesn’t prescribe specific technologies for HIPAA compliance. Instead, it outlines “appropriate” physical, administrative, and technical safeguards for the protection of ePHI.
- Administrative safeguards include anything involved with policies and procedures in the organization. So, policies regarding maintaining security controls, hiring, business practices with BAs, and training all fall under this category.
- Physical safeguards reference, perhaps obviously, the access allowed for physical locations like buildings, data storage areas, and technologies. Your organization must maintain appropriate protection and security against unlawful access to your physical systems.
- Technical safeguards are what we normally think about in terms of digital protection, namely data encryption, secure transmission protocols, and security controls like authorization and authentication standards.
The last of these items (technical safeguards) is typically of most interest to companies handling ePHI because it sets the standards for protecting ePHI at rest, in transit, and in use.
What is interesting about this rule is that it doesn’t name a specific set of technologies. For example, it doesn’t outright state “use AES-256 encryption for data in transit” or something like that. Instead, it ties the required security standards to risk assessment: the likelihood of a threat to the data and the level of prevention that threat warrants. What that means is that your organization must employ encryption standards for the different ways data is used (AES, TLS or S/MIME for email, OpenPGP, etc.) that reasonably protect against breach or unauthorized viewing. Standards that have been compromised or invalidated over time would not satisfy this rule.
The HIPAA Breach Notification Rule
The Breach Notification Rule is a bit distinct from the others, as it deals with the event that your organization experiences a data breach. In short, Covered Entities and Business Associates must notify affected patients or other individuals in the event of a breach. There are some specifics to this rule regarding how those notifications work:
- CEs must notify individuals upon the discovery of a breach, including an individual notice via first-class mail or email (if the patient agrees to email communications). This notification will usually include the type of breach, the data affected, and the steps the organization is taking to mitigate the problem. It also identifies steps the patient can take to mitigate any further exposure.
- If the breach affects 10 or more patients for whom the CE lacks current contact information, the CE must post a notice on its homepage and include a toll-free number in that notification for at least 90 days after the breach.
- CEs must also provide a media notice if the breach affects more than 500 people in a given state or jurisdiction, delivered to a prominent media outlet serving that state or jurisdiction.
- CEs must also notify the Office of the Secretary of Health and Human Services regarding the breach.
- Business Associates that experience a breach must provide information to their associated CEs and include contact information for all affected individuals.
The HIPAA Omnibus Rule
The Omnibus Rule is a later addition to HIPAA. This rule, added to the HIPAA framework in 2013, changed a few of the requirements and impacted, most relevantly, the responsibilities of Business Associates.
With the Omnibus Rule, Business Associates became directly liable for non-compliance. Before this ruling, it was CEs that were liable for violations. This rule, therefore, places significant responsibility on BAs to perform the same compliance auditing and documentation that CEs do.
Likewise, breach rules were modified to better protect ePHI. Before the Omnibus Rule, a reportable breach was defined as an unauthorized use or disclosure of ePHI that would pose significant financial or other harmful risks to individuals. Under the Omnibus Rule, all breaches are considered unauthorized regardless of harm and must be reported.
What Steps Do Covered Entities and Business Associates Take to Comply with HIPAA Rules?
HIPAA compliance includes a lot of different regulations, but in terms of security, most CEs will focus on these three rules. To think about compliance for your organization, make sure you are attending to some of these best practices and requirements:
- Always ensure that your staff is fully trained according to the latest HIPAA privacy guidelines, including the handling of ePHI over email or other electronic media. This includes managing mobile devices, properly using email, and managing patient data across multiple organizations.
- Deploy technologies with the latest in encryption and protection. It doesn’t benefit organizations to skimp on protection, so utilize some of the latest encryption technologies available, including:
  - AES-256 encryption for data at rest
  - TLS-1.1 or higher for email encryption
  - S/MIME for encrypting email headers with advanced character sets
  - OpenPGP for transactional public-key encryption (including any tech that uses public-key encryption as part of its operation)
- Utilize secure messaging and storage when possible. Email is not the best way to work with ePHI, so when communicating with patients, leverage secure messaging that provides the encryption and authentication necessary for HIPAA compliance within a single environment.
- Work with HIPAA-compliant managed service providers. There are plenty of cloud and managed service providers, but not all are HIPAA compliant. Any compliant provider will be able to demonstrate their compliance on paper. Most of the major providers will also have a standing Business Associate Agreement (BAA) that you can view and sign as part of your relationship. Beware of providers that advertise themselves as “HIPAA ready” or “HIPAA capable” rather than HIPAA compliant. These designations mean that they have the technologies to be HIPAA compliant, but they are not compliant out of the box.
- Maintain clear physical boundaries to all data centers and workstations. While this may seem self-explanatory, all data centers, work areas, and mobile devices should be in locked and protected areas, with clear security protocols and surveillance measures in place.
- Have a clear plan in place for breach notification. This includes a plan, and potentially a team, to manage patient outreach, PR, and notifications for breaches in the relevant jurisdictions.
- Work with experienced third-party auditors. HIPAA compliance requires continued maintenance and record-keeping, which can overwhelm smaller organizations. By working with a compliant auditor, you can get the expertise and automation to streamline the process and guarantee accuracy.
If you are an organization that is struggling to manage HIPAA compliance, or if you are just entering the healthcare industry, don’t leave compliance to chance. Violations can run up millions of dollars in fines and easily bankrupt a company within a year. Treat compliance as a priority business strategy and work with experts in the industry to power your training, security, and
Don’t leave your HIPAA compliance in inexperienced hands. Trust the expertise of Continuum GRC to streamline your compliance efforts and empower your team to support healthcare needs around the world. Call us at 1-888-896-6207 or contact us with the form below to learn more.