What Is HIPAA Compliance?
Greg Garner
Healthcare organizations are under increased scrutiny when it comes to HIPAA compliance. This is due to the changing regulatory environment surrounding healthcare and data privacy.
HIPAA is crucial to organizational integrity. Unfortunately, most organizations slip into non-compliance simply because they do not understand what compliance requires.
In this article, we will explore what HIPAA compliance means for you and your organization. We’ll also discuss some strategies for how to maintain your company’s HIPAA compliance standards in a world of ever-changing regulations.
Whenever you’re ready to learn more about this important topic, keep reading.
What Is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act of 1996. HIPAA is important because it protects the privacy of a patient’s health information, specifically how that data can be used and who has access to it.
HIPAA’s protections exist for three purposes:
- To protect you from discrimination in the workplace due to your medical history
- To give you more control over your healthcare decisions by giving you insight into how certain treatments may affect other aspects of your life
- To ensure that when an organization shares someone else’s health care record, it is secured from prying eyes
Essentially, the goal is to make the “search” for medical records more difficult.
Responsibility for complying with the act falls on anyone who handles this sensitive information, and each such party is classified as either a covered entity or a business associate. Both are required by law to protect any patient data they come into contact with.
This includes doctors, nurses, hospitals, and health insurance companies. Basically, any entity that deals in private medical records is responsible for following these guidelines. The type of organization dictates what steps need to be taken to protect your privacy.
If you’re an employer, much less needs to be done than for someone working at a hospital, because rules will already exist. For instance, background checks focus more heavily on personal safety than on security. It all depends on who you are and what your responsibilities entail.
Covered Entities vs. Business Associates
What’s the difference between a “covered entity” and a “business associate”? A covered entity is an organization that must abide by HIPAA guidelines because it is legally required to do so: this includes doctors, nurses, hospitals, and health insurance companies.
The term business associate applies to any person or company that comes into contact with patients’ private medical records.
However, they are not legally obligated to follow these rules in the same way; an employer, for example, has far less to do than, say, hospital workers. It all depends on who you are and what your role entails.
What Is HIPAA Certification?
HIPAA certification is a requirement for covered entities, as per HIPAA and the corresponding HITECH Act. Certification is only granted to those who can prove their compliance with the required standards of privacy protection, security safeguards, and data integrity.
What does a typical certification process include? Once you’ve met all the requirements for your company or organization, including updating policies as needed, an in-depth plan must be developed outlining how healthcare information will be protected.
This includes procedures such as notifying patients when there has been unauthorized access to their private medical records (so that they know someone has accessed them without authorization).
All covered entities need to have certification because there can be serious consequences if they don’t.
For example, if a patient requests their medical records and the entity doesn’t comply with the request within 45 days (or as soon as the records become reasonably available), that person has grounds to sue for up to $100 per day until access is provided.
Sure, some of these cases are just busywork or minor mistakes. But many hospitals still face lawsuits every year over regulatory oversights, even after paying out massive fines.
What happens when you find yourself working alongside an uncertified company without knowing it? It’s not as bad as you might think. It doesn’t mean the company is violating anything; it just hasn’t taken the steps to get certified yet.
Nor does it necessarily mean that your work will be uncertified too, because hospitals are allowed to use services from an uncertified entity under certain circumstances.
And even when administrators know about the noncompliance, there is still potential liability for negligence, depending mostly on what happens after working with them.
How to Be Compliant?
To comply with HIPAA, there are four main criteria that one must meet.
- Organizational Requirements
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
For example, if you’re not a nurse or doctor, it’s likely that some form of compliance already exists. But if you work at a hospital or a company handling private data, much more needs to be done, from signing paperwork through security cameras to encryption.
Organizational Requirements are the first step in becoming compliant with HIPAA, and it’s a big one.
A good way of looking at Organizational Requirements is to think about what would happen if something went wrong: who would be responsible? This is a useful test of whether you’re compliant with HIPAA.
Examples of Organizational Requirements are privacy policies and procedures. These outline what personal information will be collected from patients or customers, and also how that data may be used only for its intended purposes.
They also provide guidelines on when information should be disclosed, among other things, all of which is crucial if you want everything to run smoothly in your organization.
There are more steps after this too, but those come down to training employees and deciding where sensitive files go.
There is also a requirement for a Privacy Officer. This person is the go-to for any questions about HIPAA.
Typically, this can either be an internal employee or someone externally hired. It all depends on what works best for you!
The Privacy Officer should also create privacy notices that tell people about their rights, so that they understand everything before anything happens.
This is a key component when it comes time to reveal information like Social Security numbers, since not everyone knows how strict these laws are nowadays.
Finally, you need personnel procedures. As mentioned earlier, training employees is crucial if you want them to follow protocol.
Employees need to know not only how they should conduct themselves but also what is expected of them. This includes maintaining a safe environment for patients, keeping records private and away from unauthorized people, and following doctor-patient confidentiality at all times.
This means no one can talk about another person’s diagnosis or treatment with anyone outside their specific area.
Administrative Safeguards are another big part of complying with HIPAA. You need an Administrative Safeguards Plan that outlines how you’ll protect your private data.
It also covers what will happen if a problem arises, for instance someone hacking your system or otherwise getting into the records.
The plan also establishes accountability for everyone involved in handling important medical information. No slacking allowed!
Examples of administrative safeguards are:
- Make data accessible only to those with a need to know and access authorization
- Protect physical documents by storing them in locked, secure containers or rooms and keep key accessibility limited
- Install anti-malware/anti-spyware software on all workstations, including servers hosting medical information systems, and restrict access to those servers to specific individuals
Physical & Technical Safeguards
This covers how you’ll protect the physical records and how to do so in a technologically safe manner. There are many ways information can leak these days, so we look at all the different types of data breaches that could happen and what would need to be done if they did.
Employees also need training when they come on board and whenever anyone changes role within the company, because HIPAA compliance is something everyone should know about!
Examples of technical safeguards include:
- Data encryption, which is the process of transforming information so that unauthorized people can’t read it. Encryption means hiding data with a code, and making sure only authorized persons have access to that code.
- Password protection for computers and other electronic devices used to handle protected health information (PHI). This includes passwords required before someone can use the computer system, as well as preventing an employee from changing his or her password without company approval.
- Firewalls to keep hackers out of systems containing PHI.
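To make the administrative safeguard “need-to-know access” and the technical safeguards “password protection” and “integrity” concrete, here is an added example that is not from the article or any real product. It is a constructed, hypothetical PHI access layer: passwords are stored only as salted PBKDF2 hashes, each role sees only the fields its job needs, every record carries an HMAC so silent tampering is detected, and every access attempt (successful or not) is written to an audit log, which is the accounting of access the article refers to. All names, roles, patient ids and field names are assumptions made for the example; encryption of the stored data itself is not shown (it would use a library such as an AES-GCM implementation, which the standard library does not provide).

```python
"""Constructed, hypothetical PHI access layer (not from the article or any real product)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 100_000  # slow hash so a leaked password database resists guessing


@dataclass
class User:
    username: str
    role: str               # e.g. "physician" or "billing" (assumed roles)
    salt: bytes
    pw_hash: bytes
    assigned: set = field(default_factory=set)  # patient ids this user legitimately works on


def hash_password(password: str, salt: bytes) -> bytes:
    # Technical safeguard: never store the password itself, only a salted PBKDF2 hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user(username: str, role: str, password: str, assigned=()) -> User:
    salt = secrets.token_bytes(16)
    return User(username, role, salt, hash_password(password, salt), set(assigned))


class PhiStore:
    # Need-to-know: each role sees only the fields its job requires, not the whole record.
    ROLE_FIELDS = {
        "physician": {"name", "diagnosis", "treatment"},
        "billing": {"name", "insurance_id"},
    }

    def __init__(self, integrity_key: bytes):
        self._key = integrity_key
        self._records = {}    # patient_id -> (record dict, HMAC tag)
        self.audit_log = []   # (username, patient_id, outcome) for every access attempt

    def _tag(self, patient_id: str, record: dict) -> bytes:
        # Integrity: an HMAC over a canonical serialisation detects silent edits.
        canon = patient_id + "|" + "|".join(f"{k}={record[k]}" for k in sorted(record))
        return hmac.new(self._key, canon.encode("utf-8"), hashlib.sha256).digest()

    def put(self, patient_id: str, record: dict) -> None:
        self._records[patient_id] = (dict(record), self._tag(patient_id, record))

    def get(self, user: User, password: str, patient_id: str):
        """Return the fields the user may see, or None; every attempt is logged."""
        outcome = "bad_password"
        try:
            # 1. Password protection (constant-time comparison of the hashes)
            if not hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
                return None
            outcome = "not_authorized"
            # 2. Need-to-know: a known role AND an assignment to this patient
            allowed = self.ROLE_FIELDS.get(user.role)
            if allowed is None or patient_id not in user.assigned or patient_id not in self._records:
                return None
            record, tag = self._records[patient_id]
            outcome = "integrity_failure"
            # 3. Integrity: refuse to serve a record whose tag no longer matches
            if not hmac.compare_digest(self._tag(patient_id, record), tag):
                return None
            outcome = "granted"
            return {k: v for k, v in record.items() if k in allowed}
        finally:
            # 4. Accounting: log the attempt whatever the outcome
            self.audit_log.append((user.username, patient_id, outcome))


def demo():
    """Walk through the possible outcomes on constructed sample data; returns the audit log."""
    store = PhiStore(b"constructed-integrity-key-do-not-reuse")
    store.put("P001", {"name": "Jane Doe", "diagnosis": "type 2 diabetes",
                       "treatment": "metformin", "insurance_id": "INS-0001"})
    doctor = make_user("dr_smith", "physician", "correct-horse", assigned=["P001"])
    clerk = make_user("clerk_b", "billing", "battery-staple", assigned=["P001"])

    store.get(doctor, "wrong-password", "P001")         # bad_password
    store.get(doctor, "correct-horse", "P001")          # granted: clinical fields only
    store.get(clerk, "battery-staple", "P001")          # granted: billing fields only
    store.get(clerk, "battery-staple", "P999")          # not_authorized: not assigned
    store._records["P001"][0]["diagnosis"] = "altered"  # simulate tampering with stored data
    store.get(doctor, "correct-horse", "P001")          # integrity_failure
    return store.audit_log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Running the file prints five audit entries, one per attempt, ending with the integrity failure triggered by the simulated edit. The design point is that the audit log is written in a `finally` block, so a denied or failed request is recorded just as reliably as a granted one; an accounting of access that only records successes is of little use in an investigation.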
How Does It Protect?
How does HIPAA compliance protect my privacy? For organizations like doctors’ offices, hospitals, insurance providers, pharmacies, and others to comply with HIPAA rules, they must make sure that:
- People’s personal information is not disclosed to unauthorized persons
- Non-public health data are kept private from outsiders
The key component of compliance in the United States comes down to following these six principles:
- privacy (or notice)
- individual rights, as well as consent or authorization
- security/safety measures while handling data
- physical safeguards for paper records and computer files alike
- integrity, which means that organizations have an accurate accounting of what PHI they possess
This includes knowing where providers outside their normal network have seen a patient, so that person can be contacted if any legal action arises over the course of treatment.
HIPAA protects your privacy by keeping your health information private from unauthorized persons. In addition, nonpublic health data are kept private from outsiders.
Nonpublic Health Data (NPHI) is any personal information or identifiers relating to medical and/or mental health history, diagnosis, or treatment rendered, but excludes individually identifiable genetic information as well as psychotherapy notes. It includes:
- the patient’s name
- any identifying number that relates to a specific person, such as a social security number or an insurance policy number
- phone numbers and other contact details, including email addresses where available
- possibly IP logs showing who has accessed the organization’s website and which pages they viewed
It also includes economic status, such as income level and benefits coverage for treatments given by facilities under the organization’s care, and any other information relating to a particular person’s medical or mental health history.
5 HIPAA Rules: Privacy Rule
There are five prominent rules in HIPAA; let’s take a look at them.
The HIPAA Privacy Rule is divided into four parts: general rules, restrictions, and disclosures with written authorization, which include waivers of privilege allowing health care workers to share information about patients in a medical emergency or when necessary to prevent harm.
The last section covers the ban on discrimination against individuals who refuse treatment based on religious beliefs. It also covers genetic data and psychotherapy notes, but excludes individually identifiable genetic information as well as psychotherapy notes.
This means your name; any identifying number that relates to a specific person, such as a social security number or an insurance policy number; address; phone numbers and other contact methods, including email addresses where available, which may also include IP logs showing who has accessed a site, which pages were accessed, and for how long.
The HIPAA Security Rule is broken up into two parts: Administrative Safeguards and Physical Safeguards.
Administrative safeguards are the policies, procedures, rules, and laws that govern how healthcare providers treat the data they come into contact with daily. They include things like documenting what happens to information when it is disposed of, and notifying individuals about privacy practices where needed or required by law.
Physical security involves protecting electronic health records from unauthorized access through both physical and logical measures: securing doors; controlling visitors who have legitimate reasons for entering patient care areas (including employees); and restricting any one person’s ability to roam the building freely without proper authorization, since that may mean access to sensitive computer systems or cabinets containing protected materials.
The HIPAA Transactions Rule is a set of additional guidelines established by the HIPAA regulations to protect people’s personal medical information.
The Transactions Rule was developed with a focus on account-based and system-generated health data transmitted electronically over telecommunication or computer networks, so this type of data must be encrypted for security purposes.
The HIPAA Identifiers Rule is another set of additional guidelines established by the HIPAA regulations to protect people’s personal medical information.
The Identifiers Rule was likewise developed with a focus on account-based and system-generated health data transmitted electronically over telecommunication or computer networks, so this type of data must be encrypted for security purposes.
The HIPAA Enforcement Rule was also developed with a focus on account-based and system-generated health data transmitted electronically over telecommunication or computer networks, so this type of data must be encrypted for security purposes.
Furthermore, this rule stipulates that everyone involved in transmitting health data must take every precaution necessary to ensure its security.
How to Ensure My Staff Is Compliant?
To ensure the HIPAA compliance of your staff, you must first understand what is required of them.
For example, your staff members must have a thorough understanding of the HIPAA Enforcement Rule and how it applies to their particular job function; they should be aware that only certain people are allowed access to patient health data, and they need to be aware of every precaution necessary for security purposes.
In addition, you must train and enforce HIPAA with your staff: require them to sign a statement of understanding, make sure they know not to share patient information without authorization, and have them attend HIPAA training sessions.
Awareness of the necessity for taking every precaution necessary for security purposes is just one way to ensure your employees are compliant with HIPAA.
Another thing you should do is require all members who work closely with patients to take part in an annual privacy review process; this helps identify any potential risks so they can be remedied before there is an issue.
Passing these two essential steps on to your employees will go a long way towards ensuring they understand what their responsibilities are regarding HIPAA compliance and helping them stay updated on new developments so that they are always prepared.
You can also help your employees develop a HIPAA policy document and have your staff attend HIPAA training sessions.
These measures will not only ensure that all current team members know what is expected, but will also serve as a reminder to future new hires, so you can be assured that any future projects underway or in development adhere to these standards from start to finish.
Any HIPAA violations by your staff can directly affect your compliance standing, and your organization will most likely also be held responsible for their wrongdoing.
And finally, let’s go over some tips that will make your life easier when it comes to being subject to HIPAA compliance. Of course, this isn’t a one-size-fits-all kind of scenario, but these tips might help you a little down the road.
Here are the most prominent HIPAA tips:
- Never send any personal or private information over unsecured networks
- Follow the instructions on every document you sign, like a release of medical records (if your company provides them)
- Make sure to keep all workstations and desks free of items that could reveal login credentials (social media logins included), such as sticky notes with passwords written in plain sight
- Make sure to store all company-owned devices in a safe and secure location, out of the reach of those not authorized
HIPAA regulations state that information is only considered private if used by someone other than its intended recipient without consent or authorization. This includes any data related to an individual’s personal health history (such as medical records).
Anything else created on work time for work purposes falls under the public domain. This means you don’t have to worry about this when crafting blog posts with personally identifiable details. This is because there will always be some indication that you’re writing content meant for your professional audience.
You should also keep any social media login credentials away from computers, so they aren’t automatically posted to your timeline.
Certain exceptions fulfill the definition of private information, such as:
- court or grand jury materials
- law enforcement records not public under other provisions of federal or state law
- medical data in personal records, unless disclosure could reasonably be expected to identify a specific individual
- personnel and student files subject to confidentiality agreements with no overriding interest
- business customer lists with names removed upon request, where their use would violate competitive trade practices laws