HIPAA Overview and Guides
Regulated by the United States Department of Health and Human Services’ Office for Civil Rights (OCR), the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that established national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.
In this post, we will explain the basic concepts involved in the process of becoming HIPAA compliant with the security rule, outline what you can expect as you work towards compliance, and provide guidance based on our cumulative experience working closely with our customers and auditor partners.
What Constitutes Protected Health Information (PHI)?
PHI is any personal health information that potentially identifies an individual that was created, used, or disclosed in the course of providing healthcare services, including, but not limited to:
- Names
- Addresses
- Date of birth
- Social security number
- Payment or billing information
- Medical records (electronic or paper)
Depending on your organization’s function in the healthcare ecosystem, you may be handling PHI either directly or indirectly. While certain organizations have a greater obligation to safeguard patient information under HIPAA, you should be doing your part to ensure that this information is secure and well-protected.
Without getting too existential, before we discuss the specifics of the regulation, we’ll determine whether you are a Covered Entity, a Business Associate, or a Subcontractor.
Covered Entities include:
- Healthcare providers such as hospitals, clinics, doctors' offices, pharmacies, and home health agencies.
- Health plans such as government programs that pay for healthcare, health insurance companies, health maintenance programs, and military and veterans’ health programs.
- Healthcare clearinghouses, i.e. organizations that act as the go-betweens for healthcare providers and insurance providers.
If you are a Covered Entity, you are subject to, and legally required to, comply with all the standards set forth by HIPAA.
Particularly given the digital nature of today’s health landscape, Covered Entities do not carry out all their healthcare-related activities and functions by themselves. They often use the services of other organizations, known as Business Associates.
Examples of organizations considered to be Business Associates include:
- Third-party administrators
- Billing companies
- Transcriptionists
- Cloud service providers
- Data storage firms – electronic and physical records
- EHR providers
- Consultants
- Pharmacy benefits managers
- Claims processors
- Collections agencies
- Medical device manufacturers
In case all of this wasn’t complex enough…
A Business Associate may delegate a function, activity, or service to a Subcontractor.
Business Associates are required to ensure that Subcontractors are implementing and maintaining the systems needed to safeguard PHI.
HIPAA Rules Demystified
The HIPAA regulation is composed of four rules: Privacy, Security, Breach Notification, and Omnibus.
Privacy Rule
The Privacy Rule was developed to:
- Ensure that organizations that create and store health information take appropriate steps to protect this information from misuse or wrongful disclosure.
- Provide individuals with the ability to understand and control how their health information is being used.
Complying with the Privacy Rule assures individuals seeking care that an organization is committed to keeping their information private and secure. Even if they’re not dealing directly with you, these individuals can rely on the HIPAA framework to ensure the privacy of their data across all relevant parties.
Security Rule
The Security Rule protects a subset of the information covered by the Privacy Rule, and sets the standard for the protection of electronically stored and transmitted PHI (ePHI). It does so by requiring the implementation of administrative, technical, and physical safeguards.
Complying with the Security Rule demonstrates that you are committed to protecting the confidentiality, integrity, and security of ePHI, and have taken the necessary steps to protect your systems from security threats and unauthorized disclosures.
Breach Notification Rule
Any PHI usage or disclosure that isn’t permitted under the Privacy Rule is considered a breach. When a breach occurs, Covered Entities are required to notify affected individuals.
Whether or not you are required to comply with this rule, you can help your Covered Entity customers maintain their compliance by monitoring any impermissible use or disclosure of PHI, and promptly notifying affected parties when a breach is detected. Being transparent is a great way to build trust with your customers. Trust us on this.
Omnibus Rule
The HIPAA Omnibus Rule, which became effective in 2013, contains modifications and edits to the Security, Privacy, Breach Notification Rules and their enforcement. These modifications are intended to enhance confidentiality and security in data sharing, and strengthen the protection of protected health information, especially in electronic form.
One major change is that the Omnibus Rule makes Business Associates and Subcontractors liable for non-compliance with HIPAA.
How do I know if HIPAA applies to me?
By law, if you are a Covered Entity, you are required to be compliant with the Privacy, Security and Breach Notification Rules.
If you are a Business Associate, you are only required to be compliant with the Security Rule. However, if you’re working with a Covered Entity (or want to), you will need to show reasonable proof that you’re able to safeguard the PHI you receive or create on behalf of the Covered Entity.
A Handy-Dandy Cheat Sheet
That’s a lot to take in. If your head is spinning a little, just identify what type of organization you are, and follow this table:
| Organization | Security Rule | Privacy Rule | Breach Notification Rule | Signing BAA* |
| --- | --- | --- | --- | --- |
| Covered Entity | Required | Required | Required | |
| Business Associate | Required | Optional | Optional | Required (with Covered Entity) |
| Subcontractor | Optional | Optional | Optional | Required (with Business Associate) |
How do I prove compliance?
HIPAA does not require an assessment to be performed, and there is no such thing as an official HIPAA certification: no standard or implementation specification requires a covered entity to “certify” compliance, and the OCR does not endorse or recognize any “certifications” provided by private organizations. The regulating body does not care whether the HIPAA assessment is performed internally or by an external organization, as long as it is done. Some companies choose to manage compliance internally, and that is fine, though being evaluated by an independent third party is still ideal.
If you are seeking to demonstrate HIPAA compliance to your customers and potential customers, there are several options you can consider:
- Conduct a self-assessment against the HIPAA requirements.
- An independent HIPAA gap assessment with a consultant.
- An independent HIPAA compliance attestation report.
Even though it’s not required, an attestation report holds more weight than a self-assessment, so you may want to consider going down this path if you need to demonstrate the highest level of compliance.
What is a HIPAA violation?
Even after you’ve successfully completed an audit, there is a possibility that you may violate one of the HIPAA rules. A HIPAA violation is the failure to comply with any of the standards outlined in the rules.
The top five common violations that we see in the digital space are:
- Failure to conduct a risk analysis.
- Failure to provide HIPAA and Security Awareness training.
- Failure to maintain and monitor PHI access logs.
- Failure to terminate access rights to PHI when no longer required.
- Failure to document compliance efforts.
What is the cost of a HIPAA violation?
Penalties for HIPAA violations apply to Covered Entities and Business Associates alike. The OCR currently uses a four-tier system to gauge the level of non-compliance and determine whether any financial penalties are to be levied.
Tier 1: Organizations in this tier have made a reasonable amount of effort to comply with HIPAA, but they may not have known about a breach and could not have avoided it. Financial penalties could range from $100 – $50,000 per violation, with a maximum penalty of $25,000 per year.
Tier 2: Organizations in this tier have made a reasonable amount of effort to comply with HIPAA, and were aware, or should have been aware, that a breach occurred. Financial penalties could range from $1,000 – $50,000 per violation, with a maximum penalty of $100,000 per year.
Tier 3: A breach occurred as a result of “willful neglect” on the organization’s part. However, attempts have since been made to correct the violation. Financial penalties for organizations in this tier are $10,000 – $50,000 per violation, with a maximum penalty of $250,000 per year.
Tier 4: A breach occurred as a result of willful neglect, and no attempts have been made to correct the violation. The financial penalty for organizations that fall into this tier is $50,000 per violation, with a maximum penalty of $1.5 million per year.
What do I do when I become aware of a breach, and how does this affect my compliance status?
Under the HIPAA Breach Notification Rule, you are required to notify relevant parties of any breach. As a first step, you should evaluate the severity of the breach. Once you have the full picture, you have 60 days to notify affected individuals, the OCR, and any other relevant parties. It’s important to note that you must provide these notifications even if you are unsure whether PHI has been compromised. Any violations of the HIPAA Breach Notification Rule will result in financial penalties and in noncompliance. The OCR publishes a list of cases currently under investigation (a bit of public shaming, if you will), and you should make it your goal to never be on it.
Complying with the HIPAA standards, rules, and regulation is an ongoing effort that requires careful monitoring of your information security program against known, suspected, and unknown threats. Maintaining continuous compliance helps you build trust with your customers, proving that safeguarding their information is in your best interest as well as theirs.
And you’re in luck: it just so happens that continuous compliance is what we do.
Click to the next article to understand how to get started with HIPAA!
What will this cost me?
Traditionally, a HIPAA security rule audit can cost anywhere from $20,000 to $100,000 when you factor in the cost of the audit firm, as well as internal costs including productivity, staff training, and resources needed to meet specific requirements.
At TrustCloud, we believe compliance shouldn’t cost an arm and a leg. We want to make the readiness and audit process both affordable and simple. We’ve broken the cost down into two areas:
- Cost of HIPAA security rule compliance readiness using the TrustCloud platform – FREE for startups… By automating much of the process and offering a transparent, straightforward pricing structure, we make it easier for you to manage the overall cost of achieving HIPAA readiness.
- An auditor. We’ve developed strong relationships with a number of audit firms. Not only does this mean that they are trained on the platform and know how to evaluate your business, they are also able to pass along sizable discounts as a result of a referral from TrustCloud. HIPAA audit partners in the TrustCloud network charge between $15,000 – $50,000 for HIPAA audits, based on the maturity and complexity of the engagement.
If you think about it, we’ve created a win-win-win scenario.
How long is the HIPAA process going to take?
Without TrustCloud, you would be looking at a very manual and tedious process that could take up to a year. During this time, you would need to understand each requirement and how it applies to your business, conduct the necessary testing, accumulate all the evidence proving your compliance in a single location, and draft the right documentation. This estimate doesn’t include the time an auditor needs to evaluate your business and observe your practices.