WHAT IS HIPAA COMPLIANCE
WHAT IS HIPAA COMPLIANCE AND REQUIREMENTS TO BE HIPAA COMPLIANT
Are you a part of the healthcare industry and concerned about securing your patient's medical record then you must have heard about HIPAA? The Health Insurance Portability and Accountability Act (HIPAA) is basically a law established by the United States, over two decades ago considering the confidentiality involved with the patient's health information, which are at risk of hacking, leaks, and of illegal alteration otherwise.
The most important part is to break down what exactly HIPAA means? In simple terminology, it means “Keep your patient’s healthcare particulars safe and secure”.
HIPAA sets the standards for safeguarding patient's sensitive data and also elaborates over the fact that how and when any professional who wishes to obtain someone's protected healthcare information (PHI) can or cannot use the details. For example: If a patient wishes to permit his/her PHI to be available to anyone outside the hospital, the HIPAA law calls for a signed HIPAA PHI note instructing the doctor’s office to share the required information .
For example: If a patient wishes to permit his/her PHI to be available to anyone outside the hospital, the HIPAA law calls for a signed HIPAA PHI note instructing the doctor’s office to share the required information .
WHAT IS PROTECTED HEALTH INFORMATION (PHI)
We spoke about PHI - Protected Health Information. What is it? PHI is the chief component of HIPAA compliance because it helps the healthcare industry to avoid any violations of data leak of the patients. PHI is not limited to only healthcare data but extends to any minute information that can easily get him identified by any unauthorized organization during their treatment.
Starting from any details about a doctor’s visit to the patient’s name, birth, death or treatment dates, phone numbers, social security numbers, medical record numbers, photographic images on any hospital form, finger and voice prints and even the history of patient’s health conditions and the mode of payment as recorded in the hospital, which could help identify a patient are all stored and shielded under this act.
Details including his job record, his address, vehicle number and any information about a close family member or even the beneficiary’s contact details can also disclose the identity of a patient and this is what PHI refers to.
WHO IS LIABLE TO BE HIPAA COMPLIANT?
Going by the HIPAA compliance act, if you belong to any of these two organizations - ‘Covered entities’ or ‘Business associates’, your business is supposed to be HIPAA compliant.
What are these categories?
Covered Entities: as described by HIPAA, include health plans, health care providers and health care clearinghouses. Let’s further break this down.
Health plans include dental, vision, health and prescription drug insurers, health maintenance organizations, government and church-sponsored health plans, medicare supplement insurers and even the multi-employer health plans.
Health care providers include all providers of services (Institutional providers such as hospitals, a critical care facility, clinics, nursing homes, pharmacies) and
providers of medical or health services (Non-institutional providers such as physicians, surgeons, dentists, podiatrists and other practitioners)
Healthcare clearinghouses are organizations that operate as mediators who forward all the claim details from healthcare institutions to the insurance payers. Health care clearinghouses include billing services, repricing companies, community health management information systems, and value-added networks and switches if these entities perform clearinghouse functions.
Business Associates: any organization or an individual that provides certain services to a covered entity (doctor’s office, dental offices, clinics and hospitals) that involve the use or disclosure of individually identifiable health information is called Business associates. They basically perform as a covered entity, which includes claims processing, data analysis, utilization review and billing. Other examples of business associates are medical equipment companies, consultants hired for audits, coding reviews, medical transcription services, external auditors or accountants and electronic health information exchanges. However, those persons or organizations are not considered business associates if their functions or services do not involve the use or disclosure of protected health information (PHI).
HIPAA RULES & REGULATIONS
There are four major rules, which deny the malicious agents easy access to your HIPAA systems.1. HIPAA Privacy Rule
The primary goal of HIPAA privacy rules is to keep an individual's medical records and all personal health information private. According to the privacy rule, all healthcare, health plan providers and even the healthcare clearinghouses are required to lay down certain precautionary measures to protect the privacy of the 'Protected health information' and these precautionary measures should highlight the circumstances and restrictions on the usage and disclosure of the PHI when patients are not there to authorize.
The Privacy Rule does not apply to business associates. Under this rule, the covered entities must appoint a privacy officer responsible for receiving complaints and the officer must provide training on when PHI can be disclosed, to whom, and under what circumstances. Another objective of the privacy rule is to help patients access their medical information easily. The covered entities should provide a copy of the patient’s healthcare data within 30 days of receiving a written request. The HIPAA Privacy Rule applies to PHI in any form, be it an appointment with a physician or any conversations.
Unlike the privacy rule, which only applies to the covered entities and offers protection to all sorts of electronic or printed health information, the security rule emphasizes on the technical aspects of protecting the electronic health information ( ePHI ) and it applies to both covered entities and the business associates. The security rule generally addresses the administrative security, physical security and technical security. Under the administrative security, an individual is handed over an assignment of security of the health records while under the physical security- electronic system, equipment and the entire data has to be kept under strict protection. Facility access controls, workstation use, workstation security and media controls are the four key areas to be looked at under physical security. Lastly, under the technical security- hospital administrators need to be aware of access controls, audit controls, entity authentication and transmission security.
*What is electronic PHI? – It is explained as all the protected health information that is stored and used electronically.
Any forbidden disclosure of medical records, which compromises the privacy of the protected health information or even the electronic PHI, is considered to be a data breach. Despite all the safeguards and precautionary measures, there are chances that the patient’s PHI or electronic PHI can be compromised, which leads to an illegal disclosure of the patient's health record in any way.
The Breach notification rule says that under such sensitive circumstances, the concerned patient should be informed within 60 days of the discovery of the breach. The breach has to be conveyed through an email or through telephone and if the patient is deceased, then an immediate guardian should be informed. The affected patient should also be warned about the potential harm and the measures he/she should take to protect himself/herself. This rule also differentiates between minor breach and meaningful breach. Minor breach affects fewer than 500 individuals while a meaningful breach affects more than 500 individuals.
This rule brought slight modifications to the existing HIPAA guidelines, further strengthening the patient’s privacy and helping patients to protect their health information by bringing light to the new rights involved in the rule. This rule gave patients the basic right to have control over their own data. The HIPAA Omnibus rule laid down new restrictions as to how the protected health information can be used and disclosed for marketing and fundraising purposes. It also prohibited the sale of an individual’s health record without their permission. According to this rule, when a patient has paid his entire treatment amount, he/she has the right to instruct the concerned health provider to abstain from sharing any details about their treatment. It significantly reinforced HIPAA’s essentials for business associates emphasizing that they should adhere to its restrictions otherwise they can be held directly accountable for failing to do so.
HIPAA COMPLIANT CHECKLIST
Once you are eligible to be HIPAA compliant, you have to make sure that you have set up a well grounded security plan to further help maintain your storage data.
For all the covered entities and business associates, there is a checklist before you get going on becoming a HIPAA compliant:
- To begin with, chart out an entire plan for all the medical records you have and try determining a single platform where you could keep all HIPAA protected files.
- Categorize a list of all those who can retrieve your HIPAA protected files from the same platform where you can monitor them live. Also, monitor all the logins to a system and report discrepancies.
- Like any other data security firm, you need to have your alert notifications on, all the time and a dedicated team for that where you can immediately learn as to who has tried to or got an access to the HIPAA record. This would need stringent guidelines because this is the point where a healthcare industry could lose on some major health records.
- You need to ensure that there are proper methods in place for creating, changing and protecting passwords, timely.
- Another important aspect is to regularly supervise the employees who work with PHI. You should ensure that other employee’s access to PHI might result in the termination of their employment.
- In regards to social media as well, you should have devices to control the policies to determine when and how to remove the health records from electronic media and equipment to avoid any hassles later.
After rules, we now come to “violations” because failure to follow these rules can land your practice in hot water!
WHAT ARE HIPAA VIOLATIONS?
HIPAA violation is any infringement in an organization’s functioning that compromises the uprightness of the PHI or electronic PHI.
It’s convenient to blame the technology or even the hackers when any data breach takes place but unfortunately a majority of HIPAA breaches are user-driven.
Although HIPAA violations arise in a variety of ways; improper mailing or text containing PHI, trying to obtain patient’s information on a home computer, lack of limitations as to who may view PHI, failing to maintain the PHI access logs, social media posts regarding any information related to PHI, stolen phone or the device and even not restricting the access authorization to employees who are no longer a part of the industry are some of the most common HIPAA violations.
DOs AND DON'Ts FOR PROTECTING YOUR COMPANY FROM HIPAA VIOLATIONSHACKS
- Do: Secure your networks using firewalls and multifactor authentication methods.
- Don’t: Employees use any unsecure device they want and share information through any medium.
- Do: Ensure regular training on the law, policies and procedures involved in HIPAA.
- Don’t: Employees have no training related to the procedures involved in the functioning of the organization.
- Do: Make sure to secure the electronic PHI in a safer database, which has difficult passwords.
- Don’t: Put the data on the same digital platform where anyone in the organization can have access to the PHI.
- Do: Ensure that the patients have authorized you to share the PHI to any outsider or any family member.
- Don’t: Provide the entire PHI to any of the patient’s family members, whom he/she has not approved.
- Do: Unauthorized employees should never be allowed to access any information at the request of the authorized employee in or outside the office.
- Don’t: unauthorized employees permitted to use the dedicated PHI devices and allowed to obtain information.
- Do: ensure that employees are using correct disposal methods of the private emails containing PHI. Keep evaluating the email removal procedures.
- Don’t: Employees keep the important emails in the recycle bin and throw any informative paper in regular trash.
- Do: Covered entities should conduct and retain documentation of a risk assessment of their organization.
- Don’t: Do away with risk assessment and don’t bother about the administrative, physical and technical safeguards.
HIPAA NON-COMPLIANCE CONSEQUENCES
As it is said that consequences of not following these HIPAA rules can land your practice in hot water, there are rigid punishments and hefty fines for a violation. Once a breach takes place, your business is at the risk of losing integrity in the entire healthcare industry.
According to HIPAA, any violation, initially leads to civil penalties for an infringement and civil penalty or civil fine is imposed depending on the level of perceived negligence and the concerned organization’s approach towards the incident. The law says that the Office for Civil Rights (OCR) is prohibited from imposing a civil penalty (except in cases of willful neglect), if the violation was corrected within the stipulated time of 30 days.
Under HIPAA, the civil violations have been categorized into four corresponding tiers of penalties.
PENALTY RANGE FOR THE VIOLATIONS
|FIRST HIPAA VIOLATION
|SECOND HIPAA VIOLATION
[Informed entity but did not act with willful neglect]
|$100 - $50,000 per violation, with an annual maximum of $25,000 for repeated violations.||$1,000 - $50,000 per violation, with an annual maximum of $100,000 for repeated violations.|
|THIRD HIPAA VIOLATION
[Acted with willful neglect but corrected the problem in 30 days]
|FOURTH HIPAA VIOLATION
[Acted with willful neglect and did not correct the violation in 30 days]
|$100 - $50,000 per violation, with an annual maximum of $250,000 for repeated violations.||$50,000 per violation, with an annual maximum of $1.5 million.|
After civil penalty, the HIPAA violation invites criminal penalties too under some circumstances, thereby meaning that a breach (Knowingly accessing the protected health information outside of job responsibilities) can even land you in jail.
Criminal penalties are also classified into corresponding tiers, depending on the extent of the severity for criminal violation:
Firstly, when the covered entity (health plans, healthcare cleaning houses, healthcare providers and medicare drug sponsors) specified individuals in the crime knowingly obtain or disclose PHI in violation of the Administrative Simplification Regulations, faces a fine up to $50,000 and up to 1 year in prison.
Secondly, the violations committed under false pretenses permit penalties to be increased to a $100,000 and a potential jail term of five years.
Finally, the breach committed for personal gain (Use individual health record for business advantage) or malicious reasons invites a fine up to $250,000 and in addition, the maximum jail term is 10 years.
WAYS TO LIMIT THE RISK OF A BREACH RESULTING IN HIPAA FINES OR PRISON TIME
There are numerous ways that can help prevent the breach in the first place and then limit the risk of a breach if it has happened and is leading to fines or prison time.
- Immediate action: Try to mitigate the breach by terminating improper access to PHI, and retrieve any PHI illegally disclosed.
- Notify the privacy officer: The workforce team should be well trained to contact the dedicated privacy officer as soon as they learn about the breach so that the required action can be taken.
- Respond promptly: swift action right after the breach may lessen the consequences of a crime. It may be corrected within the stipulated time and can avoid further breaches.
- Pertinent investigation: Consider five Ws and one H while going ahead with the investigation- Who, what, when, where, why and how. Get hold of the essence of the crime and make sure there was no disclosure of PHI and there will be no further disclosure if happened.
- Try alleviating the breach consequences: Destroying improperly disclosed PHI, discontinuing an access of the PHI to the employees or the device, cleaning all devices, retrieving the data and warning the individuals of hefty fines, can help mitigate the breach effects.
- Modify the policy if need be: If you fail to correct the breach, you could at least try that it will not be repeated next time. Try to bring into effect some new safeguarded policies and regularly train the employees.
- Report the breach: You need to learn that if the breach has to be reported to the individual or to the HHS and determine if there was a breach of the privacy rule or if there is a low probability that the data was compromised.