HIPAA Overview and Guides


This overview covers the HIPAA regulations enforced by the United States Department of Health and Human Services’ Office for Civil Rights (OCR). The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that established national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.

This post introduces the basic concepts involved in becoming compliant with the HIPAA Security Rule, outlines what you can expect as you work towards compliance, and provides guidance based on our cumulative experience working closely with our customers and auditor partners.

What Constitutes Protected Health Information (PHI)?

PHI is any individually identifiable health information that was created, used, or disclosed in the course of providing healthcare services, including, but not limited to:

  • Names
  • Addresses
  • Date of birth
  • Social security number
  • Payment or billing information
  • Medical records (electronic or paper)

Depending on your organization’s function in the healthcare ecosystem, you may be handling PHI either directly or indirectly. While certain organizations have a greater obligation to safeguard patient information under HIPAA, you should be doing your part to ensure that this information is secure and well protected.

Without getting too existential, before we discuss the specifics of the regulation, we’ll determine whether you are a Covered Entity, a Business Associate, or a Subcontractor.

Covered Entities include:

  1. Healthcare providers such as hospitals, clinics, doctor’s offices, pharmacies, and home health agencies
  2. Health plans such as government programs that pay for healthcare, health insurance companies, health maintenance programs, and military and veterans’ health programs
  3. Healthcare clearinghouses, i.e., organizations that act as the go-betweens for healthcare providers and insurance providers

If you are a Covered Entity, you are subject to and legally required to comply with all the standards set forth by HIPAA.

Particularly given the digital nature of today’s health landscape, Covered Entities do not carry out all their healthcare-related activities and functions by themselves. They often use the services of other organizations, known as Business Associates.

Examples of organizations considered to be Business Associates include:

  1. Third-party administrators
  2. Billing companies
  3. Transcriptionists
  4. Cloud service providers
  5. Data storage firms: electronic and physical records
  6. EHR providers
  7. Consultants
  8. Pharmacy benefits managers
  9. Claims processors
  10. Collections agencies
  11. Medical device manufacturers

A Business Associate may delegate a function, activity, or service to a Subcontractor.

Business Associates are required to ensure that Subcontractors are implementing and maintaining the systems needed to safeguard PHI.

HIPAA Rules Demystified

The HIPAA regulation is composed of four rules: Privacy, Security, Breach Notification, and Omnibus.

Privacy Rule

The Privacy Rule was developed to:

  1. Ensure that organizations that create and store health information take appropriate steps to protect this information from misuse or wrongful disclosure.
  2. Provide individuals with the ability to understand and control how their health information is being used.

Complying with the Privacy Rule assures individuals seeking care that an organization is committed to keeping their information private and secure. Even if they’re not dealing directly with you, these individuals can rely on the HIPAA framework to ensure the privacy of their data across all relevant parties.

Security Rule

The Security Rule protects a subset of information covered by the Privacy Rule and sets the standard for the protection of electronically stored and transmitted PHI (ePHI). It does so by requiring the implementation of administrative, technical, and physical safeguards.

Complying with the Security Rule demonstrates that you are committed to protecting the confidentiality, integrity, and security of ePHI and have taken the necessary steps to protect your systems from security threats and unauthorized disclosures.

Breach Notification Rule

Any PHI use or disclosure that isn’t permitted under the Privacy Rule is considered a breach. When a breach occurs, Covered Entities are required to notify affected individuals.

Whether or not you are required to comply with this rule, you can help your Covered Entity customers maintain their compliance by monitoring any impermissible use or disclosure of PHI, and promptly notifying affected parties when a breach is detected. Being transparent is a great way to build trust with your customers.

Omnibus Rule

The HIPAA Omnibus Rule, which became effective in 2013, contains modifications and edits to the Security, Privacy, and Breach Notification Rules and their enforcement. These modifications are intended to enhance confidentiality and security in data sharing and strengthen the protection of protected health information, especially in electronic form.

One major change is that the Omnibus rule makes Business Associates and Subcontractors liable for non-compliance with HIPAA.

How do I know if HIPAA applies to me?

By law, if you are a Covered Entity, you are required to be compliant with the Privacy, Security, and Breach Notification Rules.

If you are a Business Associate, you are only required to be compliant with the Security Rule. However, if you’re working with a Covered Entity (or want to), you need to show reasonable proof that you’re able to safeguard the PHI you receive or create on behalf of the Covered Entity.

A Handy-Dandy Cheat Sheet

That’s a lot to take in. If your head is spinning a little, just identify what type of organization you are and follow this table:

Organization         Security Rule   Privacy Rule   Breach Notification Rule   Signing BAA*
Covered Entity       Required        Required       Required
Business Associate   Required        Optional       Optional                   Required (with Covered Entity)
Subcontractor        Optional        Optional       Optional                   Required (with Business Associate)

How do I prove compliance?

HIPAA does not require an assessment to be performed, and there is no such thing as an official HIPAA certification: there is no standard or implementation specification that requires a covered entity to “certify” compliance, and the OCR does not endorse or recognize the “certifications” offered by private organizations. The regulating body does not care whether a HIPAA assessment is performed internally or by an external organization, as long as it is completed. Being evaluated by an independent third party is ideal, but some organizations choose to manage compliance internally, and that is fine.

If you are seeking to demonstrate HIPAA compliance to your customers and potential customers, there are several options you can consider:

  1. A self-assessment against the HIPAA requirements.
  2. An independent HIPAA gap assessment performed by a consultant.
  3. An independent HIPAA compliance attestation report.

Even though it’s not required, an attestation report holds more weight than a self-assessment, so consider choosing attestation if you need to demonstrate the highest level of compliance.

What is a HIPAA violation?

Even after you’ve successfully completed an audit, there is a possibility that you may violate one of the HIPAA rules. A HIPAA violation is the failure to comply with any of the standards outlined in the rules.

The top five common violations that we see in the digital space are:

  • Failure to conduct a risk analysis
  • Failure to provide HIPAA and Security Awareness training
  • Failure to maintain and monitor PHI access logs
  • Failure to terminate access rights to PHI when no longer required
  • Failure to document compliance efforts

What is the cost of a HIPAA violation?

HIPAA penalties apply to Covered Entities and Business Associates alike. The OCR currently uses a four-tier system to gauge the level of non-compliance and determine whether financial penalties are to be levied.

Tier 1: Organizations in this tier have made a reasonable amount of effort to comply with HIPAA, but they did not know about a breach. Financial penalties can range from $100 to $50,000 per violation, with a maximum penalty of $25,000 per year.

Tier 2: Organizations in this tier have made a reasonable amount of effort to comply with HIPAA and were aware, or should have been aware, that a breach occurred. Financial penalties can range from $1,000 to $50,000 per violation, with a maximum penalty of $100,000 per year.

Tier 3: A breach occurred as a result of “willful neglect” on the organization’s part, but attempts have been made to correct the violation. Financial penalties for organizations in this tier are $10,000 to $50,000 per violation, with a maximum penalty of $250,000 per year.

Tier 4: A breach has occurred as a result of willful neglect, but no attempts have been made to correct the violation. The financial penalty for organizations that fall into this tier is $50,000 per violation, with a maximum penalty of $1.5 million per year.

What do I do when I become aware of a breach, and how does this affect my compliance status?

Under the HIPAA Breach Notification Rule, you are required to notify relevant parties of any breach. As a first step, you should evaluate the severity of the breach. Once you have the full picture, you have 60 days to notify affected individuals, the OCR, and any other relevant parties. It’s important to note that you must provide these notifications even if you are unsure whether PHI is compromised. Any violations of the HIPAA Breach Notification Rule will result in financial penalties and noncompliance. The OCR publishes a list of cases currently under investigation, and you need to make sure to never be on it.

Complying with HIPAA standards, rules, and regulations is an ongoing effort that requires careful monitoring of your information security program against known, suspected, and unknown threats. Maintaining continuous compliance helps you build trust with your customers, proving that safeguarding their information is in your best interest as well as theirs.

And you’re in luck — it just so happens that continuous compliance is what we do.

What will this cost me?

Traditionally, a HIPAA security rule audit can cost anywhere from $20,000 to $100,000 when you factor in the cost of the audit firm as well as internal costs including productivity, staff training, and resources needed to meet specific requirements.

At TrustCloud, we believe compliance shouldn’t cost an arm and a leg. TrustCloud wants to make the readiness and audit processes both affordable and simple. So the cost is broken down into two areas:

  1. Cost of HIPAA Security Rule compliance readiness using the TrustCloud platform: FREE for startups! By automating much of the process and providing a transparent and straightforward pricing structure, we make it easier for you to manage the overall cost of achieving HIPAA readiness.
  2. An auditor. We’ve developed strong relationships with a number of audit firms. This means they are trained on the platform and know how to evaluate your business, and they are also able to pass along sizable discounts as a result of a referral from TrustCloud. HIPAA audit partners in the TrustCloud network charge between $15,000 and $50,000 for HIPAA audits, based on the maturity and complexity of the engagement.

How long is the HIPAA process going to take?

Without TrustCloud, you would be looking at a very manual and tedious process that could take up to a year. During this time, you would need to understand each requirement and how it applies to your business, conduct the necessary testing, accumulate all the evidence proving your compliance in a single location, and draft the right documentation. This estimate doesn’t include the time an auditor needs to evaluate your business and observe your practices.

Click on the next article to understand how to get started with HIPAA!
