HIPAA Compliance Guide for Business
When handling personal healthcare information, HIPAA compliance is a must for your business and your client’s privacy.
What is HIPAA compliance? HIPAA compliance follows the Health Insurance Portability and Accountability Act, which specifies the regulations required of individuals and entities that handle protected health information.
What Is HIPAA?
The Health Insurance Portability and Accountability Act is a 1996 law passed by Congress to address national standards around protecting private health information. Before this law, there were no nationwide standards for securing patient information. HIPAA was prompted by a concern in Congress that this kind of information was too important to leave outside of oversight and regulation.
Signed into law by President Bill Clinton on August 21, 1996, HIPAA sets certain requirements and standards for healthcare provider behaviors. These include some basic regulations:
- Healthcare providers must not disclose patient information to third parties under any circumstances outside of explicit patient permission.
- Providers must also implement proper security measures to ensure that patient information is not disclosed in treatment or business operations.
- Traditional paper records must be replaced with 100% digital record-keeping (and appropriate security controls) with the addition of the HITECH Act in 2009.
To govern the healthcare industry, the government sets in place a few basic definitions:
- Protected Health Information: PHI is the cornerstone of all regulations and represents identifiable information about a patient relating to their treatment or payment thereof. It can include medical information, doctor’s notes, pharmacy information, and personal information, such as addresses and payment information rendered as part of treatment. PHI must be protected by healthcare providers through technical and administrative controls. It must never be disclosed by providers without direct patient permission.
- Covered Entities: Covered entities are the regulated organizations in the healthcare industry, subject to governance and penalties under HIPAA. CEs include hospitals, insurance companies, doctors’ offices, and private practices.
- Business Associates: The vendors and third-party partners of CEs that provide services like payment processing, cloud applications, and file storage are business associates. BAs do not work directly with patients, but they provide services that handle PHI. Under modern HIPAA law, BAs are just as responsible for compliance as CEs. This liability is codified in business associate agreements, the contracts that are required between CEs and BAs.
What Are HIPAA Compliance Requirements?
Like any other framework, HIPAA has a series of compliance requirements that CEs and BAs must meet. These requirements are broken down under a few major rules that include the following:
- The Privacy Rule: The Privacy Rule is the backbone of healthcare regulations, stating the basic requirements of CEs and BAs to protect the privacy of their patients. Primarily, these organizations are prohibited from disclosing PHI except under very specific circumstances.
- The Security Rule: The Security Rule outlines the security requirements for CEs and BAs under HIPAA. This rule includes guidelines for the technical, administrative, and physical controls organizations must use to protect PHI.
- The Breach Notification Rule: If a CE’s or BA’s system is breached and PHI is disclosed, these organizations have specific obligations to the public, their patients, and the government regarding how they notify them about it and the steps they take to mitigate the issue.
- The Omnibus Rule: The Omnibus Rule, added to HIPAA in 2013, updated much of the language in HIPAA to address modern challenges. Notably, it also restructured the Breach Notification Rule to better handle notifications. It added expanded requirements and obligations for BAs working with PHI.
What Are the Security Requirements for the HIPAA Security Rule?
The Security Rule governs the technical, administrative, and physical aspects of PHI protection:
- Technical: Pertaining to security controls and measures like encryption, firewalls, malware protection, network configurations, email, application security, HIPAA-compliant file sharing, etc.
- Administrative: Pertaining to the policies, procedures, and programs in place to maintain and further security efforts, including risk management, training and continuing education, and data governance.
- Physical: Pertaining to location and device protections like cameras and locks on data centers and offices and protections on workstations and mobile devices.
At the heart of these rules are guidelines rather than blueprints. For example, technical security requirements are not specified at a software or version level. Instead, the rule specifies requirements based on best-available and legitimately secure technologies.
Administrative security is often the least concrete of these requirements, however. Organizations need to understand the Security Management Process of administrative controls:
- Risk Analysis: CEs and BAs must conduct accurate and thorough assessments of potential risks and vulnerabilities to PHI.
- Risk Management: Organizations must use risk analysis to inform management policies to manage, mitigate, and reduce risks and vulnerabilities to PHI.
- Sanction Policy: Organizations must have specific policies for sanctions applying to employees that break compliance.
- Information System Activity Review: Organizations must regularly review audit logs, reports, access reports, and security incident reports to inform risk assessment and optimization. Risk assessment means measuring and addressing potential risk in IT infrastructure and building policies around those findings.
These requirements also include policies for retaining patient data for a certain period of time, depending on the information and its use.
Furthermore, physical controls are often the most overlooked in an increasingly mobile world. For example, in 2017, Concentra Health Services paid roughly $1.7 million to settle violations involving a stolen laptop that had not been secured, which exposed PHI. Under HIPAA, employees must control and manage devices and secure those devices against physical access, and all data centers containing PHI must have physical locks and monitoring in place. Finally, any physical media containing PHI must be properly disposed of so that no remaining PHI can be recovered from it.
What Are Requirements Under the Breach Notification Rule?
Compliance includes how a CE or a BA must respond to a HIPAA breach. Namely, these organizations must have in place a plan that allows for widespread notification of affected parties.
Requirements for compliance under the Breach Notification Rule include the following:
- Organizations must notify individuals affected by data breaches. This notification must come in the form of First-Class mail or email (if authorized by the patient). If the organization has out-of-date contact information for ten or more affected patients, it must also post breach notifications on its website for at least 90 days, including a toll-free information number.
- For breaches that affect 500 patients within a single jurisdiction, the organization must additionally notify prominent media outlets in the form of a press release no later than 60 days from the discovery of the breach.
- In all cases, the organization must notify the office of the Secretary of Health and Human Services (HHS). If the breach affects more than 500 patients, it must do so within 60 days. If it is under 500 patients, the organization may provide breach notifications annually.
- Business Associates must notify partner CEs of any breaches within 60 days of discovery.
- Both CEs and BAs must prove that they have complied with these requirements.
Maintaining HIPAA Compliance With Secure Technology
HIPAA is one of the most stringent compliance regulations in the United States, and organizations working in healthcare as Covered Entities or Business Associates must meet its requirements without fail. These regulations apply to all technology and practices, so it is crucial for organizations to use compliant technology.
For sensitive content sent via email, file sharing, managed file transfer, application programming interfaces (APIs), and web forms, Kiteworks provides comprehensive governance, compliance, and security. Schedule a custom-tailored demo to learn more.