The Health Insurance Portability and Accountability Act, known as HIPAA, outlines HIPAA compliance requirements concerning how information must be protected, as well as other aspects of acceptable behavior in the healthcare industry. It is of the utmost importance that HIPAA covered entities and their business partners perform their duties in line with the law, but what are the requirements for HIPAA compliance? How can covered entities ensure they follow the rules and remain compliant?
What is HIPAA Compliance?
HIPAA compliance, put simply, means acting in accordance with HIPAA and its associated Rules and Acts, such as the HIPAA Privacy Rule, the HIPAA Security Rule, The HIPAA Breach Notification Rule, the HIPAA Final Omnibus Rule, and the Health Information Technology for Economic and Clinical Health – HITECH – Act.
This is certainly quite a list of Rules and can seem intimidating. The complex nature of HIPAA is another area which some may find daunting. Compliance with HIPAA can be difficult to ensure due to the sometimes vague, sometimes very precise nature of the regulations. For our purposes, we will focus on some of the elements of the Privacy, Security, and Notification Rules that tend to cause the most confusion.
All HIPAA covered entities and their business associates must implement the administrative, technical, and physical safeguards called for by HIPAA’s Security Rule. Steps necessary to ensure the integrity of PHI in line with the HIPAA Privacy Rules must be in place. Should a breach occur, the organization must report the incident in the manner and within the time period established by the HIPAA Breach Notification Rule.
Risk, “Required”, and “Addressable” Specifications
Risk assessments that have been conducted by the organization to identify and categorize the risks they face must be documented. An area related to risk assessments that causes some confusion is the difference between required and addressable implementation specifications under the HIPAA Security Rule.
At its most basic level, this means that certain “required” features or elements are non-negotiable and must be implemented as described in the HIPAA text. There is typically sufficient detail in the law for organizations to clearly know whether they have met the necessary standard or not. “Addressable” specifications are not optional per se, but, as noted by the Department of Health and Human Services on their website, their purpose is to “provide covered entities additional flexibility with respect to compliance with the security standards”. This puts a certain responsibility on the covered entity as they “must decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework”. The documented risk assessment study will allow organizations to determine what is prudent and applicable to their own situations. This also forms the explanation for decisions taken on addressable specifications, which can be provided to auditors on request.
Addressable specifications allow HIPAA to remain up-to-date without calling for continual revisions. Written legislation may be too slow to keep pace with technology and practices, but by requiring covered entities to take responsibility that their tools and procedures are in compliance with HIPAA, risks to PHI can be avoided.
The HIPAA Security Rule
Above, we mentioned the technical, physical, and administrative safeguards called for by the HIPAA Security Rule. Here, we examine these in more detail.
Technical safeguards relate to technology and how electronic protected health information (ePHI) is protected and accessed. HIPAA stipulates that ePHI that is stored or shared beyond an organization’s firewall is required to be encrypted to NIST standards. This means that any data that is intercepted would be unreadable, undecipherable and unusable. Organizations then must apply a range of addressable and required safeguards to other technical areas dealing with PHI, such as:
- Implementing a means of access control (required)
- Introducing a mechanism to authenticate ePHI (addressable)
- Implementing tools for encryption and decryption (addressable)
- Introducing activity audit controls (required)
- Facilitating automatic logoff (addressable)
Where Technical safeguards deal mainly with the digital aspects, Physical safeguards are more related to real world security. Among the physical safeguards are elements of facility access management, mobile devices, and workstation layout:
- Implementation of facility access controls (addressable)
- Development of policies relating to workstation use (required)
- Development of policies and procedures for mobile devices (required)
- Inventory of hardware (addressable)
Administrative safeguards cover the more day-to-day operational and procedural issues. Elements of the Security Rule and the HIPAA Privacy Rule are combined in the administrative safeguards. They also include provisions for Privacy and Security Officers to be appointed, risk assessments to be conducted, and other processes to be implemented. The administrative safeguards call for:
- Conducting risk assessments (required)
- Introducing a risk management policy (required)
- Training employees to be secure (addressable)
- Developing a contingency plan (required)
- Testing the contingency plan (addressable)
- Restricting third-party access (required)
- Reporting security incidents (addressable)
The HIPAA Privacy Rule
The HIPAA Privacy Rule requires sufficient protections are put in place to ensure the privacy and safety of PHI. Among other things, it regulates when PHI can legally be shared and gives patients access to their PHI on request. As mentioned, there is some crossover between the Privacy Rule and the Security Rule’s standards, particularly in relation to training employees and maintaining the integrity of PHI. Importantly, the Privacy Rule gives more control to patients on when their PHI is disclosed, for example to health plans or schools.
Organizations often fail to respond to patient request within the required 30 day period, which is a HIPAA violation. Confusion around when and how PHI can be shared or disclosed is another aea where covered entities are often out of compliance with HIPAA
The HIPAA Breach Notification Rule
As might be assumed from the title, this Rule relates to how and when parties are notified of breaches to PHI. In all cases, patients must be notified of breaches within 60 days of the discovery of a breach. The Department of Health and Human Services’ Office for Civil Rights (OCR) must also be notified, however a distinction is made between breaches affecting fewer or greater than 500 people, with more time being given for smaller breaches to be reported, something which may lead to confusion and further HIPAA violationsby healthcare organizations.
The Rule describes the information which must be included in breach notifications to patients, outlined here:
- The nature of the ePHI involved
- The unauthorized person who used the ePHI or to whom the disclosure was made (if known)
- Whether the ePHI was actually acquired or viewed (if known)
- By how much the risk of damage has been addressed or reduced
Mastering and ensuring compliance with these three Rules will go a long way to ensuring compliance with HIPAA as a whole. Covered entities should make note of the requirements set out by these Rules as the first steps in checking or designing HIPAA compliance for their organization.