What is HIPAA Compliance?
If you conduct an online search for “What is HIPAA compliance?”, many results provide only a partial definition of HIPAA compliance. This may be because the articles were published some time ago – i.e. prior to the release of the HIPAA Omnibus Final Rule – or because they are published by vendors to support their products and services.
A partial definition of HIPAA Compliance is acceptable if the article resolves a specific issue you have discovered in a risk assessment. However, if you know very little about the complexities of HIPAA and need an answer to the question “What is HIPAA compliance?” the information provided by partial articles may guide you towards partial compliance rather than total HIPAA compliance.
Total HIPAA compliance consists of compliance with three specific “rules” – the HIPAA Privacy Rule, the HIPAA Security Rule and the HIPAA Breach Notification Rule. Organizations and individuals subject to the HIPAA rules must also be aware of the HITECH Act (2009) and the Final Omnibus Rule of 2013, plus the HIPAA Enforcement Rule which relates to the penalties for failing to comply with HIPAA.
Who Does HIPAA Apply To?
HIPAA applies to any “covered” organization or individual who transmits “Protected Health Information” (PHI) electronically in connection with a transaction that the Department of Health and Human Services has published standards for. The standards can be found in 45 CFR Part 162 of the HIPAA Administrative Simplification Regulations.
If an organization or individual is subject to HIPAA compliance, they are either a “Covered Entity” or a “Business Associate”. A Covered Entity is an organization or individual that maintains patient healthcare or payment information, or would reasonably be expected to come into contact with PHI in the course of their daily activities – typically healthcare providers, health plans and healthcare clearinghouses.
A Business Associate is an organization or individual who does not maintain PHI as their core activity, but comes into contact with PHI when they perform a service for a Covered Entity. Examples of Business Associates include software providers, storage and collection agencies, message answering services, non-employed consultants and cleaning services. Subcontractors may also be Business Associates.
The First Step to Achieving HIPAA Compliance
The first step to achieving HIPAA compliance involves appointing a Privacy Officer and a Security Officer. In some smaller organizations the roles are performed by the same individual. The roles can also be outsourced to third-party consultants on a temporary or permanent basis. The key responsibilities of Privacy and Security Officers are closely related:
- Conduct risk assessments to identify the potential vulnerabilities and risks to the confidentiality, availability and integrity of PHI.
- Develop policies and procedures to address the potential vulnerabilities and risks, including a sanctions policy for HIPAA compliance violations.
- Train employees on the policies and procedures – advising them of the permitted uses and disclosures of PHI, and the sanctions for HIPAA compliance violations.
- Conduct due diligence on Business Associates and manage Business Associate Agreements to ensure the integrity of PHI when health information is shared with a third party.
- Investigate and report unauthorized disclosures of PHI, reporting them to the affected patient(s), the Department of Health & Human Services, and the media when necessary.
All of the above are ongoing responsibilities. Risk assessments – with potentially revised policies and procedures – have to be conducted whenever there is a change in working practices or when new technology is introduced. HIPAA states that training must be annual – although more frequent training is recommended – and Business Associate Agreements should be reviewed periodically.
The Privacy, Security and Breach Notification Rules
The HIPAA regulations with which Covered Entities and Business Associates must comply are found in the Privacy, Security and Breach Notification Rules. Not every element of the Privacy and Security Rules will apply to every organization or individual. However, every Covered Entity and Business Associate must comply fully with the HIPAA Breach Notification Rule.
The HIPAA Privacy Rule
The HIPAA Privacy Rule sets limits and conditions on permissible uses and disclosures of PHI. It stipulates what constitutes PHI, who has a responsibility to protect it, and when PHI can be used or disclosed without a patient’s consent. The Privacy Rule also gives patients access rights to health or payment information held about them, and the right to correct any errors.
The HIPAA Privacy Rule applies to PHI in any format. This can include patient records kept on paper, dictated notes, conversations, x-rays and scan results. Some articles about HIPAA compliance ignore this important area – focusing instead on electronic PHI (ePHI). However, total HIPAA compliance requires that every element of the HIPAA Privacy Rule is adhered to where applicable.
The HIPAA Security Rule
By comparison, the HIPAA Security Rule relates exclusively to electronic PHI. The majority of the Security Rule consists of the administrative, technical and physical safeguards Covered Entities and Business Associates should adopt in order to protect against the unauthorized disclosure of PHI in transit or at rest. These include building security, access controls and device security.
Within the administrative safeguards is an important area of HIPAA compliance that is often overlooked – contingency planning. If an organization or individual complies with every other element of HIPAA but fails to implement a data back-up plan, a disaster recovery plan or an emergency mode operation plan, they will still be in violation of HIPAA – even if there is no breach of PHI.
The HIPAA Breach Notification Rule
Despite the efforts made to comply with HIPAA, there is always the chance that an unauthorized disclosure of PHI will occur. In these circumstances, it will be necessary for Covered Entities to report the breach to the affected patient(s), the Department of Health & Human Services, and the media within sixty days of the discovery of the breach, unless it can be proven the PHI was not compromised.
If, for example, the breach concerned electronic PHI that had been encrypted, the PHI would be considered of no value to anybody who found or stole it. Breaches committed by Business Associates must be reported to the Covered Entity within sixty days, who must then report the breach to the affected patients and Department of Health & Human Services.
HITECH, the Final Omnibus Rule and the Enforcement Rule
HITECH, the Final Omnibus Rule of 2013 and the HIPAA Enforcement Rule all had significant implications for HIPAA compliance. The HITECH Act – the Health Information Technology for Economic and Clinical Health Act – applied the same legal requirements to protect PHI to Business Associates as already applied to Covered Entities, and increased the financial penalties that could be issued for a breach of PHI.
The Final Omnibus Rule of 2013 included updates to the HIPAA Security Rule and Breach Notification Rule – the most significant one being that, in order to avoid a fine for a breach of PHI, Covered Entities and Business Associates had to prove that no harm had resulted from the breach. Previously the onus had been on the Department of Health & Social Security to prove harm had occurred.
Although the HIPAA Enforcement Rule dates back to 2006, it was given teeth by the passage of HITECH and the Final Omnibus Rule. In addition to being able to issue fines for breaches of PHI, the Department of Health & Human Services is also now able to issue fines for failings in HIPAA compliance found via its audit program and investigations. This is why total HIPAA compliance is essential.