The Health Insurance Portability and Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, is designed to keep individuals’ medical information and health records safe. Healthcare organizations must ensure HIPAA compliance, even — perhaps especially — during the current global pandemic.
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) is exercising its enforcement discretion during the COVID-19 health emergency and will not impose penalties for certain violations made in good faith. Nevertheless, HIPAA rules remain in effect and any entity found to be noncompliant will still face financial penalties.
This article details the key HIPAA and HITECH requirements and provide a handy checklist so you can make sure your business is HIPAA-compliant and avoid landing in the data breach headlines.
Key HIPAA Provisions
Entities required to comply with HIPAA include:
- Healthcare providers
- Health plans
- Healthcare clearinghouses
Covered organizations must ensure the privacy and data security of protected health information (PHI). Examples of PHI include:
- Full face photos and comparable images
- Biometric identifiers
- Email addresses
- Telephone numbers
- FAX numbers
- Geographic data
- Social Security numbers
- Medical record numbers
- Account numbers
- Health plan beneficiary numbers
- Certificate and license numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- Dates, except year
- IP addresses
- Web URLs
- Any unique identifying number or code
HIPAA Privacy Rule
The HIPAA Privacy Rule describes a set of standards that govern how PHI can be used and disclosed. Privacy Rule requirements include:
1. Privacy policies and procedures: Covered entities must develop and enact a set of policies and procedures to ensure the privacy of PHI.
2. Personnel: Covered entities must:
- Appoint a privacy official responsible for the development and administration of the entity’s privacy practices.
- Establish a point of contact that is responsible for receiving complaints and informing individuals about the entity’s privacy practices.
3. Workforce training and management: Covered entities must train all workforce members on privacy practices so that they may administer their functions in compliance with the Privacy Rule.
4. Mitigation: Covered entities must mitigate any harmful effects caused by use or disclosure of PHI that violates privacy policies or the HIPAA Privacy Rule.
5. Data safeguards: Covered entities must establish and maintain administrative, technical and physical safeguards to prevent both malicious and unintentional breaches of PHI.
6. Complaints: Covered entities must establish channels through which individuals can file complaints regarding privacy compliance.
7. Retaliation and waiver: Covered entities may not retaliate against an individual for:
- Exercising their rights as provisioned by the HIPAA Privacy Rule
- Aiding an investigation carried out by HHS or other relevant authorities
- Refusing to engage in any act believed to be in violation of the HIPAA Privacy Rule
8. Documentation and record retention: Covered entities must maintain all documentation created for the purpose of complying with Privacy Rule regulations (privacy policies and procedures, records of complaints, privacy practices notices, etc.) for at least six years after the creation or last effective date.
9. Exception: Fully insured group health plans are obliged to comply with requirements (7) and (8) only.
HIPAA Security Rule
The HIPAA Security Rule establishes guidelines that safeguard the integrity of electronic health records (EHR) and ensure they remain confidential and available. The National Institutes of Standards and Technology (NIST) has an established set of guidelines to help organizations develop security practices that comply with the HIPAA Security Rule.
In addition, organizations can use the CIA Triad, where “CIA” stands for these three components:
- Confidentiality: Ensure ePHI is not available or disclosed to unauthorized persons or processes.
- Integrity: Ensure ePHI is not altered or destroyed in an unauthorized
- Availability: Ensure ePHI is accessible and usable on demand by authorized persons.
HIPAA Security Rule requirements include the following types of protections for sensitive data:
- Technical safeguards: Access controls, audit controls, integrity controls, person/entity authentication, transmission security
- Physical safeguards: Facility access controls, workstation use, workstation security, device and media controls
- Administrative safeguards: Security management process, assigned security responsibility, workforce security, information access management, security awareness and training, security incident procedures, contingency plans, evaluation, business associate plans and other procedures
Organizations often distinguish “required” and “addressable” safeguards:
- Required safeguards must be followed to the letter; there is no room for interpretation.
- Addressable requirements afford organizations some flexibility to account for unique infrastructural or technical limitations — but they are not
The compliance checklist at the end of this article addresses each type of safeguard in detail and provides proven strategies for compliance.
HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule requires covered entities to notify certain parties when they suffer an unauthorized breach of PHI. Specifically, the HIPAA Breach Notification Rule requires:
- Individual notice: Covered entities are required to notify affected individuals upon discovering a PHI breach.
- Media notice: If a breach is found to have affected more than 500 residents of a state or jurisdiction, the covered entities responsible must notify prominent media outlets serving the state or jurisdiction.
- Notice to the Secretary: Covered entities must notify the Secretary upon discovering a PHI breach.
It is possible for entities to prove their due diligence and demonstrate low probability of PHI compromise based on adequate risk assessment procedures. For more on risk assessment, see the HIPAA risk assessment checklist at the end of this article.
HIPAA Enforcement Rule
The HIPAA Enforcement Rule establishes standards for how to investigate data breaches and outlines a tiered civil money penalty structure imposed on accountable parties.
HIPAA Omnibus Rule
The HIPAA Omnibus Rule:
- Establishes a tiered civil money penalty structure as required by HITECH
- Introduces changes to the harm threshold and includes the final rule on Breach Notification for Unsecured ePHI under the HITECH Act
- Modifies HIPAA to include provisions from the Genetic Information Nondiscrimination Act (GINA), which prohibits disclosure of genetic information for underwriting purposes
- Prevents use of PHI and personal identifiers for marketing purposes
HIPAA Omnibus Rule requirements include the following:
- New Business Associate Agreements (BAAs): Before employing the services of a Business Associate, entities must sign a new HIPAA-compliant
- Business Associate Agreement updates: Existing Business Associate Agreements must be updated to comply with the Omnibus Rule.
- Updated notices of privacy practices: NPPs must be updated to cover information required by the Omnibus Rule.
- Updated HIPAA staff training: Staff training on the Omnibus Rule amendments and definition changes must be provided and documented.
Key HITECH Provisions
The Health Information Technology for Economic and Clinical Health Act (HITECH) enhances HIPAA regulations by incentivizing providers to digitize medical and health records. The law penalizes failures to use electronic health records in meaningful ways and aims to encourage nationwide use of reliable, interoperable and secure electronic health data.
HIPAA Compliance Checklist
Here is a checklist to help your organization ensure compliance with HIPAA regulations.
1) Audits and Assessments
Regularly perform internal audits, security assessments and privacy audits to support data security:
- Determine which of the required annual audits and assessments are applicable to your organization, according to HIPAA Rule SP 800-66, Revision 1, using the NIST
- Conduct the required audits and assessments, analyze the results, and document any issues or deficiencies.
- Create and document thorough remediation plans to address those issues and deficiencies.
- Put the plans into action, review the results, and update the plan if the desired results were not achieved.
2) Risk Analysis
Regularly conduct a risk analysis in accordance with NIST guidelines:
- Perform entity-level risk assessment.
- Conduct risk assessments for systems that house ePHI.
- Develop and implement a risk management policy.
- Evaluate the likelihood and impact of potential risks to ePHI.
- Implement appropriate security measures for sensitive documents and identified risks.
- Establish security standards for best practices and maintenance.
3) Policies and Procedures
Make sure you have policies and procedures in place that follow the HIPAA Privacy Rule, the HIPAA Security Rule and the HIPAA Breach Notification Rule. Keep documentation for annual reviews. In particular, be sure to develop and implement:
- Privacy policies and procedures for data usage, routine and non-routine disclosures, limiting requests for sensitive data, and similar issues.
- Policies for business associates. Make sure to amend existing contracts and agreements to comply with HIPAA regulations. Obtain satisfactory assurances in contracts and document sanctions for non-compliance.
- Procedures and deadline requirements for handling access requests and complaints regarding privacy. Be sure to obtain written permission from patients before using or disclosing PHI for treatment, payment and healthcare operations.
4) Data Safeguards
Implement data safeguards to protect data integrity, availability and confidentiality.
- Integrity controls and auditing: Implement integrity controls to ensure quality and accurate data. Have auditing systems in place that will track file access and modifications and alert you to suspicious activity.
- Encryption: Encrypt ePHI when transmitting over external networks to meet NIST cryptographic standards.
- Access controls, authorization and authentication: Check that only appropriate entities have access to sensitive electronic records. Limit access to passwords and key codes.
- Document disposal: Shred sensitive documents before discarding them.
- Workstation security: Restrict workstations with access to ePHI to specified individuals. Have policies in place that govern how and when these workstations may be used.
- Mobile device and media controls: If ePHI can be accessed from mobile devices, establish policies that govern how to remove ePHI from a device if it is lost or stolen or its owner leaves the organization.
- Security awareness and training for employees: Educate employees on ePHI access governance and cybersecurity best practices, such as how to identify and report malware.
- Contingency plans: Craft a plan to preserve critical business operations during emergencies while still protecting the integrity and confidentiality of ePHI.
5) Employee Training and Communications
Provide adequate cybersecurity training to all employees and educate team members on the importance of HIPAA compliance:
- Distribute privacy policies and procedures to all staff members.
- Ensure all staff members read and attest to the HIPAA policies and procedures you have established.
- Check that all staff members have gone through basic HIPAA compliance training.
- Document all HIPAA compliance training and staff member attestation of HIPAA policies and procedures.
- Develop sanctions and disciplinary policies and procedures in case of privacy violations.
6) Designated Privacy Official
Make an individual or office responsible for privacy-related matters:
- Ensure that the designated HIPAA compliance officer conducts annual HIPAA training for all members of staff.
7) Business Associates
Regularly check that all business associates are in compliance with HIPAA regulations:
- Identify all business associates who may receive, transmit, maintain, process or have access to sensitive ePHI records.
- Ensure that a Business Associate Agreement is in place with each business associate.
- Annually review BAAs and assess HIPAA compliance.
- Prepare written reports to document and prove your due diligence regarding your business associates.
8) Breach Notification Process Checklist
Establish systems and procedures for security incidents or breaches:
- Track and manage investigations of any incidents that impact the security of PHI.
- Establish standards and guidelines for mitigation as well as disciplinary policies and procedures in case of a breach.
- Establish a method to report all breaches and incidents.
- Develop procedures for notifying patients, OCR and (when applicable) the media about breaches.
How to Maintain HIPAA Compliance
Compliance is an ongoing process, not a one-time event. Take extra precautions to monitor and secure your data. Recognize the importance of regular risk assessment, staff training and strong data governance to protect your organization and your clients.
1. Which organizations are subject to HIPAA?
Entities that must comply with HIPAA include:
- Healthcare providers
- Health plans
- Healthcare clearinghouses
2. What are the key steps in achieving HIPAA compliance?
- Conduct all required audits and assessments.
- Perform regular risk analysis.
- Establish and enforce all required policies and procedures.
Follow the checklist for more steps on ensuring HIPAA compliance for your organization.
3. Who has authority to enforce HIPAA compliance?
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) is responsible for enforcing HIPAA compliance.
4. What are the fines associated with violating HIPAA compliance requirements?
Fines for HIPAA violations can range from $100 to $50,000 per violation (or per record). The maximum penalty is $1.5 million per year for violations of the same provision.