The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. law designed to protect individual privacy by establishing national standards for maintaining sensitive patient health information and medical records. HIPAA compliance rules incorporate requirements from several other legislative acts, including the Public Health Service Act and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
In this article, we give an in-depth view of HIPAA requirements and provide all the details your organization needs to know from an IT security perspective to ensure HIPAA compliance. To learn more about compliance best practices, check out the HIPAA Compliance Checklist.
What Is HIPAA Compliance?
HIPAA compliance requirements set standards for protecting electronic patient health and medical data. Lawmakers established HIPAA to meet several core goals:
- Improve healthcare.
- Protect patient privacy.
- Require entities to provide medical records to patients upon request.
- Improve health insurance portability.
- Ensure patients are notified in the event of health data breaches.
The U.S. Department of Health and Human Services (HHS) oversees HIPAA, and the HHS Office for Civil Rights (OCR) periodically conducts HIPAA audits to assess compliance.
What Is Protected Health Information (PHI)?
To comply with HIPAA, an organization must have appropriate data security measures in place for protected health information.
Protected health information (PHI) is any personally identifiable health information that is transmitted or stored electronically, on paper or verbally. PHI includes any information about an individual that relates to their past, present or future health; details of health care treatments; and payment information that can identify the individual. Examples of PHI include:
- Social Security number
- Dates of birth, death or treatment, and other dates relating to patient care
- Contact information
- Medical record numbers
Who Must Comply with HIPAA?
HIPAA regulates information for two groups that handle patient healthcare data:
- Covered entities
- Business associates
What Is a Covered Entity?
A covered entity is a person or organization that processes and holds PHI for customers. Examples include doctors, pharmacies, nursing homes, clinics and health insurance companies.
However, not every organization that deals with health information is considered a covered entity. One example is a research organization that does not provide healthcare services and does not transmit healthcare information in connection with any transaction covered by a HIPAA regulation.
What Is a Business Associate?
A business associate is an organization that provides services to covered entities to assist with healthcare activities and functions. Covered entities may disclose PHI to business associates for assistance with healthcare functions but not for the business associate’s independent purposes or use.
In general, a business associate agreement or contract is necessary when establishing a relationship between a covered entity and a business associate. In some cases, however, an agreement is not needed, so it’s necessary for organizations to do their own research.
How HIPAA Protects Patient Privacy
HIPAA’s primary form of patient protection is its Privacy Rule. The HIPAA Privacy Rule provides standards for the use and disclosure of individuals’ health information. It also sets standards for patients’ privacy rights and controls over the use of their health information.
Patients’ Right to Access their PHI
Individual patients have the right to access their own health information under the Privacy Rule. Individuals can also designate who else can see their PHI with written and signed documentation.
When a patient requests PHI, information is typically delivered in a designated record set, which contains:
- Billing and medical records like lab test results, treatment records and X-rays
- Claims, enrollment and payment information for the patient’s health plan
- Other records used for making decisions about the patient
Some information is excluded from the designated record set, since the information wasn’t used to make decisions. This includes data regarding:
- Patient safety records
- Quality control information
- Information gathered for legal proceedings
Fulfilling PHI Requests
A covered entity might require PHI requests in writing or through electronic communications like email or a web portal. Covered entities may not impose unreasonable measures for requests or identity verification, nor may they unreasonably delay a patient from obtaining access.
Requests can be fulfilled in paper or electronic format, depending on what information was requested. A covered entity must provide the requested information within 30 calendar days of the request.
A covered entity can charge fees to recoup costs incurred from:
- Creating copies
- Purchasing supplies for the request
- Preparing summaries of PHI, if agreed to by the individual
In certain cases, a covered entity will deny a PHI request. These circumstances can include:
- Psychotherapy notes
- PHI that is part of an in-progress research study
- Situations when access is reasonably likely to cause harm to someone
EHR Security and Privacy
In September 2013, legislators incorporated the HITECH Act into HIPAA with the Omnibus Rule. The HITECH Act was designed to encourage healthcare providers to use electronic health records (EHRs), also known as electronic protected health information (ePHI). The HITECH Act also stipulated that entities found to not be in HIPAA compliance could be subject to substantial fines.
HIPAA Standard Transactions
HITECH addresses standard transactions in the Transaction and Code Set Rule (TCS). The TCS rule adopts standards for the electronic transmission of healthcare data between providers, health insurers and health insurance customers.
Security Management for HIPAA
The HIPAA Security Rule
To ensure data security for EHRs, the HIPAA Security Rule established safety standards for covered entities and business associates. According to the rule, covered entities must:
- Ensure the confidentiality, integrity and availability of all ePHI they create, receive, maintain or transmit.
- Identify and protect against reasonably anticipated threats to the security or integrity of the information.
- Protect against reasonably anticipated, impermissible uses or disclosures.
- Ensure compliance by their workforce.
To ensure compliance with the HIPAA Security Rule, an organization can follow guidelines established by the National Institute of Standards and Technology (NIST), which include controls and policy recommendations for organizations to implement for HIPAA compliance.
NIST outlines three categories of EHR safeguards:
- Administrative safeguards
- Technical safeguards
- Physical safeguards
These safeguards can be required (must be implemented) or addressable (should be implemented if reasonable and appropriate for the environment).
Administrative safeguards:
- Security management process: Use systems to detect, prevent, contain and correct security violations.
- Assigned security responsibility: Designate an official responsible for the development and implementation of security policies and procedures.
- Workforce security: Grant ePHI access only to employees who need it and prevent unauthorized users from gaining access.
- Information access management: Use security systems for authorizing access to ePHI.
- Security awareness and training: Train all employees on data security practices and awareness.
- Security incident procedures: Establish protocols for handling security incidents.
- Contingency plans: Develop emergency management plans for system damage.
- Evaluation: Perform periodic system evaluations to gauge data security and reliability.
Technical safeguards:
- Access control: Allow access only to individuals or software programs that have been granted access rights.
- Audit controls: Use systems that record and examine activity regarding ePHI.
- Integrity: Establish ways to prevent mishandling of
- Person or entity authentication: Use security systems with robust verification measures.
- Transmission security: Implement security measures to guard against unauthorized ePHI access during electronic transmission.
Physical safeguards:
- Facility access control: Limit physical access to systems holding ePHI.
- Workstation use: Establish workflows and configuration requirements for workstations where ePHI is accessed.
- Workstation security: Restrict workstation use to authorized users.
- Device and media control: Govern the receipt and removal of hardware and media containing ePHI.
Data Risk Analysis
NIST guidance on data risk analysis has multiple steps, which include:
- Identifying vulnerabilities and threats.
- Assessing current data security.
- Determining threat likelihood and potential impacts.
Cost of HIPAA Violations
A breach is any unauthorized use or disclosure of PHI under the Privacy Rule. In some cases, an organization can demonstrate a low probability of compromised PHI based on a risk analysis.
If a data breach occurs, an organization must notify affected individuals by mail or email, alert the media, and file a report to the HHS Secretary through an online form — all within 60 days.
HIPAA Penalties and Fines
When breaches result in HIPAA violations, the HIPAA Enforcement Rule governs investigations, hearings and penalties. Common causes of HIPAA penalties include non-encrypted devices being lost or stolen, lack of employee training, database breaches, and office gossip about patient information.
The HITECH Act outlines four levels of fines for violations:
- Tier A: Violation where a person or entity did not know they committed a violation.
- Tier B: Violation of reasonable cause but not willful neglect.
- Tier C: Violation due to willful neglect but the person or entity can amend the situation.
- Tier D: Tier C violation where the situation is not amended within 30 days.
Recent enforcement examples include:
- In September 2020, Premera Blue Cross was fined $6,850,000 to settle a data breach affecting over 6 million individuals.
- In July 2020, Lifespan Health System was fined over $1 million for a stolen laptop that was not encrypted.
- In October 2019, Elite Dental Associates was fined $10,000 for disclosure of patient information over social media.