The Health Insurance Portability and Accountability Act (HIPAA)
What is HIPAA Compliance?
The Health Insurance Portability and Accountability Act (HIPAA) is a piece of legislation established to protect the confidentiality of Protected Health Information (PHI). It is the primary federal law for protecting confidential medical information. The laws set fourth by HIPAA only apply to Covered Entities (CEs) and their Business Associates (BAs). As such, HIPAA law requires that these entitles implement and maintain technical, administrative, and physical safeguards to protect sensitive data.
The Privacy and Security Rule
There are three general rules outlined under HIPAA, The Privacy Rule, The Security Rule, and The Breach Notification Rule. The two rules that are the most relevant to data security, however, are The Privacy and Security Rule.
The Privacy Rule:
Did you know that 41% of Americans have never seen their medical records? Moreover, 27% of people are unaware of their right to a copy of that medical information.
The purpose of The Privacy Rule is to give patient’s positive control over what legally belongs to them. Therefore, The Privacy Rule defines what data is sensitive, who can access it, and what rights a patient has regarding that data. It applies to doctors, insurers, and their contractors.
Moreover, a patient has the right to access and change their medical records as per HIPAA’s Privacy Rule.
The Security Rule:
While The Privacy Rule defines what kind of medical information is protected, The Security Rule defines how that medical information needs to be protected. It a set of standards and security measures HIPAA covered entities are required to follow to protect health information. Although standards for securing data may vary- The Security Rule is ultimately enforced to minimize the risk of data breaches.
What is Protected Health Information (PHI)?
To define HIPAA compliance, understanding what Protected Health Information (PHI) means first is crucial. Before a a patient receives medical care, healthcare organizations need to collect a plethora of confidential information from them. This information is personal, but necessary for a physician to know so they can provide proper patient care. It can include a patient’s full name, birthdate, SSN, physical address, employment information, and detailed medical history.
These factors make a patient’s medical information personally identifiable and as such, are protected under HIPAA. Storing this data securely through encryption and access controls is a necessary standard all HIPAA covered entities must comply with.
HIPAA Covered Entities
HIPAA regulations apply exclusively to Covered Entities (CE) and Business Associates (BA). A CE is any kind of healthcare provider or insurance organization that comes into contact with PHI.
A BA, on the other hand, is not directly related to a healthcare organization. Rather, it is a third-party business that provides a service on behalf of a healthcare organization. As a result, the BA may come into contact with PHI while conducting a service for the CE.
To maintain HIPAA compliance, both parties will need to sign a Business Associate Agreement (BAA). This is a legally binding contract that ensures HIPAA compliance is maintained.
Who Enforces HIPAA Compliance?
The HIPAA Privacy and Security Rules are enforced by the Office for Civil Rights (OCR). This is a branch of the Department of Health and Human Services (HHS). Even though the OCR is the primary enforcer of HIPAA laws, other branches of government can also interfere.
In 2009, the HITECH Act gave state attorney’s general the authority to bring civil lawsuits against healthcare organizations that violate HIPAA.
In addition to overseeing the national standard for data security, the OCR will also investigate complaints for non-HIPAA compliance. Every year, the HHS Office for Civil Rights conducts 3,000 audits for HIPAA compliance. That number will continue to increase as they receive additional funding.
What is a Key to Success for HIPAA Compliance?
HIPAA laws are enforced to positively regulate how healthcare data shared is used. This includes secure emails, HIPAA compliant telehealth, HIPAA compliant cloud storage, etc. Implementing tactics such as encryption and access controls is the best way to maintain HIPAA compliance within your healthcare organization. It will not only make audits from the OCR seamless, but also establish a strong reputation or your medical practice.
Want to take a deep dive into Health Information Privacy? Click Here
HIPAA Compliance FAQs
Q. What is the key to success for HIPAA compliance?
The key to success for HIPAA compliance is to follow the technical, administrative, and physical safeguards outlined under HIPAA laws. These safeguards were set in place to maintain the integrity of a patient’s private medical information. There are a few different ways you, as a HIPAA covered entity, can do this. Encrypting data, for example, is an advanced cyber security tactic that strips PHI of all identifiable factors. Should a hacker gain access to your PHI, encryption renders this data useless. Data encryption is considered to be one of the most effective ways to protect sensitive data because once data is encrypted, it cannot be reversed without the decryption key. Access controls like strong passwords and multi-factor authentication are also ways you can monitor who is handling your sensitive data. Strong passwords should be complex and updated on a consistent basis. In addition to a strong password, multi-factor authentication is highly effective when securing confidential information because it requires a user to verify their identity even if have proper log in credentials. Working with a company that specializes in HIPAA compliant data security company takes the weight of securing data off your shoulders so you can focus on providing your valued patients with quality care.
Q. When does state privacy law supersede HIPAA?
HIPAA laws should be considered the floor, not the ceiling, in regards to privacy and security. This means that HIPAA laws outline the minimum necessary requirements HIPAA covered entities must comply with to secure Protected Health Information (PHI). HIPAA is a federal law. As such, if there is state law that is more extensive than HIPAA laws, then the state law will take precedence in that case. The California Confidentiality of Medical Information Act (CMIA), for example, has more stringent requirements for protecting medical information than HIPAA does. In this case, HIPAA covered entities in California must adhere to the requirements under The CMIA. However, if a state law conflicts with federal legislation, federal law will typically take precedent.
Q. Who enforces HIPAA?
HIPAA laws are enforced by the Office of Civil Rights (OCR). This is a branch for the Department of Health and Human Services (HHS). They investigate complaints regarding potential HIPAA violations and administer penalties for non-HIPAA compliance. In 2009, the HITECH act was passed as a part of the American Recovery and Reinvestment Act. Under the HITECH act, the state’s attorney general also has authority to enforce the Privacy and Security Rules outlined under HIPAA.
Q. Is telling a story about a patient a HIPAA violation?
HIPAA laws do not exclusively apply to written or electronic PHI, but oral transmissions as well. If you reveal a patient's Protected Health Information (PHI) to unauthorized personnel, then you are subject to a HIPAA violation. PHI is personal medical information that is individually identifiable to a specific patient. Health information is protected under HIPAA if there are individually identifiable factors associated with it. These characteristics are broad, and can include a patient’s full name, DOB, SSN, physical address, telephone number, employment information, medical history, and much more. Even if you are discussing PHI with authorized personnel, such as other healthcare providers, your conversation can be overheard by unauthorized personnel. As such, it is best to maintain stringent, HIPAA compliant security practices when discussing PHI.
Q. When should you promote HIPAA awareness?
It is always a good idea to promote HIPAA awareness! Maintaining the best security practices to maintain the integrity of PHI establishes a positive reputation for your practice and avoids hefty fines and penalties for non-HIPAA compliance. Storing your information on a secured network server- whether through an email, website, or chat service- has a proven track record of success in avoiding the detrimental effects of a data breach. Working with a company that specializes in HIPAA compliant data security services takes this responsibility off of your shoulders so you can rest assured that your valued patients will not fall victim to a cyberattack.