Companies in industries that handle health information or patient data must have physical, network and process security measures in place to ensure compliance and protect that data. Breaches can result in criminal charges or lawsuits, and compliance failures can lead to heavy fines as well. With customers becoming more cyber-aware, health consultations moving into the virtual space and companies maturing in how they conduct business, HIPAA compliance has become standard practice for keeping crucial information safe at all times. It is also a great way to keep the company's reputation in ship-shape condition.
HIPAA Compliance
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a federal law. It sets standards to prevent sensitive patient health information from being disclosed. Patients have a right to protect their details, and this act empowers them to do so. Protected health information (PHI) is the focus of HIPAA.
Benefits of HIPAA Compliance
HIPAA's rules benefit the entire healthcare ecosystem because they serve as national standards for handling health information. They help prevent discrimination and enable safe sharing of data between different parties. Safeguarded data, combined with standardized and nationally recognized identifiers, means a more efficient system and streamlined processes. HIPAA enforces the use of strong passwords and creates a pathway to strong data backup plans, and regular audits help everybody enhance their compliance practices.
5 Main Components of HIPAA Compliance
Title 1: HIPAA Health Insurance Reform
It covers health insurance for people who lose their jobs. It also prohibits denying coverage for specific illnesses or pre-existing conditions and setting specific coverage limits.
Title 2: HIPAA Administrative Simplification
This focuses on developing and abiding by national standards for processing electronic healthcare transactions. Secure data access and compliance are also covered.
Title 3: HIPAA Tax-related Health Provisions
This covers tax-related provisions and specific guidelines for medical care.
Title 4: Application and Enforcement of Group Health Plan Requirements
This reiterates coverage for individuals with pre-existing conditions or those seeking additional coverage.
Title 5: Revenue Offsets
This includes provisions on company-owned life insurance. It also covers insurance for the medical treatment of individuals who lose their US citizenship for income tax purposes.
HIPAA Compliance Checklist
HIPAA compliance, like any other compliance effort, requires a well-thought-through plan. Simple steps such as the following can bring you closer to better compliance:
- Set up a HIPAA compliance committee
- Perform a gap analysis to identify potential leakages
- Review the guidelines to look for relevant ones as per your organization
- Document any specific deficiencies
- Build a plan focusing on fixing the gaps
- Take a deep dive into how data is being used, shared, maintained etc.
- Perform audits regularly
- Establish data breach response protocols
- Train your staff/team while also focusing on getting a compliance officer in the team
- Regularly look for updates and upgrade your action plan
- Take assistance from experts and get your plan reviewed
Requirements and Safeguards
A business associate is any organization or person that provides services to a covered entity. Business associates have specific responsibilities when handling or disclosing PHI; they can be subjected to regular audits and are liable for penalties if found to be non-compliant. Specific requirements include:
- National Provider Identifier standard: Each entity, including individuals, employees, health care providers and health plan creators, should have a unique 10-digit National Provider Identifier number
- Transactions and code sets standards: Organizations should follow a well-documented, professionally established standard procedure to submit and process claims
- HIPAA privacy rule: This rule establishes national standards to protect patient health information
- HIPAA security rule: This sets standards for patient data security
- HIPAA enforcement rule: This establishes guidelines for investigations into violations
Some safeguards are also crucial to ensure the secure passage, maintenance and reception of electronic and physical PHI. Three key questions which need answers are:
- Can the sources of PHI and ePHI be identified? This covers creation, maintenance and transmission.
- What are some of the external sources of PHI?
- Are there any specific human, natural or environmental threats in the systems that contain PHI and ePHI?
Based on the answers to the above questions, data backup strategies, encryption methods, authentication techniques and access control rules can be defined and implemented.
Rules Applicable for HIPAA
Some rules that are relevant for HIPAA are:
The privacy rule:
This addresses the following questions:
- Which organizations must follow HIPAA compliance?
- What constitutes protected health information (PHI)?
- How can PHI data be used and shared between organizations?
- What are the permitted usage and disclosure rules for PHI?
- What are a patient’s rights when it comes to their data?
The entities covered under HIPAA include health plan providers, health care clearinghouses, health care providers and business associates who conduct healthcare transactions.
The security rule:
This covers the following questions:
- Which organizations must follow the rules?
- What type of health information is protected?
- What safeguards must be implemented?
The entities covered include organizations and their business associates, who must protect ePHI. They must:
- Ensure confidentiality, integrity and availability of the PHI
- Protect the ePHI against all threats and impermissible use or disclosure
- Train employees
- Adopt suitable policies
- Perform risk analysis and create a risk mitigation plan
The breach notification rule:
This rule requires companies to send alerts and notifications whenever a breach is discovered. The notifications have to be sent to the affected individuals, the Department of Health and Human Services and the media (if applicable and the breach is serious enough) within 60 days of the breach being detected. If more than 500 individuals are affected, an immediate notification is to be sent.
Final Thoughts
The pandemic has forced companies to become more vigilant. With patient information out there on the web, companies need to take their data protection strategy seriously to be able to cater to an ever-evolving audience. Electronic patient data is all around us, and hence protecting PHI becomes even more crucial. With hackers lurking around the corners, patient data can act as a goldmine of information. Consultations happening remotely and via various mobile apps make data protection even more complicated. This is where AppSealing's cloud-based pay-as-you-go mobile application protection solution comes in handy. It is easy to use and doesn't require a single line of code. Protect your patients' data today with AppSealing. Contact us today!
Frequently Asked Questions
1. What are the 4 sets of HIPAA standards?
The HIPAA Security Rule Standards and Implementation Specifications are split into the following four sections: 1) Physical; 2) Administrative; 3) Technical; and 4) Policies, Procedures and Documentation Requirements.
2. What is required for HIPAA compliance?
Here is a checklist to ensure HIPAA compliance:
- Privacy: Upholding patients’ rights to Protected Health Information
- Security: Implementing stringent measures for physical, technical and administrative security
- Enforcement: Conducting thorough investigations into a security breach
- Breach Notification: Taking the prescribed and required steps in the event of a breach
- Omnibus: Providing HIPAA compliance training to personnel
3. Does HIPAA apply to everyone?
No, HIPAA does not apply to everyone. It only applies to HIPAA covered entities (healthcare providers, health plans, and health care clearinghouses), their business associates (legal, accounting, management, administrative, billing, actuarial, etc.), subcontractors, and hybrid entities (organizations that perform both HIPAA covered and non-covered functions).
4. What is a deliberate violation of HIPAA?
HIPAA violations can be unintentional or deliberate, the latter obviously being more nefarious. Here is an example of a deliberate HIPAA violation: an unnecessary and wilful delay in issuing a breach notification letter to patients, exceeding the maximum permissible timeframe for such a notification, i.e. 60 days following discovery of the breach. Sharing login credentials with an unauthorized employee is another example of a deliberate HIPAA violation.
5. What information can be shared without violating HIPAA?
Health data that is not considered PHI can be shared without violating HIPAA. Although identifiers such as names, addresses and phone numbers can form part of PHI, they become PHI under HIPAA only when health data is linked to them. Healthcare information that carries no identifiers capable of identifying an individual is called de-identified health information, and it can be shared without violating HIPAA. Other exceptions include employee records maintained by a covered entity, appointment inquiries, and data collected by wearable devices and fitness apps.