Compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA) requires companies that deal with protected health information (PHI) to have physical, network, and process security measures in place and follow them.
Anyone providing treatment, payment, and operations in the field of healthcare are subject to HIPAA compliance rules. Business associates, including anyone who has access to patient information and provides support in treatment, payment, or operations, must also meet HIPAA compliance. Also bound by HIPAA are other entities, such as subcontractors and any other related business associates.[1]
HIPAA Compliance Definition
HIPAA laws are a series of federal regulatory standards that outline the lawful use and disclosure of protected health information in the United States. HIPAA compliance is regulated by the Department of Health and Human Services (HHS) and enforced by the Office for Civil Rights (OCR).
HIPAA compliance is a living culture that health care organisations must implement within their business in order to protect the privacy, security, and integrity of protected health information.[2]
HIPAA Compliance History
The Health Insurance Portability and Accountability Act of 1996 was passed by the U.S. Congress and signed into law by President Bill Clinton.
HIPAA laws were enacted primarily to:
- Modernise the flow of healthcare information.
- Stipulate how personally identifiable information (PII) maintained by the healthcare and health insurance industries should be protected from fraud and theft.
- Address limitations on healthcare insurance coverage, such as portability and the coverage of individuals with pre-existing conditions.[3]
HIPAA mandated national standards to protect sensitive patient health information from being disclosed without the patient’s knowledge or consent. The U.S. Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement this mandate.[4]
The Privacy Rule does have 12 exceptions where patient data can be shared with other entities without the consent of the patient. They include:
- Victims of domestic violence or other assault.
- Judicial and administrative proceedings.
- Cadaveric organ, eye, or tissue donation.
- Workers compensation.[5]
Another key element of HIPAA compliance is the Security Rule, which exists within the Privacy Rule. This subset is all individually identifiable health information that a covered entity creates, receives, maintains, or transmits in electronic form. Key elements of the HIPPA Security Rule include:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information.
- Detect and safeguard against anticipated threats to the security of the information.
- Protect against anticipated impermissible uses or disclosures.
- Certify compliance by their workforce.
Protected health information (PHI) is any demographic information that can be used to identify a patient or client of a HIPAA-beholden entity. Common examples of PHI include names, addresses, phone numbers, Social Security numbers, medical records, financial information, and full facial photos, to name a few.[6]
HIPAA Compliance Analysis
Health care providers and other entities dealing with PHI are moving to computerised operations. These include computerised physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems. Similarly, health plans provide access to claims as well as care management and self-service applications.
While all of these electronic methods provide increased efficiency and mobility, they also drastically increase the security risks facing healthcare data.[7] And these new risks make HIPAA compliance more important than ever.
HHS details both the physical and technical safeguards that entities hosting sensitive patient data must follow:
- Limited facility access and control with authorised access in place.
- Policies about use and access to workstations and electronic media.
- Restrictions for transferring, removing, disposing, and re-using electronic media and ePHI.
Along the same lines, the technical safeguards of HIPAA require access control allowing only for authorised personnel to access ePHI. Access control includes:
- Using unique user IDs.
- Emergency access procedures.
- Automatic log off.
- Encryption and decryption.
- Audit reports or tracking logs that record activity on hardware and software.
Other technical policies for HIPAA compliance include the need to cover integrity controls, or measures put in place to confirm that electronic patient health information (ePHI) is not altered or destroyed. IT disaster recovery and offsite backup are key components that ensure that electronic media errors and failures are quickly remedied so that patient health information is recovered accurately and intact.
One final technical safeguard is network or transmission security that ensures HIPAA compliant hosts protect against unauthorised access to ePHI. This safeguard addresses all methods of data transmission, including email, internet, or private networks, such as a private cloud.
The best healthcare data protection solutions recognises that data doesn’t lose itself. It’s exposed though people—people who are negligent, malicious or compromised by an outside attacker.
That’s why effective compliance is people-centric, focusing on all the ways people can inadvertently or purposely expose patient data in all forms—including structured and unstructured data, emails, documents, and scans—while allowing healthcare providers to share data securely to ensure the best possible patient care.
Patients entrust their data to healthcare organisations, and it is the duty of these organisations to take care of their protected health information.[5]
The Seven Elements of Effective Compliance
The HHS Office of Inspector General (OIG) created the Seven Elements of an Effective Compliance Program in order to give guidance for organisations to vet compliance solutions or create their own compliance programs.
These are the barebones, absolute minimum requirements that an effective compliance program must address. In addition to addressing the full extent of mandated HIPAA Privacy and Security standards, an effective compliance program must also have the capacity to handle each of the Seven Elements.
The Seven Elements of an Effective HIPAA Compliance Program are as follows:
- Implementing written policies, procedures, and standards of conduct.
- Designating a compliance officer and compliance committee.
- Conducting effective training and education.
- Developing effective lines of communication.
- Conducting internal monitoring and auditing.
- Enforcing standards through well-publicised disciplinary guidelines.
- Responding promptly to detected offences and undertaking corrective action.
Over the course of a HIPAA investigation carried out by OCR in response to a HIPAA violation, federal HIPAA auditors will compare your organisation’s compliance program against the Seven Elements to judge its effectiveness.[8]
[1] Digital Guardian. “A Definition of HIPAA Compliance”
[2] Compliancy Group. “What is HIPAA Compliance?”
[3] The HIPAA Guide. “HIPAA for Dummies”
[4] Centers for Disease Control and Prevention
[5] Ibid.
[6] Compliancy Group. “What is Protected Health Information?”
[7] Digital Compliance. “The need for HIPAA compliance”
[8] Compliancy Group. “What are the Seven Elements of an Effective Compliance Program?”
3 Things Businesses Need to Know About Microsoft Teams HIPAA Compliance
If your organisation is among the HIPAA-covered businesses looking to adopt Microsoft Teams, here are three things to keep in mind about using the platform and staying in compliance with HIPAA.
What Is Data Privacy?
Data privacy aims to protect customer data from unethical use and distribution to third parties. Learn what data privacy is and what you need to know.
What Is Regulatory Compliance?
Regulatory compliance is a set of rules organisations must follow to protect sensitive information and human safety. Learn the definition and why it’s important.