The Health Insurance Portability and Accountability Act (HIPAA) is one of the most extensive compliance laws in the United States. What began as a law to solely help U.S. citizens get health insurance coverage has evolved into a comprehensive law that touches many areas of healthcare data — including patient data privacy rights and strict security requirements that organizations need to follow.
Many people think that HIPAA applies only to healthcare facilities, which is not true. Business associates, which could be IT firms, law firms, billing companies, and more, are also responsible for being HIPAA compliant. Here, we cover everything that business organizations need to know about HIPAA compliance.
What is HIPAA?
HIPAA was signed into law on August 21st, 1996. The law was initially enacted to help ensure that U.S. citizens could get health insurance coverage and would not lose health coverage when changing jobs. This act also required the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of pertinent health information. This means that HIPAA has evolved over the years.
Several amendments have been made to HIPAA. Some of the most notable enactments include:
- HIPAA Privacy Rule, effective April 14, 2003
- HIPAA Security Rule, effective April 21, 2005
- HIPAA Enforcement Rule, effective March 2006
- HITECH Act, effective February 17, 2009
- Breach Notification Rule, effective September 23, 2009
- Final Omnibus Rule, effective March 26, 2013
These amendments have shaped HIPAA into the compliance law we know today, which emphasizes the patients’ rights to healthcare data privacy and requires organizations to do their due diligence in safeguarding protected healthcare information (PHI).
Who and what does HIPAA protect?
HIPAA protects U.S. citizens’ PHI and electronic personal healthcare information (ePHI) by requiring organizations to follow privacy guidelines and implement security safeguards on multiple levels (administrative, physical and technical). It also puts the power back into the patients hands. HIPAA requires organizations to provide their patients with easy access to their healthcare information and to receive permission from patients before using their personal data for purposes outside of healthcare services.
PHI and ePHI can be similar — the one difference is that ePHI comes in digital format. For example, a lab test printed on paper is an example of PHI and that same lab test emailed as a .PDF file is considered ePHI. Since there are greater opportunities for unauthorized disclosure or a breach of electronic information, the term ePHI was coined and called out in the HIPAA Security Rule.
HIPAA calls out eighteen specific identifiers that are considered to be PHI:
- Address (including zip code)
- Dates (birth, admission, discharge, death)
- Telephone numbers
- Fax numbers
- E-mail addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/License numbers
- Vehicle identifiers and serial numbers (including license plate)
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) addresses
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images; and
- Any other unique identifying number, characteristic, or code.
ePHI can contain the information above but is stored or transmitted electronically, such as:
- Emailed lab results, reports or prescriptions
- Appointments stored on an online calendar or booking system
- Stored x-rays, MRIs, scans, or other digital photographs of a patient
- Patient chart notes stored on a mobile device or cloud storage
Organizations that HIPAA affects
HIPAA affects “Covered Entities” and “Business Associates”. Each type of organization can include different industries.
Covered entities are the types of organizations that most people would assume need to be HIPAA-compliant, like medical practices. According to HIPAA law, covered entities fall under one of these three categories:
- Healthcare providers: Organizations and practices that submit HIPAA transactions. These include, but are not limited to, doctors, clinics, psychologists, dentists, chiropractors, pharmacies and nursing homes.
- Healthcare Clearinghouses: These are organizations that interpret transactions and claim data between healthcare provider systems and insurers.
- Health plans: These include, but are not limited to, health insurance companies, HMOs, employer-sponsored health plans, and government-funded healthcare programs like Medicare, Medicaid, and military and veterans’ health programs.
Business associates are also responsible for being HIPAA compliant. Even though they do not directly collect PHI or ePHI from patients, business associates are organizations that engage with covered entities in a manner where they may have access to or come into contact with protected healthcare information. Here are some examples of business associates:
- IT companies
- Software companies
- Law firms
- Accounting firms
- Billing and collections companies
- Answering services
- Third-party administrators
- Document storage or disposal companies
In 2009, the HITECH act was passed which reiterated that business associates of HIPAA-covered entities are directly accountable for HIPAA violations. If an organization performs a function or provides a service that involves the use or access of PHI/ePHI on behalf of a covered-entity, they are equally responsible for becoming HIPAA compliant.
The big takeaway here is that there are far more business associates than there are covered entities. Due to the complex nature of healthcare operations, a single healthcare provider or health plan will likely engage with multiple vendors to smoothly run their organization. So while it’s a given that healthcare companies need to be HIPAA compliant, it’s not as widely known that these third-party vendors, or business associates, also need to take compliance seriously.
What are the requirements of HIPAA compliance?
The two most noteworthy areas of the HIPAA law are the Privacy Rule and Security Rule. These two amendments serve as the foundation for how the HIPAA law has been shaped over the years. Amendments made afterward, like the HIPAA Enforcement Rule or HITECH Act, reinforced core ideas from the Privacy and Security Rules, or helped to fill any gaps and make verbiage clearer.
The HIPAA Privacy Rule
This rule revolves around data privacy standards related to PHI. For starters, the Privacy Rule gives patients easier access to their own personal data. Patients have the right to examine and obtain a copy of information in their medical records, and to request for covered entities to amend their medical record if PHI is inaccurate or incomplete.
The Privacy Rule also limits how covered entities may use and dissolve the PHI they receive. Covered entities can use PHI for treatment, payment and healthcare operations. These are necessary functions that do not require explicit patient permission. However, for purposes outside of that scope, such as marketing, covered entities must first obtain the patient’s authorization to use or disclose their PHI.
The HIPAA Security Rule
This rule defines how covered entities and business associates ensure the integrity, confidentiality and availability of ePHI. Within the Security Rule, there are three major types of safeguards that must be implemented.
- Administrative Safeguards: These are administrative functions or processes that are implemented to meet all security requirements. This may be training employees on security policies and best practices, appointing a HIPAA security officer and creating a system for reporting security incidents as they occur.
- Physical Safeguards: These are mechanisms to protect electronic systems, equipment, and the data they hold, from threats, environmental hazards (like flood or fire) and unauthorized access. Some examples of physical safeguards include backing up ePHI, limiting physical access to information systems that store ePHI (like server rooms), and properly removing epHI from electronic devices before disposing of them.
- Technical Safeguards: These are automated processes used to protect data and control access to data. Some examples include encrypting ePHI, providing users with unique identifiers for accessing ePHI and automatically logging off users after a pre-configured time period or certain period of online inactivity.
The HIPAA Enforcement Rule
In 2006, the HIPAA Enforcement Rule was enacted in response to many covered entities that were not fully complying with the Privacy and Security Rules. The Enforcement Rule allows HHS to investigate any complaints that have been made about covered entities who are not HIPAA compliant. It also gave the Office of Civil Rights (OCR) the power to enforce financial penalties against entities that were found to be non-compliant and remained non-compliant.
When it comes to ePHI, the Enforcement Rule also gave HHS the power to fine covered entities who experienced a data breach that could have been avoided if they had followed the safeguards outlined in the HIPAA Security Rule. This rule did not introduce anything particularly new to the HIPAA act but instead reinforced the significance of the Privacy and Security Rules by raising the consequences of violations. Over the years, there have been many amendments and notices made to strengthen HIPAA enforcement efforts.
In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) was passed. This act was intended to encourage healthcare providers to begin using Electronic Health Records (EHRs) in an effort to make healthcare information more accessible for patients.
At the same time, greater financial penalties for HIPAA violations were introduced and it was made more explicit that business associates of HIPAA-covered entities are directly accountable for HIPAA violations. Previously, there were loopholes that business associates could work around. The HITECH Act tightened up that language and made HIPAA violation risks more significant for covered entities and business associates as an extra precaution.
Breach Notification Act
This rule requires HIPAA-covered entities and business associates to provide notification after a breach that may have affected PHI. According to HIPAA law, a breach is unauthorized use or disclosure that compromises the security or privacy of PHI.
There may be some instances in which a covered entity or business associate may argue the need for notification following a breach. They must be able to demonstrate that there’s a low probability that PHI has been compromised after assessing:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
- The unauthorized person who used the PHI or to whom the disclosure was made
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to the PHI has been mitigated.
If after analyzing those factors it has been demonstrated that the overall probability of compromised PHI is low, the covered entity may be able to bypass notification. Otherwise, notifications must be provided to affected individuals without unreasonable delay no later than 60 days after the breach. The notice must arrive in written form by first-class mail or by email if the affected individual has agreed to receive notices electronically.
The California Confidentiality of Medical Information Act (CMIA) is a state law that institutes more stringent requirements on top of HIPAA law. Similar to HIPAA, the CMIA’s purpose is to protect patients’ healthcare information and prevent unauthorized access of medical information. What makes the CMIA more expansive, is that “medical information” is more widely encompassing than what HIPAA deems as PHI. The CMIA also allows patients to bring legal action for violations, rather than the HHS being responsible for issuing violation fines.
HIPAA data breaches and penalties for non-compliance
The cost of HIPAA non-compliance can be staggering. Data breaches are an obvious violation. Other forms of non-compliance are transmitting unencrypted ePHI, loss or theft of electronic devices, lack of employee training and accessing PHI from an unsecure location. Most of these violations are a result of negligence, which can become very costly for an organization.
If a covered entity or business associate is found in violation of HIPAA, there are four categories used for the penalty structure.
- Tier 1: Minimum fine of $100 per violation up to $50,000.
- Tier 2: Minimum fine of $1,000 per violation up to $50,000.
- Tier 3: Minimum fine of $10,000 per violation up to $50,000.
- Tier 4: Minimum fine of $50,000 per violation.
In addition to financial penalties that an organization may incur, they may also receive sanctions from professional boards like the Office of Civil Rights or the U.S. Department of Health and Human Services.
Depending on the severity of the violation, individuals involved with the violation could face criminal charges. There are three tiers of criminal penalties for HIPAA violations:
- Tier 1: If the individual demonstrates reasonable cause or no knowledge of the violation, they may face up to 1 year in jail.
- Tier 2: If the individual obtained PHI under false pretenses, they could face up to five years in jail.
- Tier 3: If the individual is found to have obtained PHI for personal gain or with malicious intent, they could face up to ten years in jail.
Data classification guidelines for HIPAA
Covered entities and business associates need to ensure that ther protect ePHI from being altered or accessed by unauthorized parties. To make data management easier, all ePHI should be inventoried (ideally through a sensitive data discovery process) and classified based on each piece of data’s level of sensitivity. This will help in determining the necessary security controls and safeguards necessary for each piece of data.
Organizations are free to develop their own set of classifications but for most, this simple three-level classification works great.
- Restricted/Confidential Data: Data if altered, destroyed or disclosed to an unauthorized party could cause significant damage. This data requires the highest level of security.
- Internal Data: Data if altered, destroyed or disclosed to an unauthorized party could cause low to moderate damage. This data should not be released to the public and requires security controls — just not necessarily to the extent of Restricted Data.
- Public Data: Minimal to no risk and does not need protection against unauthorized access. This data may still need protection against alteration or destruction.
HIPAA compliance software
Healthcare information is increasingly moving from physical paper records to electronic records. Naturally, this presents some challenges with how covered entities and business associates manage and protect their ePHI. For example, sensitive ePHI could end up on digital image files, which can be near-impossible to find in an endless vat of digital files and records because it is not easily searchable.
HIPAA compliance software (particularly, DLP software) can significantly take the weight off an organization’s shoulders by cutting out time-consuming manual processes and covering all of your bases, from data discovery to classification to risk management and more.
What is DLP HIPAA software?
Data Loss Prevention (DLP) is a set of tools and processes to ensure that sensitive data is not misused, lost, or accessed by unauthorized users. Below, are a few features, tools or processes you should look for in high-performing DLP HIPAA software options:
- Access controls
- Risk management
- Data classification
- Policy management
- Data monitoring
- Real-time analytics
- Breach reports
- Incident workflows
- Cross-system support
Ensure HIPAA compliance with Spirion
Spirion helps organizations fulfill HIPAA requirements by aiding in all areas of compliance. With data discovery and automated classification tools, your organization’s IT and security teams can cut out countless hours of manual work. Features like encryption, access controls, risk management, auditing, monitoring and automated reporting make it easy for organizations to implement safeguards to become and maintain compliance.
Why Choose Spirion
- Accurate, real-time ePHI inventorying: Keep up with large volumes of data with real-time monitoring and data discovery that finds sensitive information across all platforms and data types, so you can develop timely inventories of ePHI on hand.
- Automated data classification: Implement the right safeguards and precautions for your ePHi by classifying your inventory based on level of sensitivity.
- Privacy impact assessments: Assess and understand the potential risks that may arise from your current or new initiatives, systems, processes and policies.
- Breach notification made simple: Strategize and pre-configure breach notification plans so you can act fast in the event of a data breach.
To see how Spirion can help your organization become HIPAA compliant, you can request a demo here.