What is HIPAA Compliance?
HIPAA stands for The Health Insurance Portability and Accountability Act.
Here at PayGround, we know the amount of grief our healthcare business partners go through when it comes to ensuring HIPAA compliance. If you’re new to HIPAA or just need a refresher, we’ll go through how to navigate these compliance rules in plain English.
Why does HIPAA exist?
Healthcare can be a chaotic business. You need to constantly move sensitive personal information across hospitals, doctor’s offices, insurers, etc. Often, this information even moves across state lines. Before HIPAA came in, this caused a world of headaches because the laws around protecting personal information might be different in each state.
Eventually, lawmakers felt that the way businesses were handling personal health information wasn’t right. Stories of employers or mortgage lenders basing their decisions on a patient’s medical history didn’t sit right with Congress. And they couldn’t count on state laws to protect this privacy.
HIPAA deemed this access of information unlawful, providing a federal safeguard that can establish overarching protection for a patient’s personal information.
What kind of personal information (PHI) is protected?
PHI, also known as Protected Health Information, is any piece of information that can be used to identify a patient. Examples include, but are not limited to:
- Date of Birth
- Telephone Number
- Fax Number
- Social Security Number
- Medical Record Number
- Health Plan Beneficiary Number
- Account Number
- Driver’s License
- Full-face Photos
- IP Address
Collecting personal information is obviously a necessary part of maintaining an individual’s medical record. And much of it is very personal. HIPAA provides safeguards for patients to give them peace of mind that their information is protected by federal law.
Who is required to follow HIPAA compliance?
According to the U.S. Department of Health and Human Services website, HIPAA identifies two groups that must follow HIPAA compliance rules: covered entities and business associates.
We’ll go through what each one means.
A covered entity (aka you) is defined as any organization that collects, creates, or transmits PHI electronically. A covered entity is one (or more) of the following:
- A health plan, including but not limited to:
- Health insurance companies
- Company health plans
- A health care provider, including but not limited to:
- Nursing Homes
- A health care clearinghouse.
A business associate is a person or corporation that creates, receives, maintains, or transmits PHI on behalf of a covered entity to perform any contracted work. A business associate is one (or more) of the following:
- Legal and accounting services
- Claims billing and processing services
- Data analysis services
- Benefit management services
The U.S. Department of Health and Human Services (HHS) denotes the following examples as organizations who are not considered covered entities and therefore aren’t required to comply with HIPAA:
- Life insurers
- Workers compensation carriers
- Most school and school districts
- Most state agencies, i.e., child protective service agencies
- Most law enforcement agencies
- Most municipal offices
Be aware of the HIPAA Privacy Rule.
HIPAA’s enactment was the first of many steps to protect individuals’ personal health information. But several holes in the law needed to be filled in the years that followed. The HIPAA Privacy Rule in 2003 helped fill some of those holes.
In the HIPAA Privacy Rule, The US Department of Health and Human Services outlined the definition of PHI more clearly and defines it as follows: “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual.”
The HIPAA Privacy Rule also provides better instructions on the permissions needed from patients before using their PHI for any form of marketing, fundraising, or research. This way, patients aren’t getting solicited without their authorization.
How does HIPAA apply to electronic data?
The healthcare industry was slow to migrate to online files. Nothing was as ironclad as the old system of paper records in locked filing cabinets. And you can’t hack a filing cabinet unless you’re an excellent lock pick/master thief.
But the Internet has become as inevitable as aging, and businesses in the healthcare industry are rapidly changing to electronic filing.
Electronic health records, or EHRs, became especially popular after the adoption of the HITECH Act in 2009, also known as the Health Information Technology for Economic and Clinical Health Act.
The HITECH Act provided incentives to adopt health information technology. According to HealthIT.gov, 96% of office-based physicians adopted EHRs.
Unfortunately, the convenience of the Internet comes with bigger risks. Outside of an office break-in or word-of-mouth, the most common HIPAA violations are due to ePHI, or electronic personal health information, stored on technology devices or the Internet. Examples of common HIPAA violations that involve ePHI include, but are not limited to:
- A stolen or misplaced laptop, cellphone, or USB device
- Malware incident
- Ransomware attack
- PHI sent to the wrong patient/contact
- Social media posts
Look to the HIPAA Security Rule for specific instructions on ePHI.
In response to everchanging vulnerabilities that have come with the territory of the Internet, the HIPAA Security Rule was passed in 2005 to provide national standards for the protection of electronic personal health information.
The HIPAA Security Rule outlines three security safeguards—administrative, physical, and technical as outlined by the U.S. Department of Health & Human Services health information privacy webpage. We list them below:
- Implement a risk analysis process to evaluate the likelihood and impact of an ePHI breach.
- Outline a security management process to prevent breaches detailed in the risk analysis.
- Designate security personnel to implement the security management process.
- Implement an information access management system to determine the procedures of gating access to ePHI and enabling only authorized users to access the information.
- Provide workforce training to inform individuals of the procedures when dealing with ePHI and the consequences of a data breach.
- Schedule periodic evaluations to assess the entire security infrastructure for ePHI.
- Limit physical facility access and control to authorized users only.
- Implement workstation and device security practices to outline the proper use of work-issued electronic devices or media.
- Limit technical access and control to authorized users only.
- Implement a procedural audit of hardware and software to ensure security and proper use.
- Implement integrity controls to ensure that ePHI is not altered or destroyed without permission.
Implement transmission security measures to ensure that ePHI is not transmitted over an electronic network without proper authorization.
What if you use a third party to store your electronic data?
HIPAA considers any third-party data storage companies as business associates (refer to the section above labeled, “Who is required to follow HIPAA compliance?”).
This means that any cloud storage or SAAS platform needs to follow HIPAA compliance as an extension of your business.
Business Associate Agreements, or BAA, are important provisions for any business to outline the measure of liability in the event of a HIPAA violation.
Who enforces HIPAA compliance?
While HIPAA compliance is regulated by the Department of Health and Human Services (HHS), a specific agency within the HHS called the Office for Civil Rights (OCR) is the enforcer.
The OCR was created as a direct response to several organizations failing to comply with the HIPAA Privacy and Security Rules.
The OCR has the power to investigate breaches to HIPAA and bring criminal charges to repeat offenders.
How does the OCR enforce HIPAA compliance?
According to HHS.gov, the OCR reviews all complaints of HIPAA violations it receives but only takes action if they meet the following requirements:
- The alleged action must have occurred in the past six years.
- The complaint must be filed only against covered entities or business associates (refer to the section above labeled, “Who is required to follow HIPAA compliance?”).
- The complaint must allege an activity that violates HIPAA rules. This may go without saying, but the OCR felt it necessary to stipulate that they cannot investigate any alleged activities that are not HIPAA violations.
- The complaint must be filed within 180 days of the date the accuser knew of the HIPAA violation.
What happens if a PHI breach occurs?
The HIPAA Breach Notification Rule passed in 2009 outlines what to do if a PHI breach occurs. Per the guidelines in the HHS website, you must provide notice to affecting parties, the media, and regulatory bodies.
But the nature of how to report depends on the number of people affected. We break down the rules for you below:
- Affected Individuals
You must provide individual notice to all parties affected by the breach via first-class mail or email.
But sometimes, people move, change email addresses, or provide wrong information. To accompany these unfortunate circumstances, the HHS is very clear on the next steps: If the number of affected individuals who have outdated contact information exceeds 10, you need to do the following:
- You must post a notice on your website’s homepage for at least 90 days or provide notice in major print or broadcast media (the channel depends on the location of the affected individual).
- You must provide a toll-free number for 90 days to provide any additional information.
- The Media
If the breach affects more than 500 residents in a given state or jurisdiction, you don’t have much choice. Unfortunately, you have to notify prominent media outlets in the local markets of the affected individuals.
- The HHS
Unfortunately, you can’t avoid the folks in charge. You must notify the HHS any time a breach of PHI has been made through the Breach Reporting Portal.
However, the nature of when to do so depends on the number of affected individuals. Again, 500 is the magic number:
- If the breach affects more than 500 individuals, you have to report the breach within 60 days of the incident.
- If the breach affects fewer than 500 individuals, you can report it to the HHS no later than 60 days after the end of the calendar year of which the incident was discovered.
What is the “HIPAA Wall of Shame”?
Introduced as part of the HITECH Act in 2009, the OCR places details of any breach that affects more than 500 individuals on public display on what is colloquially known as the “HIPAA Wall of Shame.”
Luckily, regardless of fault, breaches only remain on the listing for a total of two years. However, no breach is truly removed as older breaches remain under the publicly viewable archives.
The “HIPAA Wall of Shame” is quite controversial. Some argue that although it is an adequate punitive measure to an organization’s faulty cybersecurity efforts, it does little to incentivize these organizations to provide corrective, good-faith efforts to improve. Also, some organizations are listed unfairly as their breaches might have been their business associates’ fault.
However, the “HIPAA Wall of Shame” can be a useful tool for both administrators and practitioners to learn about the different types of data breaches to mitigate the same risk for themselves.
Do I always have to report a HIPAA breach?
Not all breaches need to be reported if you can demonstrate a “low probability” that PHI has been compromised. The American Medical Association outlines a 4-factor test to determine the low probability of compromise:
- Is there a high likelihood of reidentification of the affected individuals based on the type of PHI exposed?
- Is there a high risk associated with the unauthorized person or organization that received the PHI? (For example, if the information was disclosed to a HIPAA-covered organization, there’ll be a lower probability that PHI was compromised as they are bound to HIPAA compliance as well.)
- Did the unauthorized person or organization actually acquire or view the PHI? (Being presented with the opportunity to acquire or view PHI is not the same as actually acquiring or viewing the material.)
- Were the steps you took after the breach mitigate the risk significantly? (For example, obtaining confidentiality agreements after an incident to reduce risk).
Depending on your answers, you may need to provide notification of the breach. Otherwise, you just need to demonstrate that an effort of good faith was made to reduce the risk of PHI compromise.
How do business associates report a PHI breach?
In the early stages of HIPAA, the main liability of PHI breaches was focused primarily on covered entities. But with the New Omnibus Rule passed in 2013, HIPAA extended its reach to make affiliated business associates more accountable.
The New Omnibus Rule extends penalties to any contracted or subcontracted business affiliates that use PHI based on negligence. These penalties can range anywhere from $50,000 to $1.5 million per violation.
If a PHI breach occurs on the side of the business associate (See section: “Who is required to follow HIPAA compliance?” to see how a business associate is defined), the business associate must notify the covered entity.
The time of when to report is important. The business associate must notify the covered identity within 60 days of discovery of the breach.
The business associate must also fully cooperate with you and provide the identification of every affected individual and all other important information. Doing so ensures that you can give adequate information in your notification to affected individuals.
How do you prevent HIPAA violations?
- Encrypt your data.
Accidents happen. Mobile devices get left at the airport, or laptops get stolen. But you can help mitigate the risk associated with such accidents by encrypting your data on all your devices.
Data encryption is the process of converting your data into indecipherable symbols. The data can only be decoded using a unique security key.
Data encryption adds an extra layer of protection that passwords alone can’t provide. Hackers can quickly discover passwords with enough time and know-how.
As noted in the 4-factor test in the above section, “Do I always have to report a HIPAA breach?”, if you can demonstrate a low probability that PHI has been compromised in the event of a breach, you do not need to report it. Data encryption is one of the ways that can help lower your risk of compromise.
- Use secure messaging.
Doctors and the good old-fashioned pager seem like an inseparable image. But as frequent as this seemingly archaic piece of technology appears in hospitals, it’s not the best form of technology to maintain HIPAA compliance.
Pager networks mainly rely on the honor code—hoping that no doctors, nurses, or administrators send sensitive PHI over their unsecured networks.
Modern third-party messaging solutions that use a secure database provide the lowest risk of compromise, providing walled communication channels and direct administrator control.
- Designate a compliance officer or committee.
HIPAA compliance is a full-time job. Designating a compliance officer or committee can ensure you’re not just doing the bare minimum to lower your risk.
For example, HIPAA requires covered entities and business associates to conduct annual audits, but why not do it more than once a year?
Compliance officers can also conduct routine training for your staff and stay up-to-date on the latest HIPAA regulations and compliance technology.
- Make sure your third-party partners are HIPAA compliant.
Not all third-party partners in healthcare are considered business associates by HIPAA definition (See “Who Is Required to Follow HIPAA Compliance?” section above).
For example, payment processing companies are not bound by HIPAA compliance as business associates, so the fault of a breach lies entirely on you.
However, that doesn’t mean you should avoid these services. Paying for your medical bill is one of the biggest headaches that can affect your patient satisfaction score.
Instead, many providers prefer to use partners that go above board. Payment systems specifically designed for healthcare, like PayGround, take extra care to ensure HIPAA compliance with their data.
Choosing the right partners who take your HIPAA risks seriously is like picking the right spouse: Trust and security are the foundations of a good relationship.
PayGround makes HIPAA compliance a priority.
PayGround follows all the legal guidelines to ensure patient information is protected and safe because we are built for healthcare transactions.
Simplify Your Healthcare Payments Today.