A Better Way to Manage HIPAA Compliance
What is HIPAA Compliance?
Before discussing the elements of our HIPAA compliance checklist, it is best to answer the question “What is HIPAA compliance?” HIPAA compliance involves fulfilling the requirements of the Health Insurance Portability and Accountability Act of 1996, its subsequent amendments, and any related legislation such as the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Typically the question following “What is HIPAA compliance?” is “What are the HIPAA compliance requirements?” That question is not so easy to answer as – in places – the requirements of HIPAA are intentionally vague. This is so HIPAA can be applied equally to every different type of Covered Entity or Business Associate that comes into contact with Protected Health Information (PHI). For the sake of clarification:
What is Protected Health Information (PHI)?
Protected Health Information (PHI) is your/my/everyone’s healthcare data. PHI is the content that HIPAA tries to protect and keep private. The Safe Harbor Rule identifies what kinds of data you must remove to de-identify PHI.
What is a Covered Entity?
A covered entity is a health care provider, a health plan or a health care clearinghouse that, in its normal activities, creates, maintains or transmits PHI. There are exceptions. Most health care providers employed by a hospital are not covered entities. The hospital is the covered entity and is responsible for implementing and enforcing HIPAA compliant policies.
Employers – despite maintaining health care information about their employees – are not generally covered entities unless they provide self-insured health cover or benefits such as an Employee Assistance Program (EAP). In these cases they are considered to be “hybrid entities” and any unauthorized disclosure of PHI may still be considered a breach of HIPAA.
What is a Business Associate?
A “business associate” is a person or business that provides a service to – or performs a certain function or activity for – a covered entity when that service, function or activity involves the business associate having access to PHI maintained by the covered entity. Examples of Business Associates include lawyers, accountants, IT contractors, billing companies, cloud storage services, email encryption services, etc.
Before having access to PHI, the Business Associate must sign a Business Associate Agreement with the Covered Entity stating what PHI they can access, how it is to be used, and that it will be returned or destroyed once the task it is needed for is completed. While the PHI is in the Business Associate’s possession, the Business Associate has the same HIPAA compliance obligations as a Covered Entity.
What is the HIPAA Privacy Rule?
The HIPAA Privacy Rule governs how ePHI can be used and disclosed. In force since 2003, the Privacy Rule applies to all healthcare organizations, the providers of health plans (including employers), healthcare clearinghouses and – from 2013 – the Business Associates of covered entities.
The Privacy Rule demands that appropriate safeguards are implemented to protect the privacy of Protected Health Information. It also sets limits and conditions on the use and disclosure of that information without patient authorization. The Rule also gives patients – or their nominated representatives – rights over their health information, including the right to obtain a copy of their health records – or examine them – and the ability to request corrections if necessary.
Under the Privacy Rule, covered entities are required to respond to patient access requests within 30 days. Notices of Privacy Practices (NPPs) must also be issued to advise patients and plan members of the circumstances under which their data will be used or shared.
Covered entities are also advised to:
- Provide training to employees to ensure they are aware what information may – and may not – be shared outside of an organization’s security mechanism.
- Ensure appropriate steps are taken to maintain the integrity of ePHI and the individual personal identifiers of patients.
- Ensure written permission is obtained from patients before their health information is used for purposes such as marketing, fundraising or research.
Covered entities should make sure their patient authorization forms have been updated to include the disclosure of immunization records to schools, include the option for patients to restrict disclosure of ePHI to a health plan (when they have paid for a procedure privately) and also the option of providing an electronic copy to a patient when it is requested.
The full content of the HIPAA Privacy Rule can be found on the Department of Health & Human Services website.
What Information Does the Privacy Rule Protect?
The HIPAA Privacy Rule defines PHI as individually “identifiable health information” stored or transmitted by a covered entity or their business associates, in any form or media (electronic, paper, or oral).
The law further defines “individually identifiable health information” as an individual’s past, present, and future health conditions, the details of the health care provided to an individual, and the payment information “that identifies or for which there is a reasonable basis to believe can be used to identify the individual.”
In simple terms: any and all data having to do with all doctor visits, ever, including (but not limited to):
- Birth, death or treatment dates, and any other dates relating to a patient’s illness or care
- Contact information: telephone numbers, addresses, and more
- Social Security numbers
- Medical record numbers
- Finger and voice prints
- Any other unique identifying number or account number
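The identifiers listed above are the kind of data the Safe Harbor method requires you to strip before a record can be treated as de-identified. The following is an added example, not code from the original page, showing a small pattern-based scrubber for the machine-readable categories in that list (dates, telephone numbers, Social Security numbers, medical record numbers, account numbers); the regular expressions, placeholder labels and the sample clinical note are assumptions constructed for the demonstration.

```python
import re
from typing import Dict, Tuple

# Ordered so that labelled identifiers (MRN, account numbers) are consumed
# before the generic numeric patterns get a chance to mis-classify them.
# Patterns are assumptions for common US formats, not an exhaustive list.
PHI_PATTERNS = [
    ("MRN",     re.compile(r"\bMRN[:#\s]*\d{6,}\b", re.IGNORECASE)),
    ("ACCOUNT", re.compile(r"\b(?:acct|account)[:#\s]*\d{6,}\b", re.IGNORECASE)),
    ("SSN",     re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE",   re.compile(r"\(?\b\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b")),
    # Treatment, birth and other dates: mm/dd/yyyy or ISO yyyy-mm-dd.
    ("DATE",    re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b")),
]


def redact_phi(text: str) -> Tuple[str, Dict[str, int]]:
    """Replace each matched identifier with a bracketed label.

    Returns the scrubbed text and a count of matches per category, so a
    pipeline can both release the cleaned text and audit what was removed.
    """
    counts: Dict[str, int] = {}
    for label, pattern in PHI_PATTERNS:
        text, n = pattern.subn(f"[{label}]", text)
        if n:
            counts[label] = n
    return text, counts


def contains_phi(text: str) -> bool:
    """Gate check: True if any listed identifier pattern is present."""
    return any(p.search(text) for _, p in PHI_PATTERNS)


# Constructed sample note (fictional values) used to exercise the scrubber.
SAMPLE_NOTE = (
    "Patient MRN: 00482913 seen on 03/14/2023. Call back at (555) 123-4567. "
    "SSN 123-45-6789 on file; account # 778812345 billed 2023-03-15."
)

if __name__ == "__main__":
    cleaned, found = redact_phi(SAMPLE_NOTE)
    print(cleaned)
    print(found)
```

Run as a filter in front of anything that leaves the protected boundary (log shipping, analytics exports, support tickets). It covers only identifiers with a fixed shape; names, street addresses and free-text references need a proper de-identification tool, and the Safe Harbor list itself is longer than the categories handled here.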
To Whom Does the HIPAA Privacy Rule Apply?
The HIPAA Privacy Rule protects individual PHI by governing the practices of the covered entities.
Covered entities are the people and organizations that hold and process PHI data for their customers – the ones required to report HIPAA violations and who are responsible for paying fines imposed by the Office for Civil Rights if and when a HIPAA violation occurs.
HIPAA defines these individuals and organizations as covered entities:
- Health Care Providers
  - Nursing homes
- Health Plans
  - Health insurance companies
  - Company health plans
  - Government provided health care plans
- Health Care Clearinghouses
  - These entities process healthcare data from another entity into a standard form.
What is the HIPAA Breach Notification?
The HIPAA Breach Notification Rule requires covered entities to notify an individual of improper access to their PHI within 60 days. It’s important to remember that even if ransomware encrypts ePHI, it’s considered a breach – and therefore falls under the HIPAA breach notification rule.
If there are more than 500 PHI records impacted, you must notify the Department of Health and Human Services (which in turn gets the OCR involved) – and you’re required to issue a press release about the breach.
If you are in the unfortunate situation of reporting a HIPAA violation, here is the information you must initially provide OCR:
- A list of the PHI made available, and an explanation of how the violation occurred.
- The unauthorized entities or individuals who viewed or had access to the PHI.
- Confirmation of whether the unauthorized entities actually viewed the PHI, or whether it was available but un-accessed.
- Any mitigation steps you have taken.
There is good news: if you don’t break that 500 record limit in a single event, you can report all of your smaller violations to HHS in a single batch once per year per the Breach Notification Rules.
HIPAA Enforcement Rule
The HIPAA Enforcement Rule governs the investigations that follow a breach of ePHI, the penalties that could be imposed on covered entities responsible for an avoidable breach of ePHI and the procedures for hearings. Although not part of a HIPAA compliance checklist, covered entities should be aware of the following penalties:
- A violation attributable to ignorance can attract a fine of $100 – $50,000.
- A violation which occurred despite reasonable vigilance can attract a fine of $1,000 – $50,000.
- A violation due to willful neglect which is corrected within thirty days will attract a fine of between $10,000 and $50,000.
- A violation due to willful neglect which is not corrected within thirty days will attract the maximum fine of $50,000.
Fines are imposed per violation category and reflect the number of records exposed in a breach, the risk posed by the exposure of that data and the level of negligence involved. Penalties can easily reach the maximum fine of $1,500,000 per year, per violation category. It should also be noted that willful neglect can lead to criminal charges being filed. Civil lawsuits for damages can also be filed by victims of a breach. The organizations most commonly subject to enforcement action are private medical practices (solo doctors or dentists, group practices, and so on), hospitals, outpatient facilities such as pain clinics or rehabilitation centers, insurance groups, and pharmacies. The most common disclosures to the HHS are:
- Misuse and unauthorized disclosures of patient records.
- No protection in place for patient records.
- Patients unable to access their patient records.
- Using or disclosing to third parties more than the minimum necessary protected health information
- No administrative or technological safeguards for electronic protected health information.
What is a HIPAA Violation?
There are many ways to violate HIPAA’s requirements. Most commonly, violations occur when negligence or incomplete compliance with the HIPAA Privacy and Security Rules leads to a data breach of PHI, or to the unauthorized release of PHI or access to it by unauthorized employees. Is a stolen laptop containing PHI a HIPAA violation? Not necessarily! A stolen laptop with encrypted PHI is not a HIPAA violation.
The OCR reviews tens of thousands of HIPAA cases every year. In 2018 only 10 cases resulted in HIPAA violations and a civil penalty.
Common HIPAA Violations
Here are some of the most common causes of a data breach that can lead to a HIPAA violation:
- Theft of equipment that stores PHI
- Hacking / malware / ransomware
- Office break-in
- Sending PHI to the wrong person or business partner
- Discussing PHI in public
- Posting PHI to social media
Fine Levels for HIPAA Compliance Violations
The Enforcement Rule contains the guidance for fines for HIPAA violations. There are four levels of fines.
The first level is “Did Not Know,” and the fines range from $100–$50,000 per incident with a yearly maximum of $1,500,000. The next level is “Reasonable Cause,” and those fines range from $1,000–$50,000 per incident with the same yearly maximum. The next two levels are for the more egregious violations, where the companies are negligent. If the company took steps to correct their negligent compliance behaviors, the fine is $10,000 – $50,000 per incident. If the Compliance Auditor rules that the company did not take corrective action, they will fine the company $50,000 per incident.
There are several examples of HIPAA resolutions on the OCR website. When you see fines that total over $1.5 million – the yearly maximum in the Enforcement Rule – that means there were several different data breaches or violations that occurred over several years.
Talk with one of our HIPAA Compliance Experts Today!
Contact us today so we can discuss how we can help you simplify HIPAA Compliance.