Data security and privacy are increasingly top of mind these days, especially regarding sensitive personal data such as our health information. The federal Health Insurance Portability and Accountability Act (HIPAA) addresses these concerns with its privacy and security rules.
Administered by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), HIPAA was one of the first laws to regulate how personal information is handled.
Enacted in 1996 as an administrative rule, HIPAA was originally intended to simplify the administration of health care, eliminate waste, prevent health care fraud, and ensure that employees who left their job could remain covered by their health insurance plan. But the legislation has undergone quite a few changes, evolving with the technologies and the times.
Today, compliance with the privacy, security, and breach notification rules in HIPAA is a must for “covered entities” such as health care providers, hospitals, and medical clinics. Those who fail may pay hefty penalties.
That needn’t be you. To help you avoid a data breach and big fines, we’ve compiled this comprehensive guide to HIPAA and HIPAA compliance. Each of its sections contains information about a different aspect of this important law, with links to more information should you desire a deeper dive.
If you’d like help preparing for your HIPAA audit, we can offer that, as well. And if you’re tired of juggling spreadsheets and want a user-friendly digital solution for worry-free risk and compliance management, we’re the ones to ask for that, as well. Why not make Reciprocity your one-stop HIPAA shop?
What is the Health Insurance Portability and Accountability Act?
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. law designed to streamline and improve health care as well as, most recently, place safeguards on protected health information (PHI), which includes health records. HIPAA compliance is required for all health care providers and their business associates. Violation can result in fines of up to $25,000 per single record compromised. The law was written to:
- Provide workers the ability to transfer and continue health insurance coverage when they change or lose their jobs
- Target health care fraud and abuse
- Mandate industry-wide standards for health care information on electronic billing and other processes
- Require secure and confidential handling of protected health information
HIPAA’s privacy rule and its security rule work hand-in-hand. They require HIPAA-compliant health care providers and organizations (“covered entities”) plus their business associates to develop and follow procedures that ensure the confidentiality and security of protected health information (PHI) when it is transferred, received, handled, or shared.
HIPAA’s requirements apply to all forms of PHI, including paper, oral, and electronic. It directs covered entities to share only the health information necessary to do business.
The History of HIPAA: A Nutshell View
In 1996, the U.S. Congress enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, recognizing that technological advances might result in an erosion of health information privacy. It was most recently revised in 2013.
The law as originally written contained an Administrative Simplification Rule requiring the federal Department of Health and Human Services (HHS) to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security. HIPAA also mandated federal privacy protections for individually identifiable health information or patient data.
HHS has published additional “rules,” or amendments to the original act:
- The HIPAA Privacy Rule, published in December 2000 and modified in August 2002, with compliance required in 2003 (2004 for small health plans)
- The HIPAA Security Rule, with which compliance was required in 2005 (2006 for small health plans)
- The Enforcement Rule
- The Omnibus Rule
- The Breach Notification Rule
What Are the Main HIPAA Rules?
HIPAA contains six rules, four of which are important for compliance:
The HIPAA Privacy Rule, setting national standards for the protection of individually identifiable health information by health plans, health care clearinghouses, and health care providers who conduct standard health care transactions electronically.
The HIPAA Security Rule, setting security standards for protecting the confidentiality, integrity, and availability of electronic protected health information (e-PHI). It requires covered entities to implement technical safeguards including access control (allowing access to e-PHI only to those persons or software programs that need it), transmission security, encryption, and other security measures.
The Omnibus Rule, which implements a number of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act to strengthen the privacy and security protections for health information established under HIPAA. As the penalty portion of HIPAA, the Omnibus Rule establishes accountability for organizations and the individuals managing PHI.
The Breach Notification Rule, requiring HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information (PHI). The rule states that covered entities suffering a data breach must notify affected individuals, the HHS Secretary, and, in certain circumstances, the media. In addition, business associates must notify covered entities in the event of a breach.
What Is the HIPAA Security Rule?
The HIPAA Security Rule is designed to ensure that patient information remains secure while enabling health care providers to use the latest technologies. It is regarded as the most complex and challenging of HIPAA rules with which to comply. The Security Rule comprises three areas:
1. Administrative safeguards.
This area concerns administrative actions as well as policies and procedures for securing electronic protected health information (e-PHI). It comprises seven sections:
- Security management process addresses organizational policies and procedures and training of employees in security and HIPAA compliance. It also spells out expectations for risk assessment/analysis, risk register, and risk management plans.
- Assigned security responsibility requires covered entities to designate someone as responsible for developing and implementing organizational policies and procedures in accordance with the Security Rule.
- Workforce security stipulates that policies and procedures must give employees the access to e-PHI that they need to do their work, and that this access is terminated when the need for it ends.
- Information access management says that covered entities must restrict PHI access to only those that need it.
- Security awareness and training stipulates that covered entities must train employees in security policies, procedures, and practices.
- Security incident procedures require policies and procedures in case of a security incident so that employees know what to do to protect e-PHI.
- Contingency plan addresses outages that aren’t breaches (caused by a loss of power or a disaster, for instance) and requires policies and procedures for ensuring the confidentiality, integrity, and availability of e-PHI in the event of a crisis.
- Evaluation says that covered entities must have up-to-date security monitoring and evaluation plans.
- Business associate contracts and other arrangements require contracts with service providers and other third parties that create, receive, maintain, or transmit PHI to meet certain HIPAA requirements.
2. Physical safeguards.
This area considers the concrete measures covered entities take to safeguard PHI, including building and equipment security. Sections are:
- Facility access controls, requiring policies and procedures for restricting physical access to the buildings where PHI and the systems containing it are kept, including data centers, IT staff offices, workstations, and peripheral equipment.
- Workstation use and security requires physical security with restricted access for all e-PHI-accessible workstations.
- Device and media controls guide policies for “receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.” Disposal of hardware, software and patient data should also be addressed.
3. Technical (cyber) safeguards.
These protect e-PHI and control technological access to it, requiring access controls, audit controls, integrity controls, authentication controls, and transmission security controls.
- Access controls concerns policies and procedures for restricting electronic access to PHI to certain authorized users and software.
- Audit controls stipulates that systems containing e-PHI must be monitored and their activity recorded, and covers audit procedures and frequency, evidence collection, results analysis, and penalties for employee HIPAA violations.
- Integrity controls addresses how to prevent and correct PHI errors as well as prevent unauthorized PHI changes or deletions.
- Person or entity authentication concerns how the identity of people and entities requesting access to PHI is authenticated.
- Transmission security concerns protecting e-PHI in transit from compromise, including by encryption.
HIPAA Compliance Risk Assessment: Key Elements
The number-one HIPAA violation is failing to have a complete and up-to-date risk assessment or risk management plan. This violation also incurs the highest fines.
The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issues harsh “willful neglect” penalties for not completing this assessment, whether or not a PHI breach has occurred. HIPAA security requirements allow no excuse for failing to safeguard patient information adequately.
Under HIPAA, a risk assessment should address risks and vulnerabilities in three areas: administrative, physical, and technical safeguards. Although HIPAA contains no risk assessment template per se, it does outline elements that a risk analysis should address.
- Scope of the analysis: Include all electronic media containing, processing, or storing e-PHI
- Data collection: Map the flow of data from start to finish as well as vulnerable areas on that map
- Vulnerabilities/threat identification: Identify and document reasonably anticipated threats to e-PHI as well as vulnerabilities that might create a risk of inappropriate access to, or disclosure of, e-PHI.
- Assessment of current security measures: Assess and document which security measures now safeguard e-PHI, whether they are required by the HIPAA Security Rule, and whether they are configured and used properly.
- Likelihood of threat occurrence: Determine the likely impact of risks to confidentiality, integrity, and availability of e-PHI and assess how great the impact would be if a threat were to trigger or exploit each vulnerability.
- Potential impact of threat: Determine what adverse effects an attack might have on the confidentiality, integrity, and availability of e-PHI and on the organization. Potential impacts should be listed with every vulnerability.
- Risk level: Assign risk levels for the threat and vulnerability combinations you’ve identified. Document the risk levels, including corrective actions to mitigate each level.
- Periodic review/update as needed: Some covered entities may do this yearly; others biannually or every three years, depending on their circumstances.
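The elements above describe a procedure rather than a template. As an added illustration (this code is not from the guide or from Reciprocity), the following Python risk register carries a few constructed e-PHI risks through that procedure: each entry records the asset in scope, the threat and vulnerability pair, the current measures, a likelihood and an impact rating, the derived risk level with its corrective actions, and a last-review date. The 3-point scales, the score thresholds, the yearly review interval and the sample entries are all assumptions; HIPAA prescribes none of them.

```python
"""Added example: a minimal e-PHI risk register that derives and documents
risk levels from likelihood and impact. Scales, thresholds, review interval
and the sample entries are constructed assumptions, not HIPAA requirements."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed 3-point ordinal scales for likelihood and impact.
LOW, MEDIUM, HIGH = 1, 2, 3


@dataclass
class RiskItem:
    asset: str                    # e-PHI-bearing system within the analysis scope
    threat: str                   # reasonably anticipated threat
    vulnerability: str            # weakness the threat could exploit
    current_measures: List[str]   # safeguards already in place
    likelihood: int               # LOW..HIGH
    impact: int                   # LOW..HIGH, across confidentiality/integrity/availability
    corrective_actions: List[str] = field(default_factory=list)
    last_reviewed: Optional[date] = None


def risk_score(likelihood: int, impact: int) -> int:
    """Likelihood x impact on the 1..3 scales; possible values 1, 2, 3, 4, 6, 9."""
    for value in (likelihood, impact):
        if value not in (LOW, MEDIUM, HIGH):
            raise ValueError(f"scale value out of range: {value}")
    return likelihood * impact


def risk_level(likelihood: int, impact: int) -> str:
    """Map the score to a documented level (thresholds are assumptions)."""
    score = risk_score(likelihood, impact)
    if score <= 2:
        return "low"
    if score <= 4:
        return "medium"
    return "high"


def prioritize(register: List[RiskItem]) -> List[Tuple[str, str, str]]:
    """Highest score first, so corrective actions are worked in risk order."""
    ordered = sorted(register, key=lambda r: risk_score(r.likelihood, r.impact), reverse=True)
    return [(r.asset, r.threat, risk_level(r.likelihood, r.impact)) for r in ordered]


def undocumented_actions(register: List[RiskItem]) -> List[str]:
    """Medium/high risks with no corrective action recorded: the analysis is incomplete there."""
    return [r.asset for r in register
            if risk_level(r.likelihood, r.impact) != "low" and not r.corrective_actions]


def reviews_due(register: List[RiskItem], today: date, interval_days: int = 365) -> List[str]:
    """Items never reviewed, or reviewed longer ago than the chosen interval."""
    cutoff = today - timedelta(days=interval_days)
    return [r.asset for r in register if r.last_reviewed is None or r.last_reviewed < cutoff]


def build_report(register: List[RiskItem], today_iso: str) -> dict:
    """Everything an auditor would ask to see, in one structure."""
    today = date.fromisoformat(today_iso)
    return {
        "prioritized": prioritize(register),
        "missing_actions": undocumented_actions(register),
        "reviews_due": reviews_due(register, today),
    }


# Constructed sample register (hypothetical assets and findings).
SAMPLE_REGISTER = [
    RiskItem("EHR database", "credential theft via phishing", "no MFA on remote access",
             ["password policy", "VPN"], HIGH, HIGH,
             ["enable MFA for all remote access"], date(2018, 5, 1)),
    RiskItem("Laptop fleet", "loss or theft of a device", "some laptops lack full-disk encryption",
             ["asset inventory"], MEDIUM, HIGH, [], date(2019, 3, 1)),
    RiskItem("Backup tapes", "media degradation", "restores are never tested",
             ["offsite storage"], LOW, MEDIUM, ["quarterly restore test"], date(2019, 6, 15)),
]

if __name__ == "__main__":
    import pprint
    pprint.pprint(build_report(SAMPLE_REGISTER, "2019-07-31"))
```

Run as a script, the report lists the three risks from highest to lowest level, names the laptop risk as lacking a documented corrective action, and marks the EHR entry as overdue for its yearly review.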
How to Get HIPAA Compliance: Your 2019 Checklist
Health Insurance Portability and Accountability Act (HIPAA) compliance primarily involves meeting criteria in HIPAA’s Privacy Rule and its Security Rule, which address three areas:
- Administrative safeguards
- Physical safeguards
- Technical (cyber) security safeguards
The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) administers and enforces HIPAA. It requires that all health care providers and health plans (“covered entities”), as well as their business associates, be HIPAA compliant. A Certified Public Accountant can verify compliance with an audit and compliance report issued under attestation standards AT-C Section 315: Compliance Attestation.
The reports typically express the auditor’s opinion regarding how well you comply with HIPAA’s Security Rule and breach-notification requirements as well as, when desired, the Privacy Rule. This checklist can help your organization reach compliance with this important regulation.
HIPAA’s Privacy Rule is primarily concerned with the protection of patient health information, including electronic information, or e-PHI, from unauthorized access and use.
- Be sure that your patients have given you permission to process, store, and use their information
- Review your third-party business agreements to make sure they require HIPAA-compliant handling of PHI
- Test your processes for honoring patient requests. If patients ask who has seen their health records and when, can you show them?
- Check your procedures to ensure that you can honor patients’ requests to hide their records from view or remove them from your database
- Provide HIPAA compliance training, educating employees in the proper handling of PHI
- Gather your documents and other evidence to demonstrate that you meet these criteria.
- Set and document your breach protocols, and keep detailed records of PHI breaches noting whom you notified and when, post-breach assessments, and how you remedied the causes of each breach.
HIPAA’s Security Rule sets security standards aimed at protecting e-PHI from breach and theft. The HITECH Act of 2009 also requires HIPAA-covered entities and business associates to promptly report breaches to data owners, OCR, and, in some cases, the media.
- Undertake regular risk assessments of your organization regarding privacy and security of PHI and e-PHI. A HIPAA security risk assessment checklist can help ensure that this assessment meets HIPAA protocols. Mitigate the risks you find, where necessary, or adjust your policies.
- Set texting/smartphone/email policies to restrict internal and provider-patient text messaging and emails to HIPAA-approved applications only.
- Strengthen your controls around the PHI that you store. This might include mobile and email encryption, firewalls, multi-factor authentication, and workforce security training and testing.
- Establish technical safeguards around e-PHI. The HIPAA technical safeguards checklist includes:
  - Access control: Limit access to patient information on an as-needed basis
  - Authentication: Determine whether PHI data has been altered, destroyed, or used without authorization
  - Encryption and Decryption Tools: All e-PHI must be encrypted before transmission
  - Audit Controls: Have systems in place to record attempts to access PHI, and document responses
  - Auto Log-Off Devices: Enable authorized users to remotely log off of their devices in case of loss or theft
  - Information system activity review: Implement procedures to regularly review records of information system activity, including audit logs, access reports, and security incident tracking reports. HIPAA requires you to maintain these logs for at least six years.
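The technical safeguards in the Security Rule section and in the checklist above are stated as requirements, not mechanisms. As an added example (not code from the guide or from Reciprocity), the Python below shows one way three of them fit together: audit controls (every login attempt and record view is appended to a log), integrity controls (each entry carries an HMAC chained to the previous entry, so editing or deleting a recorded event breaks verification), and information system activity review (a reviewer flags record views outside a user's role and repeated failed logins, and lists entries that have aged past the six-year retention floor). The signing key, the role table and the log events are constructed samples; a real deployment would keep the key in an HSM or secrets store rather than in source.

```python
"""Added example: tamper-evident e-PHI access log with a basic activity review.
Key, roles and events are constructed; the HMAC chain is the integrity control."""
import copy
import hashlib
import hmac
import json
from datetime import datetime
from typing import Dict, List, Set

RETENTION_YEARS = 6  # minimum log retention stated in the guide


class AuditLog:
    """Append-only log; each entry's MAC covers the event and the previous MAC."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries: List[dict] = []   # [{"event": {...}, "mac": "<hex>"}]

    def _mac(self, event: dict, prev_mac: str) -> str:
        payload = prev_mac.encode() + json.dumps(event, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def append(self, **event) -> None:
        prev = self.entries[-1]["mac"] if self.entries else ""
        self.entries.append({"event": event, "mac": self._mac(event, prev)})

    def verify(self) -> bool:
        """Recompute the chain; any altered, reordered or removed entry fails."""
        prev = ""
        for entry in self.entries:
            if not hmac.compare_digest(entry["mac"], self._mac(entry["event"], prev)):
                return False
            prev = entry["mac"]
        return True


# Constructed role table: which units' records each role may open (need-to-know).
ROLE_ACCESS: Dict[str, Set[str]] = {
    "nurse_oncology": {"oncology"},
    "billing": {"oncology", "cardiology"},
}


def review(log: AuditLog, role_access=ROLE_ACCESS, fail_threshold: int = 3) -> List[str]:
    """Activity review: out-of-role record views and repeated failed logins."""
    findings: List[str] = []
    failures: Dict[str, int] = {}
    for entry in log.entries:
        ev = entry["event"]
        if ev["action"] == "login" and not ev["success"]:
            failures[ev["user"]] = failures.get(ev["user"], 0) + 1
            if failures[ev["user"]] == fail_threshold:
                findings.append(f"{ev['user']}: {fail_threshold} failed logins")
        elif ev["action"] == "view_record":
            if ev["unit"] not in role_access.get(ev["role"], set()):
                findings.append(
                    f"{ev['user']} ({ev['role']}) viewed {ev['unit']} record {ev['record']}")
    return findings


def purge_candidates(log: AuditLog, today_iso: str) -> List[dict]:
    """Entries older than the retention floor; nothing younger may be discarded."""
    today = datetime.fromisoformat(today_iso)
    cutoff = today.replace(year=today.year - RETENTION_YEARS)
    return [e["event"] for e in log.entries
            if datetime.fromisoformat(e["event"]["ts"]) < cutoff]


def tamper_detected(log: AuditLog) -> bool:
    """Alter one recorded event in a copy of the log and confirm verify() fails."""
    forged = copy.deepcopy(log)
    forged.entries[2]["event"]["record"] = "P-9999"
    return not forged.verify()


def build_sample_log() -> AuditLog:
    """Constructed events: one stale login, a nurse reading outside her unit, a brute-force burst."""
    log = AuditLog(key=b"constructed-demo-key-do-not-use")
    log.append(ts="2012-06-30T12:00:00", user="old_acct", role="billing", action="login", success=True)
    log.append(ts="2019-07-01T08:02:11", user="jdoe", role="nurse_oncology", action="login", success=True)
    log.append(ts="2019-07-01T08:03:40", user="jdoe", role="nurse_oncology", action="view_record",
               unit="oncology", record="P-1001")
    log.append(ts="2019-07-01T08:10:05", user="jdoe", role="nurse_oncology", action="view_record",
               unit="cardiology", record="P-2040")
    for ts in ("2019-07-01T09:00:00", "2019-07-01T09:00:20", "2019-07-01T09:00:45"):
        log.append(ts=ts, user="mlee", role="billing", action="login", success=False)
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("chain intact:", sample.verify())
    print("tamper detected:", tamper_detected(sample))
    for finding in review(sample):
        print("finding:", finding)
    print("purge candidates:", len(purge_candidates(sample, "2019-07-31")))
```

The chained HMAC only proves that nobody without the key altered the history; truncating the log from the end is not detected unless the latest MAC is also anchored somewhere the log writer cannot reach (a separate system, a signed daily checkpoint). That anchoring, and restricting the key to the log-writing service, is where the "integrity controls" requirement does most of its work in practice.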
What Are HIPAA Standards for Transactions?
Under HIPAA, the U.S. Department of Health and Human Services (HHS) set transaction and code set standards establishing rules for electronically submitting, processing, and paying claims (“transactions”).
Health plans, health care clearinghouses, and health care providers must comply with the rules when transmitting health information in connection with these transactions, including:
- Electronic transmissions using any media, including physical transfer from one place to another of data on magnetic tape, disk, or CD; and
- Transmissions over the Internet, extranet, leased lines, dial-up lines, and other private networks.
Transactions to which the standards apply:
- Health claims or similar encounter information
- Health care payment and remittance advice
- Coordination of benefits
- Health claims status
- Enrollment and unenrollment in a health plan
- Eligibility for a health plan
- Health plan premium payments
- Referral certification and authorization
What Happens During a HIPAA Audit?
Every covered entity and business associate is subject to a HIPAA audit. The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) conducts these audits periodically to check whether covered entities and their business associates comply with HIPAA’s Privacy, Security, and Breach Notification rules. OCR pays the costs of a HIPAA compliance audit.
If your organization is getting a HIPAA audit, it’s typically because one of these things happened:
- OCR selected you for one of its periodic random audits
- You have experienced a breach and reported it to OCR
- Someone has filed a complaint about your PHI practices
Whatever the cause, the process is the same:
1. OCR will send your organization an email notifying you that an audit is impending, and asking for documentation. You will have only 10 days to provide the documents, so you may wish to start collecting what you need right away.
2. The agency may conduct a desk audit, in which someone at your organization answers questions to help OCR determine whether it is compliant, or an on-site audit. The email notification will tell you which type of audit to expect, introduce the audit team, describe the audit process, and discuss the agency’s expectations.
3. OCR auditors will examine the documents you submit, and develop draft findings, which the agency will share with you. It will include your responses to the findings in its HIPAA compliance attestation report.
OCR HIPAA audits focus on requirements in Title II of the legislation, which addresses the privacy and security of health-related data. The HIPAA audit protocol in 2019 calls for assessing compliance with Privacy Rule requirements in seven areas:
- Notice of privacy practices for PHI
- Rights to request privacy protection for PHI
- Access of individuals to PHI
- Administrative requirements
- Uses and disclosures of PHI
- Amendment of PHI
- Accounting of disclosures
It covers Security Rule requirements, as well, including:
- Access control
- Security controls
- Breach reporting and remediation
- Your risk assessments/analyses, risk register, and risk management plans. Make sure these are complete. In the OCR’s first phase of HIPAA audits, 66 percent of entities did not have thorough and up-to-date risk assessments in place.
- HIPAA and security training manuals and records of training
- Breach policy and response system to show that everyone understands their roles and duties before, during, and after a cybersecurity incident
- Proof of technical controls, including data encryption, systems and network monitoring, and firewalls
- Proof of adequate physical security of your perimeter and premises
- Business continuity plans
- HIPAA access and system audit logs. Auditors will validate that you meet requirements for log maintenance (at least six years), the information recorded, (system activity including audit logs, access reports, and security incident tracking reports), and daily review.
Although the costs of a HIPAA audit are borne by OCR, getting to HIPAA compliance can be a long and expensive process—and if you fail, the fines can be steep. To ensure your readiness come audit time, check out Reciprocity’s HIPAA compliance audit checklist.
What is a HIPAA Violation?
A HIPAA violation is a failure to comply with any of HIPAA’s regulations or standards. The law spans 115 pages, and there are hundreds of ways an organization can violate the rules. The most common infraction, by far, is failing to obtain a risk assessment or analysis. Others involve violating the Notice of Privacy Practices supplied to patients.
Other HIPAA violation examples:
- Discussing protected health information (PHI) in public
- Allowing unauthorized access to PHI (inadequate access controls)
- Disposing of PHI improperly
- Failing to manage risks/implementing improper security safeguards around PHI
- Failing to maintain and monitor PHI access logs
- Failing to sign HIPAA-compliant business associate agreements with vendors
- Not providing patients with copies of their PHI on request
- Not implementing access controls around PHI
- Not terminating access rights to PHI when it’s no longer needed
- Disclosing more PHI than is needed (violating the “minimum necessary” rule)
- Not providing HIPAA training and security awareness training
- Theft of patient records or PHI-storing equipment via office break-ins or other means
- Unauthorized uses, releases, and disclosures of PHI
- Posting PHI online or on social media without permission
- Sending PHI incorrectly, including emailing or texting unencrypted e-PHI
- Failing to encrypt e-PHI or use an alternative method of preventing unauthorized access or disclosure
- Failure to notify an individual (or the Office for Civil Rights) of cyberattacks or breaches involving PHI within 60 days of discovery
- Failure to document compliance efforts
HIPAA Compliance Violations: Fine Levels
HIPAA compliance violations can be costly. The penalties for HIPAA noncompliance depend on the level of negligence and the number of patient records affected: fine levels range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for multiple violations of the same provision. A HIPAA violation or violations can also, in some cases, result in civil lawsuits or jail time.
HIPAA fine levels are as follows:
- First tier—$100 to $50,000 per incident, up to $25,000 per year: The covered entity did not know of, and could not reasonably have known of, the violation.
- Second tier—$1,000 to $50,000 per incident, up to $100,000 per year: The covered entity knew, or by exercising reasonable diligence, would have known, of the violation, though they did not act with willful neglect.
- Third tier—$10,000 to $50,000 per incident, up to $250,000 per year: The covered entity acted with “willful neglect” and corrected the problem within 30 days.
- Fourth tier—$50,000 per incident, up to $1.5 million per year: The covered entity acted with willful neglect and failed to make a timely correction.
Important: An incident constitutes a violation of a single record. In other words, one breach by a malicious hacker that compromises many records would constitute many incidents. Most HIPAA violations include 500 or more incidents—more than 500,000, in some cases.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) handles HIPAA violation reporting and enforces compliance with the HIPAA Privacy and Security Rules by:
- Investigating complaints
- Conducting HIPAA compliance audits
- Providing education and outreach about the HIPAA rules
If the OCR determines that a HIPAA violation has occurred, it will try to resolve the issue within 30 days using one of the following means:
- The covered entity’s voluntary compliance
- OCR corrective action
- A resolution agreement between the agency and the covered entity
State attorneys general can also hold HIPAA-covered entities accountable for the exposure of state residents’ PHI, and can file civil actions in federal district courts. Fines can range from $100 to $25,000 per violation category per calendar year. Should a data breach affect residents of multiple states, the covered entity may pay fines to more than one attorney general.
HIPAA violations can also result in lawsuits and criminal penalties for the covered entity or business associate and for the employees deemed responsible for rule breaches.
The OCR usually treats HIPAA violations as a civil offense. However, HIPAA’s Administrative Simplification regulations contain a criminal enforcement provision, as well. Health care professionals who mishandle PHI may be prosecuted by the U.S. Department of Justice. Penalties may include restitution of funds received in exchange for PHI, as well as fines and imprisonment as follows:
- “Reasonable cause” or “no knowledge” – Up to $50,000 and one year in prison
- Obtaining PHI under false pretenses – Up to $100,000 and five years
- Obtaining PHI for personal gain or with malicious intent – Up to $250,000 and 10 years
HIPAA Violations Fines in 2019
As of July 31, 2019, the OCR reported levying violation penalties of $102.7 million for improper health data handling or security from 65 health care providers including national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices.
Violations range from unencrypted data to employee errors to data storage on unsecured devices.
The most commonly investigated complaints in 2019 have been:
- Impermissible uses and disclosures of protected health information
- Lack of safeguards of protected health information
- Lack of patient access to their protected health information
- Lack of administrative safeguards of electronic protected health information
- Use or disclosure of more than the minimum necessary protected health information
The most common types of covered entities required to take corrective action in 2019 have been, in order of frequency:
- General hospitals
- Private practices and physicians
- Outpatient facilities
- Health plans (group health plans and health insurance issuers)
Also, regulators have increasingly focused on the compliance of business associates: third parties that process or otherwise handle PHI for covered entities.
HIPAA vs. FERPA: What's the Difference?
The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education and health records. It requires student or parent permission before school health care providers can release student health information to entities outside the school, and allows students and their parents access to their health information.
FERPA applies to public primary and secondary schools and school districts and most private and public post-secondary institutions, including medical and other professional schools that receive funding from the U.S. Department of Education (DoE).
Non-students’ health information, even for those treated at a school or university clinic, falls under the auspices of the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule. The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) enforces HIPAA.
How to Choose HIPAA Compliance Software
The Health Insurance Portability and Accountability Act (HIPAA) has 115 pages of requirements and privacy, security, and breach notification rules your organization must be in complete compliance with or risk crippling penalties, even jail time.
Complying with and maintaining all these regulations can seem impossible. The right management tools, though, can make the task much easier.
Spreadsheets aren’t good enough, not in today’s world. So what is the key to HIPAA compliance? The Digital Age calls for digital solutions, such as HIPAA compliance software.
HIPAA software can help your organization demonstrate its due diligence and due practice in implementing and maintaining its HIPAA compliance.
With so many solutions, though, how will you choose? Here are some tips:
- The best HIPAA compliance software is also HIPAA risk assessment software. The number one HIPAA violation is failing to have a risk assessment or analysis done. Many organizations put off this task or neglect it completely because it’s an onerous, time-consuming task. Unless, that is, your software can do it for you. Reciprocity’s ZenGRC software-as-a-service performs HIPAA self-audits, including risk assessments, in just a few clicks, and as often as you like—for up-to-the-minute views of your organization’s security and risk posture.
- The best HIPAA compliance software is user-friendly. To manage, you’ve got to measure, but you also need to comprehend the results. ZenGRC’s color-coded dashboards provide an integrated view of HIPAA-regulated data, compliance, and services, showing where your gaps are and how to fill them.
- The best HIPAA compliance software stays up-to-date. Changes in HIPAA and HITRUST CSF, the framework designed to help with HIPAA compliance, occur at a head-snapping pace. Software that updates itself automatically can ensure that you’re never behind the compliance curve.
- The best HIPAA compliance software keeps track of your compliance efforts. There’s no such thing as HIPAA certification, but the U.S. Department of Health and Human Services’ Office for Civil Rights will likely send an auditor your way to assess your compliance with the law. You know the rule for dealing with auditors: document, document, document. ZenGRC gathers and stores your HIPAA-compliance documents in a “single source of truth” repository for easy retrieval come audit time.
Your patients rely on your organization to keep their health information private and secure. Complying with HIPAA helps ensure that their trust is well placed. Judging from the number of HIPAA violations and the many millions in fines levied in the first half of 2019 alone, however, many health care providers fail to live up to that trust.
Maybe they’re busy. Health care is a demanding field, and no one can do it all. Using a quality compliance software can make the job of HIPAA compliance much easier, enabling you to better do the work for which you entered the field: caring for your patients, and improving their health.