“HIPAA compliance” describes the legal steps taken to ensure the privacy of people’s healthcare data — also known as protected health information (PHI). HIPAA refers to the Health Insurance Portability and Accountability Act; a set of regulations applied to those considered as “covered entities” or “business associates.”
Covered entities are individuals working in the healthcare field with access to PHI, such as doctors, nurses, and insurance companies. Business associates, meanwhile, are people who work with covered entities in a non-healthcare capacity but still have access to PHI. These include lawyers, administrators, or IT staff working in the healthcare industry.
As healthcare organizations handle strictly confidential data, fines for HIPAA noncompliance can cost a company millions of dollars. Just last year, the University of Texas’ cancer center paid $4.3 million in HIPAA violations.
To avoid these steep charges (and potential damage to your business image), ensure your company complies with the following standards.
HIPAA Security Rule
The HIPAA Security Rule addresses the protection of PHI that is stored or transmitted electronically, whether at rest or in transit. Technical, physical, and administrative safeguards are used to ensure full compliance with this rule.
- Technical safeguards refer to the technology used to protect and authorize access to PHI. Businesses must ensure that any digital PHI leaving their company servers is encrypted, so that the data is useless and unreadable to anyone who obtains it in a breach.
- Physical safeguards address where this information is stored (e.g., the cloud, company servers, remote data centers, etc.) and access to such locations. They also refer to the security of workstations and mobile devices.
- Administrative safeguards focus on the policies that tie technical and physical safeguards together. These include risk assessments and management, developing contingency plans, and training employees in security protocols.
HIPAA Privacy Rule
The HIPAA Privacy Rule refers to the usage and disclosure of PHI. This rule protects the privacy of such information, setting conditions and restrictions on usage without patient authorization.
Under the Privacy Rule, patients also reserve the right to access and examine their health records and to request corrections if necessary. Covered entities are then required to respond to these access requests within 30 days. Additionally, patients must be issued Notices of Privacy Practices (NPPs) detailing the circumstances under which their data will be used or distributed.
When PHI is to be used for research or fundraising purposes, covered entities must obtain written permission from the patients involved.
Covered entities are also advised to train their employees in complying with such privacy and security standards.
HIPAA Breach Notification Rule
The Breach Notification Rule contains the necessary steps a covered entity must take in the case of a PHI breach.
Entities are required to immediately notify the Department of Health and Human Services in such circumstances. If the breach affects more than 500 patients, entities must also inform the media. Smaller breaches (those affecting fewer than 500 patients) must still be reported to the Office for Civil Rights (OCR) of the Department of Health and Human Services.
When notifying others of a breach, entities must outline the nature of the PHI involved (e.g., types of personal identifiers); the unauthorized person who accessed the data; whether the data has actually been accessed or viewed; and the extent to which security risks have been mitigated.
These notifications must also be made no later than 60 days after a breach is discovered.
HIPAA Omnibus Rule
The HIPAA Omnibus Rule addresses the significant changes made to previous HIPAA regulations, including amended definitions and additional restrictions.
These updates include binding business associates to the same Security and Privacy Rules as covered entities, requiring them to implement appropriate safeguards and follow breach notification procedures.
The Omnibus Rule also states that PHI can no longer be used for marketing purposes. Additionally, it expanded the term “workforce” to include employees, volunteers, and trainees.
Businesses must now issue new HIPAA-compliant Business Associate Agreements and ensure their privacy policies are updated to reflect these changes. Staff must also be trained to comply with the Omnibus Rule amendments, and that training must be documented.
Keeping your business HIPAA-compliant is vital to keeping your healthcare data safe from hackers and identity thieves. As such, it’s important to continually evaluate compliance and apply proper risk management strategies. Safebit Solutions offers Texas-based businesses a wide range of cybersecurity services for protecting your online information. To learn more about our solutions, get in touch with our IT experts today.