Digital technology makes healthcare organizations more effective and efficient, reducing the potential for human error and speeding clinical communications. But it can also threaten patient privacy. Congress recognized this risk in the mid-90s — a decade before smartphones and nearly 15 years before required electronic health records (EHR) — and passed the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This legislation set national standards for patient privacy and, eventually, for healthcare data security as well.
Since then, digital technology has rapidly evolved, and so has HIPAA IT compliance.
What is HIPAA compliance? What are the rules and the consequences of breaking those rules? And what are the HIPAA compliance requirements that IT leaders need to understand?
In the beginning, healthcare providers were the only ones who needed to be well-versed in HIPAA requirements. Now, understanding HIPAA compliance is a priority for healthcare IT departments as well.
HIPAA legislation was initially created to “improve the portability and accountability of health insurance coverage” when people changed jobs. It also included Administrative Simplification provisions to reduce healthcare fraud and waste. Since then, the federal government has added a series of rules related to patient privacy and data security. These rules help to ensure that healthcare organizations effectively secure their patients’ protected health information (PHI) — names, phone numbers, birthdates, Social Security Numbers, and any other data that can be used to identify an individual patient.
The U.S. Department of Health and Human Services (HHS) regulates HIPAA compliance, and the HHS Office of Civil Rights (OCR) enforces the HIPAA Rules. OCR provides compliance guidance, investigates possible HIPAA violations, and takes action against non-compliant organizations.
Sometimes that action comes in the form of a written warning or technical assistance, but there’s often a hefty fine. Depending on the severity of the violation, organizations can be fined between $25,000 and $250,000. OCR penalized 10 organizations in 2019, with fines totaling $12.27 million.
HIPAA regulations apply to individuals or organizations that meet the definition of a “Covered Entity” or a “Business Associate.”
Covered Entities are healthcare entities that create, maintain, or transmit PHI, including:
Business Associates are individuals or institutions that perform certain business functions or activities on behalf of covered entities, requiring them to have access to PHI. Business associates might include:
Before business associates can legally handle PHI, they must have a written business associate contract (BAC) with the covered entity. The BAC establishes exactly what the business associate will do with the data and requires strict HIPAA compliance.
What is HIPAA compliance? The answer to that question has changed dramatically in the quarter-century since HIPAA was first enacted. Since then, HHS has instituted a series of HIPAA Rules that have little (if anything) to do with health insurance portability. These rules include:
What is HIPAA compliance? It’s more than merely following the rules. HIPAA-beholden entities must also prove they’re following the rules and doing their best to prevent possible data breaches.
To help Covered Entities and Business Associates meet HIPAA IT compliance requirements, HHS has outlined “The Seven Fundamental Elements of an Effective Compliance Program.” These elements include:
Organizations must develop internal HIPAA policies and procedures to ensure compliance with all HIPAA Rules. These policies must be documented and regularly updated. Organizations must document all HIPAA compliance efforts, including HIPAA office guidelines, self-audits, remediation plans, and staff training sessions. OCR will want to see this information during HIPAA investigations or audits.
HIPAA compliance is complicated, and the stakes are high. It helps to have one person overseeing the process, with the support of an interdisciplinary compliance committee that can provide the information and resources needed to meet HIPAA requirements.
Both covered entities and business associates are required to conduct annual staff training on HIPAA office guidelines. Employees must attest (in writing) that they understand HIPAA policies and procedures.
HIPAA compliance is a group effort and must be a priority for everyone in healthcare — from administrative leadership, to medical professionals, to IT departments. Annual training is not enough to ensure it’s top of mind for staff. It must be part of the culture, supported by technology. (For example, instead of just telling employees not to send text messages with PHI, hospitals can provide HIPAA compliant texting solutions.)
Organizations must conduct annual self-audits to assess how well they’re meeting HIPAA standards and identify gaps in their Administrative, Technical, and Physical safeguards. Then they must create written remediation plans to address those gaps and correct any HIPAA violations.
HIPAA requirements are complex and ever-changing, and organizations often learn as they go. By sharing new insights and standards with frontline employees, leaders can help ensure everyone in the organization understands the importance of HIPAA compliance and their role in achieving it.
Organizations must have a documented breach notification process that explains how data breaches will be reported to OCR and how patients will be notified about compromised data.
A HIPAA violation is any data breach that compromises the privacy of PHI or ePHI, but not all HIPAA violations are created equal. They can be minor breaches (a nurse gossiping about a patient and compromising one person’s privacy), major breaches (a hacker accessing thousands of patients’ PHI), and accidental breaches (a doctor discussing PHI with a colleague in an elevator where others can hear).
The most common HIPAA violations fall into the following categories:
HIPAA Privacy Rule “Use and Disclosure” violations are among the most common breaches. This happens anytime a healthcare provider or Business Associate shares PHI with someone who is not permitted to have that information. Sentara Hospitals, for example, was fined $2.175 million last year when the health system sent bills containing PHI to the wrong patients and then failed to accurately report the number of affected individuals.
Just because someone works for a covered entity or business associate doesn’t mean they’re allowed to view all patient data. The HIPAA Privacy Rule includes a “minimum necessary” provision, which basically states PHI should be viewed and shared on a need-to-know basis. For example, an IT technician performing routine updates on the EHR system doesn’t need to access patient records to do the job. A billing clerk needs to know which services were performed but doesn’t need to view the results of patient lab work, while clinicians don’t need to view backend systems with patient billing information or Social Security numbers. That’s why it’s important for HIPAA-beholden entities to leverage strict access controls that limit PHI access based on roles, responsibilities, and relevant care team members.
Medical data is valuable on the black market, making healthcare providers an increasingly popular target for hacking and phishing. In Q4 of last year, ransomware attacks against healthcare providers grew by 350 percent, according to a recent Corvus report. Lost or stolen devices containing PHI and unsecured wireless networks can also compromise PHI. The HIPAA Security Rule lays out administrative, physical, and technical safeguards that organizations must have in place to help protect their data from these attacks. If data is breached and safeguards weren’t in place, organizations can receive hefty fines.
The HIPAA Privacy Rule grants individuals the right to review and obtain copies of their PHI and most of their medical records. When healthcare organizations fail to provide that information in a timely manner or charge patients unreasonable fees for copies of their records, they commit one of the most common HIPAA violations. Fifty-one percent of healthcare organizations are not fully compliant with the HIPAA Right of Access, according to a 2019 Citizen Health study. To address this issue, HHS launched a new HIPAA Right of Access enforcement initiative last year.
While it’s useful for IT leaders to understand the big picture of HIPAA, the Security Rule is by far the most relevant for HIPAA IT compliance. Healthcare organizations are required to do everything possible to secure PHI and protect it from attack. That’s getting harder to do without skilled, experienced IT engineers who understand HIPAA network requirements.
The vast majority (93 percent) of healthcare organizations have experienced a data breach over the past three years, and 57 percent have had more than five, according to a new Black Book Research survey. Worse yet, 96 percent of healthcare IT professionals believe that data attackers are “outpacing their medical enterprises.”
At the same time that healthcare institutions face increased digital threats, their employees are demanding new digital solutions and smartphone-based clinical communications, and their patients are demanding multichannel communication. These tools give organizations a competitive advantage but can also create a security disadvantage.
That’s why healthcare leaders are looking to IT for help — not just securing legacy technology and databases against new threats, but also implementing cutting-edge communication solutions that meet strict HIPAA Messaging Compliance guidelines. This is uncharted and risky territory for health organizations, but a HIPAA-savvy IT department can help see them through.
For more on HIPAA in IT, download the “How to Become HIPAA Compliant (Step-by-Step Guide).” Plus, learn more about how TigerConnect meets HIPAA approval.