What is HIPAA and How to Become Compliant

What is HIPAA

HIPAA stands for Health Insurance Portability and Accountability Act. HIPAA is a U.S. law that was enacted in 1996 to protect sensitive patient health information from being disclosed without the patient's consent or knowledge and is enforced by the Department of Health and Human Services (HHS). The purpose of HIPAA is to protect the privacy of patients’ medical information and secure the handling of health information in the age of electronic health records. HIPAA also helps to prevent the misuse of patient information, making it a critical law for healthcare providers, insurers, and other entities that handle patient data. It has two main components:

1. Privacy Rule: Establishes national standards for the protection of individuals' medical records and other personal health information. It gives patients rights over their health information, including rights to examine and obtain a copy of their health records and to request corrections.
2. Security Rule: Sets national standards for securing electronic protected health information (ePHI). It requires healthcare providers and organizations to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI.

Understanding how each rule should be approached within an organization is determined by the type of healthcare data that is being exchanged or stored. 

What is the Difference Between ePHI and PHI

PHI (Protected Health Information) and ePHI (Electronic Protected Health Information) are terms used in the context of healthcare data in the United States. To understand how each differ, here's a breakdown of the two:

PHI: PHI refers to any information that can identify an individual and relates to their past, present, or future physical or mental health or condition, healthcare provision, or payment for healthcare services. PHI can exist in any format, including paper records, oral communication, and electronic records. Examples of PHI are:

• Name
• Address (including street, city, county, ZIP code)
• Birthdate
• Social Security Number
• Medical records, lab results, or X-rays
• Billing information

ePHI (Electronic Protected Health Information): ePHI is a subset of PHI that is created, stored, transmitted, or received electronically. ePHI includes:

• Electronic medical records
• Emails containing patient information
• Digital X-rays or MRI scans
• E-prescriptions
• Any other data on electronic devices like computers, servers, or mobile devices

While PHI can exist in any format (paper, oral, electronic), ePHI is limited to electronic formats. Both PHI and ePHI have security requirements, but ePHI is subject to additional safeguards under the HIPAA Security Rule, which specifically addresses the protection of electronic data. In summary, all ePHI is PHI, but not all PHI is ePHI, with the main distinction being the electronic format.

The Requirements for HIPAA Compliance

HIPAA compliance requires physical, network, and process security measures to be in place. This means having secure facilities, networks, and systems; ensuring that only authorized individuals have access to PHI; and having policies and procedures in place to prevent unauthorized access, use, or disclosure of PHI. To be HIPAA compliant, companies must follow three key requirements:

1. The privacy rule
2. The security rule
3. The breach notification rule

Additionally, companies must ensure that the following are in place:

• Business Associate Agreements (BAAs): Companies must establish BAAs with any third-party service providers handling PHI, ensuring they also comply with HIPAA.
• Training and Awareness: Regular training for employees on HIPAA requirements and security practices must be provided.
• Documentation: Companies must maintain comprehensive records of HIPAA compliance efforts, including policies, procedures, and training logs must be in place.

Meeting and maintaining HIPAA compliance requires an ongoing and deliberate effort; organizations that break compliance may be subject to hefty fines. To make sure efforts can be maintained, using a HIPAA checklist is highly suggested. 

Who Needs to Be HIPAA Compliant

Any entity that handles PHI must be HIPAA compliant. This includes healthcare providers, health plans, healthcare clearinghouses, and their business associates who process or access PHI.

How to Become HIPAA Compliant

TLDR; a third-party certification company like HITRUST needs to audit your organization to see if your practices meet HIPAA requirements, and if they do, you’ll get approved.

Any entity managing healthcare data must comply with HIPAA, but what they need to have in place will differ based on the specificities of their environment. HIPAA compliance is not a one-size-fits-all standard. In fact, the Security Rule has a section called "Flexibility of Approach" that encourages organizations to decide which security measures to implement based on the following factors: 

• The size, complexity, and capabilities of your organization
• Your organization's  technical infrastructure, hardware, and software security capabilities
• The costs of security measures
• The likelihood and impact of potential risks to electronic PHI
  

Here’s a list of 7 suggested tips to become and stay compliant:

To follow the above listed tips, an organization needs to be able to:

1. Have total visibility over how its products and systems collect health information
2. Fully understand how and why it discloses health information to third parties
3. Implement privacy and security processes
4. Keep accurate records of its data processing activities
5. Publish up-to-date transparency notices

What are HIPAA Violations and Their Repercussions

What would happen if an entity violated HIPAA? There are categories of repercussions depending on what causes the violation and why it happens. First, it’s important to understand how violations occur. Violations happen when an entity fails to comply with the regulations and may be deliberate or unintentional. Some of the most common HIPAA violations include:

• Unauthorized access
• Lack of encryption
• Improper disposal of PHI
• Failure to conduct risk assessments
• Failure to report data breaches
• Inadequate access controls
• Impermissible uses and disclosures of PHI on social media

The Tiers of HIPAA Violations‍

The repercussions of violating HIPAA requirements are dependent on the severity and cause. To maintain flexibility and standardization, there are 4 violation tiers:

• Tier 1: An unintentional violation that could not have realistically been avoided. The minimum fine per violation is $100 and can reach up to $50,000.
• Tier 2: An unintentional violation occurred that could have been avoided but was not due to willful neglect. The Minimum fine of $1,000 per violation up to $50,000
• Tier 3: A violation due to willful neglect, where an attempt to correct the violation was made within a 30-day window. The minimum fine per violation is $10,000 and can go up to $50,000.
• Tier 4: A violation of willful neglect, where no attempt to correct the violation was made within a 30-day window. The minimum fine is $50,000 per violation.

While violations can be unintentional, they are avoidable and so are the fines. By implementing relevant guardrails, organizations can mitigate risks and costly penalties associated with violating HIPAA requirements. However, making sure the necessary steps are being completed all of the time can be an overwhelming responsibility. Luckily there are companies designed to ease the effort needed to maintain compliance.

Use Riscosity to Maintain HIPAA Compliance

Riscosity enables teams with the tools needed to centrally manage PII, ePHI, and any other sensitive data, as required by HIPAA. Entities can track all of the sensitive data that is being shared with any system and ensure that it never mistakenly goes to the wrong place. Here's how Riscosity helps maintain compliance:

1. Visibility: Riscosity enables a holistic view of all data flows across an entire ecosystem, helping teams understand exactly where and how sensitive information is used.
2. Enforceable policies: Riscosity provides customizable policies to ensure data is always held and used based on individual standards.
3. Data flow governance: Riscosity enables teams to easily set rules on each data flow, ensuring PHI is only sent where necessary.  
4. Violation Detection: Riscosity provides proactive alerts of any observed abnormalities or violations.
5. In-flight Remediation: With Riscosity, any identified violation can be redacted, blocked, and redirected before going to the wrong destination.

Book a time with an expert to see how it works now.