HIPAA (Health Insurance Portability and Accountability Act) is a federal law requiring organizations to keep patient data confidential and secure. If you are an organization that handles protected health information (PHI), a HIPAA compliance report will demonstrate you have the required safeguards in place to protect patient information.
There are three major components to HIPAA rules and regulations – the Security Rule, Privacy Rule, and Breach Notification Rule. This article will give background information on these three components and provide a checklist you can use when seeking HIPAA compliance.
What is HIPAA Compliance?
HIPAA compliance is a process for covered entities and business associates to protect and secure PHI in a way that complies with the established Privacy, Security, and Breach Notification Rules. Let’s review what information classifies as protected healthcare information and the professions bound by HIPAA regulations.
- PHI is protected healthcare information. This includes items such as paper documents, X-Rays, and prescription information. Electronic protected health information (ePHI) is PHI that includes digital medical records, electronic MRI scans, names, addresses, and dates (birthdays, hospital admission, discharge dates, etc.) stored or transmitted electronically.
- Covered entities are individuals and organizations working in healthcare who have access to PHI. These include doctors, surgeons, nurses, psychologists, dentists, chiropractors, hospitals, clinics, nursing homes, pharmacies, health plans, health insurance companies, HMOs, and company health plans. They frequently work with sensitive health information and are therefore bound by HIPAA regulations.
- Business associates are individuals and entities that perform activities involving the use or disclosure of protected health information on behalf of, or provide services to, a covered entity. This could include, but is not limited to, lawyers, accountants, administrators, and IT professionals.
Compliance with the HIPAA Security Rule
The HIPAA Security Rule requires covered entities accessing or handling ePHI to follow appropriate technical, physical, and administrative safeguards designed to keep the healthcare data confidential and secure.
- Technical Safeguards refers to the following:
- Access Controls. Only authorized persons may have access to ePHI.
- Audit Controls. Records of those accessing ePHI must be kept for auditing.
- Integrity Controls. Measures must be established to confirm ePHI has not been improperly altered or destroyed.
- Transmission Security. Security measures must be established to guard against unauthorized access to ePHI transmitted electronically.
- Physical Safeguards refers to the following:
- Facility Access and Control. Physical access to facilities must be limited to authorized personnel.
- Workstation and Device Security. Policies and procedures must be established specifying the proper use of and access to workstations and electronic media.
- Administrative Safeguards refers to the following:
- Security Management Process. Potential risks to ePHI must be identified and analyzed, and security measures implemented to reduce these risks.
- Security Personnel. The entity must appoint someone from the organization as the designated security official responsible for developing and implementing its security policies and procedures to assure compliance with the Security Rule.
- Information Access Management. Policies and procedures must be established authorizing access to ePHI only when necessary.
- Workforce Training and Management. Workforce members handling ePHI must be trained on security policies and procedures, supervised, and sanctioned when they violate these policies and procedures.
- Evaluation. Periodic assessment must be conducted to evaluate how well security policies and procedures meet the requirements of the Security Rule.
Compliance with the HIPAA Privacy Rule
The Privacy Rule addresses the use and disclosure of PHI by covered entities and outlines an individual’s privacy rights so they can understand their health information and control how it’s used. This rule covers all personal identifiers handled by a covered entity or its business associates in any media (electronic, paper, or spoken word).
With the exception of disclosure of PHI for treatment, payment, or healthcare operations, complying with the Privacy Rule means that PHI is only disclosed when authorization is given by the patient, patient’s legal representative, or decedents, or:
- When required by law
- When in the patient’s or the public’s interest
- To a third-party HIPAA covered entity where a relationship exists between that party
Additionally, the Privacy Rule limits disclosure of PHI to the minimum necessary for the stated purpose.
Compliance with the Breach Notification Rule
The HIPAA Breach Notification Rule requires covered entities and their business associates to provide notification following a breach, or the impermissible use or disclosure of PHI. Patients and the Department of Health and Human Services must be notified of breaches, as well as the media if the breach affects more than 500 patients. Notification must be reasonably prompt and no later than 60 days following discovery of the breach.
Breaches affecting fewer than 500 individuals must be reported to the Office for Civil Rights (OCR) web portal on an annual basis. Breach notifications should include:
- The nature of the PHI and the types of personal identifiers exposed
- The unauthorized person who accessed or used the PHI or, if known, to whom the disclosure was made
- Whether the PHI was acquired or viewed (if known)
- The extent to which the damage or risk of damage has been mitigated
HIPAA Compliance Checklist
Covered entities and business associates can use the following as a guide to help establish or remain in HIPAA compliance.
- Identify gaps in audits and document deficiencies through a HIPAA gap analysis
- Create and document remediation plans to address deficiencies found in audits
- Update and review these remediation plans annually
- Retain records of documented remediation plans for six years
- Ensure staff completes HIPAA training
- Document their training
- Designate a staff member to be the HIPAA Compliance, Privacy, and/or Security Officer
- Maintain policies and procedures relevant to the annual HIPAA Privacy, Security, and Breach Notification Rules
- Ensure staff reads and legally attests to the policies and procedures
- Maintain documentation of their legal attestation
- Maintain documentation for annual reviews of the policies and procedures
- Identify vendors and business associates who may handle PHI
- Establish agreements with all business associates
- Assess the HIPAA compliance of business associates
- Track and review business associate agreements annually
- Sign confidentiality agreements with non-business associate vendors
- Define a process for incidents and breaches
- Ensure you can track and manage the investigations of all incidents
- Ensure you can provide the required reporting of all breaches or incidents
- Ensure staff members can report incidents anonymously
A-LIGN Specializes in HIPAA Compliance
The fines for HIPAA violations are imposed per violation category and can be severe, reaching up to $1,500,000 per violation category, per calendar year. Authorities can even file criminal charges in the case of willful neglect.
To ensure your organization remains in good standing, it’s often best to have professional assistance. With over 850 healthcare assessments completed, A-LIGN helps organizations achieve HIPAA compliance from readiness to report. Click to explore our HIPAA services.