HIPAA Compliance – Understanding Basic Best Practices

Health Insurance Portability and Accountability Act (HIPAA) compliance is a critical facet of any healthcare organization's security measures. It is essential for businesses to take proactive steps to ensure that they comply with the regulations set forth by HIPAA. To help ensure compliance, it is important to understand the rules and best practices for HIPAA compliance.

The Health Insurance Portability and Accountability Act of 1996 was enacted to help ensure the privacy and security of medical records and other protected health information (PHI). Under HIPAA, covered entities such as health care providers, health plans, health care clearinghouses, and their business associates must adhere to certain requirements to protect the privacy and security of PHI. Compliance with these standards is essential for protecting patient data and avoiding costly penalties, both financially and reputationally. Organizations that suffer a breach of unsecured protected health information affecting 500 or more individuals will find themselves publicly listed on the U.S. Department of Health and Human Services Office for Civil Rights Breach Portal, commonly referred to as the HIPAA Wall of Shame. This is meant to serve as a deterrent to poor cybersecurity controls, as being listed on this portal could carry a severe negative affect on a business’ brand. Below are the HIPAA rules we here at Compass IT Compliance are typically asked about as we conduct HIPAA risk assessments and audits for our customers:

Security Rule

The HIPAA Security Rule establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

Privacy Rule

The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other individually identifiable health information (collectively defined as “protected health information”) and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The rule requires appropriate safeguards to protect the privacy of protected health information and sets limits and conditions on the uses and disclosures that may be made of such information without an individual’s authorization. The rule also gives individuals rights over their protected health information, including rights to examine and obtain a copy of their health records, to direct a covered entity to transmit to a third party an electronic copy of their protected health information in an electronic health record, and to request corrections.

Breach Notification Rule

The Breach Notification Rule requires covered entities to notify affected individuals, the Department of Health and Human Services (HHS), and in some cases, the media if there has been a breach of unsecured PHI. If a breach occurs, organizations must take immediate steps to contain the breach and assess its impact. Notifications must be made within 60 days after the discovery of the breach, and should include information on what happened, how it happened, what types of data were exposed, what steps are being taken to prevent similar occurrences in the future, and contact information for questions or additional information.

Enforcement Rule

The HIPAA Enforcement Rule sets forth fines and penalties for violations of HIPAA rules. Violations can range from $100 to $50,000 per violation, with a maximum penalty of $1.5 million per calendar year for the same type of violation. Organizations must take all necessary steps to protect the privacy and security of PHI, including developing policies and procedures, conducting regular staff training, implementing appropriate physical, technical, and administrative safeguards, and having an incident response plan in place.

There are several best practices healthcare organizations should consider to help ensure complete compliance with HIPAA:

1. Identify Risks and Create Policies: Before you can start actively practicing HIPAA compliance, you need to be able to identify any potential risks. Once you have identified the risks, it’s important to create policies that will limit those risks.
2. Monitor the Use of PHI: The use of PHI is strictly regulated under HIPAA. Make sure that all employees understand how they are supposed to handle and transmit PHI and monitor their usage accordingly.
3. Train Employees on HIPAA Regulations: It is not enough to just tell employees what they should do with PHI — you must also make sure that they are aware of all components of HIPAA. This includes educating them on proper data handling techniques and implementing regular training sessions.
4. Utilize Security Measures: Security is essential for maintaining HIPAA compliance. Install firewalls, password-protect sensitive data, and utilize encryption whenever possible. You should also create backup procedures in case of a breach or power outage.
5. Regularly Review Compliance: Staying compliant is an ongoing process. Review your policies on a regular basis and make sure that everyone is following the rules. Additionally, you should also review any changes to HIPAA regulations to make sure you remain up to date.
6. Protect Physical Documents: Organizations must ensure that they not only protect patient’s digital data, but also their physical data, such as paperwork, charts, and records. These documents should be locked away, safe out of the public's view, and never left unattended. Documents should be properly disposed of (shredded) when they are no longer needed.

By following these best practices, you can help ensure that your business remains HIPAA compliant. While it may require a bit of extra effort, the upside to remaining compliant is worth it. Not only will you save yourself from hefty fines and brand reputation damage, but you will also protect the privacy of your patients. Strong security and privacy controls may also be leveraged from a marketing standpoint as a business advantage you have over your competitors who might not take as many precautions surrounding patient data. Should you have any additional questions regarding achieving and maintaining compliance with HIPAA, please do not hesitate to reach out to our team!