Data security and privacy are increasingly top of mind these days, especially regarding sensitive personal data such as our health information. The federal Health Insurance Portability and Accountability Act (HIPAA) addresses these concerns with privacy and security regulations.
Administered by the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services, HIPAA laws were the first attempts to regulate how personal information is handled.
Enacted in 1996 as an administrative rule, HIPAA was initially intended to simplify health care administration, eliminate waste, prevent health care fraud, and ensure that employees who left their job could remain covered by their health insurance plan. But the legislation has undergone quite a few changes, evolving with technology and the times.
Today, compliance with the privacy, security, and breach notification rules in HIPAA is a must for “covered entities” such as healthcare providers, insurance companies, and third parties dealing with data from healthcare and insurance providers. Those who fail may pay hefty penalties.
To help you avoid a data breach and significant fines, we’ve compiled this comprehensive guide to HIPAA and HIPAA compliance. Each section contains information about a different aspect of this vital law, with links to more information should you desire a deeper dive.
What is the Health Insurance Portability and Accountability Act?
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. law designed to streamline health care and place safeguards on protected health information (PHI). PHI is considered any personally identifiable information, such as name, phone number, address, birthday, social security number, as well as actual medical records.
HIPAA compliance is required for all health care providers and their business associates. Violation can result in fines of up to $25,000 per single record compromised.
- Provide workers the ability to transfer and continue health insurance coverage when they change or lose their jobs
- Prevent health care fraud and abuse
- Mandate standards for health care information on electronic billing
- Require secure and confidential handling of protected health information (PHI)
HIPAA’s privacy rule and security rule work hand-in-hand. They require HIPAA-compliant health care providers and covered entities (including business associates that handle their data) to follow procedures ensuring the confidentiality and security of PHI when it is transferred, received, or shared.
HIPAA’s requirements apply to all forms of PHI, including paper, oral, and electronic. It directs covered entities to share only the specific pieces of PHI data necessary to do business.
The History of HIPAA: A Nutshell View
In 1996, Congress enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, recognizing that technological advances might erode health information privacy.
The law, as written initially, contained an Administrative Simplification Rule requiring the federal Department of Health and Human Services (HHS) to adopt national standards for electronic health care transactions, unique identifiers, and security. HIPAA also mandated federal privacy protections for individually identifiable health information or patient data.
Over the years, HHS has published additional “rules” or amendments to the original act:
- The HIPAA Privacy Rule, published in December 2000 and modified in August 2002, with compliance required in 2003 (2004 for small health plans)
- The HIPAA Security Rule, with compliance required in 2005 (2006 for small health plans)
- The Enforcement Rule
- The Omnibus Rule
- The Breach Notification Rule
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) published a proposed modification of the HIPAA Privacy Rule to facilitate “the transition to value-based health care.” The proposal is still in the process of review and approval.
It includes the following fundamental changes:
- Changes to the requirements for the notices of privacy practices (NPP)
- Disclosure of PHI to health-related coordination services
- Broaden the guidelines for the disclosure of PHI
- Strengthens rights for individuals to access their PHI
- Added definitions
Although there is no information on the approval of the proposed modification, it has caused concern to healthcare organizations for several reasons. For starters, there is increased complexity of the new requirements compared to other federal or state laws, making it difficult and costly to implement.
At the same time, there is a reduction in formalities for individuals to share information with third parties that could lead to wrongful forwarding. Lastly, lowering security measures to allow third-party non-HIPAA organizations access to patient data without proper HIPAA safeguards could lead to more frequent data breaches of PHI.
What are the Main HIPAA Rules?
HIPAA contains six rules, four of which are essential for compliance:
The HIPAA Privacy Rule sets the national standards for protecting individually identifiable health information by health plans, healthcare providers, and healthcare clearinghouses who handle standard health care transactions electronically.
The HIPAA Security Rule sets security standards for protecting the confidentiality, integrity, and availability of electronic protected health information (e-PHI). It requires covered entities to implement technical safeguards, transmission security, encryption, and other security measures. For example, access control requirements only allow PHI access to people or software programs that need it.
The Omnibus Rule implements several provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act to strengthen the security and privacy for health information established under HIPAA. It is also the penalty portion of HIPAA, establishing accountability for organizations and the individual managing PHI.
The Breach Notification Rule requires HIPAA-covered entities and their business associates to perform notifications following a data breach of PHI. The rule states that covered entities must notify affected individuals, the HHS Secretary, and, in certain circumstances, the media. Business associates must also notify covered entities.
What is the HIPAA Security Rule?
The HIPAA Security Rule ensures that patient PHI is secure while allowing health care providers to use the latest technologies. It is regarded as the most complex and challenging HIPAA rule. The Security Rule comprises three areas:
This area concerns administrative actions, policies, and procedures for securing electronic protected health information (e-PHI).
- The security management process addresses organizational policies, procedures, and employee training in security and HIPAA compliance. It also spells out expectations for risk assessments, risk registers, and risk management plans.
- Assigned security responsibility requires covered entities to designate a specific individual to be accountable for developing and implementing organizational policies and procedures related to the Security Rule.
- Workforce security stipulates that policies and procedures must give employees the access to e-PHI that they need to do their work. It also includes requirements to terminate access to PHI if an employee’s role changes or they leave the organization.
- Information access management says that covered entities must restrict PHI access to only those that need it based on specific roles and responsibilities.
- Security awareness and training requirements stipulate that covered entities must train employees in security policies, procedures, and practices.
- Security incident procedures require policies and processes in case of a security incident so that employees know what to do to protect e-PHI.
- Contingency plans address outages that aren’t breaches, for instance, caused by a loss of power or a disaster. It requires policies and procedures for ensuring confidentiality, availability, and integrity in the event of a crisis.
- The evaluation says that covered entities must have up-to-date security monitoring and evaluation plans.
- Business associate contracts and other arrangements require contracts with service providers and other third parties that create, receive, maintain, or transmit PHI to meet specific HIPAA requirements.
This area considers the concrete measures covered entities take to physically safeguard PHI, including building and equipment security. Sections are:
- Facility access controls include policies and procedures for restricting physical access to the buildings where PHI and the systems contain it-including data centers, IT staff offices, workstations, and peripheral equipment.
- Workstation use and security require physical security with restricted access for all e-PHI-accessible workstations.
- Device and media control guide policies for “receipt and removal of hardware and electronic media that contain electronically protected health information into and out of a facility, and the movement of these items within the facility.” Disposal of hardware, software, and records retention of patient data should also be addressed.
Technical (Cyber) Safeguards
These protect e-PHI with access controls, audit controls, integrity controls, authentication controls, and transmission security controls.
- Access controls include policies and procedures for restricting electronic access to PHI to certain authorized users and software.
- Audit controls stipulate that systems containing e-PHI must be monitored and their activity recorded. It also defines requirements for audit procedures, audit frequency, evidence collection, results from analysis, and penalties for employee HIPAA violations.
- Integrity controls address how to prevent and correct PHI errors as well as prevent unauthorized PHI changes or deletions.
- Person or entity authentication defines how the identity of people and entities requesting access to PHI is authenticated.
- Transmission security ensures the protection of e-PHI in transit, including requirements for encryption.
HIPAA Compliance Risk Assessment: Key Elements
The number one HIPAA violation is failing to have a complete and up-to-date risk assessment or risk management plan. This violation also incurs the highest fines.
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issues harsh “willful neglect” penalties for not completing this assessment, whether or not a PHI breach has occurred. HIPAA security requirements allow no excuse for failing to safeguard patient information adequately.
Under HIPAA, a risk assessment should address risks and vulnerabilities in three areas: administrative, physical, and technical safeguards. Although HIPAA contains no risk assessment template per se, it does outline elements that a risk analysis should address.
- Scope of the analysis: Include all electronic media containing, processing, or storing e-PHI
- Data collection: Map the flow of data from start to finish and identify vulnerable areas
- Vulnerabilities and threat identification: Identify and document reasonably anticipated threats to e-PHI as well as vulnerabilities that might create a risk of inappropriate access to e-PHI.
- Assessment of current security measures: Assess and document which security measures safeguard e-PHI, whether the HIPAA Security Rule requires them, and whether they are configured and used properly.
- Likelihood of threat occurrence: For each threat, determine how likely they are to occur. Categorize from high potential to low potential so they can be addressed and prioritized accordingly.
- Potential impact of threat: Determine what adverse effects an attack might have on the confidentiality, integrity, and availability of e-PHI and on the organization. Potential impacts should be listed with each vulnerability.
- Risk level: Assign risk levels for the likelihood and impact combinations you’ve identified. Document the risk levels, including corrective actions to mitigate each level.
- Periodically review and update as needed: Some covered entities may review internal policies yearly. Others may perform reviews bi-annually or every three years, depending on the information they manage.
How to Get HIPAA Compliance: Your 2021 Checklist
HIPAA compliance primarily involves meeting the criteria for the Privacy Rule and Security Rule, which address the three areas:
- Administrative safeguards
- Physical security
- Technical (cyber) security safeguards
The U.S. Department of Health and Humans Services (HHS) Office for Civil Rights (OCR) administers and enforces HIPAA. A Certified Public Accountant (CPA) can verify compliance with an audit and compliance report issued under attestation standards AT-C Section 315: Compliance Attestation.
The reports express the auditor’s opinion regarding how well you comply with HIPAA’s Privacy Rule, breach-notification requirements, and the Security Rule.
HIPAA’s Privacy Rule is primarily concerned with protecting PHI from unauthorized access and use. Some of these best practices will help you achieve compliance.
- Be sure your patients have given you permission to process, store, and use their information
- Review your third-party business agreements to make sure they require HIPAA-compliant handling of PHI
- Test your processes for honoring patient requests. If a patient asks who has seen their health records and when, can you show them?
- Check your procedures to verify that you can honor patient requests to hide their records from view or remove them from your database
- Provide HIPAA compliance training to educate employees about the proper handling of PHI
- Gather documents and evidence to demonstrate that you meet these criteria
When a patient’s PHI is breached, the HIPAA Breach Notification Rule requires covered entities to notify affected individuals. Establish and document your breach policies and retain thorough records of PHI breaches, including who you told and when, post-breach investigations, and corrective actions to prevent a recurrence.
Breach notifications should include the following information:
- The nature of the PHI involved, including the types of personal identifiers exposed
- The unauthorized person who accessed or used the PHI or to whom it was disclosed (if known)
- Whether the PHI was acquired or viewed (if known)
- The extent to which the risk of harm has been mitigated
- Breach notifications must be made without unreasonable delay and in no event later than 60 days after discovering the breach
HIPAA’s Security Rule sets security standards for protecting e-PHI from breaches and theft. The HITECH Act of 2009 also requires HIPAA-covered entities and business associates to promptly report breaches to data owners, OCR, and, in some cases, the media.
In January 2020, President Trump signed into law HR 7898, which amends the Health Information Technology for Economic and Clinical Health Act (HITECH Act). It creates a safe harbor of leniency for healthcare organizations and business associates that have implemented recognized security best practices and still experienced a data breach.
To protect your organization from excessive fines, establish technical safeguards around e-PHI that exhibit due diligence. The HIPAA technical safeguards checklist includes:
- Access control: Limit access to patient information on an as-needed basis.
- Authentication: Determine whether PHI data has been altered, destroyed, or used without authorization.
- Encryption and decryption tools: All ePHI must be encrypted before transmission.
- Audit Controls: Implement systems to record attempts to access PHI and document corrective actions.
- Auto and remote log-off devices: Enable authorized users to remotely log off their devices and accounts in case of loss or theft.
- Information system activity review: Implement procedures to regularly review records of information system activity, including audit logs, access history, and security incident tracking reports. HIPAA requires you to maintain these logs for at least six years.
What are HIPAA Standards for Transactions?
Under HIPAA, the U.S. Department of Health and Human Services (HHS) set transaction and code set standards establishing rules for electronically submitting, processing, and paying claims. In HIPAA regulations, these are defined as “transactions.”
Health plans, health care clearinghouses, and health care providers must comply with the rules when transmitting health information in connection with these transactions. It includes electronic transmissions using any media:
- Physical transfer from one place to another of data on magnetic tape, disk, or CD
- Electronic transmissions over the Internet, extranet, leased lines, dial-up lines, and other private networks
Transactions to which the standards apply:
- Health claims or similar encounter information
- Health care payment and remittance advice
- Coordination of benefits
- Health claims status
- Enrollment and unenrollment in a health plan
- Eligibility application and evaluation for a health plan
- Health plan premium payments
- Referrals certification and authorizations
What Happens During a HIPAA Audit?
Every covered entity and business associate is subject to a HIPAA audit. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) conducts audits periodically to check whether covered entities and their business associates comply with HIPAA’s privacy, security, and breach notification rules.
If your organization is getting a HIPAA audit, it’s typically because one of these things happened:
- OCR selected you for one of its periodic random audits
- You have experienced a breach and reported it to OCR
- Someone has filed a complaint about your PHI practices
Whatever the cause, the process is the same:
- The OCR will email your organization to notify you that an audit is impending and ask for documentation. You only have ten days to provide the documents.
- The agency may conduct a desk audit in which someone at your organization answers questions to help the OCR determine whether it is compliant. Alternatively, the OCR may perform an on-site audit. The email notification will tell you which type of audit to expect, introduce the audit team, describe the audit process, and explain the agency’s expectations.
- OCR auditors will examine the documents you submitted and develop draft findings. The final HIPAA compliance attestation report will include your response to the findings.
The OCR HIPAA audits focus on requirements in Title II of the legislation, which address the privacy and security of health-related data. The HIPAA audit protocol in 2021 calls for assessing compliance with Privacy Rule requirements in seven areas:
- Notice of privacy practices for PHI
- Rights to request privacy protection for PHI
- Individual access to PHI
- Administrative requirements
- Uses and disclosures of PHI
- Amendment of PHI
- Accounting of disclosures
It covers Security Rule requirements, as well, including:
- Access control
- Security controls
- Breach reporting and remediation
Documents the auditor will want to see:
- Complete and recently updated risk assessments, risk register, and risk management plans
- In the OCR’s first phase of HIPAA audits, 66 percent of entities do not have thorough and up-to-date risk assessments
- HIPAA and security training manuals and records of employee training
- Breach policy and response system to show that everyone understands their roles and duties before, during, and after a cybersecurity incident
- Proof of technical controls, including data encryption, systems, network monitoring, and firewalls
- Evidence of adequate physical security of your perimeter and premises
- Business continuity plans
- HIPAA access and system audit logs. Auditors will validate that you meet requirements for log maintenance (at least six years), the information recorded (system activity including audit logs, access reports, and security incident tracking reports), and daily review.
Although the costs of the HIPAA auditor are covered by the OCR, getting to HIPAA compliance can be a long and expensive process-and if you fail, the fines can be steep. To ensure your readiness come audit time, it’s beneficial to leverage online resources from trusted sources.
What is a HIPAA Violation?
A HIPAA violation is a failure to comply with a HIPAA regulation or standard. The law spans 115 pages, and there are hundreds of ways an organization can violate the rules. The most common infraction, by far, is failing to obtain a risk assessment or analysis. Others involve violating the Notice of Privacy Practices supplied to patients.
Other HIPAA violation examples:
- Discussing Protected Health Information (PHI) in public
- Allowing unauthorized access to PHI (inadequate access controls)
- Disposing of PHI improperly
- Failing to manage risks or implementing improper security safeguards around PHI
- Failing to maintain and monitor PHI access logs
- Failing to sign HIPAA-compliant business associate agreements with vendors
- Not providing patients with copies of their PHI on request
- Not implementing access controls around PHI
- Not terminating access rights to PHI when it’s no longer needed
- Disclosing more PHI than is needed (violating the “minimum necessary” rule)
- Not providing HIPAA training and security awareness training
- Theft of patient records or PHI-storing equipment via office break-ins or other means
- Unauthorized uses, releases, and disclosures of PHI
- Posting PHI online or on social media without permission
- Sending PHI incorrectly, including emailing or texting unencrypted e-PHI
- Failing to encrypt e-PHI or use an alternative method of preventing unauthorized disclosure or access
- Failure to notify the respective individuals (or the Office for Civil Rights) of cyberattacks or breaches involving PHI within 60 days of discovery
- Failure to document compliance efforts
HIPAA Compliance Violations: Fine Levels
HIPAA compliance violations can be costly. The penalties for HIPAA noncompliance depend on the level of negligence and the number of patient records affected: fine levels range from $100 to $50,000 per violation (or per record). HIPAA violations can also result in civil lawsuits or jail time.
HIPAA Fine Levels
First-tier – $100 per incident, up to $25,000 per year: The covered entity did not know of and could not have reasonably known of the violation.
Second-tier – $1,000 per incident, up to $100,000 per year: The covered entity did not act with willful neglect, but should have known by exercising reasonable diligence.
Third-tier – $10,000 per incident, up to $250,000 per year: The covered entity acted with “willful neglect” and corrected the problem in 30 days or less.
Fourth tier – $50,000 per incident, up to $1.5 million per year: The covered entity acted with willful neglect and failed to make a timely correction.
Important: An incident constitutes a violation of a single record. In other words, one breach by a malicious hacker that compromises many records would constitute many incidents. Most HIPAA violations include 500 or more incidents – in cases more than 500,000 records.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) handles HIPAA violation reporting and enforces compliance with the HIPAA Privacy and Security Rules by:
- Investigating complaints
- Conducting HIPAA compliance audits
- Providing education and outreach about the HIPAA rules
If the OCR determines that a HIPAA violation has occurred, it will try to resolve the issue within 30 days using one of the following means:
- The covered entity’s voluntary compliance
- OCR corrective action
- A resolution agreement between the covered entity and the agency
State attorneys general can also hold HIPAA-covered entities accountable for the exposure of state residents’ PHI exposure and can file civil actions in federal district courts. Fines range from $100 to $25,000 per violation category per calendar year. If a data breach affects residents of multiple states, the covered entity may pay fines to more than one state.
HIPAA violations can also incur criminal penalties and lawsuits for the covered entity, business associates, and the individual employees deemed responsible for rule breaches.
The OCR usually treats HIPAA violations as a civil offense. However, HIPAA’s Administrative Simplification regulations also contain a criminal enforcement provision. As a result, the U.S. Department of Justice may prosecute health care professionals who mishandle PHI.
Penalties may include restitution of funds received in exchange for PHI, as well as fines and imprisonment as follows:
“Reasonable cause” or “no knowledge” – Up to $50,000 and one year in prison
Obtaining PHI inappropriately – Up to $100,000 and five years in prison
Obtaining PHI with malicious intent or personal gain – Up to $250,000 and 10 years in prison
Fines for HIPAA Violations in 2021
OCR has successfully enforced HIPAA compliance by implementing corrective actions in all cases where an investigation indicates non-compliance by the covered entity or its business associate.
By October 31, 2021, OCR settled or imposed a civil monetary penalty in 101 cases, totaling over $131 million. In addition, OCR has investigated complaints against various entities, including national pharmacy chains, large medical centers, hospital chains, group health plans, and small provider offices.
The most commonly investigated complaints in 2021 have been:
- Impermissible use and disclosure of PHI
- Lack of PHI safeguards
- Lack of patient access to their PHI
- Lack of administrative safeguards of electronic PHI
- Using or disclosing more than the minimum necessary protected health information
The most common types of covered entities required to take corrective action in 2021 have been, in order of frequency:
- Private practices and physicians
- Outpatient facilities
- Community health centers
Regulators have increasingly focused on the compliance of business associates and third parties that process and handle PHI for covered entities.
HIPAA vs. FERPA: What's the Difference?
The Family Educational Rights and Privacy Act (FERPA) is a federal law protecting the privacy of student health records. It requires permission from a parent or student before school health care providers can release student health information to entities outside the school. It also allows students and their parents access to their health information.
FERPA generally applies to schools that receive funding from the U.S. Department of Education (DoE). This includes public primary and secondary schools as well as most private and public post-secondary institutions.
Health information for individuals treated at a university clinic falls under the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule instead of FERPA. These records are not considered education or treatment records when the university hospital performs services without regard for whether the individual is a student.
How to Choose HIPAA Compliance Software
The Health Insurance Portability and Accountability Act (HIPAA) has 115 pages of requirements and privacy, security, and breach notification rules. Your organization must be in complete compliance or risk crippling penalties.
Complying with and maintaining these regulations can seem impossible. Spreadsheets are inadequate to track documentation and tasks. Proper management tools are imperative to streamline your efforts. Your organization can utilize HIPAA compliance software to help implement and maintain HIPAA compliance activities.
With so many solutions, it’s essential to consider some critical features. Here are some tips:
The best HIPAA compliance software includes risk assessment features. The number one HIPAA violation is failing to have a recent risk assessment or analysis. Many organizations put off this task or neglect it entirely because it’s an arduous, time-consuming task. Unless that is, your software can do it for you.
For example, Reciprocity’s ZenComply performs HIPAA self-audits and risk assessments. In just a few clicks, you can have up-to-the-minute views of your organization’s security and risk posture.
- World-class compliance software is user-friendly and provides insightful reporting. ZenComply’s color-coded dashboards offer an integrated view of HIPAA-regulated data, compliance, and services, showing where your gaps are and how to fill them.
- The best HIPAA compliance software stays up-to-date. Don’t let changes to HIPAA regulations catch you off guard. Software that automatically updates itself can ensure that you’re never behind the compliance curve.
- The best HIPAA compliance software keeps track of your compliance efforts. The U.S. Department of Health and Human Services’ Office for Civil Rights will likely send an auditor your way to assess your compliance with the law. It’s crucial to have all of your procedures and activities metrics documented. ZenComply stores your HIPAA compliance documents in a “single source of truth” repository for easy retrieval.
Your patients rely on your organization to keep their health information private and secure. Complying with HIPAA helps ensure that their trust is well placed. Using dependable compliance software will make the job of HIPAA compliance more manageable, enabling you to spend more time caring for your patients and improving their health.