HIPAA Compliance, Defined
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996 to prevent medical fraud and to assure the security of protected health information (PHI), such as names, Social Security numbers, medical records, financial information, electronic health transactions and code sets. The law is managed by the U.S. Department of Health & Human Services (HHS).
PHI that is stored, transmitted, or accessed electronically, also known as electronic protected health information (ePHI), also falls under HIPAA regulations. Regulation of ePHI is especially significant given the modern threat landscape and the increasing number of data breaches hitting the healthcare sector today.
As mentioned in the HIPAA compliance guide, four fundamental rules are required for compliance: the HIPAA Privacy Rule, HIPAA Security Rule, the Omnibus Rule, and the Breach Notification Rule.
HIPAA is enforced by the HHS’ Office for Civil Rights (OCR) in three ways:
- Investigating any filed complaints;
- Conducting compliance reviews to determine whether the covered entities and their business associates remain HIPAA-compliant; and
- Educating on maintaining compliance with the HIPAA Rules.
If the integrity of a covered entity’s PHI or ePHI is compromised as a result of a data breach, the covered entity or its business associates may be in violation of HIPAA. Common examples of HIPAA violations include ransomware attacks, physical on-site break-ins, negligence in transmitting PHI or ePHI, and stolen devices or hard drives that contain ePHI. HIPAA violations can result in significant financial penalties, reputational damage, and loss of trust from patients.
Who Must Be HIPAA-Compliant?
All covered entities and their business associates must demonstrate HIPAA compliance. That is, they must demonstrate that they comply with the current national standards and have the necessary access controls in place to maintain data privacy and security. A business associate is any entity or person that discloses protected health information (PHI) or provides services to a covered entity.
More simply: any organization that stores, transmits, or has access to PHI or ePHI must achieve HIPAA compliance.
What Are HIPAA Covered Entities?
According to the HHS, covered entities are any individuals, organizations, and agencies that fall under one of three categories: healthcare provider, health plans, or healthcare clearinghouses.
- Healthcare providers include doctors, clinics, psychologists, dentists, and other medical practitioners, as long as they transmit information electronically “in connection with a transaction for which HHS has adopted a standard.”
- Health plans include health insurance companies, HMOs, company health plans, and any government programs that pay for health care (such as Medicare).
- Healthcare clearinghouses include any entity that processes nonstandard health information received from another entity.
Does My Organization Need to Comply With HIPAA?
If your organization falls under the umbrella of a “covered entity” or its “business associate,” then yes, it must comply with HIPAA.
The term “business associates” can be broadly applied, but in this case, it includes any person or entity that handles PHI or ePHI as part of their products or services. For example, if you are a SaaS provider that has developed a product to help medical clinics build an online patient portal, you must be HIPAA-compliant.
How Has COVID-19 Affected HIPAA Compliance?
The COVID-19 pandemic has forced the healthcare industry to embrace the digital transformation of many business and medical processes. Healthcare providers have been forced to conduct their appointments via telephone or video conferencing, which increases the risk of ePHI being breached.
Covered entities that fall under health plans (health insurance companies, for example) have been especially affected, because the huge number of COVID-19 cases has led to an equally huge number of health claims. As more individuals get sick, more insurance claims are filed, which means that health insurance companies must store significantly more protected health information.
These challenges mean that all covered entities and their business associates must keep on top of any change in HIPAA regulations, and ensure that they enforce HIPAA compliance through their internal and external policies and controls.
In January 2021, the OCR announced its decision not to penalize HIPAA violations specifically related to the good-faith use of web-based scheduling applications to book vaccination appointments.
Tools to Manage HIPAA Compliance
Achieving HIPAA compliance isn’t an easy task; there are 115 pages filled with detailed requirements and rules that your business must comply with. While direct healthcare providers are familiar with the intricacies of HIPAA rules, this may not be the case for entities that fall under the health plan umbrella or for business associates that aren’t directly within the healthcare sector, but may have access to PHI as a result of doing business with any covered entities.
As such, there are a number of software applications and tools designed to help your organization maintain HIPAA compliance, such as customer relationship management (CRM) platforms and integrated messaging platforms to transmit ePHI.
Organizations can also, however, adopt an all-in-one HIPAA compliance management software solution to oversee audit management, reporting, policy training, and risk assessment and management.
Reciprocity’s ZenGRC software can perform self-audits for HIPAA, provides intuitive dashboards to showcase gaps in compliance, keeps track of compliance efforts by diligently storing documents in a single repository for easy access during audits, and can auto-update itself with the latest changes in HIPAA regulations to ensure your organization can always maintain compliance.
At the end of the day, your clients are trusting you with their most personal health information, so using a trustworthy HIPAA compliance software solution can help you retain your clients’ trust and save you millions of dollars that may result from potential HIPAA violations.
To see how ZenGRC can help with HIPAA compliance, contact us today for your free consultation.