The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that requires healthcare organizations, as well as any other “covered entities” that handle electronic protected health information (ePHI), to implement data security protocols that protect health records from unauthorized access or release.
As defined by HIPAA, covered entities include health plans, healthcare clearinghouses, and health care providers.
HIPAA compliance can be a daunting task for businesses. Not only are there more than 100 pages of rules to follow, but HIPAA regulations change constantly to address new aspects of ePHI, patient rights, and cybersecurity.
Daunting or not, however, healthcare organizations and their business associates must perform their due diligence to remain HIPAA-compliant. That means constantly monitoring data activity and improving security measures that protect unauthorized access to medical records.
After all, non-compliance can result in hefty fines and penalties, lost business, and lost trust among patients whose privacy is breached.
To ease the burden, we’ve created this guide to help you better understand documentation requirements for your HIPAA compliance efforts and what you need to obtain HIPAA compliance.
Why Document for HIPAA Compliance
As part of your HIPAA compliance program, it’s necessary to prepare documentation that outlines your implementation specifications. An assessor will use this material to validate your security measures and assure that they meet HIPAA requirements in the event of an audit.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is the regulator tasked with enforcing HIPAA. OCR is also the office that performs a compliance review in the event that a claim involving HIPAA is laid against your organization.
If your organization doesn’t have documentation your HIPAA compliance program is essentially worthless, as the program can’t be validated and you will most certainly lose in the complaint.
When done properly, documentation creates the foundation for your security standards around processes, workforce members, and the information systems employed by your organization.
What Are the 5 Rules of HIPAA?
HIPAA compliance has five main rules to put its privacy and security objectives into effect.
1. The HIPAA Privacy Rule
The HIPAA Privacy Rule lists the requirements for protecting ePHI. Therefore, all types of ePHI listed in the rule must be protected with administrative, technical, and physical safeguards.
The privacy rule lists access controls under which certain medical professionals can procure ePHI without authorization.
The rule also defines the rights of patients. Patients can view or request their personal medical records, and request corrections of any inaccurate information.
2. The HIPAA Security Rule
The security rule details the requirements for security measures used to protect patient data and methods for identification, remediation, and prevention of data security breaches.
The security rule also specifies that covered entities must undergo periodic risk assessments and audits to assure that their technical safeguards are reliable.
3. The HIPAA Enforcement Rule
The HIPAA Enforcement Rule defines the penalties for a data breach. Penalty amounts can vary depending on the number of medical records exposed and how many data breaches have occurred within an organization.
Fines can range from $100 to $50,000 for the first violation, but can go as high as $1.5 million for subsequent breaches.
4. The HIPAA Breach Notification Rule
This rule dictates that if a data breach affects fewer than 500 individuals, the organization is required to notify those individuals within 60 days. The affected business must also notify the Office For Civil Rights (OCR) within 60 days of the new year after the breach.
If more than 500 individuals are involved in a data breach, then the organization is required to notify the public through news media channels.
5. The Omnibus Rule
This rule, added in 2013, extends the obligations of “business associates”—that is, third parties that work with companies subject to HIPAA—to comply with the HIPAA rules while dealing with ePHI. This inclusion is especially important for software developers.
How Do I Prove HIPAA Compliance?
There isn’t an entity assigned to validate HIPAA compliance, except for the OCR in the event of a claim. As our prior section laid out, however, ignoring HIPAA compliance can cost you your ability to do business in the event of a claim.
Therefore, to assure that you’re properly prepared in the event of an audit or a claim, you must have documentation in place that attests to the requirements specified in HIPAA regulations.
How to Meet HIPAA Documentation Requirements
What documentation do you need to meet HIPAA requirements? This can be a confusing topic for many organizations.
To begin, every procedure, person, and policy surrounding ePHI should be documented. This includes any associated risks to its data security and your risk mitigation strategies.
Furthermore, your documentation should demonstrate your current HIPAA compliance stance, how it has improved over time, and your plans to prepare for its evolution in the future.
Here are some questions you should have documentation to answer:
- What is our cybersecurity stance?
- Risk analysis: what potential risks are there to the security of the ePHI we handle?
- What risk management strategies do we have in place to mitigate electronic and physical security risks?
- Are our team members trained in strategies to safeguard ePHI?
- What is our stance on BYOD (Bring Your Own Device) and how do we prevent electronic or physical access from unauthorized parties to our information systems?
- How have our processes evolved since self-auditing for HIPAA compliance?
HIPAA Compliance Checklist
If you’re ready to begin documenting your compliance stance as it relates to HIPAA, here is a helpful checklist to get you started.
- Identify and document where your ePHI and HIPAA-related data lives and what security policies are in place to protect it from unauthorized access.
- Map your ePHI and HIPAA-related data to your business processes and workflows. Document how the ePHI is handled, transmitted, and stored, and any team member that plays a part in that process.
- For those who have access to ePHI and HIPAA-related data, assign privilege access to the appropriate parties and remove access for anyone who doesn’t need to have it.
- Create alerts for any ePHI and HIPAA-related data that is accessed so there are audit controls, as well as an alert for any new incoming data that needs to go through any workflow to make it compliant.
- Implement any physical and technical measures necessary, that you don’t already have, to protect your sensitive data. Examples include 2FA (two-factor authentication), file encryption, auto logoff protocols, physical locks, access keypads, and so forth.
- Implement continuous monitoring protocols, both virtual and physical, so that any security incidents are caught and can be remediated as quickly as possible.
- Have contingency plans in place in the event of a breach that implements automatic lockdowns until the damage can be controlled and the risk eliminated.
How ZenGRC Can Help With HIPAA Compliance
With HIPAA requirements expanding constantly, it’s unmanageable for healthcare organizations or their subcontractors to rely on manual processes and spreadsheets to track compliance.
ZenGRC can help to ease the burden of conducting a HIPAA security risk assessment and preparing the necessary documentation to support your compliance stance.
Our easy compliance templates make self-audits a breeze while our central dashboard can tell you where gaps exist in your compliance documentation, and how to fill them.
Furthermore, ZenGRC can audit your compliance documentation across frameworks so you can streamline your efforts whether they be for HIPAA, NIST, HITECH Act, or any other healthcare-related requirements.
Worry-free HIPAA compliance is the Zen way! Learn how ZenGRC can help you achieve compliant software by booking a demo today.