What is HIPAA Compliance?

Stutek HIPAA Compliance Blog Image

A Definition of HIPAA Compliance

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for sensitive patient data protection. Companies that deal with protected health information (PHI) must have physical, network, and process security measures in place and follow them to ensure HIPAA Compliance. Covered entities (anyone providing treatment, payment, and operations in healthcare) and business associates (anyone who has access to patient information and provides support in treatment, payment, or operations) must meet HIPAA Compliance. Other entities, such as subcontractors and any other related business associates must also be in compliance.

The HIPAA Privacy and HIPAA Security Rules

According to the U.S. Department of Health and Human Services (HHS), the HIPAA Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. Additionally, the Security Rule establishes a national set of security standards for protecting specific health information that is held or transferred in electronic form.

The Security Rule operationalizes the Privacy Rule’s protections by addressing the technical and nontechnical safeguards that covered entities must put in place to secure individuals’ electronic PHI (e-PHI). Within HHS, the Office for Civil Rights (OCR) is responsible for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.

The Need for HIPAA Compliance

HHS points out that as health care providers and other entities dealing with PHI move to computerized operations, including computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems, HIPAA compliance is more important than ever. Similarly, health plans provide access to claims as well as care management and self-service applications. While all of these electronic methods provide increased efficiency and mobility, they also drastically increase the security risks facing healthcare data.

The Security Rule is in place to protect the privacy of individuals’ health information, while at the same time allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. The Security Rule, by design, is flexible enough to allow a covered entity to implement policies, procedures, and technologies that are suited to the entity’s size, organizational structure, and risks to patients’ and consumers’ e-PHI.

Physical and Technical Safeguards, Policies, and HIPAA Compliance

The HHS requires physical and technical safeguards for organizations hosting sensitive patient data. These physical safeguards include…

  • Limited facility access and control with authorized access in place
  • Policies about use and access to workstations and electronic media
  • Restrictions for transferring, removing, disposing, and re-using electronic media and ePHI

Along the same lines, the technical safeguards of HIPAA require access control allowing only for authorized personnel to access ePHI. Access control includes…

  • Using unique user IDS, emergency access procedures, automatic log off, and encryption and decryption
  • Audit reports or tracking logs that record activity on hardware and software

Other technical policies for HIPAA compliance need to cover integrity controls, or measures put in place to confirm that ePHI is not altered or destroyed. IT disaster recovery and offsite backup are key components that ensure that electronic media errors and failures are quickly remedied so that patient health information is recovered accurately and intact. One final technical safeguard is network, or transmission security that ensures HIPAA compliant hosts protect against unauthorized access to ePHI. This safeguard addresses all methods of data transmission, including email, internet, or private networks, such as a private cloud.

To help ensure HIPAA compliance, the U.S. government passed a supplemental act, The Health Information Technology for Economic and Clinical Health Act, which raises penalties for health organizations that violate HIPAA Privacy and Security Rules. The HITECH Act was put into place due to the development of health technology and the increased use, storage, and transmission of electronic health information.

Data Protection for Healthcare Organizations and Meeting HIPAA Compliance

The need for data security has grown with the increase in the use and sharing of electronic patient data. Today, high-quality care requires healthcare organizations to meet this accelerated demand for data while complying with HIPAA regulations and protecting PHI. Having a data protection strategy in place allows healthcare organizations to:

  • Ensure the security and availability of PHI to maintain the trust of practitioners and patients
  • Meet HIPAA and HITECH regulations for access, audit, integrity controls, data transmission, and device security
  • Maintain greater visibility and control of sensitive data throughout the organization

The best data protection solutions recognize and protect patient data in all forms, including structured and unstructured data, emails, documents, and scans, while allowing healthcare providers to share data securely to ensure the best possible patient care. Patients entrust their data to healthcare organizations, and it is the duty of these organizations to take care of their protected health information.

What are common HIPAA violations?

Some common causes of HIPAA violations and fines are listed here:

  • Stolen laptop
  • Stolen phone
  • Stolen USB device
  • Malware incident
  • Ransomware attack
  • Hacking
  • Business associate breach
  • EHR breach
  • Office break-in
  • Sending PHI to the wrong patient/contact
  • Discussing PHI outside of the office
  • Social media posts

These HIPAA violations commonly fall into several categories:

  • Use and disclosure
  • Improper security safeguards
  • The Minimum Necessary Rule
  • Access controls
  • Notice of Privacy Practices

Use and Disclosure violation occurs when a covered entity or business associate improperly distributes PHI or ePHI to an incorrect party. One example would be if a physician’s office mailed PHI to a patient’s employer without attaining proper permission from the patient. This is exactly the situation that unfolded in May of 2017 when Mount Sinai-St. Luke’s Hospital in New York City was fined $387,000. An HIV clinic within the hospital system sent a patients’ HIV status and medical records to their employer without receiving proper HIPAA authorization. OCR investigated the incident and found that the improper use and disclosure of PHI constituted a HIPAA settlement and related fine.

Improper HIPAA safeguards can result in a HIPAA violation when the standards of the HIPAA Security Rule are not properly followed. In order to maintain compliance with the HIPAA Security Rule, HIPAA-beholden entities must have proper Physical, Administrative, and Technical safeguards in place to keep PHI and ePHI secure. In recent years, ransomware attacks have ramped up against targeted health care organizations. Medical data is worth three times as much as financial data on the black market, meaning that health care organizations are increasingly vulnerable to cybersecurity attacks. HIPAA security safeguards can defend health care organizations against ransomware and prevent HIPAA violations.

The Minimum Necessary Rule is a component of the HIPAA Privacy Rule that is a common cause of HIPAA violations. The Minimum Necessary Rule states that employees of covered entities may only access, use, transmit, or otherwise handle the minimum amount of PHI necessary to complete a given task. If a large portion of a patient’s medical record is exposed to a data breach because the Minimum Necessary Rule was not followed, that can lead to a violation of the HIPAA Privacy Rule and resultant HIPAA fines.

Access controls are an aspect of HIPAA regulation that limit the number of staff members at an organization that have access to PHI. Access to PHI should be limited based on the roles and responsibilities of the employee in question. If access controls are too broad, then PHI is exposed to unnecessary risk. If a health care organization experiences a data breach due to improper HIPAA access controls, that can lead to some major fines for negligence.

Having a Notice of Privacy Practices is a mandatory standard of the HIPAA Privacy Rule. Covered entities must allow patients to review and agree to their organizational Notice of Privacy Practices before beginning treatment. HIPAA regulation mandates that covered entities must have their Notice of Privacy Practices posted in plain sight for patients to review, in addition to paper copies. Common HIPAA violations can result from a covered entity’s failure to properly disclose their Privacy Practices, or a breach thereof. Under the HIPAA Privacy Rule, patients have certain rights to the access, privacy, and integrity of their health care data and PHI.

What does HIPAA not cover?

HIPAA only covers PHI and ePHI in the United States. Therefore, other types of data are not covered by HIPAA, such as login credentials to social media sites, records an employer keeps about employees, or student health records maintained by a school. Some exceptions apply, such as if a university provides medical care to students. In this case, the university would be subject to HIPAA.

What are HIPAA compliance requirements?

Organizations operating in the healthcare industry in the U.S. need to follow the HIPAA Security, Privacy, and Breach Notification Rules to achieve compliance. This includes implementing all of the required administrative, physical, and technical safeguards to protect PHI and ePHI.

If you want to build Healthcare Service with observing HIPAA compliance, please contact to us, Stutek.

Stutek Froontend Testing Blog Image

Frontend Testing

What is frontend testing? Frontend in general covers developing the graphical user interface (GUI) of a website, through the use

Your Comments

Leave a Reply