HIPAA compliance: staying on the right side of regulators

HIPAA compliance

HIPAA. HIPAA compliance. These are terms that you see a lot of in the healthcare industry. But what does it mean and how does it impact healthcare providers and their patients?

HIPAA stands for the Health Insurance Portability and Accountability Act, created in 1996 and governed by the Department of Health and Human Services, it is a series of regulatory standards by which covered entities need to protect and secure a patient’s healthcare data or Protected Health Information (PHI). 

As healthcare becomes more digital, it is more important than ever that HIPAA awareness and compliance are understood and followed. Here’s what you need to know to remain HIPAA compliant.

Who is subject to HIPAA compliance?

At the highest level, any individual or organization who is subject to HIPAA’s Privacy Rule is considered a “covered entity” and consists of four main types:

  • Healthcare providers
    • Doctors
    • Nurses
    • Clinics
    • Psychologists
    • Dentists
    • Chiropractors
    • Nursing Homes
    • Pharmacies
    • Health plans
  • Health insurance companies
    • Company health plans
    • Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs
  • Healthcare clearinghouses
    • This includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
  • Business associates
    • An accountant whose services to a health care provider involve access to protected health information. 
    • An attorney whose legal services to a health plan involve access to protected health information. 
    • An independent medical transcriptionist that provides transcription services to a physician. 
    • A software company that provides additional technology solutions to healthcare providers.

Generally, covered entities provide treatment, perform procedures or accept payments, while business associates are third-party organizations who support providers and have access to PHI, covering most healthcare workers and insurance providers.

To help determine whether or not you are a covered entity, use the decision tool from The Centers for Medicaid and Medicare (CMS).

What data is subject to HIPAA?

As mentioned, any PHI is subject to HIPAA compliance, which means any demographic information that can be used to identify a patient or healthcare provider such as: 

  • Names
  • Dates
  • Contact information
  • Locations
  • Social security number
  • Medical records
  • Photographs
  • Biometric data

Not sure if something is PHI or not? Consider this; if the data in question can be used to identify the patient, it should be treated as an identifier and therefore as PHI. This also applies to old or outdated information like a previous telephone number or address.

Personal Health Information also applies to how the data is shared: the safeguards and rules remain the same whether the information is shared electronically, verbally or written. Some safeguards to keep electronic data protected are to have:

  • Unique accounts for each user
  • Strong passwords and  multi-factor authentication
  • The minimum number of users possible provided access to ePHI
  • Recording all access and changes to ePHI

What electronic data is subject to HIPAA?

As more and more healthcare is delivered and recorded electronically, this means that any PHI that is transmitted, stored, or accessed electronically also falls under HIPAA regulatory standards and is known as electronic protected health information, or ePHI.

As companies of different sizes use many different types of technology when dealing with ePHI, the Security Rule was written to ensure organizations can use the technologies, processes and procedures that work best for them – it’s not a one size fits all rule. 

How to avoid violating HIPAA

Usually, violations happen internally within organizations and not from data breaches or hackers. Typically, violations consist of:

  • Posting PHI on the internet
  • Discussing PHI in public
  • Sending PHI by accident
  • Office break-ins

The most common cause of a HIPAA violation resulting in financial penalties? The failure to complete an organization-wide risk assessment, delayed breach notifications, and the failure to safeguard PHI. This is why regular reviews are important – the longer a breach continues, the higher the financial penalty. 

Failure to comply with HIPAA, even without a breach – can result in fines. 

So what do you do if you discover a breach? Report it immediately, delaying reporting after 60 days can result in penalties. Let the patient know what information was breached, how to protect themselves and their data, and what you as an organization are doing to rectify the situation and how you will prevent it in the future.

Staying updated with HIPAA

Part of maintaining HIPAA compliance is making sure you are up to date with any changes – both internal and external. For example, many people are now working remotely. What does that mean for data and PHI access? Do employees need to be on secure networks? What if they are working out of the country? These are all questions that need consideration and investigation.

At the end of the day, HIPAA is meant to keep patient data private and secure. Any breach can trigger local privacy laws or come with hefty fines. Stay up to date and stay compliant. 

Canadian? Here’s how to stay compliant with the Personal Information Protection and Electronic Documents Act (PIPEDA), which is broader than HIPAA as it refers to all data – not just that related to healthcare.

PIPEDA’s main goal is to ensure all data collected by organizations is protected and that individuals maintain their right to privacy.  When collecting data, organizations must be transparent about the data they are collecting, why they are collecting it and what they will use it for. Canadians can view any information collected about them and can appeal the validity of that data.

This is a two step proccess: 1) fill out this form, 2) select a convenient time.

Not ready to book a demo but have a question? No problem! Please call or send us your question.