What is HIPAA?
HIPAA, or the Health Insurance Portability and Accountability Act, was passed by Congress in 1996. HIPAA provides mandates and rights covering the following topics:
- Reducing healthcare fraud and unauthorized access of patient data;
- The right for American workers to transfer or continue their health insurance coverage when they lose or change jobs;
- Standards for how healthcare information should be handled, stored, processed, and transmitted; and
- The protection of confidential, protected health information (PHI).
HIPAA violations are a serious matter. Healthcare data breaches of 500 or more records were reported at a rate of around 1 per day in 2018. In 2020, that rate nearly doubled to arate of 1.76 breaches per day.
Overview of HIPAA
When the Health Insurance Portability and Accountability Act of 1996 was passed, it mandated that the U.S. Department of Health and Human Services (HHS) must implement regulations covering the privacy and security of PHI. In response, HHS published several rules requiring healthcare organizations to meet specific requirements. Examples of these rules include the HIPAA Privacy Rule and the HIPAA Security Rule.
The Privacy Rule sets forth the national standards outlining how certain types of health information must be safeguarded.
The Security Rule contains national standards for safeguarding certain health information held or transmitted in electronic form. This is commonly referred to as electronic protected health information (ePHI).
The Security Rule operationalizes the mandates contained in the Privacy Rule by specifying the safeguards that organizations or “covered entities” must implement to protect individuals ePHI.
The HHS Office for Civil Rights (OCR) is responsible for HIPAA enforcement of these privacy regulations and security standards through compliance activities and monetary and criminal penalties for non-compliance.
Who is responsible for HIPAA compliance?
HIPAA applies to all covered entities operating in the healthcare sector. Covered entities include insurance companies, healthcare clearinghouses, healthcare providers, and their business associates who handle healthcare data or execute healthcare transactions electronically.
This could be health insurers of group health plans, HMOs, Medicaid or Medicare plans, doctors and hospitals, and healthcare systems. However, it also includes those that provide health information technology and software to the healthcare industry.
What are the requirements for the HIPAA Privacy and Security Rules?
The Privacy Rule dictates the conditions in which PHI and ePHI can be shared by a covered entity. Covered entities can lawfully use and disclose medical records and other ePHI under the following conditions:
- To the Individual;
- For treatment, payment, and healthcare operations;
- For the opportunity to agree or object;
- For an otherwise permitted use or disclosure;
- For public interest and benefit activities; and
- On a limited basis for public health, research, or healthcare operations.
The Security Rule requires covered entities to create and maintain appropriate and reasonable technical, administrative, and physical security safeguards to protect e-PHI. Specifically, that they:
- Protect the integrity, confidentiality, and availability of and e-PHI they receive, create, transmit, or maintain;
- Protect and identify anticipated threats to the integrity or security of ePHI;
- Protect against unauthorized access, use, or disclosures; and
- Ensure their workforce maintains compliance with said standards.
How to Pass a HIPAA Audit
To ensure you pass a HIPAA audit, a compliance professional can help you with the following cybersecurity best practices to meet HIPAA regulations:
- Performing risk analysis and internal audit of your systems and operations that handle PHI.
- Documenting your data security, management, training, and incident notification policies.
- Implementing secure access controls and password requirements.
- Encryption for ePHI.
- Using an SSL certificate for digital access of sensitive data.
- Ensuring scanned documents contain no identifiable health information.
- Remote access policies requiring the use of a VPN.
- Documenting your incident response and disaster recovery plans.
- HIPAA data breaches of 500 or more records occurred at a rate of 1.76 per day in 2020.
- The Security Rule directs covered entities to create and maintain appropriate and reasonable technical, administrative, and physical safeguards to protect personal health information.
- HIPAA technical safeguards should ensure the integrity, confidentiality, and availability of e-PHI covered entities that receive, create, transmit, or maintain.
- Covered entities refer to healthcare clearinghouses, health plans, healthcare providers, and their business associates.