Striving for HIPAA compliance may seem like constructing a house without a blueprint.

What does HIPAA compliance entail, and how can you attain it?

What is HIPAA Compliance?

Being HIPAA compliant means adhering to the standards and provisions outlined in the Health Insurance Portability and Accountability Act (HIPAA), a U.S. law enacted in 1996. HIPAA compliance involves several key aspects:

Protecting the Privacy of Health Information: HIPAA sets national standards for the protection of individually identifiable health information or Protected Health Information (PHI). Compliance requires ensuring that PHI is not used or disclosed improperly. This includes implementing policies and procedures that limit access to PHI only to those who need it for legitimate purposes.

Securing Electronic Health Records: The HIPAA Security Rule specifically addresses electronic PHI (e-PHI) and requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of e-PHI. This includes measures like securing computer systems, encrypting e-PHI transmitted over networks, and ensuring that e-PHI is not improperly altered or destroyed.

Implementing Procedures for Reporting and Responding to Data Breaches: HIPAA requires covered entities and business associates to have procedures in place for responding to data breaches involving PHI. This includes notifying affected individuals and the Department of Health and Human Services (HHS), and, when a breach affects a sufficiently large number of individuals, the media as well.

Training and Management of Workforce: Entities must train their workforce on HIPAA policies and procedures and must manage and supervise workforce members to ensure compliance. Sanctions should be applied to workforce members who violate these policies and procedures.

Risk Assessment and Management: Regularly conducting risk assessments to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of PHI is a key component of HIPAA compliance. Based on these assessments, entities must implement security measures to mitigate identified risks.

Executing Business Associate Agreements (BAAs): Covered entities must execute BAAs with their business associates. These agreements ensure that business associates who handle PHI also comply with HIPAA’s requirements.

Patient Rights: Ensuring that patients' rights under HIPAA are protected, such as the right to access their health records, to request corrections, and to receive an accounting of disclosures of their PHI.

Compliance with the Omnibus Rule: The Omnibus Rule, which was enacted to strengthen privacy and security protections for health information established under HIPAA, must also be adhered to. It extends the requirements of HIPAA to business associates and their subcontractors and includes stricter rules for reporting breaches.

Regular Review and Updating of HIPAA Practices: Entities must regularly review and update their HIPAA practices to ensure ongoing compliance and adapt to any changes in the law or in the healthcare environment.

What organizations are required to be HIPAA compliant?

For Covered Entities

Definition: Covered entities include healthcare providers, health plans, and healthcare clearinghouses that transmit health information in electronic form in connection with standard transactions.

Privacy Rule Compliance: They must comply with HIPAA's requirements to protect the privacy and security of health information, providing individuals with certain rights concerning their health information.

Security Rule Compliance: Covered entities must ensure the confidentiality, integrity, and availability of electronic Protected Health Information (e-PHI), identify and protect against threats, and ensure compliance by their workforce.

Risk Analysis and Management: They are required to perform risk analysis as part of their security management processes, continuously evaluate the effectiveness of security measures, and reevaluate potential risks to e-PHI.

Administrative and Physical Safeguards: This includes designating security officials, managing access to e-PHI, training the workforce, evaluating security policies, and implementing physical safeguards for facility access and workstation/device security.

Penalties for Non-Compliance: Non-compliance can lead to significant penalties, including fines of up to $1.5 million per year for violating privacy and security rules.

Maintaining Compliance: Covered entities should establish robust policies for safeguarding PHI, including access controls, encryption, risk assessments, and staff training. Regular review and update of BAAs are also crucial to ensure ongoing compliance with HIPAA regulations.

For Business Associates

Definition: Business associates are individuals or entities that perform services on behalf of covered entities involving access to PHI, including billing, accounting, legal, consulting services, IT vendors, and other third-party contractors.

Compliance with Privacy and Security Requirements: They must comply with the same privacy and security requirements as covered entities, including implementing appropriate safeguards to protect PHI and adhering to HIPAA’s requirements for reporting and responding to data breaches.

Business Associate Agreements (BAA): They must maintain HIPAA-compliant BAAs with covered entities, establishing their obligations regarding PHI protection, data breach reporting, and ensuring compliance among subcontractors.

Penalties for Non-Compliance: Non-compliance can lead to significant penalties, including fines of up to $1.5 million per year for violating privacy and security rules.

Maintaining Compliance: Business associates should establish robust policies for safeguarding PHI, including access controls, encryption, risk assessments, and staff training. Regular review and update of BAAs are also crucial to ensure ongoing compliance with HIPAA regulations.

How Can TrueSecure Help You?

TrueSecure has over 40 years of experience with security changes in emerging technology. We have helped our clients meet and exceed strong security compliance postures.

We provide HIPAA compliance support for multiple regional hospitals and a large number of medical specialty entities.

We have brought together industry-leading toolsets and experienced professionals who can help you meet the requirements of the FTC Safeguards rule.

Our solutions are highly cost-effective and focused on the needs of your business. We do not push a one-size-fits-all solution.

New HIPAA Regulations (2023-2024)

  1. Expected Changes: New regulations in 2024 may include changes to the HIPAA Privacy Rule, such as easing restrictions on disclosures of PHI, strengthening patient rights to access their PHI, and requirements for sharing ePHI with other providers.

  2. Proposed Changes: These include allowing patients to inspect their PHI, changing the time allowed to provide access to PHI, limiting requests to transfer ePHI, and creating a pathway for sharing PHI among covered entities.

Both covered entities and business associates need to stay updated with the latest HIPAA regulations and ensure ongoing compliance with its requirements.

HIPAA Cybersecurity Considerations

  1. Risk Assessment: Covered Entities and Business Associates must conduct a thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI.

  2. Implementing Security Measures: Covered Entities and Business Associates must implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

  3. Key Cybersecurity Measures: When evaluating a business associate, covered entities should look for strong cybersecurity measures like an information security officer, privacy officer, policies, training, encryption, and cyber insurance.

  4. Written Information Security Policy (WISP): This document describes the covered entity's or business associate's overall approach to protecting the data it handles.