HIPAA Compliance

HIPAA compliance is a necessary, yet challenging, process that many organizations in the healthcare and healthcare insurance industry must undertake. To comply with HIPAA, it is essential for organizations subject to its regulations to understand what HIPAA is and what is covered by its rules.

A consequence of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was the development of national standards to prevent unauthorized uses and disclosures of sensitive patient health information. HIPAA also provided regulations that gave patients more rights to access, correct, and transfer health information, as well as the ability to know who has access to their information.

HIPAA compliance is mandatory for organizations that create, receive, maintain, or transmit health care or payment information electronically in connection with standard transactions such as claims, eligibility checks, and payment. These organizations are known as Covered Entities (CEs) and include health plans, health care clearinghouses, and health care providers that conduct such transactions electronically. HIPAA standards also apply to third-party organizations with whom Protected Health Information (PHI) is shared for the provision of a service on behalf of a CE.

These third-party organizations are known as Business Associates (BAs). Potential HIPAA BAs include vendors of e-prescribing software, third-party disposal services, and Managed Service Providers. For HIPAA compliance, every BA must sign a contract that clarifies what PHI is being disclosed to the BA and the permissible uses and disclosures of that PHI by the BA. This contract is known as a Business Associate Agreement (BAA).

What are the Requirements for HIPAA Compliance?

The requirements for HIPAA compliance consist of complying with the standards and implementation specifications set by the Privacy, Security, and Breach Notification Rules. Under the Security Rule, implementation specifications are categorized as either required or “addressable”. Required specifications must be implemented as written. For an addressable specification, a CE or BA must assess whether the measure is reasonable and appropriate in its environment; if it is not, the entity may implement an equivalent alternative measure that achieves the same objective or, where justifiable in the circumstances, not implement it at all, but in either case it must document the reasoning behind the decision. The decision will depend on factors such as the entity’s risk analysis, its risk mitigation strategy, the security measures already in place, and the cost of implementation.

The HIPAA Privacy Rule

The HIPAA Privacy Rule was issued with the intention of protecting the confidentiality of patients’ individually identifiable health information, while allowing for the flow of patient health information when it is required. The HIPAA Privacy Rule stipulates who can have access to PHI, who it can be disclosed to, and the circumstances in which it can be used. Patients have rights over their PHI and must be notified of their rights via a Notice of Privacy Practices. These rights include:

  • The ability for a patient to examine and receive a copy of their health record and request alterations if necessary.
  • The ability to obtain an accounting of disclosures, i.e. a record of to whom their PHI has been disclosed.
  • The ability to request the transmission of an electronic copy of their PHI by a CE to a third party.

Other than when requested by the patient, the only other time CEs and BAs MUST disclose PHI is when it is requested by HHS’ Office for Civil Rights in the course of a compliance investigation or review. CEs are PERMITTED to use and disclose PHI without patient authorization for treatment, payment, and health care operations. Uses and disclosures for payment and health care operations are subject to the Minimum Necessary Standard, which stipulates that only the minimum amount of PHI needed to fulfill the intended purpose may be used or disclosed; disclosures to a health care provider for treatment are exempt from this standard.

A patient authorization is required for all other uses and disclosures of PHI. The authorization must state what PHI is being disclosed, who it is being disclosed to, and for what reason. The authorization form must also make it clear to the patient (or their representative) that they have the right to withdraw their authorization at any time.

The HIPAA Security Rule

The HIPAA Security Rule was promulgated to support the protection of electronic Protected Health Information (ePHI). While the Privacy Rule primarily applies to CEs, the Security Rule applies to CEs and BAs in its entirety.

The Security Rule requires both CEs and BAs to comply with three types of safeguards in order to protect the confidentiality, integrity, and availability of PHI that is created, received, maintained, or transmitted electronically. These three types are Administrative, Physical, and Technical Safeguards.

The Administrative Safeguards are the policies, procedures, and management actions CEs and BAs must take to prevent, detect, contain, and correct security violations. These include designating a Security Officer responsible for the security management process, conducting an accurate and thorough risk analysis of the ePHI the entity holds, implementing measures that reduce the identified risks to a reasonable and appropriate level, training the workforce, and maintaining a contingency plan.

The Physical Safeguards are measures intended to prevent unauthorized physical access to a CE’s or BA’s information systems, facilities, and the workstations and devices that hold ePHI, for example facility access controls, workstation security, and device and media controls governing the disposal and re-use of media containing ePHI.

The Technical Safeguards are the technology-based controls applied to systems that hold ePHI: access controls (unique user identification, emergency access procedures, automatic logoff, and encryption), audit controls that record and allow examination of activity in those systems, integrity controls that protect ePHI from improper alteration or destruction, person or entity authentication, and transmission security for ePHI sent over electronic networks.

As mentioned previously, the implementation specifications of the Security Rule are categorized as either required or addressable. It is the responsibility of the CE or BA to ensure they implement the correct measures for HIPAA compliance.

The Breach Notification Rule

When unsecured PHI is accessed, acquired, used, or disclosed in a manner not permitted by the Privacy Rule, CEs are required to notify the affected individuals. The requirement also applies to BAs, who must notify the CE on whose behalf they are providing a service when a breach of unsecured PHI occurs. This requirement is known as the HIPAA Breach Notification Rule. “Unsecured” PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons, for example through encryption in line with HHS guidance; the loss of properly encrypted PHI whose decryption key was not also compromised does not trigger the notification obligations.

The Department of Health and Human Services maintains that an impermissible use or disclosure of unsecured PHI is presumed to be a breach unless the CE or BA determines there is a low probability that the PHI has been compromised, based on a risk assessment that considers at least the following factors:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  • The unauthorized person who used the PHI or to whom the disclosure was made;
  • Whether the PHI was actually acquired or viewed;
  • The extent to which the risk to the PHI has been mitigated.

Unless a low probability of compromise can be demonstrated and documented, the HIPAA Breach Notification Rule requires CEs to notify the affected individuals and HHS’ Office for Civil Rights (OCR). The notification must include the following:

  • A brief description of the breach, including the date of the breach and the date it was discovered.
  • A description of the types of unsecured PHI that were involved.
  • A summary of the steps individuals should take to protect themselves from potential harm.
  • A brief description of what the CE is doing to investigate the breach, mitigate harm, and protect against further breaches.
  • Contact procedures for individuals who have questions or want additional information.

If a breach affects 500 or more individuals, the CE must notify the affected individuals and the OCR without unreasonable delay and no later than 60 calendar days after the breach is discovered; where more than 500 residents of a single state or jurisdiction are affected, prominent media outlets serving that area must also be notified within the same period. If a breach affects fewer than 500 individuals, notifications to the affected individuals must still be made within 60 days of discovery, but the breach may be logged and reported to the OCR within 60 days of the end of the calendar year in which it was discovered. All breaches are reported through the OCR breach reporting portal.

Prior to the enactment of the HIPAA Breach Notification Rule in 2009, CEs had no obligation to report the exposure of unsecured PHI, and it fell to the OCR to establish that harm had resulted from a breach before pursuing enforcement action. Since the Breach Notification Rule, and in particular since the 2013 Final Omnibus Rule replaced the earlier “risk of harm” test with the low-probability-of-compromise standard, the burden has shifted: a CE or BA that chooses not to notify the OCR or patients must be able to demonstrate, through a documented risk assessment, that there was a low probability the PHI was compromised.

Subsequent Changes to the HIPAA Requirements

Periodically, HIPAA guidelines are updated to expand the scope of HIPAA compliance, address evolving challenges, and progress towards a more efficient health system. The HITECH Act in 2009 and the enactment of HIPAA related provisions via the Final Omnibus Rule in 2013 are examples of subsequent changes to the HIPAA requirements.

The HITECH Act consists of four subtitles. Subtitle D includes additional provisions for the privacy and security of ePHI: Part 1 concerns the improvement of privacy and security of ePHI, while Part 2 concerns the relationship between the HITECH Act and other laws. Under this subtitle, some rules took immediate effect, for example the Breach Notification Rule. The OCR was given the authority to apply penalties to non-compliant CEs and BAs, and state attorneys general were given the right to bring civil actions on behalf of affected residents of their states.

The Final Omnibus Rule of 2013 reflected the evolution of technology since HIPAA was enacted in 1996 and addressed shortcomings of the original Privacy and Security Rules, among them making BAs directly liable for compliance with the Security Rule and with the applicable provisions of the Privacy Rule. With these shortcomings addressed, the OCR was given the means to increase enforcement action.

What are the Penalties for Failing to Comply with HIPAA?

Non-compliance with HIPAA can lead to large fines and even criminal penalties. The primary enforcer of HIPAA is the Department of Health and Human Services’ Office for Civil Rights. However, subsequent changes such as the HITECH Act have given state attorneys general the ability to pursue non-compliant CEs and BAs independently on behalf of their citizens. In addition, the Centers for Medicare and Medicaid Services (CMS), the U.S. Food and Drug Administration (FDA), and the Federal Communications Commission (FCC) all have enforcement powers to some extent.

There are various ways in which the enforcers of HIPAA learn about non-compliance. Complaints submitted through online reporting portals by employees and the public are the most common way violations come to light. Breach notifications made by CEs and BAs to the OCR are another. The OCR may also find violations without the assistance of employees or patients: compliance audits, and the reviews it carries out while monitoring a corrective action plan or providing technical assistance, regularly result in the OCR identifying HIPAA violations.

The OCR has the means to punish non-compliance with HIPAA harshly. Civil monetary penalties are tiered by the level of culpability, and for the most serious tier the OCR can impose fines of up to $1,806,757 per calendar year for violations of an identical provision (the inflation-adjusted cap quoted for 2022). The size of the penalty is determined by multiple factors. These include:

  • The amount of harm caused by the violation.
  • The degree of culpability.
  • The efforts made to reduce the impact of the violation.
  • The level of cooperation and the time of notification made by the negligent party.

State Attorneys General have the authority to impose fines, while agencies such as CMS can penalize CEs in receipt of Medicare and Medicaid payments for practices considered to constitute information blocking. Individuals can face criminal charges for knowingly obtaining or disclosing PHI in violation of HIPAA, with the heaviest penalties reserved for violations committed under false pretenses or with the intent to sell the information, to obtain commercial advantage or personal gain, or to cause malicious harm.

Ensure you Know the HIPAA Compliance Requirements

In order to avoid penalties for non-compliance with HIPAA, it is necessary for CEs and BAs to fully understand its regulations. HIPAA compliance can be confusing and difficult to follow, and organizations may find it difficult to implement the appropriate safeguards for the protection of PHI. In addition, the HIPAA requirements change periodically, and CEs and BAs must keep up to date with these changes. Therefore, it is advised that those subject to the HIPAA Rules seek expert advice to ensure full HIPAA compliance.
