The 2021 Guide to HIPAA Compliance

Lazarus Alliance HIPAA Audit attestations help protect clients' data and reputation.

Table of Contents

  1. What is HIPAA?
  2. HIPAA Compliance Terminology
  3. What Are the Three Rules of HIPAA Compliance?
  4. What Is the HIPAA Privacy Rule?
  5. What Is the HIPAA Security Rule?
  6. What Is the HIPAA Breach Notification Rule?
  7. What Is the HITECH Act?
  8. What Is the Omnibus Rule?
  9. What Does HIPAA Compliance Entail?
  10. What Are the Penalties for Not Meeting HIPAA Compliance?
  11. What Can I Do to Ensure That My Organization is HIPAA Compliant?

What is HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act signed into law by President Bill Clinton in 1996. HIPAA was put into place to protect patient data from theft or loss. 

Why is this important? Private Health Information (PHI) is considered some of the most sensitive data that a person can have. It was determined that it was critical to protect PHI for patients and that this responsibility fell on healthcare providers who used that information for treatment, research, or billing purposes. 

With the emergence of electronic PHI (ePHI) and digital technologies like networked communication and electronic recordkeeping, HIPAA became that much more important. HIPAA was therefore conceptualized to protect ePHI no matter where it is. 


HIPAA Compliance Terminology

When discussing HIPAA compliance, there are a few specialized terms that the framework defines to help involved parties better understand their responsibilities:

  • Electronic Private Health Information (ePHI): Patient data related to a patient's treatment, medical history, or the payment history for that treatment. This is the primary information that must be protected under HIPAA guidelines.
  • Covered Entities (CEs): The primary responsible parties under HIPAA, including organizations such as hospitals, clinics, insurance companies, and broader healthcare networks.
  • Business Associates (BAs): Typically contractors or third-party companies that handle specific functions for CEs and, in doing so, manage ePHI. A BA can manage functions such as payment processing and management, cloud software and storage, or cybersecurity measures. Under HIPAA, a BA is just as responsible for ePHI as a Covered Entity.
  • Business Associate Agreements (BAAs): Required documents detailing the working relationship between a CE and a BA, including the BA's responsibilities under HIPAA. HIPAA requires that every CE have a standing BAA with each of its Business Associates.


A “business associate” is a person or an organization that performs tasks that involve the use or disclosure of PHI, such as:

  • Laboratory facilities
  • CPAs, attorneys, and other professionals with clients in the healthcare industry
  • Medical billing and coding services
  • IT providers, such as cloud hosting services and data centers, that are doing business in the healthcare industry
  • Subcontractors, and the business associates of business associates, which must also comply with HIPAA rules.


A “covered entity” is one of the following:

  • A healthcare provider, such as a doctor’s office, pharmacy, nursing home, hospital or clinic that transmits “information in an electronic form in connection with a transaction for which HHS has adopted a standard.”
  • A health plan, such as a private-sector health insurer, a government health program such as Medicaid, Medicare, or Tricare, a company health plan, or an HMO.
  • A “healthcare clearinghouse,” an entity that processes health information received from another entity, such as a billing service or a community health information system.


What are the Three Rules of HIPAA Compliance?

At the heart of HIPAA regulations are three rules:

  1. The Privacy Rule defines PHI, the responsible organizations, and how those organizations must protect that information.
  2. The Security Rule defines the controls a healthcare organization must implement to protect PHI properly.
  3. The Breach Notification Rule outlines the steps an organization must take to notify the public about any security breach resulting in the theft or loss of PHI.

There is an additional rule, the Omnibus Rule, that revises and updates several aspects of the HIPAA rules and how they impact healthcare organizations.


What is the HIPAA Privacy Rule?

The HIPAA Privacy Rule establishes the basic standards for patient data, privacy and compliance requirements. This rule establishes many of the foundations of HIPAA compliance, including:

  1. The definition of PHI within compliance. The Privacy Rule defines PHI as information that relates to a patient’s past, present, or future health conditions; the provision of healthcare for that individual; and any payments made for past, present, or future care.
  2. The definition of responsible parties under HIPAA. Under this rule, two major players are highlighted: Covered Entities (CEs) and Business Associates (BAs) that handle PHI.
  3. The way organizations work together to handle PHI. This essentially defines the necessity of a Business Associate Agreement (BAA) between CEs and BAs.
  4. The types of data not protected under HIPAA. This includes how to de-identify health information, and under what circumstances a doctor or healthcare provider can disclose healthcare information.

The Privacy Rule, therefore, is the bedrock on which all the other rules rest, including the controls and safeguards defined in the Security Rule.


What is the HIPAA Security Rule?

The HIPAA Security Rule takes the responsibilities in the Privacy Rule and dictates the appropriate security measures that an organization must implement to be compliant. It does not state specific technologies, however. Instead, it outlines general practices and approaches with the understanding that those practices meet reasonable expectations for protection. So, for example, the Security Rule expects that encryption be in place to protect ePHI, but the organization must implement an encryption algorithm that protects against current threats. 

The Security Rule covers several areas. Primarily, this rule defines necessary security controls over three broad categories:

  • Technical: The implementation of technological safeguards like encryption, firewalls, anti-malware, and any other relevant protection. 
  • Administrative: The placement of risk management and assessment, training, and other administrative processes to monitor and manage security. 
  • Physical: The protection of physical systems (data centers, workstations, mobile devices) from unauthorized access. 

These security rules tell Covered Entities where and how they must protect data, and leave them to implement appropriate standards to do so.


What is the HIPAA Breach Notification Rule?

Security breaches happen, and under HIPAA Covered Entities and Business Associates have a legal obligation to report breaches to the victims and the public more broadly. A “breach” is when an unauthorized party accesses ePHI and can include both accidental disclosures and malicious hacks. 

The Breach Notification Rule dictates that responsible organizations notify relevant parties within a defined period. Once an organization determines that a breach has occurred, it has 60 calendar days from the day of discovery to notify patients whose records have been compromised. This must occur in writing or via email, and if there is a significant number of affected individuals for whom no contact information is on hand, the organization must post the notification prominently on its website.

If the breach involves more than 500 people, then the affected organization must also notify prominent media outlets within the affected jurisdiction of the breach. They must also notify the office of the Secretary of Health and Human Services.

These notification requirements apply only to theft of, or unauthorized access to, unencrypted data.


What is the HITECH Act?

The Health Information Technology for Economic and Clinical Health (HITECH) Act, signed by President Obama in 2009, updated HIPAA by outlining rules and penalties regarding breaches of private health information (PHI).

Among other provisions, HIPAA mandates that security measures be taken to protect PHI. HIPAA is split into five sections or titles. HIPAA Title II, which is known as the Administrative Simplification provisions, is what most information technology (IT) professionals are referring to when they speak of “HIPAA compliance.”

HITECH also contains several provisions and requirements to encourage (and eventually force) healthcare organizations to migrate health data and communication systems to digital infrastructure.


What Is the Omnibus Rule?

The Omnibus Rule is a revision and update of many HIPAA requirements. Made effective in 2013, the Omnibus Rule most significantly reshaped responsibilities for Business Associates. Before 2013, Business Associates had more limited liability under HIPAA. HITECH required that liability be spelled out in a BAA, but the Omnibus Rule codified responsibilities and penalties for BAs, essentially making them directly responsible for their own compliance.

The Omnibus Rule also updated several other aspects of HIPAA, including:

  • How organizations may or may not sell ePHI
  • Student immunization records
  • Sharing of ePHI across individuals or organizations
  • Individual access to ePHI by patients

What Does HIPAA Compliance Entail?

The Administrative Simplification provisions in HIPAA Title II are split into five rules, including the HIPAA Privacy Rule and the HIPAA Security Rule.

The HIPAA Privacy Rule establishes national standards to protect PHI. It applies to all forms of records – electronic, oral, and written – and requires employers to implement PHI security procedures and ensure that all employees are trained on them. The HIPAA Security Rule applies to ePHI. It establishes national standards to protect ePHI and requires entities to implement administrative, physical, and technical safeguards of ePHI.


What Are the Penalties for Not Meeting HIPAA Compliance?

If your organization is not HIPAA compliant, and a breach of PHI occurs, the penalties can be severe, as can be the public relations fallout for your organization. You will be required to notify all affected patients of the breach, and this publicity could do irreparable damage to your organization’s reputation. Your organization could also face fines of more than $1 million – and, in some cases, even criminal penalties.

HIPAA breaks penalties down into four tiers based on the type of violation:

  1. Tier 1: Violations that were unknown (accidental) and could not realistically have been avoided, even with a HIPAA compliance review.
  2. Tier 2: Violations the organization should have been aware of but was not, yet that probably could not have been avoided (that is, the organization should have known, but the violation is not due to negligence).
  3. Tier 3: Violations that result from willful neglect of compliance, but where attempts have been made to rectify the problem.
  4. Tier 4: Violations of willful neglect in which no attempt has been made to rectify the situation.

As the tier increases, so does the severity of the non-compliance and, accordingly, the penalties:

  1. Tier 1: A minimum fine of $100 per violation, up to $50,000.
  2. Tier 2: A minimum fine of $1,000 per violation, up to $50,000.
  3. Tier 3: A minimum fine of $10,000 per violation, again up to $50,000.
  4. Tier 4: A minimum fine of $50,000 per violation.

As you can see, multiple violations of HIPAA due to willful neglect can easily bankrupt small organizations and business associates. 

That is not all! The most common breaches are usually accidental, but almost all breaches involve someone internal to the organization. In either case, the penalties for stealing ePHI are steep under HIPAA and fall under three separate tiers:

  1. Tier 1: When the party initiates a breach through lack of knowledge or by accident, they can get up to 1 year in jail. 
  2. Tier 2: When a party obtains ePHI through fraud or other means, they can receive up to 5 years in jail. 
  3. Tier 3: When a party commits fraud to obtain ePHI with the intent to sell it or harm individuals, they can get up to 10 years in jail. 

What Can I Do to Ensure That My Organization is HIPAA Compliant?

Lazarus Alliance believes that the best defense against a PHI breach is a good offense – and HIPAA requires that covered entities and business associates take a proactive approach to protecting patient data. Considering the financial penalties and potential PR nightmare associated with breaches of sensitive personal medical information, HIPAA compliance is serious business.

HIPAA is a complex law, and many organizations are baffled about where to begin with their HIPAA compliance. Thankfully, the HIPAA compliance experts at Lazarus Alliance are here to help. We offer comprehensive HIPAA Audit, HITECH, NIST 800-66, and Meaningful Use Audit services to help you evaluate your existing HIPAA protocols and establish new ones. Lazarus Alliance’s proprietary IT Audit Machine (ITAM), which is fully HIPAA compliant, helps eliminate 96% of cybercrime and nearly 100% of the headaches associated with compliance audits.

Lazarus Alliance offers full-service risk assessment and risk management services that help companies all around the world sustain a proactive cybersecurity program. Lazarus Alliance is Proactive Cyber Security®. Call 1-888-896-7580 to discuss your organization’s cybersecurity needs and find out how we can help you with HIPAA Compliance.


Lazarus Alliance