The Health Insurance Portability and Accountability Act (HIPAA) is as important to the healthcare industry now as it has ever been, if not more so. Hospitals, insurance companies and healthcare providers all need to ensure HIPAA compliance to safeguard private and sensitive patient data.
Thankfully, we’re providing a clear, step-by-step HIPAA compliance checklist that covers everything you need to know.
You don’t want to have to worry about a HIPAA complaint against your company, and you don’t want to be one of those that get fined. This guide will tell you what you need to know about HIPAA compliance and help you protect and secure your HIPAA-protected data.
What is HIPAA Compliance?
HIPAA compliance is the process that business associates and covered entities follow to protect and secure Protected Health Information (PHI) as prescribed by the Health Insurance Portability and Accountability Act. That’s legalese for “keep people’s healthcare data private.”
Protected Health Information (PHI) is your/my/everyone’s healthcare data. PHI is the content that HIPAA tries to protect and keep private. The Safe Harbor Rule identifies what kinds of data you must remove to de-identify PHI.
Covered entities are individuals and organizations in the healthcare field that use and have access to PHI, such as doctors, nurses, and insurance companies.
Business associates are individuals that work with a covered entity in a non-healthcare capacity; they are responsible for maintaining HIPAA compliance just as covered entities are. Lawyers, accountants, administrators, and IT personnel that work in the healthcare industry and have access to PHI are some common examples of business associates.
Your 2021 HIPAA Compliance Checklist
Now that you know what constitutes PHI and who needs to comply with HIPAA, let’s take a look at what you need to do step-by-step to achieve HIPAA compliance.
1. Understand the HIPAA Privacy Rule
The HIPAA Privacy Rule is the foundational piece that all applicable organizations need to familiarize themselves with. The Privacy Rule explains when and how authorized personnel can access PHI. This includes healthcare professionals, administrators, lawyers or anyone else within your health information ecosystem.
That’s why the first step towards HIPAA compliance is familiarizing yourself with the Privacy Rule. The Rule mandates appropriate safeguards to protect the privacy of PHI, setting limits on the access and use of said information. The Privacy Rule also gives patients certain rights over their PHI, including the right to obtain copies of records and request corrections.
2. Determine if the Privacy Rule Affects You
Next, you’ll need to assess and confirm that the Privacy Rule does, in fact, apply to your business, practice, or healthcare organization. Remember that the Privacy Rule protects individual PHI by governing the practices of all covered entities, from doctors and nurses to lawyers and insurance providers.
Covered entities are the people and organizations that hold and process PHI data for their customers and/or patients. Covered entities are also responsible for reporting HIPAA violations, and they are the ones who will pay any fines imposed by the Office for Civil Rights if a HIPAA violation does occur.
HIPAA defines these individuals and organizations as covered entities:
Health Care Providers
- Nursing homes
Health Plans
- Health insurance companies
- Company health plans
- Government-provided health care plans
Health Care Clearinghouses
- These entities process healthcare data from another entity into a standard form.
3. Protect the Right Types of Patient Data
The third action item in your HIPAA compliance checklist is knowing what types of patient data you need to protect, and then beginning to put the right security and privacy measures in place.
The HIPAA Privacy Rule defines PHI as “individually identifiable health information” stored or transmitted by a covered entity or their business associates. This can be in any form of media, from paper and electronic to verbal communications.
The law further defines “individually identifiable health information” as an individual’s past, present, and future health conditions, the details of the health care provided to an individual, and the related payment information, where that information “identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.”
This typically includes — but is not limited to — the following kinds of patient data:
- Names and birthdates
- Dates pertaining to a patient’s birth, death, treatment schedule or relating to their illness and medical care
- Contact information such as telephone numbers, physical addresses and email
- Social Security Numbers
- Medical Record Numbers
- Photographs and digital images
- Fingerprints and voice recordings
- Any other form of unique identification or account number
4. Prevent Potential HIPAA Violations
HIPAA violations can occur in any number of ways, so it’s critical that you understand what a violation is and how violations happen so you can take preventative measures. The most common type of violation is actually internal, and not the result of any outsider hack or data breach. Typically, violations stem from negligence or only partial compliance with the Privacy Rule.
A workstation left unlocked or a paper file misplaced in a public setting — although not malicious — is the type of violation to be most on guard for. Not properly configuring software like Office 365 for HIPAA compliance is another good example of an unintentional violation. However, something like a lost or stolen laptop with PHI isn’t necessarily a violation in and of itself. If the PHI is encrypted in alignment with Privacy Rule standards, you’re not liable for fines or penalties.
Data Breaches Under HIPAA
As we alluded to earlier, a data breach doesn’t necessarily have to be an external hack. Under HIPAA, a data breach is simply unauthorized personnel or people accessing PHI when they shouldn’t. While it can be a malicious cyberattack designed to steal PHI, it’s also any covered entity accessing or viewing PHI in a time or manner when they shouldn’t.
HIPAA defines a data breach as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted which compromises the security or privacy of the protected health information.” To prevent data breaches, you’ll need a strong cybersecurity program to keep hackers out, as well as proper internal security measures and training.
Recognizing Common HIPAA Violations
We’ve touched on a few common scenarios where HIPAA violations occur, but you’ll need to familiarize yourself with multiple cases and scenarios that can trigger a violation.
Here are some of the other common causes that can lead to a HIPAA violation:
- Theft of equipment that stores PHI
- Hacking, malware, or ransomware
- Physical office break-in
- Sending PHI to the wrong person or business partner
- Discussing PHI in public
- Posting PHI to social media
Which violations your company is most at risk for depends on the nature of your business and its relationship with patients and their data. That’s why it’s critical to work with a HIPAA compliance partner to determine what measures you need to put in place or improve.
Anticipating a Minor Breach
The HIPAA Breach Notification Rule requires that any affected patient or customer be notified that their PHI may have been stolen, compromised, or even merely exposed to such risk. How and when you need to notify customers depends on the nature of the breach. First, you need to have processes in place in case what HIPAA defines as a minor breach takes place.
A minor or smaller breach is one that affects fewer than 500 individuals within a single jurisdiction. The HIPAA Breach Notification Rule mandates certain actions be taken in this instance. You’ll need to gather all data on minor breaches that occur throughout the course of a year and report them to regulators within 60 days of year’s end. Affected individuals must also be notified within 60 days of when the breach took place.
Prepping for a Meaningful Breach
On the other hand, a meaningful breach is one that affects over 500 people within a given jurisdiction. Meaningful breaches need to be reported to the Department of Health and Human Services Office for Civil Rights (HHS OCR) within 60 days of the actual occurrence. You should also be ready to notify affected parties immediately upon discovery of the breach.
Moreover, meaningful breaches need to be reported to local law enforcement agencies immediately. You will also need to coordinate with local media agencies and organizations as a part of notifying affected parties. While meaningful breaches are rare, part of your HIPAA compliance journey is making sure you have all the resources in place in case such a breach does occur.