Achieving HIPAA Compliance
By Ronale Tucker Rhodes, MS
Compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a vital component of any medical practice, especially as healthcare becomes more complex with the growing use of technology. Indeed, noncompliance with HIPAA can be extremely costly for covered entities and their business associates. In 2016, the Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS) began conducting the second phase of its HIPAA audit program as part of its overall health information privacy, security and breach notification compliance activities. These random desk audits request documentation and evidence from small and large organizations across the U.S., and those not in compliance have faced fines from $215,000 on the low end up to millions of dollars [1,2].
Because every covered entity and business associate is eligible to be audited by OCR, it is imperative that they have a solid understanding of how to comply with HIPAA in their facilities. This includes the requirement for all covered entities to identify a HIPAA privacy and security officer responsible for developing and implementing policies and procedures that ensure the integrity of electronic protected health information (ePHI) [3].
HIPAA Security, Privacy and Breach Notification Rules
HIPAA is a series of national standards healthcare organizations must have in place to safeguard the privacy and security of PHI. PHI is defined as any demographic individually identifiable information that can be used to identify patients, such as names, addresses, emails, telephone numbers, Social Security numbers and full facial photos [4]. With advances in technology over the last couple of decades, HIPAA has adopted national standards for electronic healthcare transactions and code sets, unique health identifiers and security, which have resulted in the privacy, security and breach notification rules.
The privacy rule, which was first published in December 2000 and later modified in August 2002 [5], established national standards for when PHI may be used and disclosed. PHI relates to “an individual’s past, present or future physical or mental health or condition; the provision of healthcare to an individual; and past, present or future payment for the provision of healthcare to an individual.”
The security rule, which was published in February 2003 [5], specifies safeguards that covered entities and their business associates must implement to protect ePHI confidentiality, integrity and availability. In essence, they must “implement reasonable and appropriate security measures through policies and procedures to protect the security of ePHI they create, receive, maintain or transmit.” And, they must analyze the risks to ePHI in their environment and create appropriate solutions based on the nature of the business and its size, complexity and resources.
The breach notification rule requires covered entities to notify affected individuals, HHS and the local media (if affecting more than 500 patients) of a breach of unsecured PHI without reasonable delay and no later than 60 days following the breach discovery. A breach is considered an “impermissible use or disclosure under the privacy rule that compromises the security or privacy of PHI.” And, the impermissible use or disclosure is presumed to be a breach unless the entity can demonstrate there is a low probability the PHI has been compromised, based on four factors: the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; the unauthorized person who used the PHI or to whom the disclosure was made; whether the PHI was actually acquired or viewed; and the extent to which the risk to the PHI has been mitigated [6].
Covered Entities and Business Associates Defined
HHS defines covered entities as covered healthcare providers, health plans and healthcare clearinghouses. Covered healthcare providers are “providers of medical or other healthcare services or supplies that transmit any health information in electronic form in connection with a transaction for which HHS has adopted a standard.” Health plans are “individual or group plans that provide or pay the cost of healthcare” such as company health plans, government programs that pay for healthcare, health insurance companies and health maintenance organizations. Healthcare clearinghouses are “public or private entities that process another entity’s healthcare transactions from a standard format to a nonstandard format or vice versa.”
Business associates are persons or organizations that perform functions or provide services on behalf of a covered entity that involve access to PHI. They can also be subcontractors responsible for creating, receiving, maintaining or transmitting PHI on behalf of another business associate [6].
Steps to Complying with HIPAA Rules
Basic compliance with HIPAA involves six steps [4]:
1) Conducting audits. Audits provide a baseline of where a practice stands against HIPAA law. Audits should be executed across all elements of the business using the HIPAA standards as their basis.
2) Creating remediation plans. These plans should be opened for each gap audits have uncovered, and they must be fully documented in one central repository, with limited role-based access depending on parties involved in the remediation process. Each remediation plan must assign responsibility to someone on the staff to fix the gap, along with action items and a timeline for completion.
3) Developing policies and procedures and training employees. Organizations are required to have policies and procedures in place that address each HIPAA standard, and which create uniform processes across all parts of the organization for handling PHI and other HIPAA-mandated implementation specifications. And, they must be tailored to the needs of the organization. Once in place, employees must be trained on their content, and all employees must sign an attestation they have read and understood the content of each policy.
4) Executing business associate agreements with vendors. These agreements, which must be executed before any PHI can be shared, describe the relationship between the covered entity and the business associate. They must also be reviewed annually, and amended if necessary to account for any changes in the relationship. In addition, covered entities are mandated to perform due diligence on their business associates before executing the agreements. Due diligence includes informally assessing the associate’s current security and cybersecurity infrastructure and its history of data breaches to determine whether it is a safe relationship to pursue.
5) Managing incidents. Because data breaches can still occur even when a HIPAA compliance program is in place, there should be processes for documenting, tracking and reporting breaches. These processes should set specific standards for both minor (fewer than 500 individuals) and meaningful (more than 500 individuals) breaches.
6) Maintaining good documentation. A compliance program relies upon documentation that demonstrates HIPAA compliance, both internally and to a federal investigator. And, that documentation must be kept in a centralized repository that can be accessed by necessary personnel and retained for six years.
The Role of the HIPAA Privacy/Security Officer
As mentioned previously, HIPAA requires organizations to appoint a HIPAA security officer and a HIPAA privacy officer. However, depending on the size of the organization, the two roles may be combined into one.
The specific responsibilities of the security officer include establishing, managing and enforcing the security rule safeguards and any subsequent rules issued by OCR; integrating IT security and HIPAA compliance with the organization’s business strategies and requirements; addressing issues related to access controls, business continuity, disaster recovery and incident response; maintaining organizational security awareness, including staff training in collaboration with the HIPAA privacy office; conducting risk assessments and audits; and investigating data breaches and implementing measures for their future prevention and/or containment.
While the role of a HIPAA privacy officer is similar to that of a security officer, since the individual also conducts risk assessments, trains staff and manages business associate agreements, the privacy officer is also responsible for establishing, managing and enforcing HIPAA-compliant policies and procedures to protect PHI in whatever format it is maintained [3].
Customizing the Compliance Program
HIPAA compliance is not a voluntary undertaking, but rather a mandatory requirement governed by OCR. As such, a compliance program must be implemented by all covered entities and their business associates, and someone designated in the organization must oversee management of it. And, because entities vary in type and size, each will need to develop a program to meet their specific needs.
References
1) HIPAA Compliance for Medical Practices. Accessed at hipaa.technicaldr.com.
2) Sullivan T. OCR: Be Prepared for HIPAA Audits. Healthcare IT News, Sept. 10, 2014. Accessed at www.healthcareitnews.com/news/ocr-be-ready-hipaa-audits.
3) HIPAA Journal. HIPAA Security Officer. Accessed at www.hipaajournal.com/hipaa-security-officer.
4) Compliancy Group. HIPAA Basics. Accessed at compliancygroup.com/hipaa-basics.
5) U.S. Department of Health and Human Services. HIPAA for Professionals. Accessed at www.hhs.gov/hipaa/for-professionals/index.html.
6) Centers for Disease Control and Prevention. HIPAA Basics for Providers: Privacy, Security and Breach Notification Rules. Medicare Learning Network Fact Sheet, September 2018. Accessed at www.cms.gov/Outreach-and-Education/Medicare-LearningNetwork-MLN/MLNProducts/Downloads/HIPAAPrivacyandSecurity.pdf.