If you work for or with healthcare organizations, you know about HIPAA — and you know you can face major HIPAA violations if you fail to comply with its rules and regulations. But what does it mean to be HIPAA compliant, and how do you go about achieving it?
HIPAA legislation was passed in 1996 to address key issues within the US healthcare industry. The Health Insurance Portability and Accountability Act established national standards that make healthcare more accessible, efficient, and secure. Today, all covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates must comply with HIPAA regulations.
What are those regulations, and how can healthcare organizations prove compliance? This article explains what’s required and lays out the 7 key steps to becoming HIPAA compliant.
HIPAA regulations, rules, and requirements
HIPAA includes a set of rules to help healthcare organizations and their business associates protect the privacy and security of patient data. To become compliant, healthcare organizations must follow five HIPAA rules.
The HIPAA Privacy Rule
The HIPAA Privacy Rule is a federal law that gives patients rights over their protected health information and limits who can access and disclose protected health information (PHI). It ensures that organizations take the proper steps to secure health information while allowing that information to be shared in a way that promotes high-quality healthcare.
The HIPAA Security Rule
The Security Rule establishes three types of safeguards that organizations must use to secure PHI from unauthorized access: physical, administrative, and technical. Together, these safeguards help ensure patient health information isn’t at risk for a data breach.
The HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule requires organizations to notify affected individuals and the Department of Health and Human Services (HHS) when unsecured PHI has been breached. To avoid a HIPAA violation, organizations must send notifications to affected individuals within 60 days of identifying a breach.
The HIPAA Enforcement Rule
This rule defines how investigations into HIPAA complaints and violations are conducted, as well as how fines and penalties for HIPAA violations are determined.
The HIPAA Omnibus Rule
One of the key points of HIPAA legislation is to give patients greater control over who can access their health records and when. Under the Omnibus Rule, covered entities must comply with a patient’s request to access or share their medical records.
7 steps to achieving HIPAA compliance
While HIPAA legislation requires organizations to be proactive about protecting PHI, it doesn’t specify the exact actions covered entities must take. This flexibility allows organizations to decide which safeguards are best suited to their unique needs. A regional hospital system will likely need to have different safeguards in place than a small family clinic, for example.
That said, all organizations will need to follow the same basic process to achieve HIPAA compliance. We outline those steps below.
Step 1: Conduct a security risk assessment
Under the Security Rule, covered entities are required to complete a HIPAA risk assessment. This risk analysis helps organizations understand their threat landscape, define their risk tolerance, and identify the probability and potential impact of each risk.
During a risk assessment, organizations identify and rank potential threats to their security posture, including human error, technical failures, and natural disasters. Armed with this knowledge, covered entities can build more effective strategies for identifying vulnerabilities, mitigating risks, and improving data security standards.
Both covered entities and business associates are required to complete periodic risk assessments, typically on an annual basis.
Step 2: Implement safeguards
HIPAA compliance requirements include three types of safeguards covered entities and business associates must put in place to protect PHI.
Administrative safeguards
Administrative safeguards ensure employees know how to properly access and store PHI. For example, completing security training, reviewing privacy policies, and ensuring staff know how to secure PHI in the event of an emergency.
Physical safeguards
Physical safeguards protect areas that allow physical access to PHI, such as file cabinets and workstations. These can include requiring ID badges to access PHI, locking file cabinets, and ensuring any screens displaying PHI aren’t publically visible.
Technical safeguards
Technical safeguards protect ePHI (PHI that’s stored electronically) from unauthorized access and alteration. Examples include using cybersecurity measures like antivirus software and data encryption.
Step 3: Designate a HIPAA compliance officer
This compliance officer is responsible for monitoring HIPAA compliance over time. Responsibilities include:
- Ensuring security and privacy policies are followed and enforced
- Managing privacy training for employees
- Completing periodic risk assessments
- Developing security and privacy processes
- Investigating any security incidents or suspected/confirmed data breaches
- Reporting breaches when required
- Creating a disaster recovery plan
- Ensuring the organization is has properly implemented the Security Rule’s administrative, physical, and technical safeguards
For large organizations managing a vast amount of PHI, these responsibilities are often divided between two different compliance officers: a security officer and a privacy officer.
Step 4: Complete HIPAA training for all staff that interface with PHI
Proper HIPAA training ensures that all employees handling PHI understand how to protect it and are familiar with HIPAA regulations and rules.
HIPAA rules and regulations can be complex for newcomers, so ensuring all employees who interface with PHI receive proper training is an essential step for compliance. HIPAA training ensures your staff understands their role in upholding security standards and know exactly what steps they should take to keep PHI private and secure.
Step 5: Collect Business Associate Agreements (BAAs)
Under HIPAA, covered entities may only work with business associates and service providers who also comply with HIPAA requirements for protecting PHI. Business Associate Agreements are written agreements that specify each party’s responsibilities surrounding PHI.
According to the Department of Health and Human Services (HHS), a BAA must include:
- A description of when PHI is either permitted or required to be used by the Business Associate
- Assurance that the Business Associate will not use or disclose PHI outside of what’s either permitted in the agreement or required by law
- A requirement that the Business Associate implement appropriate safeguards to protect PHI against unauthorized access or disclosure
You’ll need to collect these BAAs, review them on an annual basis, and update them to reflect any changes.
Step 6: Establish a breach notification process
A data breach isn’t always a guaranteed penalty — in some cases, a breach is either unintentional or outside your control to prevent.
Failing to report a breach, on the other hand, is a definite violation of the Breach Notification Rule. This rule requires organizations to report a data breach to the Office for Civil Rights (OCR) and notify any individuals who may have been affected within 60 days.
To be compliant, you’ll need to have a documented breach notification process that defines how your organization will follow this rule. This process should be reviewed and updated on an annual basis by your compliance officer.
Step 7: Document evidence of compliance
In the event of a HIPAA audit or complaint investigation, the OCR will need to review your documentation to verify compliance (or noncompliance). Keep a record of your security and privacy policies, risk assessments, internal audit reports, remediation plans, employee training certificates, business associate agreements, and other documentation related to HIPAA.
HIPAA compliance checklist for 2023
Track your company’s progress toward HIPAA compliance with this step-by-step checklist.
Faster, easier HIPAA compliance with Secureframe
Compliance automation solutions make it easier to monitor your HIPAA compliance program by helping you build privacy and security policies, tracking employee training, managing BAAs, and continuously monitoring your safeguards to alert you of any nonconformities.
Schedule a demo to see how Secureframe can simplify your HIPAA compliance today.
FAQs
Is HIPAA compliance mandatory?
Yes, HIPAA compliance is mandatory for covered entities and business associates as defined by the Health Insurance Portability and Accountability Act (HIPAA). Covered entities include healthcare providers, health plans, and healthcare clearinghouses that transmit any health information in electronic form in connection with transactions for which the U.S. Department of Health and Human Services (HHS) has adopted standards. Business associates are individuals or entities that perform certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of, or provide services to, a covered entity. Compliance with HIPAA's Privacy, Security, and Breach Notification Rules is not optional for these organizations and individuals; it's a legal requirement.
How long does it take to get HIPAA compliant?
The time it takes for an organization to become HIPAA compliant can vary widely depending on several factors, including:
- The size and complexity of the organization
- The current state of its compliance efforts
- The amount and types of protected health information (PHI) it handles
- The resources it dedicates to the compliance process
Generally, achieving HIPAA compliance is an ongoing process that involves continual assessment, updates, and improvements rather than a one-time event.
How much does it cost to get HIPAA certified?
Here are the traditional costs of HIPAA compliance, from cybersecurity measures to data privacy training and HIPAA audit costs:
- Risk analysis and risk management plan: $2k-20k, depending on organization size and complexity
- Policy creation and implementation: $2-5k, depending on organization size and complexity
- Periodic vulnerability scanning and/or penetration testing: $1k-5k, depending on organization size and complexity
- Gap analysis and remediation costs: $1k-10k, depending on the current security program
- Annual HIPAA training for staff: $30-50 per user
- HIPAA compliance readiness assessment: $15k
- Onsite HIPAA compliance audit (if necessary): $40k+
- HIPAA consultant fees: $250-300/hr
Total cost of HIPAA compliance: $25k-100k+
What happens if you are not HIPAA compliant?
If an organization or individual is found to be not HIPAA compliant, several consequences can occur, depending on the nature and extent of the non-compliance:
- Investigations and Audits: The Office for Civil Rights (OCR) within the HHS is responsible for enforcing HIPAA rules. If non-compliance is suspected or a breach is reported, the OCR can initiate an investigation or audit of the covered entity or business associate.
- Fines and Penalties: Non-compliance with HIPAA can result in significant civil monetary penalties. These fines vary based on the level of negligence and can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision. In cases of willful neglect, the penalties are more severe.
- Criminal Charges: In extreme cases, particularly those involving knowing and willful violations of HIPAA rules, criminal charges may be brought against individuals responsible for the non-compliance. Criminal penalties can include fines up to $250,000 and imprisonment for up to ten years.
- Corrective Action Plans: The OCR may require the entity in violation to adopt a corrective action plan to address the compliance issues identified during the investigation or audit, which can include making changes to policies and procedures, staff training, and other measures to ensure compliance.
- Reputational Damage: Beyond legal and financial repercussions, non-compliance with HIPAA can lead to significant reputational damage. Loss of patient or client trust, negative media coverage, and a decline in business can all result from a failure to comply with HIPAA requirements.
