The Ultimate Guide to HIPAA
This guide covers everything you need to know about safeguarding sensitive healthcare information and achieving HIPAA compliance.
Download ebookIf you work for or with healthcare organizations, you know about HIPAA — and you know you can face major HIPAA violations if you fail to comply with its rules and regulations. But what does it mean to be HIPAA compliant, and how do you go about achieving it?
HIPAA legislation was passed in 1996 to address key issues within the US healthcare industry. The Health Insurance Portability and Accountability Act established national standards that make healthcare more accessible, efficient, and secure. Today, all covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates must comply with HIPAA regulations.
What are those regulations, and how can healthcare organizations prove compliance? This article explains what’s required and lays out the 7 key steps to becoming HIPAA compliant.
HIPAA includes a set of rules to help healthcare organizations and their business associates protect the privacy and security of patient data. To become compliant, healthcare organizations must follow five HIPAA rules.
The HIPAA Privacy Rule is a federal law that gives patients rights over their protected health information and limits who can access and disclose protected health information (PHI). It ensures that organizations take the proper steps to secure health information while allowing that information to be shared in a way that promotes high-quality healthcare.
The Security Rule establishes three types of safeguards that organizations must use to secure PHI from unauthorized access: physical, administrative, and technical. Together, these safeguards help ensure patient health information isn’t at risk for a data breach.
The HIPAA Breach Notification Rule requires organizations to notify affected individuals and the Department of Health and Human Services (HHS) when unsecured PHI has been breached. To avoid a HIPAA violation, organizations must send notifications to affected individuals within 60 days of identifying a breach.
This rule defines how investigations into HIPAA complaints and violations are conducted, as well as how fines and penalties for HIPAA violations are determined.
One of the key points of HIPAA legislation is to give patients greater control over who can access their health records and when. Under the Omnibus Rule, covered entities must comply with a patient’s request to access or share their medical records.
This guide covers everything you need to know about safeguarding sensitive healthcare information and achieving HIPAA compliance.
Download ebookWhile HIPAA legislation requires organizations to be proactive about protecting PHI, it doesn’t specify the exact actions covered entities must take. This flexibility allows organizations to decide which safeguards are best suited to their unique needs. A regional hospital system will likely need to have different safeguards in place than a small family clinic, for example.
That said, all organizations will need to follow the same basic process to achieve HIPAA compliance. We outline those steps below.
Under the Security Rule, covered entities are required to complete a HIPAA risk assessment. This risk analysis helps organizations understand their threat landscape, define their risk tolerance, and identify the probability and potential impact of each risk.
During a risk assessment, organizations identify and rank potential threats to their security posture, including human error, technical failures, and natural disasters. Armed with this knowledge, covered entities can build more effective strategies for identifying vulnerabilities, mitigating risks, and improving data security standards.
Both covered entities and business associates are required to complete periodic risk assessments, typically on an annual basis.
HIPAA compliance requirements include three types of safeguards covered entities and business associates must put in place to protect PHI.
Administrative safeguards
Administrative safeguards ensure employees know how to properly access and store PHI. For example, completing security training, reviewing privacy policies, and ensuring staff know how to secure PHI in the event of an emergency.
Physical safeguards
Physical safeguards protect areas that allow physical access to PHI, such as file cabinets and workstations. These can include requiring ID badges to access PHI, locking file cabinets, and ensuring any screens displaying PHI aren’t publically visible.
Technical safeguards
Technical safeguards protect ePHI (PHI that’s stored electronically) from unauthorized access and alteration. Examples include using cybersecurity measures like antivirus software and data encryption.
This compliance officer is responsible for monitoring HIPAA compliance over time. Responsibilities include:
For large organizations managing a vast amount of PHI, these responsibilities are often divided between two different compliance officers: a security officer and a privacy officer.
Proper HIPAA training ensures that all employees handling PHI understand how to protect it and are familiar with HIPAA regulations and rules.
HIPAA rules and regulations can be complex for newcomers, so ensuring all employees who interface with PHI receive proper training is an essential step for compliance. HIPAA training ensures your staff understands their role in upholding security standards and know exactly what steps they should take to keep PHI private and secure.
Under HIPAA, covered entities may only work with business associates and service providers who also comply with HIPAA requirements for protecting PHI. Business Associate Agreements are written agreements that specify each party’s responsibilities surrounding PHI.
According to the Department of Health and Human Services (HHS), a BAA must include:
You’ll need to collect these BAAs, review them on an annual basis, and update them to reflect any changes.
A data breach isn’t always a guaranteed penalty — in some cases, a breach is either unintentional or outside your control to prevent.
Failing to report a breach, on the other hand, is a definite violation of the Breach Notification Rule. This rule requires organizations to report a data breach to the Office for Civil Rights (OCR) and notify any individuals who may have been affected within 60 days.
To be compliant, you’ll need to have a documented breach notification process that defines how your organization will follow this rule. This process should be reviewed and updated on an annual basis by your compliance officer.
In the event of a HIPAA audit or complaint investigation, the OCR will need to review your documentation to verify compliance (or noncompliance). Keep a record of your security and privacy policies, risk assessments, internal audit reports, remediation plans, employee training certificates, business associate agreements, and other documentation related to HIPAA.
Track your company’s progress toward HIPAA compliance with this step-by-step checklist.
Compliance automation solutions make it easier to monitor your HIPAA compliance program by helping you build privacy and security policies, tracking employee training, managing BAAs, and continuously monitoring your safeguards to alert you of any nonconformities.
Schedule a demo to see how Secureframe can simplify your HIPAA compliance today.