If you work for or with healthcare organizations, you know about HIPAA — and you know you can face major HIPAA violations if you fail to comply with its rules and regulations. But what does it mean to be HIPAA compliant, and how do you go about achieving it?
HIPAA legislation was passed in 1996 to address key issues within the US healthcare industry. The Health Insurance Portability and Accountability Act established national standards that make healthcare more accessible, efficient, and secure. Today, all covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates must comply with HIPAA regulations.
What are those regulations, and how can healthcare organizations prove compliance? This article explains what’s required and lays out the 7 key steps to becoming HIPAA compliant.
HIPAA regulations, rules, and requirements
HIPAA includes a set of rules to help healthcare organizations and their business associates protect the privacy and security of patient data. To become compliant, healthcare organizations must follow five HIPAA rules.
The HIPAA Privacy Rule
The HIPAA Privacy Rule is a federal law that gives patients rights over their protected health information and limits who can access and disclose protected health information (PHI). It ensures that organizations take the proper steps to secure health information while allowing that information to be shared in a way that promotes high-quality healthcare.
The HIPAA Security Rule
The Security Rule establishes three types of safeguards that organizations must use to secure PHI from unauthorized access: physical, administrative, and technical. Together, these safeguards help ensure patient health information isn’t at risk for a data breach.
The HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule requires organizations to notify affected individuals and the Department of Health and Human Services (HHS) when unsecured PHI has been breached. To avoid a HIPAA violation, organizations must send notifications to affected individuals within 60 days of identifying a breach.
The HIPAA Enforcement Rule
This rule defines how investigations into HIPAA complaints and violations are conducted, as well as how fines and penalties for HIPAA violations are determined.
The HIPAA Omnibus Rule
One of the key points of HIPAA legislation is to give patients greater control over who can access their health records and when. Under the Omnibus Rule, covered entities must comply with a patient’s request to access or share their medical records.
7 steps to achieving HIPAA compliance
While HIPAA legislation requires organizations to be proactive about protecting PHI, it doesn’t specify the exact actions covered entities must take. This flexibility allows organizations to decide which safeguards are best suited to their unique needs. A regional hospital system will likely need to have different safeguards in place than a small family clinic, for example.
That said, all organizations will need to follow the same basic process to achieve HIPAA compliance. We outline those steps below.
Step 1: Conduct a security risk assessment
Under the Security Rule, covered entities are required to complete a HIPAA risk assessment. This risk analysis helps organizations understand their threat landscape, define their risk tolerance, and identify the probability and potential impact of each risk.
During a risk assessment, organizations identify and rank potential threats to their security posture, including human error, technical failures, and natural disasters. Armed with this knowledge, covered entities can build more effective strategies for identifying vulnerabilities, mitigating risks, and improving data security standards.
Both covered entities and business associates are required to complete periodic risk assessments, typically on an annual basis.
Step 2: Implement safeguards
HIPAA compliance requirements include three types of safeguards covered entities and business associates must put in place to protect PHI.
Administrative safeguards ensure employees know how to properly access and store PHI. For example, completing security training, reviewing privacy policies, and ensuring staff know how to secure PHI in the event of an emergency.
Physical safeguards protect areas that allow physical access to PHI, such as file cabinets and workstations. These can include requiring ID badges to access PHI, locking file cabinets, and ensuring any screens displaying PHI aren’t publically visible.
Technical safeguards protect ePHI (PHI that’s stored electronically) from unauthorized access and alteration. Examples include using cybersecurity measures like antivirus software and data encryption.
Step 3: Designate a HIPAA compliance officer
This compliance officer is responsible for monitoring HIPAA compliance over time. Responsibilities include:
- Ensuring security and privacy policies are followed and enforced
- Managing privacy training for employees
- Completing periodic risk assessments
- Developing security and privacy processes
- Investigating any security incidents or suspected/confirmed data breaches
- Reporting breaches when required
- Creating a disaster recovery plan
- Ensuring the organization is has properly implemented the Security Rule’s administrative, physical, and technical safeguards
For large organizations managing a vast amount of PHI, these responsibilities are often divided between two different compliance officers: a security officer and a privacy officer.
Step 4: Complete HIPAA training for all staff that interface with PHI
Proper HIPAA training ensures that all employees handling PHI understand how to protect it and are familiar with HIPAA regulations and rules.
HIPAA rules and regulations can be complex for newcomers, so ensuring all employees who interface with PHI receive proper training is an essential step for compliance. HIPAA training ensures your staff understands their role in upholding security standards and know exactly what steps they should take to keep PHI private and secure.
Step 5: Collect Business Associate Agreements (BAAs)
Under HIPAA, covered entities may only work with business associates and service providers who also comply with HIPAA requirements for protecting PHI. Business Associate Agreements are written agreements that specify each party’s responsibilities surrounding PHI.
According to the Department of Health and Human Services (HHS), a BAA must include:
- A description of when PHI is either permitted or required to be used by the Business Associate
- Assurance that the Business Associate will not use or disclose PHI outside of what’s either permitted in the agreement or required by law
- A requirement that the Business Associate implement appropriate safeguards to protect PHI against unauthorized access or disclosure
You’ll need to collect these BAAs, review them on an annual basis, and update them to reflect any changes.
Step 6: Establish a breach notification process
A data breach isn’t always a guaranteed penalty — in some cases, a breach is either unintentional or outside your control to prevent.
Failing to report a breach, on the other hand, is a definite violation of the Breach Notification Rule. This rule requires organizations to report a data breach to the Office for Civil Rights (OCR) and notify any individuals who may have been affected within 60 days.
To be compliant, you’ll need to have a documented breach notification process that defines how your organization will follow this rule. This process should be reviewed and updated on an annual basis by your compliance officer.
Step 7: Document evidence of compliance
In the event of a HIPAA audit or complaint investigation, the OCR will need to review your documentation to verify compliance (or noncompliance). Keep a record of your security and privacy policies, risk assessments, internal audit reports, remediation plans, employee training certificates, business associate agreements, and other documentation related to HIPAA.
HIPAA compliance checklist for 2023
Track your company’s progress toward HIPAA compliance with this step-by-step checklist.
Faster, easier HIPAA compliance with Secureframe
Compliance automation solutions make it easier to monitor your HIPAA compliance program by helping you build privacy and security policies, tracking employee training, managing BAAs, and continuously monitoring your safeguards to alert you of any nonconformities.
Schedule a demo to see how Secureframe can simplify your HIPAA compliance today.