If your organization has access to electronic Protected Health Information (ePHI), you should review your Health Insurance Portability and Accountability Act (HIPAA) compliance checklist. The purpose of a HIPAA compliance checklist is to help ensure that your organization complies with the HIPAA regulations covering the security and privacy of confidential patient data.
Failure to comply with HIPAA regulations can result in substantial fines being issued, criminal charges and civil action lawsuits being filed should a breach of ePHI occur. There are also regulations you need to be aware of covering breach reporting to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the issuing of breach notifications to patients.
Ignorance of HIPAA regulations is not considered a justifiable defense by the OCR. The OCR will issue fines for non-compliance regardless of whether the violation was inadvertent or resulted from willful neglect.
What is HIPAA Compliance?
HIPAA sets the standard for protecting sensitive patient data. Companies that deal with Protected Health Information (PHI) must have physical, network, and process security measures in place and follow them to ensure HIPAA compliance. Covered entities (anyone providing treatment, payment, and operations in healthcare) and business associates (anyone who has access to patient information and provides certain services to a covered entity) must meet HIPAA compliance requirements. Other entities, such as subcontractors and any other related business associates, must also comply.
The question that typically follows “What is HIPAA compliance?” is “What are the HIPAA compliance requirements?” Unfortunately, that question is not as easy to answer. This is because the requirements of HIPAA are intentionally vague in certain places. This is so HIPAA can be applied equally to every different type of covered entity or business associate that handles PHI.
The HIPAA Privacy and Security Rules
According to HHS, the HIPAA Privacy Rule establishes national standards for the protection of certain health information. Additionally, the Security Rule establishes a national set of security standards for protecting specific health information that is held or transferred in electronic form.
The Security Rule operationalizes the Privacy Rule’s protections by addressing the technical and non-technical safeguards that covered entities must put in place to secure individuals’ ePHI. Within HHS, the OCR is responsible for enforcing the Privacy and Security Rules through voluntary compliance activities and monetary civil penalties.
Despite the intentionally vague HIPAA requirements, every covered entity and business associate that has access to PHI must ensure not only that the technical, physical, and administrative safeguards are in place but also that they are being followed. Moreover, these entities must comply with the HIPAA Privacy Rule in order to protect the integrity of PHI, and – if a breach of PHI should occur – that they follow the procedure in the HIPAA Breach Notification Rule.
The Need for HIPAA Compliance
HHS points out that HIPAA compliance is more important than ever now – especially as health care providers and other entities responsible for PHI move to computerized operations, including computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems. Similarly, health plans provide access to claims as well as care management and self-service applications. While all these electronic methods provide increased efficiency and mobility, they also drastically increase the security risks facing healthcare data.
The Security Rule is in place to protect the privacy of individuals’ health information, while at the same time allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. The Security Rule, by design, is flexible enough to allow a covered entity to implement policies, procedures, and technologies that are suited to the entity’s size, organizational structure, and risks to patients’ and consumers’ ePHI.
The Security Rule contains the standards that must be applied to safeguard and protect ePHI when that data is at rest and in transit. The rules apply to anybody or any system that has access to confidential patient data. By “access” we mean having the means necessary to read, write, modify or communicate ePHI or personal identifiers that reveal the identity of an individual.
As alluded to earlier, there are three parts to the Security Rule – technical safeguards, physical safeguards, and administrative safeguards – that covered entities and business associates need to address in their HIPAA compliance checklist.
The technical safeguards concern the technology that is used to protect ePHI and provide access to the data. The only stipulation is that ePHI – whether at rest or in transit – must be encrypted to the National Institute of Standards and Technology (NIST) standards. This is to ensure the information is unreadable, undecipherable, and unusable should a breach of this confidential patient data ever occur. Thereafter, organizations are free to select whichever mechanisms are most appropriate to:
- Implement a means of access control
- Introduce a mechanism to authenticate ePHI
- Implement tools for encryption and decryption
- Introduce activity logs and audit controls
- Facilitate automatic log-off of PCs and devices
The physical safeguards focus on physical access to ePHI, irrespective of its location. ePHI could be stored in a remote data center, in the cloud, or on servers that are located within the premises of the HIPAA covered entity. They also stipulate how workstations and mobile devices should be secured against unauthorized access:
- Implement facility access controls
- Establish policies for the use and positioning of workstations
- Establish policies and procedures for mobile devices
- Maintain an inventory of hardware
The administrative safeguards are the policies and procedures which bring the Privacy Rule and the Security Rule together. They are the pivotal elements of a HIPAA compliance checklist and require that a Security Officer and a Privacy Officer be assigned to put the measures in place to protect ePHI, while they also govern the conduct of the workforce.
The audits conducted by OCR have identified risk assessments as the major area of Security Rule non-compliance. Healthcare providers need not only to conduct an assessment but also to ensure these assessments are comprehensive and ongoing. This means that a risk assessment is not a one-time requirement but a regular task necessary to ensure continued compliance.
The administrative safeguards include:
- Conducting risk assessments
- Introducing a risk management policy
- Training employees in security awareness
- Developing a contingency plan
- Testing the contingency plan
- Restricting third-party access
- Reporting security incidents
Incident Reporting: Breach Notification Rule
The HIPAA Breach Notification Rule requires covered entities to notify patients when there is a breach of their ePHI. The Breach Notification Rule also requires entities to promptly notify the HHS of such a breach of ePHI and issue a notice to the media if the breach affects more than 500 patients.
There is also a requirement to report smaller breaches – those affecting fewer than 500 individuals – via the OCR web portal. These smaller breach reports should ideally be made once the initial investigation has been conducted. The OCR only requires these reports to be made annually.
Breach notifications to patients should include the following information:
- Brief description of the breach, including date of breach and date of discovery.
- Types of unsecured PHI that were involved.
- Steps individuals should take to protect themselves from harm resulting from the breach.
- Description of what the entity is doing to investigate the breach, mitigate harm, and protect against further breaches.
- Contact information for individuals to ask questions or learn about the breach.
Breach notifications must be made without unreasonable delay and in no case later than 60 days following the discovery of a breach. When notifying a patient of a breach, the covered entity must inform the individual of the steps they should take to protect themselves from potential harm, and must include a brief description of what the covered entity is doing to investigate the breach and the actions taken so far to prevent further breaches and security incidents.
Penalties: HIPAA Enforcement Rule
The HIPAA Enforcement Rule governs the investigations that follow a breach of ePHI, the penalties that could be imposed on covered entities responsible for an avoidable breach of ePHI and the procedures for hearings. Although not part of a HIPAA compliance checklist, covered entities should be aware of the following penalties:
- A violation attributable to ignorance can attract a fine of $100 – $50,000.
- A violation that occurred despite reasonable vigilance can attract a fine of $1,000 – $50,000.
- A violation due to willful neglect which is corrected within thirty days can attract a fine of between $10,000 and $50,000.
- A violation due to willful neglect which is not corrected within thirty days can attract a fine of $50,000. Fines can amount to as much as $1,500,000 for additional identical violations within the same year.
It should be noted that the penalties for willful neglect can also lead to criminal charges being filed. The most common causes of ePHI breaches are:
- Misuse and unauthorized disclosure of patient records.
- No protection in place for patient records.
- Patients being unable to access their own records.
- Using or disclosing to third parties more than the minimum necessary protected health information.
- No administrative or technological safeguards for electronic protected health information.
How to Become HIPAA Compliant
So, what is the easiest way to become HIPAA compliant?
You will certainly need to use a HIPAA compliance checklist to make sure your organization, product, or service incorporates all the technical, administrative, and physical safeguards of the HIPAA Security Rule. You must also adhere to the requirements of the HIPAA Privacy and Breach Notification Rules.
The good news is that, in order to assist entities that need to comply with HIPAA, NIST has published SP 800-66 Rev. 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. This publication maps the Security Rule to other NIST publications. More specifically, the requirement for data encryption, either in transit or at rest, maps to controls SC-12 and SC-13 of NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations.
Furthermore, organizations that are required to be HIPAA compliant can also consult the HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework. This crosswalk maps each administrative, physical, and technical safeguard standard and implementation specification in the HIPAA Security Rule to a relevant NIST Cybersecurity Framework Subcategory. Organizations that have already aligned their security programs to either the NIST Cybersecurity Framework or the HIPAA Security Rule may find this crosswalk helpful as a starting place to identify potential gaps in their programs. Addressing these gaps can bolster their compliance with the Security Rule and improve their ability to secure ePHI and other critical information and business processes. This mapping document also allows organizations to communicate activities and outcomes regarding their cybersecurity program, internally and externally, by using the Cybersecurity Framework as a common language.
If you get anything wrong and fail to safeguard ePHI, then as a HIPAA business associate you can be fined directly for HIPAA violations by the HHS’ Office for Civil Rights, state attorneys general, and other regulators. Criminal charges may also apply to some violations. HIPAA compliance can, therefore, be daunting, although the potential benefits of moving into the healthcare market are considerable.
To ensure you cover all elements on your HIPAA compliance checklist, it is worthwhile seeking expert guidance from HIPAA compliance experts. Find out how ITEGRITI can help your company become HIPAA compliant.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of ITEGRITI, Inc.