In Part 1 of this HIPAA Compliance Basics series, we looked at HIPAA history, and we defined Protected Health Information (PHI) and electronic Protected Health Information (ePHI).
We also compared covered entities to business associates, and we summarized the four main HIPAA rules.
With that HIPAA knowledge in place, let’s look at the HIPAA compliance requirements.
HIPAA compliance means protecting PHI/ePHI by meeting the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and all its additions, amendments, and rules.
This raises the obvious question: what exactly are the requirements?
The binding requirements live in the HIPAA rules themselves, but HHS training materials spell out what an effective compliance program has to contain, so we don't have to guess at its structure.
The HHS tipsheet "The Seven Fundamental Elements of an Effective Compliance Program" breaks it down as follows:
1. Implementing written policies, procedures, and standards of conduct.
2. Designating a compliance officer and compliance committee.
3. Conducting effective training and education.
4. Developing effective lines of communication.
5. Conducting internal monitoring and auditing.
6. Enforcing standards through well-publicized disciplinary guidelines.
7. Responding promptly to detected offenses and undertaking corrective action.
Let’s sample a few of these fundamental elements and dig deeper.
Thorough documentation is a staple of any HIPAA compliance program.
Covered entities and business associates alike must document all HIPAA compliance efforts, including policies, procedures, risk analyses, and the decisions behind them. A security committee should review and update all documentation at least once a year to account for business, process, and staffing changes, and the Security Rule requires that required documentation be retained for six years from its creation or the date it was last in effect, whichever is later. Documentation should be clear and should be tailored to the intended audience and their job function.
If documentation and review are half the battle, the other half is training.
Review and update training programs as policies, systems, and threats change. To keep training fresh and memorable, use different approaches such as stories and real-life examples. Completing training and signing an acknowledgment should be a job requirement, and leadership should receive the same training as other employees.
Entities should obtain acknowledgments from staff that they:
• Have attended training
• Understand the training
• Will abide by the documented policies, procedures, and standards
Like documentation, monitoring and logging are essential to HIPAA compliance.
Monitor the administrative, technical, and physical safeguards and log their operation so you know their current status and can fix problems as they emerge. It is especially important to record all access to PHI/ePHI: the Security Rule's audit control standard requires mechanisms that record and examine activity in systems that contain or use ePHI, and those records are what let you answer who accessed which records and when.
Audit the controls annually to find HIPAA compliance gaps. Internal self-audits are useful, but third-party audits can add validation, value, and trust to the auditing process.
After auditing, fix gaps with remediation plans. These plans should include full documentation with timelines to completion.
In the event of a data breach at a covered entity or business associate, the breach details must be fully documented, including what was exposed, how, and who was affected. Here, the Breach Notification Rule goes into effect.
Depending on the number of individuals affected, notification may be owed to individuals, the media, and HHS. Affected individuals must be notified without unreasonable delay and no later than 60 days after discovery; a breach affecting 500 or more individuals must also be reported to HHS within that window, and prominent media outlets must be notified if more than 500 residents of a state or jurisdiction are affected. Smaller breaches are logged and reported to HHS annually. HIPAA compliant entities should create systems to track complaints and resolutions and should take corrective action without delay.
HIPAA violations are failures or infringements of a HIPAA compliance program that threaten PHI/ePHI.
HIPAA (as amended by the HITECH Act) categorizes civil violations into four tiers with corresponding fines per violation. The figures below are the base statutory amounts; HHS adjusts them annually for inflation, and penalties for identical violations are capped per calendar year.
• The entity was unaware of the violation and could not reasonably have known of it - $100 minimum to $50,000 maximum fine.
• The entity knew or should have known of the violation, but the failure falls short of willful neglect - $1,000 minimum to $50,000 maximum fine.
• The violation was due to willful neglect, but it was corrected within 30 days of the entity knowing or having reason to know of it - $10,000 minimum to $50,000 maximum fine.
• The violation was due to willful neglect and was not corrected within 30 days - $50,000 minimum fine.
The more common HIPAA violations include:
• Theft of equipment that contains PHI/ePHI
• Hacking, ransomware, or malware
• Leaking PHI/ePHI to social media
• Sending PHI/ePHI to the wrong recipient
HIPAA compliance is mandatory for covered entities and business associates. Ignoring the administrative, technical, and physical safeguards that protect PHI/ePHI can lead to HIPAA violations, breaches, fines, and even jail time.
Streamworks’ HIPAA compliance program reflects best practices for data protection. It also builds trust with our clients.
In the upcoming Part 3 of this series, we’ll take HIPAA compliance to the next level by looking at third party validation, namely Streamworks’ SOC 2 Type 2 + HITRUST Opinion.
If you're in the healthcare industry, HIPAA compliant secure mail is critical. Make sure that you're working with a vendor that you can trust with your sensitive data by using our FREE Secure Marketing Communications Checklist. Learn more below.