HIPAA 101

If your organization deals with electronic Protected Health Information (ePHI), we highly recommend that you review our HIPAA compliance guidelines for 2018-2019. The reason behind our HIPAA compliance guidlines is to ensure that your organization is in compliance with the HIPAA regulations that cover the security and privacy of confidential patient data.

If you fail to comply with these HIPAA regulations, it may result in substantial fines being issued and criminal charges and civil action lawsuits being filed in the case of an ePHI breach occurring. Additionally, there are also regulations covering breach reporting to the OCR and the issuing of breach notifications to patients which you need to be aware of.

If you ignore HIPAA regulations, this is not considered to be a justifiable defense by the Office for Civil Rights of the Department of Health and Human Services (OCR). The OCR has the ability to issue fines for non-compliance regardless of whether the violation was inadvertent or was as a result of willful neglect.

Our HIPAA compliance guidelines have been created through dissecting the HIPAA Security and Privacy Rules, HIPAA Omnibus Rule, HIPAA Enforcement Rule and the HIPAA Breach Notification Rule.

Our HIPAA Compliance Guidelines

Our HIPAA compliance guidelines have been divided into segments for each of the applicable rules. It is worth noting that there is no hierarchy in HIPAA regulations, and even though the regulations may refer to privacy and security measures as “addressable”, this does not mean they are optional. Each of the criteria in our HIPAA compliance guidelines has to be complied with if your organization is to be fully HIPAA compliance.

HIPAA Compliance

Before looking at the elements of our HIPAA compliance guidelines, many of you may be wondering the answer to the question “What is HIPAA compliance?” HIPAA compliance means fulfilling the requirements of the Health Insurance Portability and Accountability Act of 1996, its subsequent amendments, and any related legislation such as the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Now that we know what HIPAA compliance, the next important question that needs answering is “What are the HIPAA compliance requirements?” This question is the more difficult of the two as, in certain sections, the requirements of HIPAA are intentionally vague. The reason behind this is so HIPAA can be applied to every different type of Covered Entity or Business Associate that deals with Protected Health Information (PHI) equally.

HIPAA Requirements

Despite HIPAA requirements being intentionally vague in nature, every Covered Entity and Business Associate that has access to PHI must ensure:

  • the technical, physical and administrative safeguards are in place and followed
  • that they adhere to the HIPAA Privacy Rule in order to protect the integrity of PHI
  • that in the case of a breach of PHI occurring, they adhere to the procedure in the HIPAA Breach Notification Rule

All risk assessments, HIPAA-related policies and reasons why addressable safeguards have not been implemented must be recorded in the event of a PHI breach occurring. In this event, an investigation will also take place to establish how the breach occurred. All of the HIPAA requirements are explained in further detail below. Businesses uncertain of their obligation to comply with the HIPAA requirements should seek professional advice to be sure.

HIPAA Security Rule

The HIPAA Security Rule contains the rules that must be applied to protect ePHI, both when it is at rest and in transit. The rules apply to anybody or any system that has access to confidential patient data. What is meant by ‘access’ is the means necessary to read, write, communicate or modify ePHI or personal identifiers which reveal the identity of an individual (e.g. name, telephone number, email, etc).

There are three main sections to the HIPAA Security Rule – these are technical safeguards, physical safeguards and administrative safeguards. We will talk about each of these in order in our HIPAA compliance guidelines.

Technical Safeguards

The Technical Safeguards concern the technology that is used to protect ePHI and provide access to the data. The only stipulation is that ePHI – whether at rest or in transit – must be encrypted to NIST standards once it travels beyond an organization´s internal firewalled servers. This is so that any breach of confidential patient data renders the data unreadable, undecipherable and unusable. Thereafter organizations are free to select whichever mechanisms are most appropriate to:

Implementation Specification Required or Addressable Further Information
Implement a means of access control Required Not only is this a means of assigning a unique username and PIN code for each user that is centrally-controlled, it also is a means of establishing procedures to control the release or disclosure of ePHI during an emergency.
Introduce a mechanism to authenticate ePHI Addressable This mechanism is crucial in order to adhere to HIPAA regulations as it confirms whether ePHI has been altered or destroyed in a way that was unauthorized.
Implement tools for encryption and decryption Addressable This section relates to the devices used by authorized users. These must have the functionality to encrypt messages when they are sent beyond an internal firewalled server, and also decrypt those messages when they are received.
Introduce activity logs and audit controls Required The audit controls that are necessary under the technical safeguards are in place to register attempted access to ePHI and record what is done with that data once it has been accessed.
Facilitate automatic log-off of PCs and devices Addressable This function logs authorized personnel off the device they are using to access or communicate ePHI after a certain period of time that is pre-defined. The reason behind this is to prevent unauthorized access of ePHI should the device be left unattended.

Physical Safeguards

The Physical Safeguards focus around the physical access to ePHI, regardless of its location. ePHI could be stored in a number of locations such as a remote data center, on servers which are located within the premises of the HIPAA covered entity, or indeed in the cloud. Furthermore, they also control how workstations and mobile devices are secured against unauthorized access:

Implementation Specification Required or Addressable Further Information
Facility access controls must be implemented Addressable This function controls who has physical access to the location where ePHI is stored, including software engineers, cleaners, etc. The procedures also require the inclusion of safeguards to prevent unauthorized physical access, tampering, and theft.
Policies for the use/positioning of workstations Required Policies must also be implemented to restrict the use of workstations that have access to ePHI, to specify the protective surrounding of a workstation and control how functions are to be carried out at these workstations.
Policies and procedures for mobile devices Required If users have permission to access ePHI from their mobile devices, policies must be devised and implemented to control how ePHI is removed from the devices if the user leaves the organization or the device is re-used, sold, misplaced, etc.
Inventory of hardware Addressable An inventory of all hardware with ePHI access must be maintained, matched with a record of the movements of each piece of hardware. An exact copy of ePHI that is easily retrievable must be made before any equipment is moved.

Administrative Safeguards

The Administrative Safeguards are the policies and procedures that bring together the Privacy Rule and the Security Rule. These safeguards are the essential elements of HIPAA compliance guidelines. They require that a Privacy Officer and a Security Officer be assigned to put the measures in place to protect ePHI, while also governing the conduct of the workforce.

The OCR pilot audits determined that risk assessments are the major reason for non-compliance with Security Rule. Risk assessments will be checked thoroughly in the second phase of the audits. This is not just to ensure that the organization in question has conducted one, but also to ensure they are comprehensive and a regular occurrence. A risk assessment is not a one-time requirement, but a regular task necessary to ensure continued compliance.

The administrative safeguards are as follows:

Implementation Specification Required or Addressable Further Information
Conducting risk assessments Required One of the Security Officer´s primary tasks is the creation of a risk assessment to identify every area in which ePHI is being used, and to determine any ways in which breaches of ePHI could occur.
Introducing a risk management policy Addressable The risk assessment must be repeated at regular intervals with methods introduced to reduce the risks to an appropriate level. A penalties policy for employees who fail to adhere to HIPAA regulations should also be introduced.
Training employees to be secure Required Training schedules must be implemented to raise awareness of the policies and procedures governing access to ePHI and how to identify malicious software attacks. All training should be documented.
Developing a contingency plan Addressable In the case of an emergency, a contingency plan must be at the ready to ensure the continuation of critical business processes while protecting the integrity of ePHI during the course of the organization operating in emergency mode.
Testing of contingency plan Required The contingency plan must be tested periodically to assess the relative criticality of specific applications. There must also be accessible backups of ePHI and procedures to restore lost data in the event of an emergency.
Restricting third-party access Addressable It is essential to ensure ePHI is not accessed by unauthorized parent organizations and that Business Associate Agreements are signed with all business partners who will have dealings with ePHI.
Reporting security incidents Required The reporting of security incidents is different from the Breach Notification Rule, due to incidents being contained and data retrieved before the incident ever develops into a breach.

The reason “required” safeguards and the “addressable” safeguards on the HIPAA compliance checklist differ is that “required” safeguards must be implemented whereas there is a certain amount of leeway with “addressable” safeguards. If the implementation of an “addressable” safeguard is not reasonable to implement as it appears on the HIPAA compliance checklist, covered entities have the option of introducing an appropriate alternative, or in certain cases not introducing the safeguard at all.

This will depend on factors such as the entity’s risk analysis, risk mitigation strategy and other security measures that the entity already have in place. The decision must be documented and include all the factors that were considered, as well as the results of the risk assessment, on which the decision should be based.