The Health Insurance Portability and Accountability Act (HIPAA) mandates that healthcare facilities (hospitals, clinics, nursing homes, private practices, and so on) that have access to Protected Health Information (PHI) take steps to safeguard the privacy of patients and protect patient data.
Healthcare facilities must ensure that any service they contract out is performed by a HIPAA compliant vendor before the work is outsourced. HIPAA compliance on the part of both partners results in stronger data security.
At WheelHouse IT, we understand the severity of data breaches and unauthorized access to health data. Through our cloud storage service, we help healthcare providers and health maintenance organizations meet their HIPAA obligations in their healthcare operations.
What is HIPAA?
Federal law makes HIPAA, the Health Insurance Portability and Accountability Act, the standard for handling patient data and personal health records. It is a set of regulatory standards, security rules, and privacy protections that organizations must follow when handling sensitive protected health information (PHI). A HIPAA compliance program is a requirement for every covered entity, including doctors’ offices, hospitals, and clinics. Those that do not comply risk breaking the law and bearing civil financial penalties and, in serious cases, criminal penalties.
HIPAA is best known for protecting patients’ privacy and ensuring that patient data, its transmission, and the services that process it are appropriately secured; those requirements were added by the HIPAA Privacy Rule, published in 2000, and the HIPAA Security Rule, published in 2003. The requirement to notify individuals when their unsecured health information is breached was introduced by the Breach Notification Rule in 2009.
The purpose of the HIPAA Privacy Rule was to restrict the allowable uses and disclosures of protected health information, stipulating when, with whom, and under what circumstances health information may be shared. Another vital purpose of the Privacy Rule was to give patients the right to access their own health records on request. The purpose of the HIPAA Security Rule is to ensure that electronic PHI (ePHI) is secured against impermissible disclosure, that access to ePHI is controlled, and that an auditable trail of activity involving PHI is maintained.
The purpose of HIPAA is to improve efficiency in the healthcare industry, improve the portability of health insurance, protect the privacy of patients and health plan members, and ensure health information is kept secure. Patients must be notified of breaches of their health data.
The history of HIPAA
HIPAA was enacted in 1996 when the Health Insurance Portability and Accountability Act was signed into law. It was created to improve the portability and accountability of health insurance coverage for workers who change or lose their jobs. Other goals were to combat waste, fraud, and abuse in health insurance and health care delivery (including fraudulent billing and identity theft), to establish standard identifiers for providers, plans, and employers, and to require adequate safeguards for health information. Over time, with the advancement of health technology, HIPAA became a vehicle for encouraging the healthcare industry to digitize patient records while complying with privacy regulations.
Key HIPAA terms
Protected health information (PHI)
HIPAA regulations apply to “protected health information,” that is, medical information that contains any of several patient identifiers, including name, Social Security number, telephone number, medical record number, or ZIP code. The regulations protect all identifiable health information in any form (electronic, paper-based, oral) stored or transmitted by a covered entity.
Any health care provider, health plan, or clearinghouse that electronically transmits medical information such as billing, claims, enrollment, or eligibility verification must meet HIPAA regulations. Covered entities therefore include medical practices (including solo practices), rehabilitation centers, nursing homes, and public health authorities or universities when they act as providers or health plans. Employers, life insurance agencies, billing agencies, vendors, and service organizations are generally not covered entities in their own right, but they become business associates, bound by the same safeguards, when they create, receive, maintain, or transmit PHI on a covered entity’s behalf.
Covered entities cannot circumvent HIPAA regulations by using a “business associate,” such as a billing service or other agency, to handle their electronic transactions. HIPAA requires covered entities to obtain written assurances, in a business associate agreement, that their business associates and partners have security measures and technology sufficient to avoid accidental disclosure or mishandling of individually identifiable health information. This is known as a “chain of trust” relationship. Business associates must also abide by HIPAA regulations directly, for example by protecting the PHI they hold and by supporting the covered entity’s obligation to give individuals access to their own information.
HIPAA regulations protect an individual’s right to the privacy of their medical information, that is, to keep it from falling into the hands of people who would use it for commercial advantage, personal gain, or malicious harm. The Privacy Rule permits providers to use and disclose PHI for treatment, payment, and health care operations (obtaining a signed consent for these uses is optional), but it requires a separate written authorization from the patient before PHI is used or disclosed for most other purposes (e.g., marketing).
Security refers to a covered entity’s specific efforts to protect the integrity of the health information it holds and prevent unauthorized breaches of privacy, such as might occur if data are lost or destroyed by accident, stolen by intent, or sent to the wrong person in error. Security measures can be physical (e.g., locking rooms and storage facilities), administrative (e.g., policies and procedures covering access to information, user IDs and passwords, and sanctions for violations of these), or technological (e.g., encryption of electronic data and authentication of users logging into a computer system, such as with digital signatures or certificates).
What counts as Protected Health Information (PHI)?
Under HIPAA, PHI is individually identifiable health information such as diagnoses, treatment information, prescription information, and medical test results. The identifiers that tie that information to a person, such as names, birth dates, contact information, identification numbers (Social Security, medical record, or account numbers), and biometric identifiers, fall under HIPAA protection when they accompany health information, as do demographic details such as ethnicity and gender that appear in a patient’s record.
Who Needs to be HIPAA Compliant?
Anyone who works in healthcare or does business with healthcare clients who require health data access must be HIPAA compliant. Organizations include:
- Nursing homes
- Health clinics
If any of these enterprises outsource work (translation, transcription, medical billing, coding, etc.), the company they choose must also be HIPAA compliant. The medical provider or facility is responsible for verifying that it is doing business with a legitimate medical transcription services company rather than a fraudulent foreign-based one.
What Is HIPAA compliance?
To comply with HIPAA, healthcare providers, including physicians, must use administrative, physical, and technical safeguards to protect protected health information (PHI) stored electronically. These safeguards preserve the data’s privacy and security.
HIPAA Privacy and Security Rules infractions can result in financial penalties. Severe breaches of HIPAA privacy can result in criminal penalties, including jail time.
HIPAA security requirements
- Administrative safeguards require conducting ongoing risk analyses to identify vulnerabilities and risks to PHI, and managing those risks through policies, workforce training, and sanctions.
- Physical safeguards are measures that prevent unauthorized physical access to PHI and protect data from disasters such as fire, flooding, and other environmental hazards.
- Technical safeguards are the controls that secure PHI in electronic systems and on networks: access control, audit controls, integrity protection, user authentication, and transmission security.
Many more specific compliance requirements fall under these three safeguard categories.
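As an added illustration of the technical safeguards listed above (this is example code, not code from the original page or from WheelHouse IT), the following Python sketch enforces role-based access with minimum-necessary field filtering and keeps a tamper-evident audit trail of every attempt to read a patient record. The patient record, the roles and their field sets, and the audit key are constructed assumptions for the example; a production system would also encrypt ePHI at rest and in transit, which this sketch does not show.

```python
import datetime
import hashlib
import hmac
import json

# Constructed sample ePHI record for a fictitious patient (not real data).
RECORDS = {
    "MRN-0001": {
        "name": "Jane Doe",
        "dob": "1970-01-01",
        "diagnosis": "Type 2 diabetes",
        "medications": ["metformin"],
        "billing_code": "E11.9",
        "ssn": "000-00-0000",
    }
}

# Minimum-necessary policy: each role sees only the fields its job needs.
# The roles and field sets here are assumptions for this example.
ROLE_FIELDS = {
    "clinician": {"name", "dob", "diagnosis", "medications"},
    "billing": {"name", "billing_code"},
    "receptionist": {"name", "dob"},
}

# Assumed secret; in practice it lives in a secret manager or HSM, never in code.
AUDIT_KEY = b"example-audit-hmac-key"


class AccessDenied(Exception):
    """Raised when a user's role grants no access to the requested record."""


class AuditLog:
    """Append-only audit trail: each entry's HMAC covers the previous entry's
    HMAC, so deleting, reordering, or editing any entry makes verify() fail."""

    def __init__(self, key):
        self._key = key
        self.entries = []      # list of (entry_dict, mac_hex)
        self._prev_mac = b""   # chain head; empty before the first entry

    def _mac(self, entry):
        body = json.dumps(entry, sort_keys=True).encode()
        return hmac.new(self._key, body, hashlib.sha256).digest()

    def record(self, **fields):
        entry = dict(fields)
        entry["time"] = datetime.datetime.now(datetime.timezone.utc).isoformat()
        entry["prev"] = self._prev_mac.hex()
        mac = self._mac(entry)
        self.entries.append((entry, mac.hex()))
        self._prev_mac = mac

    def verify(self):
        """Return True only if every entry is intact and the chain is unbroken."""
        prev = b""
        for entry, mac_hex in self.entries:
            if entry.get("prev") != prev.hex():
                return False
            expected = self._mac(entry)
            if not hmac.compare_digest(expected, bytes.fromhex(mac_hex)):
                return False
            prev = expected
        return True


def access_record(log, user, role, mrn):
    """Return the minimum-necessary view of a record for this role, logging
    every attempt (allowed or denied) to the audit trail."""
    allowed = ROLE_FIELDS.get(role)
    record = RECORDS.get(mrn)
    if allowed is None or record is None:
        log.record(user=user, role=role, mrn=mrn, outcome="denied")
        raise AccessDenied(f"{user} ({role}) may not access {mrn}")
    view = {k: v for k, v in record.items() if k in allowed}
    log.record(user=user, role=role, mrn=mrn, outcome="allowed",
               fields=sorted(view))
    return view


if __name__ == "__main__":
    log = AuditLog(AUDIT_KEY)
    print(access_record(log, "dr.smith", "clinician", "MRN-0001"))
    print(access_record(log, "clerk", "billing", "MRN-0001"))
    try:
        access_record(log, "visitor", "janitor", "MRN-0001")
    except AccessDenied as e:
        print("denied:", e)
    print("audit trail intact:", log.verify())
    log.entries[0][0]["user"] = "someone-else"   # simulate tampering with the log
    print("after tampering:", log.verify())
```

The clinician never sees the Social Security number, the billing clerk never sees the diagnosis, and a role with no entry in the policy is refused; every one of those decisions is written to the chained log, so an investigator can later reconstruct who touched which record and detect if the log itself was edited.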
What is a HIPAA violation?
A HIPAA violation happens when a breach in an organization’s compliance program compromises the integrity of PHI.
Does a breach always mean a violation?
A HIPAA breach does not always mean a violation. A data breach becomes a violation when it results from an ineffective, outdated, or incomplete HIPAA compliance program, or when it involves a direct violation of the organization’s own HIPAA policies. Here are scenarios that help differentiate between a breach and a violation.
- An employee’s laptop containing PHI is stolen. This is a data breach.
- After the theft, it turns out the organization had no policy barring laptops from being taken off-site and no requirement that laptops be encrypted. This is a HIPAA violation.
Some of the most common incidents and behaviors behind HIPAA violations are:
- Stolen devices (laptop, phone, USB)
- Malware incidents
- Office break-in
- Sending PHI to the wrong person
- Social media posts
- Ransomware attack
- Discussion of PHI outside of work
These HIPAA violations fall into several common categories:
- Use and disclosure
- Access controls
- The Minimum Necessary Rule
- Improper security safeguards
- Notice of Privacy Practices
If an organization commits a HIPAA violation and claims it did not know about the incident, it can still be fined; the lowest penalty tier covers violations the organization did not know about and could not reasonably have known about.
Effective HIPAA compliance program
To help organizations make sure all the boxes are ticked for compliance, the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) published compliance program guidance known as “The Seven Fundamental Elements of an Effective Compliance Program.” The elements of an effective compliance program are:
- Implementing written policies, procedures, and standards of conduct
- Designating a compliance officer and compliance committee
- Conducting practical training and education
- Developing effective lines of communication
- Enforcing standards through well-publicized disciplinary guidelines
- Conducting internal monitoring and auditing
- Responding promptly to detected offenses and undertaking corrective action
Investigators use these elements as criteria, so an organization that implements and follows all seven is well placed to demonstrate compliance.
How WheelHouse IT can help you
Working in healthcare can be incredibly demanding, not to mention stressful. Due diligence, such as ensuring compliance, can seem taxing and near impossible because of the time and resources it consumes. Compliance is viewed as a burdensome hassle by most practice managers and healthcare professionals.
Yet these applications now drive the technology in your practice: your clinical operations, and the personnel who use those systems and applications, require process and management. Much of that burden can be carried by an experienced, capable Managed Services Provider (MSP) like WheelHouse IT.
WheelHouse IT helps you focus on running your practice while your staff is more productive than ever before. And while no one can claim to be 100% “HIPAA compliant,” our expert team, which includes six certified security and compliance specialists and six HIPAA certified professionals, focuses on your technology to help protect patient information, reduce your risk of a data breach, and mitigate a threat when one is detected.