Who must be HIPAA compliant?
The HIPAA Rules apply to two groups: covered entities and business associates. A covered entity is a health plan, health care clearinghouse or health care provider who electronically transmit any health information. Examples of covered entities are:
- Health insurance companies
- Company health plans
A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. Examples of business associates (whose services involve access to PHI) are:
- IT providers
- Billing and coding services
For more detailed information on the definition of a covered entity and businesses associate visit HHS website.
HIPAA Privacy Rule
The HIPAA Privacy Rule provides federal protections for personal health information and gives patients rights to their own protected health information (PHI). The Privacy Rule permits the disclosure of PHI needed for patient care and other important purposes. The Privacy Rule applies to all healthcare providers, including those who do not use an EHR system, and includes all mediums: electronic, paper, and oral.
Privacy Rule Basics:
- Spells out administrative responsibilities
- Discusses written agreements between covered entities and business associates
- Discusses the need for privacy policies and procedures
- Describes employer responsibilities to train workforce memebers and implement requirements regarding their use and disclosuer of PHI.
Privacy Rule Examples
- Train all employees on its privacy policies and procedures
- Properly dispose of documents containing protected health information
- Secure medical records with lock and key or pass code
- Create procedure for individuals to know to whom they can submit a complaint about a covered entity's compliance with the Privacy Rule
HIPAA Security Rule
The HIPAA Security Rule requires covered entities, business associates, and their subcontractors to implement safeguards to protect electronic protected health information (ePHI) that is created, received, or maintained. It specifies a series of administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI. Most violations of the HIPAA Security Rule result from businesses not following policies and procedures to safeguard ePHI.
Security Rule Basics:
- Establish a national set of security standards for ePHI
- Protects health information held or transmitted in electronic form
- Requires administrative, physical, and technical safeguards to secure ePHI
- Supports the Privacy Rule requirement to reasonably safeguard PHI in all forms
Security Rule Examples:
- Designate a security officer who is responsible for HIPAA compliance
- Create policies and procedures that explain proper use of workstations and electronic media
- Ensure all employees have unique passwords
- Limit physical access to covered entity's facilities
HIPAA Breach Notification Rule
The Breach Notification Rule requires covered entities, business associates, and their subcontractors to provide notification following a breach of unsecured PHI to affected individuals, the Secretary of Health and Human Services (HHS), and the media (if breach affects more than 500 residents of a state or jurisdiction). The Breach Notification Rule consists of protocols a business must undertake in the event of data compromise.
It includes elements such as:
- What constitutes a breach
- Necessary parties to be notified
- Notification timelines
- Notification methods
- Notification content
- Remediation plan
The Health Information Technology for Economic and Clinical Health (HITECH) Act, passed in 2009, increases noncompliance penalties and incentives for covered entities to implement an EHR. It also extends requirements of the HIPAA Security Rule and some aspects of the HIPAA Privacy Rule to business associates. Covered entities are financially penalized or rewarded.
HIPAA Final Omnibus Rule
The final omnibus rule was passed in January 2013 and became effective in March 2013. The rule is intended to strengthen HIPAA Privacy and Security Rules and Health Information Technology for Economic and Clinical Health (HITECH) Act. The final omnibus rule expands the HIPAA requirements expected of covered entities and business associates and adds subcontractors of business associates that access PHI to the list of organizations that must comply with HIPAA regulations. The rule requires a modification of business associate agreements to include requirements from the final omnibus rule. The final omnibus rule also includes a compliance date of September 23, 2013 for covered entities, business associates and subcontractors of business associates. So time to comply is up!
The Health Information Technology for Economic and Clinical Health (HITECH) Act and HIPAA final omnibus rule provide additional guidance and authority for the Office of Civil Rights (OCR) to enforce HIPAA compliance through audits and financial penalties.
HHS HIPAA compliance audits have begun. HHS Office for Civil Rights Director Leon Rodriguez said, “These changes [omnibus rule] not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections.” The main form of enforcement is an audit. HIPAA compliance audits can be triggered by one of five ways:
- Self reported data breach (required under Breach Notificaton Rule)
- Complaints to the HHS by patients
- Complaints to the HHS by current or ex-employees
- Data breach of over 500 patient records
- Random targets chosen by HHS
Audits are one way the HHS identifies HIPAA violations. Once identified, the HHS then determines how to penalize covered entities, business associates, and potentially their subcontractors for noncompliance. The penalties outlined below are per day and per violation. This means that if you have multiple violations you could potentially get fined up to $50,000 per day for each violation until the violation is resolved. The following chart summarizes compromise and/or noncompliance penalties.
|Violation Category||Penalty||Total Per Calendar Year|
|A. Did not know||$100 - $50,000||$1,500,000|
|B. Reasonable Cause||$1,000 - $50,000||$1,500,000|
|C. i. Willful Neglect - Corrected||$10,000 - $50,000||$1,500,000|
|C. ii. Willful Neglect - Not Corrected||$50,000||$1,500,000|
A. Did not know
$100 - $50,000
Total Per Calendar Year:
B. Reasonable Cause
$1,000 - $50,000
Total Per Calendar Year:
C. i. Willful Neglect - Corrected
$10,000 - $50,000
Total Per Calendar Year:
C. ii. Willful Neglect - Not Corrected
Total Per Calendar Year:
Risk Analysis and Risk Management
The HHS directs covered entities, business associates, and their subcontractors to “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.” HHS HIPAA Security Rule.
To use a medical analogy, a HIPAA security risk analysis is the examination and testing you use to make a diagnosis. Just as you use a diagnosis and other clinical data to create a treatment plan, you will use the risk analysis to create a risk management plan. However, without the diagnosis you cannot properly treat the problem, or in this case to become HIPAA compliant.
The risk analysis process is designed to accomplish two things:
- Identify potential security risks of an organization
- Determine the likelihood and potential impact of these risks
“Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with [the General Requirements of the Security Rule].” HHS HIPAA Security Rule.
To continue with the medical analogy, after the diagnosis or HIPAA security risk analysis, it is essential to create a treatment plan. A diagnosis without a treatment plan is not only ineffective, but also irresponsible. The risk management plan is essential to effectively secure protected health information (PHI) and to become HIPAA compliant.
The risk management process is designed to accomplish two things:
- Implement security measures
- Evaluate and maintain security measures