What Do I Need to Do to Be HIPAA Compliant?
HIPAA Knowledge Hub
Learn how you can safeguard private data with our HIPAA compliant checklist
Rather than being a “set it and forget it” situation, staying HIPAA compliant is an ongoing, concerted effort for healthcare facilities. Continual compliance was already difficult enough, but today’s advancements, many fueled by the pandemic, have made the process even more challenging.
As more mobile devices, telehealth, and other technologies enter the scene, risks increase and prevention plans get more complex. It’s a lot for companies to manage.
Are you struggling with organizational HIPAA compliance? Are you looking for a better way to manage ongoing compliance in your company? Let’s take a step back and answer a few questions to guide your process:
- Why is it important to be HIPAA compliant?
- What are HIPAA compliance requirements?
- How long must HIPAA records be retained?
- Do you have technical safeguards in place?
- How best to modernize your HIPAA compliance?
Many companies are now using regulatory compliance software platforms to improve security. Keep reading to learn about strategies to meet HIPAA standards.
Why is it Important to be HIPAA Compliant?
First, we should answer the question: what is HIPAA compliance? The U.S. passed The Health Insurance Portability and Accountability Act (HIPAA) in 1996. Its purpose is to protect the privacy of patient medical records.
The Privacy Rules Standards associated with HIPAA passed in December 2000. It applies to the use and disclosure of all protected health information (PHI). This involves all PHI seen by care providers, doctors and hospitals. Health plans and third parties, called “covered entities” (CEs), must also follow the law.
The Office of Civil Rights (OCR) enforces this Rule. And not following these rules can get expensive for your company. HIPAA violations and repeat offenses carry the following annual maximums in fines based on the circumstances:
Many different scenarios can lead to HIPAA breaches. One of the most common causes involves inadequate or lack of risk assessments. This can cause insufficient PHI access control and intentional or accidental PHI sharing.
Other examples include PHI snooping, inadequate access logging or insecure PHI disposal. Not encrypting PHI can lead to improper handling, unauthorized disclosure and data breaches as well. One breach could lead to another violation, which can add up to costly fines.
What are HIPAA Compliance Requirements?
HIPAA compliance involves several components. All CEs must meet the following criteria:
All personnel and CEs must receive initial HIPAA compliance training. When HIPAA-related policies or procedures change, retraining should occur within a few days. All involved parties should receive an annual refresher course as well.
HIPAA Privacy Rule
Begin by understanding the HIPAA Privacy Rule and defining its impact for your operations. Track and document your company’s privacy procedures to show understanding and compliance.
HIPAA Security Rule
Teach about the HIPAA Security Rule 45 CFR Part 160 and Subparts A and C of Part 164. This sets the national standards for the protection of electronic PHI (ePHI). The rule applies to all PHI created, collected, used or stored by a CE.
CEs must establish appropriate administrative, technical and physical safeguards. The goal is to protect the integrity, confidentiality and security of all PHI.
Under HIPAA, patients have the right to look at their medical records. They may also obtain a copy (not the original) of their records. Patients must use the Notice of Privacy Practices when requesting records.
PHI Disclosure Rules
CEs can only disclose PHI in the two following situations:
- If the individual or his or her representative requests access to their records.
- If the individual or his or her representative requests an accounting of disclosures of the individual’s PHI.
The second involves investigations by the Department of Health and Human Services (HHS). This may involve a review or examination of a covered entity’s compliance. The HHS also uses this information for enforcement actions.
Establish Electronic Safeguards for PHI and ePHI
Breaches may result from improper disposal, hacking, loss, unauthorized access or theft. Physical documents, as well as digital devices and back-end systems, are at risk.
The key is to encrypt everything. Encryption helps prevent thieves from getting usable data. Any unencrypted data is at risk.
One best practice for this? Conduct regular risk assessments of all systems that process, transfer or store ePHI. Look for potential areas of exposure and teach your staff about cybersecurity. Many threats, such as phishing, rely on mistakes by a single staff member.
If a breach occurs, follow these actions:
- Implement your response and mitigation plan.
- Take action immediately to stop and contain the attack.
- Report the breach to law enforcement.
- Submit pertinent cyber threat indicators to federal authorities as well as information sharing & analysis organizations (ISAOs)
- Notify the OCR of any breach that compromises the PHI of at least 500 people. This must take place within 60 days of detecting the breach.
Make sure you practice due diligence when working with CEs or third-party business associates. You may be vulnerable if they aren’t HIPAA compliant with protecting PHI and ePHI.
How Long Must HIPAA Records be Retained?
Every state establishes its own laws for how long you must keep medical records. All CEs must adhere to their state laws.
While HIPAA doesn’t address medical record retention, it does cover HIPAA-related documents. CFR §164.316(b)(1) and (2) mandates that CEs must keep HIPAA compliance policies and procedures. This includes records of actions taken, activities, or assessments.
Under this rule, you must keep these documents for at least six years. This timeline starts with the document creation date.
For policies, it’s from the last effective date. In this case, HIPAA rules override state laws with shorter document retention times.
Do You Have Technical Safeguards in Place?
All ePHI must meet NIST standard encryption when leaving internal firewall servers. This makes the data unreadable, unusable, and undecipherable if hacked. The National Institute of Standards and Technology (NIST) includes several steps:
First, search for cybersecurity risks that could disrupt critical functions. This allows the organization to understand the cyber risks to their sensitive information and capabilities.
Establish Protective Measures
The next action is to develop relevant safeguards for critical infrastructure services. This allows the organization to establish protection against cyberattacks.
Create an Early Detection System and Rapid Response
It’s vital for businesses to detect early signs of probing or breaches. Develop protocols for rapid response to these alerts. This will help stop, mitigate, or contain losses if a breach occurs.
Your business’s cybersecurity plan must include a recovery strategy. If an attack happens, how will you quickly restore services and capabilities? Conduct follow-up evaluations and implement process improvement to prevent future breaches.
Maintaining HIPAA Compliance with Increased Technology
The COVID-19 pandemic added to the increasing use of technology in healthcare. While this is not necessarily a new issue for CEs as they strive to protect PHI, now there’s more ePHI in use. The following provides some examples of potential IT HIPAA risk areas:
How Best to Modernize Your HIPAA compliance?
Software solutions are available to help with compliance management, like Onspring. This can make it easier for your business to meet all HIPAA standards. When shopping for the right technology tool, find one that automates the process capabilities.
Managing risk for a successful compliance program includes completing a risk assessment searching for weaknesses. The software tool you choose should categorize each process, risk, and other data elements and assign each an owner.
Over time, third-party reputations, relationships, operations and risks will change. Your platform should capture, relate & analyze each of those changes as well as automatically assign risk remediation tasks based on the impact on your security stance. Your system should allow you to control all access by user, role and group.
The ideal solution provides you with analytics in a format that is easy to understand and delivered with coordinating action items. This data may be provided on live, interactive dashboards.
The platform may integrate reports with other third-party or business unit data feeds. PDF and Excel spreadsheets are also used to provide the information and analysis.