What are HIPAA compliance requirements?
HIPAA compliance involves several components. All CEs must meet the following criteria:
All personnel and CEs must receive initial HIPAA compliance training. When HIPAA-related policies or procedures change, retraining should occur within a few days. All involved parties should receive an annual refresher course as well.
HIPAA Privacy Rule
Begin by understanding the HIPAA Privacy Rule and defining its impact on your operations. Track and document your company’s privacy procedures to show understanding and compliance.
HIPAA Security Rule
Train staff on the HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164), which sets the national standards for the protection of electronic PHI (ePHI). The rule applies to all PHI created, collected, used or stored by a CE.
CEs must establish appropriate administrative, technical and physical safeguards. The goal is to protect the integrity, confidentiality and security of all PHI.
Under HIPAA, patients have the right to look at their medical records. They may also obtain a copy (not the original) of their records. Patients must use the Notice of Privacy Practices when requesting records.
PHI Disclosure Rules
CEs can only disclose PHI in the two following situations:
- If the individual or his or her representative requests access to their records
- If the individual or his or her representative requests an accounting of disclosures of the individual’s PHI.
The second involves investigations by the Department of Health and Human Services (HHS). This may involve a review or examination of a covered entity’s compliance. The HHS also uses this information for enforcement actions.
Establish Electronic Safeguards for PHI and ePHI
Breaches may result from improper disposal, hacking, loss, unauthorized access or theft. Physical documents, as well as digital devices and back-end systems, are at risk.
The key is to encrypt everything. Encryption helps prevent thieves from getting usable data. Any unencrypted data is at risk.
One best practice for this? Conduct regular risk assessments of all systems that process, transfer or store ePHI. Look for potential areas of exposure and teach your staff about cybersecurity. Many threats, such as phishing, rely on mistakes by a single staff member.
If a breach occurs, follow these actions:
- Implement your response and mitigation plan
- Take action immediately to stop and contain the attack
- Report the breach to law enforcement
- Submit pertinent cyber threat indicators to federal authorities as well as information sharing & analysis organizations (ISAOs)
- Notify the OCR of any breach that compromises the PHI of at least 500 people. This must take place within 60 days of detecting the breach.
Make sure you practice due diligence when working with CEs or third-party business associates. You may be vulnerable if they are not HIPAA compliant in protecting PHI and ePHI.