Failing to meet HIPAA regulations comes with severe consequences. These can include civil and/or criminal penalties with years in jail, fines to pay, loss of credibility, and a damaged reputation that would be nearly impossible to reestablish.
According to the U.S. Department of Health and Human Services Office for Civil Rights breach report, there were 418 HIPAA breaches in 2019, and 34.9 million Americans had their personal health information (PHI) compromised. To put this into perspective, that is nearly 10 percent of the U.S. population in a single year of breaches.
With this being said, it is crucial for the healthcare industry and the organizations that support it to maintain HIPAA compliance. But how do you become HIPAA compliant and ensure that your organization won’t become another data breach statistic? Well, it starts with learning the ins and outs of HIPAA from the bottom up.
With so many moving parts that are consistently evolving in complexity, we wanted to take this time to break it down for you. Read along for everything you need to know about achieving HIPAA compliance internally and partnering with organizations that do so as well.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) was formed in 1996 with the original intent of helping individuals at risk of losing their health insurance when changing jobs, and those with pre-existing health conditions. Over the years, HIPAA has expanded. It is now a federal law that requires certain standards to be upheld by healthcare organizations and the companies supporting them, to protect the sensitive data of their patients.
HIPAA ensures patient accounts, medical records, and billing information fall subject to the highest standards in documentation and privacy. It also allows patients to access their own records and maintain the ability to make changes to them, if needed.
It makes sense though, right? It should be the main priority of a healthcare provider to keep the personal information of their patients secure, private, and stored away where no one else can access it.
This is why HIPAA isn’t just an option anymore. With HIPAA being essential for the healthcare vertical, two critical rules have come along to clearly address the security and privacy factors.
HIPAA Privacy Rule
The HIPAA Privacy Rule defines which personal health information (PHI) must be protected and how that private information can be used and disclosed. Any of the following is considered private information:
- Dates relating to patients’ information
- Medical records
- Social Security number
- Finger or voice prints
- Any unique identifying number
In other words, if your organization has access to PHI, HIPAA applies to you.
HIPAA Security Rule
The HIPAA Security Rule contains all the standards that must be applied to patients’ electronic personal health information (ePHI). Whether the ePHI is being created, accessed, processed, or stored, it must be properly secured. The rule also applies to any system or party that has access to ePHI.
In order to meet this rule, there are three types of safeguards that you need to implement:
- Administrative: This safeguard encompasses the policies and procedures that help protect against a breach. This includes the documentation process, roles and responsibilities, training requirements, data maintenance, and more.
- Physical: This safeguard makes sure that data is physically and properly protected. This includes security systems, video surveillance, the location of computers, and even locking doors and windows in the event of a trespasser looking to commit a theft.
- Technical: This safeguard includes the technology that protects the data from unauthorized access. The decision of what type of technical safeguard to use is up to the covered entity. The most common is to encrypt your data. If you do decide to encrypt your data, make sure it is feasible and you have a trusted service provider that can help you through this process.
Where Do You Fall Under HIPAA?
Now that you understand the background of HIPAA and the rules that come along with it, the next step is to recognize your role in these requirements. There are two types of entities that organizations fall under, both with unique HIPAA standards to meet.
HIPAA defines “Covered Entities” as health plans, healthcare clearinghouses, and healthcare providers who electronically transmit health information in connection with transactions for which HHS has adopted standards.
- Health plans: These include, but are not limited to, health insurance companies, health maintenance organizations (HMOs), employer-sponsored health plans, and government programs that fund healthcare.
- Healthcare clearinghouses: These include organizations that process nonstandard health information to conform to standards for data content, or vice versa, on behalf of other organizations.
- Health care providers: These include people who submit electronic HIPAA transactions, such as claims. These providers often consist of doctors, clinics, dentists, chiropractors, and pharmacies.
Business Associates are entities that assist covered entities in performing their functions, mostly dealing with ePHI. Examples of business associates are:
- Third-party administrator that assists with claims processing
- Consultant that performs reviews for hospitals
- Service provider that helps with risk management, information security, audit preparedness, and support
Healthcare companies, vendors, or providers who qualify as a business associate are required to sign a HIPAA Business Associate Agreement (BAA). This agreement must provide detailed information explaining how the business associate will respond to a breach of any kind, should it occur. The BAA must also outline how the business associate will respond to an audit by the Office for Civil Rights (OCR).
Having a BAA is more important than ever for covered entities and their business associates. When selecting a partner, it is crucial to look at the standards they have already achieved. Some key ones to seek out include HITRUST, HIPAA, PCI DSS, SSAE/SOC, NIST 800-53, ISO 27001, and ISO 20000-1.
If you are considering partnering with a technology provider that doesn’t meet these requirements, you’ll need to ask them some serious questions about the safeguards and processes they have in place. They should be able to present all of the documentation you need; otherwise, be wary.
How Does my Organization Become HIPAA Compliant?
There are no given steps in the HIPAA rule on how to become HIPAA compliant. It is up to the organization on where and how to start. However, there are best practices to follow and important facts to know in order to meet regulations. Here are three key steps you can take:
Step 1: Educate Your Employees
Most leaders still believe that threats to their PHI come only from outside. In reality, one of the greatest lurking dangers is actually the employees, volunteers, and other internal players who could knowingly (or unknowingly) cause you serious harm.
One of the most common insider threats is human error. With healthcare workers already having a lot on their plate, security best practices tend to take a backseat, which can cause detrimental consequences. In fact, Kroll reported that human error was the cause of approximately 90 percent of data breaches received by the Information Commissioner’s Office (ICO) between 2017 and 2018.
Not only should HIPAA-related protocols be in place to train employees and vendors, but ongoing courses should be implemented to keep security education top-of-mind. One of the main topics should be how to handle PHI and the risk associated with certain behaviors. In the long run, the benefits of these courses will far outweigh the financial and time resources invested.
With regard to the question of how often HIPAA training is required, the Privacy Rule and Security Rule both offer suggestions without mandating specific timeframes. According to the Privacy Rule, HIPAA training is required for “each new member of the workforce within a reasonable period of time after the person joins the Covered Entity’s workforce” and also when “functions are affected by a material change in policies or procedures” – again within a reasonable period of time.
Step 2: Conduct Regular Risk Assessments
Healthcare organizations should get in the practice of conducting risk assessments to evaluate the likelihood of a breach and then apply the corrective measures. Always test your policies and procedures while also making sure your business associates do the same. These risk assessments should help you determine where a breach could occur, the weaknesses in your system, and of course feedback on where and how to improve.
Step 3: Explore HIPAA Compliant Hosting
When operating in healthcare, it is common to hire a hosting provider who can take away some of the headaches that come with meeting the HIPAA regulations. When looking for a compliant hosting provider, we recommend verifying in depth that they have achieved top-level storage security. Here are some key factors you should keep in mind when selecting a hosting provider:
- Does this hosting provider have compliance and security experts on their team?
- Does this hosting provider have secure offsite backup offerings?
- Does this hosting provider have the ability to facilitate an auditor’s risk assessment in the environment that houses ePHI?
- Does this hosting provider have experience with healthcare customers?
- Does this hosting provider offer private cloud solutions?
Go a Step Above the Competition with LightEdge’s HIPAA Compliant Services
LightEdge has HIPAA secure data center locations at our Des Moines, Kansas City, Omaha, Austin, and Raleigh facilities. With LightEdge, you can achieve auditable HIPAA compliance. Given our expertise working with healthcare organizations, our data center and hosting solutions provide you with the confidence you need to meet HIPAA requirements.
LightEdge offers a free risk assessment from our Chief Security Officer and Chief Compliance Officer as a resource to all of our customers. Compliance and security are top priorities to guarantee that your data is protected. While there is no certification for HIPAA, LightEdge has successfully undergone a third-party examination against the HIPAA Security Rule and has been issued a Type 1 AT 101 letter of attestation confirming our alignment with HIPAA safeguards. LightEdge is also compliant with:
If you are interested in getting a risk-free assessment from our healthcare experts, a tour of any of our HIPAA compliant data centers, or to learn more about LightEdge’s Compliance as a Service, contact us here. We have cloud hosting security and compliance experts standing by to answer any of your questions.
If you want to learn more about HIPAA compliance, download our two e-books, Patient Privacy and Data Security: Utilizing IT Vendors to Meet HIPAA Compliance and Avoid, and How to Deploy a Secure Compliant Cloud for Healthcare.