Regulated by the United States Department of Health and Human Services’ Office for Civil Rights (OCR), the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that established national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.
In this post, we will explain the basic concepts involved in the process of becoming HIPAA compliant, outline what you can expect as you work towards compliance, and provide guidance based on our cumulative experience working closely with our customers and auditor partners.
What Constitutes Protected Health Information (PHI)?
PHI is any personal health information that potentially identifies an individual that was created, used, or disclosed in the course of providing healthcare services, including, but not limited to:
- Date of birth
- Social security number
- Payment or billing information
- Medical records (electronic or paper)
Depending on your organization’s function in the healthcare ecosystem, you may be handling PHI either directly or indirectly. While certain organizations have a greater obligation to safeguard patient information under HIPAA, you should be doing your part to ensure that this information is secure and well-protected.
Who Are You?
TL;DR. HIPAA categorizes PHI-handling organizations into three categories: Covered Entities, Business Associates, and Subcontractors. While the specifics differ, all of these organizations must safeguard PHI.
Without getting too existential, before we discuss the specifics of the regulation, we’ll determine whether you are a Covered Entity, a Business Associate, or a Subcontractor.
Covered Entities include:
- Healthcare providers such as hospitals, clinics, doctors offices, pharmacies, and home health agencies.
- Health plans such as government programs that pay for healthcare, health insurance companies, health maintenance programs, and military and veterans’ health programs.
- Healthcare clearinghouses, i.e. organizations that act as the go-betweens for healthcare providers and insurance providers.
If you are a Covered Entity, you are subject to, and legally required to, comply with all the standards set forth by HIPAA.
Particularly given the digital nature of today’s health landscape, Covered Entities do not carry out all their healthcare-related activities and functions by themselves. They often use the services of other organizations, known as Business Associates.
What is a Business Associate?
A Business Associate is an entity that provides services to, or performs certain functions involving the use or disclosure of PHI on behalf of, a Covered Entity.
Examples of organizations considered to be Business Associates include:
- Third-party administrators
- Billing companies
- Cloud service providers
- Data storage firms – electronic and physical records
- EHR providers
- Pharmacy benefits managers
- Claims processors
- Collections agencies
- Medical device manufacturers
In case all of this wasn’t complex enough…
A Business Associate may delegate a function, activity, or service to a Subcontractor.
What is a Subcontractor?
A Subcontractor is an entity to whom a Business Associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of the Business Associate. For example, a Business Associate could hire a media shredding company to securely dispose of printed medical records, or a software developer to work on a part of the platform that handles PHI. Subcontractors can be accountants, attorneys, transcription services, email encryption providers, file sharing vendors, backup storage services, and more.
Business Associates are required to ensure that Subcontractors are implementing and maintaining the systems needed to safeguard PHI.
HIPAA Rules Demystified
TL;DR. There are four rules designed to keep PHI safe and secure, and to properly notify affected parties in case of a data breach.
The HIPAA regulation is composed of four rules: Privacy, Security, Breach Notification, and Omnibus.
The Privacy Rule was developed to:
- Ensure that organizations that create and store health information take appropriate steps to protect this information from misuse or wrongful disclosure.
- Provide individuals with the ability to understand and control how their health information is being used.
Complying with the Privacy Rule assures individuals seeking care that an organization is committed to keeping their information private and secure. Even if they’re not dealing directly with you, these individuals can rely on the HIPAA framework to ensure the privacy of their data across all relevant parties.
The Security Rule protects a subset of information covered by the privacy rule, and sets the standard for the protection of electronically stored and transmitted PHI (ePHI). It does so by requiring the implementation of administrative, technical, and physical safeguards.
Complying with the security rule demonstrates that you are committed to protecting the confidentiality, integrity, and security of ePHI, and have taken the necessary steps to protect your systems from security threats and unauthorized disclosures.
Breach Notification Rule
Any PHI usage or disclosure that isn’t permitted under the Privacy Rule is considered a breach. When a breach occurs, Covered Entities are required to notify affected individuals.
Whether or not you are required to comply with this rule, you can help your Covered Entity customers maintain their compliance by monitoring any impermissible use or disclosure of PHI, and promptly notifying affected parties when a breach is detected. Being transparent is a great way to build trust with your customers. Trust us on this.
The HIPAA Omnibus Rule, which became effective in 2013, contains modifications and edits to the Security, Privacy, Breach Notification Rules and their enforcement. These modifications are intended to enhance confidentiality and security in data sharing, and strengthen the protection of protected health information, especially in electronic form.
One major change is the Omnibus rule makes Business Associates and Subcontractors liable for non-compliance with HIPAA
How do I know if HIPAA applies to me?
TL;DR. Covered Entities must comply with all rules. Otherwise, follow our handy table below to see what’s required and what’s optional. Even if you’re not required to follow a rule, it’s still a good idea if you’re in or working with companies in the healthcare space.
By law, if you are a Covered Entity, you are required to be compliant with the Privacy, Security and Breach Notification Rules.
If you are a Business Associate, you are only required to be compliant with the Security Rule. However, if you’re working with a Covered Entity (or want to), you will need to show reasonable proof that you’re able to safeguard the PHI you receive or create on behalf of the Covered Entity.
Pro Tip for Healthcare Startups
As a startup in the health space, it is important to keep the HIPAA regulations in mind. Identify whether your product is performing a function or service on behalf of a Covered Entity, and then determine whether or not you process any PHI. If either of these is true, we recommend that you plan to comply with the Security Rule, and consider complying with the Privacy and Breach Notification Rules as well.
A Handy-Dandy Cheat Sheet
That’s a lot to take in. If your head is spinning a little, just identify what type of organization you are, and follow this table:
|Breach Notification Rule
|Required (with Covered Entity)
|Required (with Business Associate)
*A HIPAA Business Associate Agreement (BAA) is a contract between a Covered Entity and a vendor (Business Associate or Subcontractor) used by that covered entity, or by a Business Associate and its Subcontractors.
How do I prove compliance?
HIPAA does not require an assessment to be performed, and there is also no such thing as an official HIPAA certification — the OCR does not endorse or recognize any such “certifications” provided by private organizations. There is no standard or implementation specification that requires a covered entity to “certify” compliance. The OCR does not endorse or recognize the ‘certifications’ provided by private organizations. As long as it is done, the regulating body doesn’t care if the HIPAA assessment is performed internally or by an external organization. Though, being evaluated by an independent third-party is still ideal. Some companies may choose to manage compliance internally and that is fine.
If you are seeking to demonstrate HIPAA compliance to your customers and potential customers, there are several options you can consider:
- Conduct a self-assessment against the HIPAA requirements.
- An independent HIPAA gap assessment with a consultant.
- An independent HIPAA compliance attestation report.
Even though it’s not required, an attestation report holds more weight than a self-assessment, so you may want to consider going down this path if you need to demonstrate the highest level of compliance.
What will it cost me to become compliant?
Traditionally, HIPAA can cost anywhere from $20,000 to $75,000 when you factor in the cost of an audit firm as well as internal costs including loss of productivity, staff training, and resources needed to meet specific requirements.
At TrustCloud, we believe compliance shouldn’t cost an arm and a leg. We want to make the readiness and audit process both affordable and simple. We’ve broken the cost down into two areas:
- A compliance automation platform. By automating much of the process, platforms such as TrustOps help you reduce and better manage your internal costs. We’ve developed a transparent and straightforward pricing structure to make it easier for you to manage the overall cost of the program (read: $8,000/year for HIPAA with no hidden consulting fees.)
- An auditor. We’ve developed strong relationships with a number of audit firms. Not only does this mean that they are trained on the platform and know how to evaluate your business, they are also able to pass along sizable discounts as a result of a referral from TrustCloud. HIPAA audit partners in the TrustCloud network charge between $10,000 – $20,000 for HIPAA audits, based on the maturity and complexity of the engagement.
How to prepare for a self-assessment or a gap assessment?
TL;DR. Appoint a compliance and/or security officer to lead the effort. Ensure that the team and yourself understand all the requirements, prepare the appropriate controls and policies, and complete a thorough internal review.
If you’ve been through an audit in the past, you are well aware of how tedious and time-consuming the process can be for you and your team. If not, think of the great joy brought on by lots and lots of spreadsheets.
When pursuing HIPAA compliance, you may want to consider appointing a compliance and/or a security officer to lead the effort. These functions can be done by the same individual, or the work can be divided within the team.
The role of compliance officer will be responsible for developing any required procedures, conducting a risk assessment in coordination with senior management, investigating any incidents resulting in a breach, and reporting when a breach occurs.
The role of security officer will be responsible for developing security policies, conducting training, creating a disaster recovery plan, testing systems, and implementing mechanisms to prevent unauthorized access to PHI.
The process can be broken down into three major components:
- Understanding Requirements
It is important for you to know what constitutes a breach of ePHI, and how to report a breach to the OCR should it occur. You must develop a risk management program, perform a risk assessment, document data management policies, and create security and training plans against these requirements.
- Prepare Materials
In this next phase, you will create a list of controls and policies to adopt, gather required evidence artifacts, document all necessary procedures, and provide adequate training to your team. If you’re a TrustOps user, we’ve got your back. TrustOps helps you automate much of this process, and automatically maps your controls to the Code of Federal Regulations to make it easy for you to assess your systems, policies, and procedures. If you’re not a TrustOps user yet, call us… we’d love to have your back, too.
- Complete Internal Review
Whether or not you choose to do an independent assessment, you must first conduct a thorough internal review to ensure that you are meeting all requirements. The internal audit review you get when you work with us analyzes your gaps against HIPAA (as well as other compliance standards such as SOC 2), and could be used as your self-assessment.
How to choose your independent HIPAA assessor?
If you opt to be independently assessed, you will find that the audit process can be nerve-racking. The auditor will review controls, policies, and other artifacts in your program, verify them against submitted evidence, and conduct tests of their own to ensure that you are meeting the requirements for the HIPAA rule(s) you want to achieve.
Here are a few things you should consider when selecting an auditor:
- Accreditation: An independent attestation report is issued under the AICPA attestation standards, which are designed to allow a CPA firm to determine an organization’s compliance with the HIPAA requirements.
- Find a reputable firm. It doesn’t have to be a brand-name firm. One with a good reputation will suffice. If you need guidance in this area, we’re happy to provide some recommendations.
- Experience matters. An auditor with more experience is likely to have a better and more thorough understanding of HIPAA, how to evaluate your controls against its requirements, and any applicable best practices.
- Fit. Auditors are like snowflakes; no two are alike. It’s important that your auditor understands your business, so they can expertly assess if there are any gaps or deficiencies.
What does the assessor look for?
Auditors are guided by the IIA standard Code of Ethics, which tasks auditors with being independent and objective. The documentation you developed as evidence is seen by an auditor as proof that a particular control exists, and helps them evaluate operational effectiveness (whether or not the control is performing as it should).
Using a combination of techniques, an auditor obtains an in-depth understanding of your program and how it fits into the HIPAA framework. These techniques may include:
- Observation: Observing you perform a task relevant to specific control.
- Inquiry: Interviewing you or your team to learn about a specific process.
- Inspection: Requesting evidence of compliance with a control.
In order to satisfy the auditor’s needs, it’s imperative that documentation is both complete and accurate. The source of the information in the document has to be identified and verified, the content of the document must be written with integrity, and the documentation has to be easily accessible and retrievable for audit purposes. At the end of the day, you want your auditor to come to the same conclusion about the state and health of your information security program as you would. It’s your job to help them come to that conclusion.
Once an auditor has determined that your controls, policies, and procedures meet all applicable requirements, they will give you their stamp of approval. You have now achieved HIPAA compliance. Congratulations!
But… wait. There’s more.
What is a HIPAA violation?
Even after you’ve successfully completed an audit, there is a possibility that you may violate one of the HIPAA rules. A HIPAA violation is the failure to comply with any of the standards outlined in the rules.
The top five common violations that we see in the digital space are:
- Failure to conduct a risk analysis.
- Failure to provide HIPAA and Security Awareness training.
- Failure to maintain and monitor PHI access logs.
- Failure to terminate access rights to PHI when no longer required.
- Failure to document compliance efforts.
What is the cost of a HIPAA violation?
Penalties for HIPAA are applicable to Covered Entities and Business Associates alike. The OCR is currently using a 4 tier system to gauge the level of non-compliance and determine if any financial penalties are to be levied.
Tier 1: Organizations in this tier have made a reasonable amount of effort to comply with HIPAA, but they may not have known about a breach and could not have avoided it. Financial penalties could range from $100 – $50,000 per violation, with a maximum penalty of $25,000 per year.
Tier 2: Organizations in this tier have made a reasonable amount of effort to comply with HIPAA, and were aware, or should have been aware, that a breach occurred. Financial penalties could range from $1000 – $50,000 per violation, with a maximum penalty of $100,000 per year.
Tier 3: A breach occurred as a result of “willful neglect” on the organization’s part. However, attempts have since been made to correct the violation. Financial penalties for organizations in this tier is $10,000 – $50,000 per violation, with a maximum penalty of $250,000 per year.
Tier 4: A breach has occurred as a result of wilful neglect, but no attempts have been made to correct the violation. The financial penalty for organizations that fall into this tier is $50,000 per violation, with a maximum penalty of $1.5 million per year.
What do I do when I become aware of a breach, and how does this affect my compliance status?
Under the HIPAA Breach Notification Rule, you are required to notify relevant parties of any breach. As a first step, you should evaluate the severity of the breach. Once you have the full picture, you have 60 days to notify affected individuals, the OCR, and any other relevant parties. It’s important to note that you must provide these notifications even if you are unsure whether PHI has been compromised. Any violations of the HIPAA Breach Notification Rule will result in financial penalties and in noncompliance. The OCR publishes a list of cases currently under investigation (a bit of public shaming, if you will), and you should make it your goal to never be on it.
Complying with the HIPAA standards, rules, and regulation is an ongoing effort that requires careful monitoring of your information security program against known, suspected, and unknown threats. Maintaining continuous compliance helps you build trust with your customers, proving that safeguarding their information is in your best interest as well as theirs.
And you’re in luck — it just so happens continuous compliance is what we do.