A Guide to HIPAA Compliance
What Does HIPAA Stand for?
HIPAA, the Health Insurance Portability and Accountability Act, was enacted on August 21, 1996, when it was signed into law by then-President Bill Clinton. It organizes and structures the rules and regulations governing the electronic transfer of information by healthcare organizations.
HIPAA started out with two major goals: the first was to maintain health insurance coverage for workers who change or lose their jobs, and the second was to protect patient data from unauthorized access.
We frequently hear about patient data breaches and malware. HIPAA works to keep healthcare institutions and their patients safe by requiring those institutions to be structured in safer ways, such as:
- Reducing data breaches by setting proper digital standards.
- Bringing down the administrative burden of healthcare organizations by modernizing healthcare operations.
- Safeguarding the integrity of financial transactions.
What are HIPAA policies and procedures?
HIPAA has far-reaching security and privacy regulations, and you may need to understand in detail how HIPAA policies and procedures apply to your business. HIPAA regulations have a wide scope, so even if your business isn’t directly involved in the healthcare space, you still might have to adhere to HIPAA guidelines and keep your business in alignment with the latest standards.
There are four major HIPAA rules, which together make up the entire HIPAA regulation:
- HIPAA Privacy Rule: This sets national standards for patients’ rights over their own sensitive health information, including the content of that information, the right to access it, and more.
- HIPAA Security Rule: This sets the standards for securing, transmitting and maintaining sensitive health data.
- HIPAA Omnibus Rule: This is an addendum to the standard regulation and it specifies and clarifies how your business can achieve compliance.
- HIPAA Breach Notification Rule: This specifies how a security breach must be handled, and differentiates between different types of security breaches.
All of the HIPAA privacy standards work together to help protect sensitive health information. When it comes to your business, it’s important to implement the proper protocols to remain compliant.
What do the HIPAA Privacy Rule and HIPAA Privacy Notice mean for your Business?
In order to become HIPAA compliant, your healthcare business must adhere to certain HIPAA regulations. It is essential to know how the Privacy Rule and Privacy Notice work in order to achieve and keep your compliance up to date.
The HIPAA Privacy Notice is part of the HIPAA Privacy Rule. It helps your customers, clients, and users understand how their information is being protected and how they can access it. You will first need to go through the standard HIPAA compliance protocols, before you can effectively create a HIPAA Notice of Privacy Practices and then implement these practices into your own organization.
Here’s a more in-depth breakdown of how the HIPAA Privacy Rule and HIPAA Privacy Notice are related.
The General Privacy Rule
The Privacy Rule states that an individual has a right to know how their health information is being collected, used, and protected. It’s the job of your organization to create a document that organizes these procedures, explains them in plain language, and implements them.
Content of the Notice
The HIPAA Privacy Notice is a plain language document that addresses common privacy concerns like:
- How an individual’s information is being used and disclosed to others.
- The rights an individual has to their own information, including how they can access or provide feedback about their information.
- Legal information that addresses any issues concerning their information, along with the legal rights related to protecting that information.
- Who to get in contact with regarding health-related personal information.
Providing the Notice
The privacy notice needs to be made public and available to any individual who asks to see it. This is in alignment with the HIPAA Privacy Notice distribution requirements. It also includes adding your HIPAA Privacy Notice to your website and providing multiple different formats of the notice, per HIPAA guidelines.
What is the HIPAA Security Rule?
The HIPAA Security Rule will probably be most immediately applicable to your business. This deals with the standards your business must implement to protect and safeguard HIPAA PII or Personally Identifiable Information. HIPAA PII includes any information that can be used to uniquely identify an individual and could be used to harm the person if it were stolen. Some items of HIPAA PII include:
- Place and date of birth.
- Biometric, medical or financial information.
- Mother’s maiden name.
- Passport numbers.
- Criminal history.
What are the HIPAA Security Standards?
The HIPAA standards you must abide by to protect HIPAA PII are spelled out in the HIPAA Security Rule. Here’s a brief look at the three different levels of safeguards you need to have in place:
1. Technical Standards
These standards relate to any technology that’s connected to any health-related data. This will include things like:
- Implementing secure access control systems including usernames, passwords and authentication.
- Adding encryption and decryption mechanisms to ensure that the right people have access to information.
- Recording data and information access.
- Safeguarding data access by implementing procedures such as automatic system log-off.
2. Physical Standards
Whether data is stored on the premises, in the cloud or even at data centers located hundreds of miles away, the storage standards need to be HIPAA compliant. Here’s a look at some of the physical standards you must abide by:
- Safeguards to prevent any unauthorized access to data stored at a physical facility.
- Workstation security protocols to ensure only authorized data access.
- Restrictions or policies surrounding data access from mobile devices.
- A record of system hardware maintenance or replacement, along with data logging.
3. Administrative Standards
The administrative rules bring together both the Privacy and Security aspects of the HIPAA regulation. They cover both the creation and the management of a plan to implement the above rules. Here are a few of the elements that plan should include:
- A contingency plan for continued operation if a breach or data loss occurs.
- A plan to both assign and manage third-party access to data.
- Reporting and minimizing effects of a security breach, if it occurs.
Adhering to the HIPAA policies and procedures takes a lot of work, but ensuring your organization is up to the latest standards will help you avoid fines and keep your customers’ data safe.
How can HIPAA Limited Data Set Increase Data Security?
Technology makes accessing and using medical data easier than ever, but it can also increase the potential exposure of that data if not safeguarded properly.
When data needs to be shared for research or other legitimate purposes, the HIPAA limited data set data use agreement helps to maintain patient privacy. A HIPAA limited data set is a set of identifiable healthcare data that can be shared with certain third parties without obtaining prior authorization from patients. This applies only to certain data under certain conditions, such as research, public health uses, or healthcare operations, and there are 16 elements that HIPAA requires to be removed from a limited data set, such as names, address information and email addresses.
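As an added example (not code from the original article), the following Python function builds a limited data set from a patient record by removing the 16 direct identifiers HIPAA lists (going beyond the three the text names) and keeping only an explicit allow-list of permitted fields, so an unexpected column is dropped rather than leaked. The field names and the sample record are assumptions; map them to your own schema.

```python
"""Produce a HIPAA limited data set from a patient record (added example).

Field names such as "mrn" or "street_address" are assumptions for the
constructed sample record below, not a standard schema.
"""

# The 16 direct identifiers HIPAA requires removed from a limited data set.
LDS_DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address",
    "biometric", "full_face_photo",
}

# Fields a limited data set may retain: dates and partial geography
# (city, state, zip) are permitted, unlike in a fully de-identified set.
LDS_PERMITTED = {
    "city", "state", "zip", "date_of_birth", "admission_date",
    "discharge_date", "diagnosis", "procedure",
}


def to_limited_data_set(record):
    """Return a copy of the record containing only permitted fields.

    Deny-by-default: a field must be on the allow-list and must not be a
    direct identifier, so an unknown column (e.g. "nickname") is dropped.
    """
    return {k: v for k, v in record.items()
            if k in LDS_PERMITTED and k not in LDS_DIRECT_IDENTIFIERS}


def leaked_identifiers(record):
    """List any direct identifiers still present, for a release-time check."""
    return sorted(k for k in record if k in LDS_DIRECT_IDENTIFIERS)


# Constructed sample record with fictional values.
SAMPLE_RECORD = {
    "name": "Jane Doe", "mrn": "MRN-000001", "email": "jane@example.com",
    "street_address": "1 Example St", "city": "Springfield", "state": "IL",
    "zip": "62701", "date_of_birth": "1970-01-01",
    "admission_date": "2023-03-04", "diagnosis": "J18.9",
    "ip_address": "192.0.2.10", "nickname": "JD",
}

if __name__ == "__main__":
    lds = to_limited_data_set(SAMPLE_RECORD)
    # Refuse to release the set if any direct identifier survived.
    assert not leaked_identifiers(lds), leaked_identifiers(lds)
    print(lds)
```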
What are the HIPAA Password Requirements?
Creating and implementing secure password standards is a step in the right direction when it comes to implementing HIPAA compliance. The HIPAA password requirements help improve the strength of existing passwords, but if there is a way to improve password strength across your organization even further, implement that practice as well. Here are the HIPAA password rules your organization should implement:
- Use a minimum of eight characters: This is the bare minimum, NIST even goes so far as to say your password can be up to 64 characters long.
- Don’t use password hints: Password hints can easily be guessed, especially if they relate to your actual password.
- Don’t keep a physical reminder of your password: Don’t keep any physical hints (or your actual password) written near your computer.
- Don’t use commonly used passwords: Make your password as unique as possible, don’t use combinations like ‘1