A Guide to HIPAA Compliance
What Does HIPAA Stand for?
The HIPAA or Health Insurance Portability and Accountability Act was formed on August 21, 1996, and signed into law by then president, Bill Clinton. It helps to organize and structure rules and regulations regarding online information transfer pertaining to healthcare organizations.
HIPAA started out with two major goals—the first was to maintain health insurance coverage for workers who change or lose their jobs. The second part was to protect patient data from unauthorized access.
We frequently hear about patient data breaches and malware, and how HIPAA works to keep healthcare institutions and their patients safe by structuring their institutions in safer ways such as:
- Reducing data breaches by setting proper digital standards.
- Bringing down the administrative burden of healthcare organizations by modernizing healthcare operations.
- Safeguarding the integrity of financial transactions.
What are HIPAA policies and procedures?
HIPAA has far-reaching security and privacy regulations that you might need to address by understanding, in detail, how HIPAA policies and procedures apply to your business. HIPAA regulations have a pretty wide scope. So, even if your business isn’t directly involved in the healthcare space, you still might have to adhere to HIPAA guidelines by making sure that your business is in alignment with the latest standards.
There’s are four major HIPAA rules, which make up the entire HIPAA regulation:
- HIPAA Privacy Rule: This sets national standards for patient’s rights to their own sensitive health information, including things like content, right to access and more.
- HIPAA Security Rule: This sets the standards for the securing, transmitting and maintenance of sensitive health data.
- HIPAA Omnibus Rule: This is an addendum to the standard regulation and it specifies and clarifies how your business can achieve compliance.
- HIPAA Breach Notification Rule: This specifies how a security breach must be handled, and differentiates between different types of security breaches.
All of the HIPAA privacy standards work together to help protect sensitive health information. When it comes to your business, it’s important to implement the proper protocols to remain compliant.
What do the HIPAA Privacy Rule and HIPAA Privacy Notice mean for your Business?
In order to become HIPAA compliant, your healthcare business must adhere to certain HIPAA regulations. It is essential to know how the Privacy Rule and Privacy Notice work in order to achieve and keep your compliance up to date.
The HIPAA Privacy Notice is part of the HIPAA Privacy Rule. It helps your customers, clients, and users understand how their information is being protected and how they can access it. You will first need to go through the standard HIPAA compliance protocols, before you can effectively create a HIPAA Notice of Privacy Practices and then implement these practices into your own organization.
Here’s a more in-depth breakdown of how the HIPAA Privacy Rule and HIPAA Privacy Notice are related.
The General Privacy Rule
The Privacy Rule states that an individual has a right to know how their health information is being collected, used, and protected. It’s the job of your organization to create a document that organizes these procedures, explains them in common languages, and implements the procedures.
Consent of Notice
The HIPAA Privacy Notice is a plain language document that addresses common privacy concerns like:
- How an individual’s information is being used and disclosed to others.
- The rights an individual has to their own information, including how they can access or provide feedback about their information.
- Legal information that addresses any issues concerning their information, along with the legal rights related to protecting that information.
- Who to get in contact with regarding health-related personal information.
Providing the Notice
The privacy notice needs to be made public and available to any individual who asks to see it. This is in alignment with the HIPAA Privacy Notice distribution requirements. It also includes adding your HIPAA Privacy Notice to your website and providing multiple different formats of the notice, per HIPAA guidelines.
What is the HIPAA Security Rule?
The HIPAA Security Rule will probably be most immediately applicable to your business. This deals with the standards your business must implement to protect and safeguard HIPAA PII or Personally Identifiable Information. HIPAA PII includes any information that can be used to uniquely identify an individual and could be used to harm the person if it were stolen. Some items of HIPAA PII include:
- Place and date of birth.
- Biometric, medical or financial information.
- Mother’s maiden name.
- Passport numbers.
- Criminal history.
What are the HIPAA Security Standards?
The HIPAA standards you must abide by to protect HIPAA PII are spelled out in the HIPAA Security Rule. Here’s a brief look at the three different levels of safeguards you need to have in place:
1. Technical Standards
These standards relate to any technology that’s connected to any health-related data. This will include things like:
- Implementing secure access control systems including usernames, passwords and authentication.
- Adding encryption and decryption mechanisms to ensure that the right people have access to information.
- Recording data and information access.
- Safeguarding data access by implementing procedures such as automatic system log-off.
2. Physical Standards
Whether data is stored on the premises, in the cloud or even at data centers located hundreds of miles away, the storage standards need to be HIPAA compliant. Here’s a look at some of the physical standards you must abide by:
- Safeguards to prevent any unauthorized access to data stored at a physical facility.
- Workstation security protocols to ensure only authorized data access.
- Restrictions or policies surrounding data access from mobile devices.
- A record of system hardware maintenance or replacement, along with data logging.
3. Administrative Standards
The administrative rules bring together both the Privacy and Security aspects of the HIPAA regulation. It involves both the creation and management of a plan to implement the above rules. Here are a few of the elements it should include:
- A contingency plan for continued operation if a breach or data loss occurs.
- A plan to both assign and manage third-party access to data.
- Reporting and minimizing effects of a security breach, if it occurs.
Adhering to the HIPAA Policies and Procedures takes a lot of work, but ensuring your organization is up to the latest standards will help you avoid any fines and keep your customer’s data safe.
How can HIPAA Limited Data Set Increase Data Security?
Technology makes accessing and using medical data easier than ever, but it can also increase the potential exposure of that data if not safeguarded properly.
When data needs to be shared for research or other legitimate purposes, the HIPAA limited data set data use agreement helps to maintain patient privacy. A HIPAA limited data set, is any set of identifiable healthcare data that can be shared with certain third-parties without obtaining prior authorization from patients. This applies only to certain data under certain conditions, such as research, public health uses, or healthcare operations, but there are 16 elements that HIPAA laws require to be removed from limited data sets, such as names, address information and email addresses.
What are the HIPAA Password Requirements?
Creating and implementing secure password standards is the right direction when it comes to implementing HIPAA compliance. HIPAA password requirements help improve the strength of existing passwords, but, if there is a way to improve the strength of passwords across your organization even further, then implement that practice as well. Here are the HIPAA password rules your organization should implement:
- Use a minimum of eight characters: This is the bare minimum, NIST even goes so far as to say your password can be up to 64 characters long.
- Don’t use password hints: Password hints can easily be guessed, especially if they relate to your actual password.
- Don’t keep a physical reminder of your password: Don’t keep any physical hints (or your actual password) written near your computer.
- Don’t use commonly used passwords: Make your password as unique as possible, don’t use combinations like ‘12345678’, or ‘password.'
How do HIPAA Confidentiality Rules Affect Security?
HIPAA compliance makes an organization more secure and results in better experiences for patients and customers. One of the critical methods for ensuring compliance is proper drafting and enforcement of HIPAA confidentiality agreements.
Beyond establishing rules, HIPAA compliance plays out in the actions of employees who could be responsible for data breaches by being careless or failing to abide by policies and standards. How does an organization ensure compliance? HIPAA confidentiality agreements provide the necessary framework.
These agreements can take the form of a simple non-disclosure format that outlines privacy policies in clear language and mirrors HIPAA requirements. A basic and necessary provision would be that employees should never discuss any information about a patient with a non-employee. These agreements, however, should be in place for situations that go beyond employer-employee relationships. HIPAA confidentiality agreements should be executed with vendors, contractors, and business associates under HIPAA.
How can the HIPAA Omnibus Rule Strengthen Data Privacy Laws?
The HIPAA Omnibus Rule was made effective on September 23, 2013, as part of an effort to expand the reach of HIPAA privacy laws. Thanks to the creation of this rule, the Office of Civil Rights is empowered to enforce rules and levy fines in a way that it previously had not been able to do under the original HIPAA laws.
Although the Omnibus Rule sounds like it would be a single rule, it actually is made up of a combination of four interrelated final rules.
Final Rule Requirements
The following changes were made to bring the HIPAA Omnibus Final Rule into existence:
- Adjustments were made to the HIPAA Privacy Rule and HIPAA Security Rule.
- An increased and tiered fine structure was developed in alignment with the HITECH Act as part of the HIPAA Enforcement Rule.
- Changes to breach notification regulations and procedures were made, in accordance with the HITECH Act.
- The Genetic Information Nondiscrimination Act (GINA) that prohibits health plans from disclosing genetic information for underwriting-related purposes was incorporated into the HIPAA Privacy Rule.
If you or your organization handle protected health information, it is vital that you have a solid understanding of the HIPAA Omnibus Rule, so you can ensure that your organization and its employees stay compliant with it. A HIPAA Omnibus Rule checklist helps to better understand the details of the rule.
What is the HIPAA Breach Notification Rule?
The HIPAA Breach Notification Rule, requires HIPAA covered entities and their business associates to provide notification following a breach of protected health information or PHI. A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.
Covered entities are also required to comply with certain administrative requirements with respect to breach notification. For example, covered entities must have in place written policies and procedures regarding breach notification, must train employees on these policies and procedures, and must develop and apply appropriate sanctions against workforce members who do not comply with these policies and procedures.
Following a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate.
How does HIPAA Compliance Impact Cloud Communications Providers?
If your business deals with health-related data, then ensuring you're HIPAA compliant is incredibly important. Non-compliance can lead to penalties and fines, not to mention a loss of customer trust, which can be hard to recover from.
The penalties handed down to organizations that are found to have committed HIPAA violations vary greatly, depending on the severity of the violation and the intent. Non-compliance with HIPAA laws can result in anything from fines to jail time. An unknowing violation can result in anything from $100 per violation to $50,000 per violation. More harsh financial penalties are doled out to those groups that are found to be willfully negligent. The minimum penalty for this type of HIPAA violation is $50,000 per violation and a maximum of $1.5 million annually.
8x8 Can Help You Take the Guesswork out of HIPAA Compliance
HIPAA compliance can be downright scary, with severe ramifications for non-compliance. Read why it’s a good thing to be wary of HIPAA and its complicated rules. The good news for healthcare providers and other related organizations is that utilizing the right tools gives you a tremendous amount of safety in reducing HIPAA violation risk. For example, 8x8 business phone services facilitate secure phone calls and chats among caregivers and other staff or between doctors and patients — while still ensuring that the conversations are private and secure. 8x8 Inc. is a pioneer in modern cloud communication systems and always puts security and HIPAA compliance above all else . Since 8x8 communication services are fully compliant with HIPAA, there is no question of security or compatibility issues. The added layers of security further ensure the integrity and safety of PHIs.