What Are HIPAA Compliance Requirements?
The healthcare industry has become a primary target for thieves, who see patient data as a lucrative source of bank account information, credit card information, Medicare and Medicaid fraud, and identity theft. As HHS Office for Civil Rights data shows, healthcare data breaches have surged in the past decade, swelling from 199 breaches reported in 2010 to 344 in 2017, with an increase nearly every year in between.
The growing threat to healthcare data makes it imperative for organizations entrusted with patients’ information to do due diligence in safeguarding it through HIPAA compliance. Here are some basics you and your organization need to know about HIPAA compliance requirements, why you can’t afford not to comply with HIPAA regulations, and how to go about ensuring that your organization is HIPAA compliant.
What Is HIPAA? What Does It Do?
The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to enact a number of reforms to healthcare. One title of the act focuses on preventing healthcare fraud and abuse, and includes
- a Privacy Rule that covers protected health information (PHI) in both physical and electronic form;
- a Security Rule to protect electronic protected health information (EPHI); and
- rules covering other areas, such as a Breach Notification Rule.
The Privacy Rule regulates use and disclosure of PHI, limiting when healthcare data may be shared, how much may be shared, and when sharing requires the patient’s written permission. The Security Rule requires specific administrative, physical, and technical safeguards for protecting EPHI.
These rules apply to healthcare providers, health plans, and healthcare clearinghouses. By extension, they can also apply to “business associates” of healthcare providers. These include healthcare subcontractors, companies that transmit healthcare data, electronic prescription software vendors, patient safety organizations, accountants, medical transcriptionists, pharmacists, attorneys, and others. In other words, your organization may be affected even if it only interacts with the healthcare industry indirectly.
Consequences of Non-Compliance
HIPAA enforcement imposes hefty fines for non-compliance. Fines can range from $100 to $50,000 per violation or per record, with steeper fines imposed for willful negligence, up to a maximum of $1.5 million per year per violation. For example, Cignet Health was fined $4.3 million after the U.S. Department of Health and Human Services Office of Civil Rights found the company guilty of violations as well as failing to comply with investigators.
Criminal charges can also be applied in some circumstances. As of July 2018, the HHS OCR had imposed penalties in 55 cases totaling over $78 million in fines.
How to Be HIPAA Compliant
HIPAA compliance requirements are complex, and there is no shortcut to becoming HIPAA compliant. To achieve compliance, a first step is to review the entire text of HIPAA, which the HHS has simplified into a 115-page administrative summary. You may find it easier to wade through the long regulatory document if you use a HIPAA compliance checklist, like the one provided by HIPAA Journal.
A complete checklist will cover all areas of HIPAA regulations, including the Privacy Rule and the three major areas of the Security Rule, as well as other areas, such as rules for notifying patients in the event of a data breach. For best results, work with an experienced third-party HIPAA compliance solution provider who can walk you through all the items on your checklist, as well as ones you may not have considered.
HIPAA Compliance and Business Phone System Providers
One important item that’s easy to overlook on your HIPAA compliance checklist is your phone system security. Today an increasing number of phone systems are handled by VoIP, which is transmitted over the Internet and is as susceptible to attackers as other Internet communications. Additionally, a growing number of companies in the healthcare industry provide customer service through automated interactive voice response (IVR) systems, which can also be targeted by attackers.
To avoid having your data compromised through your phone system, it’s vital to use a phone system provider that delivers HIPAA compliant services. Look for products that provide strong security for information stored in the cloud, including instant messages, a potential security vulnerability typically overlooked by other providers. Other marks of a reputable phone system provider are third-party validation of the company's HIPAA compliance and a willingness to sign business associate agreements with HIPAA covered entities and other business associates. 8x8 leads the field in delivering HIPAA compliant virtual office and virtual contact center solutions for customers in the healthcare industry and related industries.
Ensure HIPAA Compliance
HIPAA regulations are designed to protect healthcare patients, but following them can also protect your company from costly fines, lawsuits, and even criminal penalties. The best way to ensure your organization is HIPAA compliant is to work with a third-party compliance solution provider in implementing a HIPAA compliance checklist. One important item your checklist should include is your business phone system. For more information about how HIPAA compliance requirements affect your business phone service, download 8x8’s white paper, “Why HIPAA Compliance Should Scare You and What You Should Ask Your Business Phone Service Provider NOW.”
When it comes to security, 8x8 provides reliable and compliant cloud solutions at a demanding level rarely seen by other cloud providers. Don't take your chances with a subpar cloud-based telecom system. Call 1-866-879-8647 or fill out our online form to request a no-obligation quote from an 8x8 Product Specialist.