Many articles and blog posts mention HIPAA compliance, but what are HIPAA requirements, and what do you have to do to be compliant? What is the security rule? The privacy and breach rule? What does it all mean?
In a previous blog post, we discussed HIPAA compliance. This time we are going to look at the components of the actual HIPAA requirements.
HIPAA stands for the Health Insurance Portability and Accountability Act. Its purpose is to set standards to safeguard medical records and health information provided to covered entities (hospitals, clinics, insurance providers and others). HIPAA also gives patients access to their health records and control over how their confidential information is shared or disclosed.
HIPAA Requirements: the Privacy and Security Rule
Before we get to the requirements, it is important to look at a few HIPAA rules.
HIPAA is vague by design so the requirements can fit across multiple and diverse covered entities. Unfortunately, this lengthy and obtuse language does not help hospitals and clinics that are trying to meet compliance and safeguard patient information.
The HIPAA Security Rule picks up where the HIPAA Privacy Rule leaves off. In other words, the privacy rule establishes national standards to safeguard medical records and personal health information (protected health information, or PHI). The privacy rule governs and describes what constitutes a covered entity, which are health plans, healthcare providers and relevant vendors. The privacy rule also allows patients access to their records and the right to appeal for records corrections.
The HIPAA Security Rule incorporates everything from the Privacy Rule but goes on to regulate how digital health information and private patient information is stored or transferred electronically. The easiest way to think about the HIPAA Security Rule is to consider it the electronic equal of the HIPAA Privacy Rule.
While the security rule can be considered the electronic version of the HIPAA privacy rule, the language and breakdown of the security rule are not so simple. In 2008, the National Institute of Standards and Technology released an introductory resource guide – 117 pages long, in a small font. This imposing document covers only one rule. There are others.
HIPAA Requirements: the Breach Notification Rule
The Breach Notification Rule dictates that covered entities must notify affected individuals, the Department of Health and Human Services (HHS), and sometimes the media in the event of a major data breach.
Here are requirements for this rule:
- Breach notifications must be delivered within 60 days.
- Smaller breaches of 500 people or fewer may be submitted annually to HHS.
- Business associates of a covered entity report only to the covered entity, which then reports as required.
- Notice to the media in cases of a major breach.
Business associates are someone or an organization, other than a covered entity, that carries out tasks or provides services to a covered entity that involve access to PHI. A business associate may even be a subcontractor responsible in some way for the upkeep or transmitting of PHI on behalf of the business associate. Here are common services provided by business associates:
- Billing or claims processing.
- Consulting services.
- Data analysis.
- Financial or legal services.
- Legal services.
A contractor or subcontractor is subject to the same HIPAA requirements, especially the Security Rule. The covered entity must supply the contractor or subcontractor with the following:
- Details about the rules for handling of PHI that the business associate may make.
- Details about the way PHI is used and other disclosures.
- Requirements for the business associate to safeguard the PHI.
HIPAA Compliance Requirements in Simple Terms
Is HIPAA compliance complicated? When one pamphlet is 115 pages of fine print and that pamphlet outlines only a single rule, the answer is yes, HIPAA compliance is complicated. The complications, for the most part, rest in the language, in the deliberate vagueness.
To understand HIPAA requirements, you have to wade through the language to find the point, and, to a degree, the point varies by covered entity. In other words, what applies to you and what applies to a pharmacy or an insurance provider or a business associate?
You maintain appropriate technical and physical safety measures in regards to patient files, if you . . . .
- Do not share patient information with a third party without proper patient authorization.
- Do not destroy files in an inappropriate manner.
- Allow patients to access their PHI.
- Ensure all physical and electronic files are safe.
- Choose a reputable third-party or individual to oversee security implementation.
- Provide workforce training on HIPAA.
- Create and update device security policies including documentation about the transfer, disposal, and recycling of PHI.
- Use contracts with business associates that demonstrate how the associate should handle and secure PHI.
- Keep a signed HIPAA disclosure form in the physical file of each patient.
Lastly, a periodic HIPAA Risk Analysis is in order
- Assessment of the probability and impact of PHI breach risks.
- Implementation of security measures to address risks.
- Documentation that proves the analysis took place and corrective actions are implemented.
HIPAA requirements also include policies, procedures, and other documents that must be kept on hand. In the event of an audit, you want to be able to prove that you have satisfied the requirements. The written copies of security policies and procedures must also show appropriate and required actions in follow up to risk assessments. A covered entity must re-analyze and update its documentation in the event of environmental or organizational transformations that affect the security of PHI.
The following are examples of what should be on hand:
- HIPAA risk management plan and analysis.
- Business associate and commerce agreements.
- Breach response plan.
- HIPAA compliance training log.
- Policies and procedures for the Security, Privacy, and Breach Notification Rule.
HIPAA compliance is a challenge and penalties for non-compliance are steep. Have you done enough to meet the various requirements? Will it hold up to an audit? You may want to start by using this HIPAA compliance checklist and review it often.