HIPAA Compliance Crash Course
A quick guide on the Health Insurance Portability and Accountability Act
Anyone performing a service with access to patient records must remain in compliance with HIPAA at all times. Although it’s a term most commonly associated with the healthcare industry, it directly impacts many other types of organizations too.
Most of you are probably familiar with the term HIPAA and its duty to protect your private information, but do you understand the rules and regulations that come along with it on the provider side? Let’s dive into a HIPAA Compliance Crash Course just to make sure we’ve removed any uncertainty.
What is HIPAA?
Let’s start with the basics before we dive deeper into HIPAA compliance. What is HIPAA? HIPAA stands for the Health Insurance Portability and Accountability Act. According to the U.S. Department of Health and Human Services (HHS), this act states that the Secretary of HHS is responsible for publicizing the standards for the electronic exchange, privacy and security of health information.
All HIPAA Rules apply to both covered entities and business associates. Here’s who falls under each of these buckets:
A covered entity, as defined under HIPAA, includes a health plan, a healthcare clearinghouse or a healthcare provider that electronically transmits protected health information (PHI). Breaking down covered entities even further:
Health Plan: This includes health insurance companies, health maintenance organizations (HMOs), company health plans and government programs that pay for healthcare (e.g. Medicare, Medicaid and military or veteran programs).
Healthcare Clearinghouse: These are entities that process nonstandard health information they receive from another entity into a standard electronic format or vice versa.
Healthcare Provider: This encompasses clinicians like doctors or nurses, specialists like psychologists, dentists or chiropractors and facilities like hospitals, skilled nursing facilities and pharmacies.
A business associate is a person or entity that provides a service to a covered entity that involves accessing PHI maintained by the covered entity. Before the business associate has access to PHI, they must sign a contract that specifies which PHI they can access, how the PHI can be used and that it will be returned or destroyed once they have completed the service they are hired to perform. Examples of business associates include accountants, billing companies and lawyers.
Now that we’ve covered who is required to comply with HIPAA regulations, let’s dive into the rules as defined by the HHS:
The Privacy Rule
The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral. This is what people most commonly think of when they hear ‘HIPAA’, and its most basic purpose is to protect all your personal information.
The specific “individually identifiable health information”, or protected health information (PHI), that is outlined in this rule includes:
The patient’s past, present or future physical health, mental health or medical conditions
The treatments or healthcare services provided to the patient
The past, present or future payments for the services provided to the patient
PHI also includes common identifiers of the patient like name, address, birth date and social security number.
The Security Rule
The security rule establishes the standards that must be followed in order to protect all electronic PHI, whether in transit or at rest. There are three parts to the security rule, together intended to ensure the confidentiality and integrity of electronic protected health information.
Administrative Safeguards: These are the policies and procedures that bring the privacy rule and the security rule together. They require that a security and privacy officer be assigned at your organization to establish and enforce measures for protecting electronic PHI across the workforce.
Physical Safeguards: These focus on physical access to electronically created, accessed, processed or stored PHI regardless of its location. Electronic PHI, or ePHI, can be stored in many places including the cloud, an offsite data center or on-site servers. It’s critical to ensure that physical access to that data is monitored at all times through restricted access, multi-factor authentication and surveillance.
Technical Safeguards: These are exactly as they sound, technical measures put in place to safeguard ePHI from data loss or breach. Common examples include encryption, authentication and access control. Regular employee training, penetration testing and compliance audits are a great way to confirm that no holes can be poked in your security strategy.
The Breach Notification Rule
The breach notification rule requires covered entities to alert patients when their PHI has been exposed, as well as the HHS. Should the breach impact over 500 patients, then the media must also be notified.
Breach notifications must include the following information:
The PHI that was breached, including the types of personal identifiers exposed (e.g. name and address)
The likelihood of re-identification
If known, the unauthorized person who used or had the PHI disclosed to them
If known, whether the PHI was actually seen or acquired
The extent to which the risk to the PHI has been mitigated
Timeliness is key. Once covered entities discover the breach, they are required to send out breach notifications within 60 days or face a serious penalty.
Common HIPAA violations
Sadly, HIPAA violations are not rare occurrences. Most, if not all, healthcare facilities will experience a minor HIPAA violation at some point. Even though it’s relatively common, violations are very serious matters. If not properly and urgently handled, they can lead to major problems for patients and healthcare facilities.
Let’s explore some of the most common HIPAA violations and their consequences.
Unpermitted access to healthcare records: Accessing patient health records for reasons other than those permitted (treatment, payment and healthcare operations) is a huge no-no. This is one of the most common violations from healthcare employees. Snooping on the healthcare records of family, friends, co-workers, neighbors and celebrities can result in termination of employment for the employee at fault. In more severe cases, it can even bring criminal charges.
Failing to perform an organization-wide risk analysis: To evaluate whether there are any weaknesses in the confidentiality and integrity of PHI, healthcare organizations are required to perform regular cross-company risk analyses. Failure to do this is a HIPAA violation that can result in serious consequences. Covered entities that have failed to perform a risk assessment have had to pay settlements upwards of $6 million.
Failing to issue breach notifications within 60 days: As we covered earlier, covered entities must issue a breach notification no later than 60 days after the discovery of the breach. Exceeding this timeframe is a violation that can result in a costly settlement.
Denying patients access to their health records: Patients have the right to access their medical records under the privacy rule. This is a very common request from patients so they can share their records with other entities and individuals. Denying patients access to or copies of their health records, overcharging for the copies or failing to provide records within 30 days are all direct violations of HIPAA. One covered entity was fined over $4 million for denying patients access to their records.
As you can see, there are many ways healthcare organizations can receive a HIPAA violation, and they are all easily avoidable. Making sure you stay up-to-date with the constantly evolving HIPAA regulations is essential to avoiding these fines and penalties.
Staying HIPAA compliant
Maintaining compliance with HIPAA across every area of your organization can be a complex undertaking. Small changes are made to the standards every year, which can be hard to keep up with, but not impossible. We’re going to share some tips and tricks for staying HIPAA compliant to make your life easier and keep your organization away from unnecessary risk.
Hire a HIPAA Expert: Hiring or designating at least one member of your team to be a HIPAA expert is a great way to keep your organization compliant. Their role should revolve around building and enforcing security standards across the organization, keeping employees educated and comfortable with the processes and staying current on evolving compliance changes. They are also the perfect point person to lead penetration testing, tabletop exercises and audits.
Establish a Training Program: Requiring all employees at your organization to complete a training program annually or bi-annually is a great way to ensure compliance adherence and keep it top-of-mind.
Define Best Technology Practices for Employees: Creating a clear list of best practices for employees to follow when accessing or sharing PHI can limit your risk of breaking compliance. Your team members can even have hard copy “cheat sheets” posted at their workstations. Here are some examples of items you could include:
Immediately closing computer programs containing patient information when you step away or enter a public setting
Limiting email transmissions of PHI to avoid breaches
Changing employee passwords frequently and using password management tools
Erasing, locking, or shredding private information when it’s no longer needed
There are many ways to avoid falling out of HIPAA compliance; these are just a few. Although it may seem excessive, taking as many steps as necessary could save your organization millions of dollars, a LARGE headache and reputational harm or even loss of business.
That being said, the booming adoption of telehealth from the COVID-19 pandemic made staying in compliance with HIPAA regulations much more difficult. Thankfully, to make the abrupt shift into virtual care easier, the Department of Health and Human Services temporarily suspended penalties for noncompliance with HIPAA regulations surrounding telehealth at the beginning of the pandemic. Organizations shouldn’t take this as a free pass to break HIPAA regulations, however.
Let’s talk about some ways to stay compliant across your telehealth services.
HIPAA compliance and telehealth
The temporarily suspended penalties for noncompliance with HIPAA regulations won’t last forever. Hackers are targeting healthcare companies while everything is moving towards a virtual format, so the time to stay diligent is now.
It’s critical for virtual healthcare providers to work towards HIPAA compliance and lay out best practices for protecting PHI through telehealth visits. Here are some tips to remember while seeing patients virtually to avoid the disclosure of ePHI without approval.
Always use a VPN: When accessing the company’s intranet and patient information, employees should use a VPN. In addition to using a VPN, multi-factor authentication should be required on all VPN connections. If that isn’t an option, remote providers should be using strong passwords generated from a random password generator.
Be prepared for video telehealth visits: Always set an entry password for each video meeting with a patient. This adds an extra security measure against people trying to join the meeting uninvited. Providers should also make sure they are in a private room to avoid eavesdropping. Make sure no one is around you and that no one will disturb you throughout the duration of the visit.
Protect patient PHI: Protecting PHI is the number one priority when it comes to telehealth visits. All PHI should be encrypted before being transmitted electronically, whether it’s through the company’s intranet or by email. If keeping hard copies of PHI in your home, store them in a lockable cabinet or safe. These steps should ensure no unauthorized person gets access to patient information.
It’s in your organization’s best interest to set some virtual visit guidelines to minimize the risk of PHI getting in the wrong hands.
Now that you’re full of information about HIPAA compliance, let’s talk about OpenLoop.
At OpenLoop, we power virtual care services in every state with full-stack clinical operations and a vast network of certified clinicians. Our network consists of more than 6,500 certified, multi-state licensed physicians, nurse practitioners and specialists across the US ready to fill virtual care shifts for the clients we support. We pride ourselves on matching organizations with clinicians that align with their values, culture and unique patient needs for seamless continuity of care.
On top of confidently filling shifts with leading clinicians for our clients, the OpenLoop platform provides all necessary legal, regulatory and compliance infrastructure required for companies to offer medical services via telemedicine in all 50 states. Our team and our technology allow us to streamline licensing, credentialing, hiring, onboarding, scheduling, payroll and EHR management.
We don’t stop there. Offload as much or as little of your back-office challenges to us! We can take care of all of the above plus…
MSO & PC Groups
Managed Services Agreements
Telehealth Consulting & Support
Interested in learning more? We would love to connect and talk about how we can help scale your telehealth services!
Congratulations! You’ve completed your crash course in HIPAA compliance. With the shift to a hybrid model of virtual care and in-person visits, it’s important to stay up-to-date with all the changes in HIPAA regulations. The best practices outlined in this blog will ensure everyone stays HIPAA compliant no matter the location.