Employers and anyone in charge of a company’s HR duties will often have several questions about HIPAA compliance.
The Health Insurance Portability and Accountability Act, or HIPAA, is a 1996 national law designed primarily to update and streamline the circulation of healthcare information. It contains five titles that include a series of regulatory standards that explain the legal use and disclosure of protected health information (PHI). The Department of Health and Human Services (HHS) regulates HIPAA compliance, while the Office for Civil Rights (OCR) enforces it by investigating HIPAA violations.
What Is Protected Health Information?
Protected Health Information (PHI) refers to any demographic data that can be utilized as identification for a patient or client of a business that is obligated to comply with HIPAA. Names, phone numbers, addresses, Social Security numbers, financial information, and medical records are all considered PHI.
Protected Health Information that is stored, accessed or transmitted electronically is known as ePHI. This type of information also falls under HIPAA standards and is subject to the HIPAA Security Rule, a regulation added to the law to account for the impact of changes in medical technology.
What Is A HIPAA Violation? Examples, Causes & More
A HIPAA violation occurs whenever the integrity of PHI (or ePHI) is compromised. It’s important to note that this is different from a data breach. A data breach is only considered a HIPAA violation if it happens due to an ineffective, outdated or incomplete HIPAA compliance program or a direct violation of an entity’s HIPAA policies.
For example, if a company-owned unencrypted device (such as a laptop, phone or USB key) containing medical records or other PHI is stolen, this is only considered a HIPAA violation if the organization in question lacks a policy regarding encryption requirements, or if it has a policy prohibiting company property from being taken off the premises and that policy was not followed.
Other examples of HIPAA violations include:
- Malware incidents
- Ransomware attacks
- Office break-ins
- Discussing PHI outside of work
- Sending PHI to the wrong contact/patient
- Social media posts
Who Is Required To Be HIPAA-Compliant?
According to HIPAA rules and regulations, two kinds of organizations need to comply with the law:
- Covered entities: HIPAA defines a “covered entity” as any organization that gathers, creates or transmits ePHI. Examples of covered entities include healthcare providers, insurance providers and healthcare clearinghouses.
- Business associates: HIPAA defines a business associate as any organization that handles PHI in any way on behalf of a covered entity. Examples of business associates subject to HIPAA rules include billing companies, third-party consultants, practice management firms, IT providers, email hosting services, accountants, and lawyers.
What Are The HIPAA Rules?
- Privacy Rule: This rule sets national regulations regarding patients’ rights to access PHI, healthcare providers’ rights to deny access to PHI, and the contents of Use and Disclosure forms and Notices of Privacy Practices. This rule applies only to covered entities.
- Security Rule: This rule establishes standards for the safe maintenance, handling, and transmission of ePHI. It sets standards for the security and integrity of ePHI, including administrative, physical and technical protections.
- Breach Notification Rule: This rule dictates the procedures that healthcare organizations and business associates must follow in the event of a data breach involving PHI. There are two types of breaches that can occur: Minor Breaches and Meaningful Breaches, and organizations are required to report both kinds.
- Omnibus Rule: This rule specifically applies to business associates and describes the rules regarding Business Associate Agreements (BAAs). These are contracts that a business associate and a covered entity — or two business associates — must agree to before sharing or transferring any kind of PHI.
Requirements For HIPAA Compliance
- Self-audits: Under HIPAA, covered entities and business associates must conduct annual audits of their organization to identify and evaluate any issues regarding compliance with the law’s Privacy and Security standards. A Security Risk Assessment alone is not sufficient to be considered compliant.
- Remediation Plans: These plans must be implemented to correct any compliance violations identified by the self-audits.
- Policies, Procedures & Employee Training: Policies and procedures linked to HIPAA regulatory standards must be regularly updated to account for any changes to the organization. Annual staff training is required to ensure all employees understand these policies and procedures.
- Documentation: Covered entities and business associates must record all the steps they take to meet HIPAA compliance requirements.
- Business Associate Management: HIPAA-beholden organizations must record all vendors with whom they share PHI and complete BAAs to ensure PHI is safely handled and liability is reduced.
- Incident Management: In the event of a data breach, this breach must be documented and patients must be quickly notified that their information has been compromised.
It’s important for you as an employer or HR executive to consider hiring a professional employer organization (PEO) consulting firm to ensure your business meets HIPAA compliance requirements. A PEO can help you save significant time and money by handling all administrative tasks like negotiating with insurance providers and providing HIPAA-related legal notices like Notices of Privacy Practices.
Seeking More Information About HIPAA Compliance
Speak to the experienced PEO Consultants at BenefitCorp in Dallas or Denver to learn more about HIPAA compliance requirements. BenefitCorp’s consultants are highly knowledgeable about the Affordable Care Act and provide services such as ACA compliance, benefits administration, HR poster services, employee handbook development, and employee review and support workflows. BenefitCorp will provide your organization with extensive information and recommendations regarding payroll, HR, health insurance and retirement.