What is HIPAA Compliance?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information.
To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. These federal requirements were updated and merged in 2013 and are now collectively known as the HIPAA Omnibus Rule.
The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. The Security Standards for the Protection of Electronic Protected Health Information (i.e., the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form (ePHI). Given how firm the regulation is, it becomes clearer and clearer why a complete HIPAA security risk assessment can save thousands of dollars and future regulatory headaches.
The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI). Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.
The updated Omnibus Rule, published in 2013, also implements most of the privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act and significantly extends the reach and limits of HIPAA.
The Omnibus Rule, in part, expands certain HIPAA obligations to business associates and their subcontractors, modifies the breach notification standard, expands patient rights to access and to restrict disclosure of protected health information (PHI), imposes new rules governing uses and disclosures of PHI, clarifies enforcement approaches, and addresses obligations under the Genetic Information Nondiscrimination Act of 2008 (GINA).
Becoming Compliant: A High-Level Checklist
Davis Wright Tremaine, a leading law firm, summarizes HIPAA compliance requirements for both "covered entities" such as health providers and insurers, and business associates (vendors or partners). Its HIPAA compliance checklist is as follows:
- Performing a gap analysis to determine what policies and procedures must be revisited considering the Omnibus Rule (this should be done annually).
- Revising privacy and security policies and procedures to bring the organization into compliance—this is a good opportunity to review and fine-tune existing policies based on guidance and experience.
- Revising breach notification policies, procedures, and breach response plans, particularly with respect to conducting a risk assessment for determining whether notification is required.
- Amending notices of privacy practices (and making sure the revised notices are properly posted and distributed).
- Training workforce and promoting more ongoing awareness.
- Revising business associate contract templates and beginning the painful process of amending/renegotiating each one.
- Determining whether any forms, such as requests for access, should be updated or created.
- Continuing—or making an increased effort—to take advantage of the safe harbor provision by encrypting PHI according to HHS’ guidance; and
- Making sure an updated risk analysis is in place and reflects vulnerabilities addressed in HHS guidance, such as mobile devices.
Conducting a HIPAA Gap Analysis and developing a Risk Management Plan
An annual HIPAA gap analysis of the approximately 50 clauses in the Omnibus Rule will identify any improvement needed by a covered entity or business associate.
This more detailed HIPAA compliance checklist will likely help you during an audit, or prevent you from getting audited at all. The 50 clauses are grouped under prescribed technical, administrative, or physical safeguards.
Technical controls are items such as firewall rules, encryption capabilities on laptops, PCs, servers and mobile devices, malware detection software and the like.
Administrative controls include, among others, items such as policies, governance measures, security and privacy training and awareness programs, and evidence of business associate agreements.
Finally, physical controls include adequate locks, and fire suppression mechanisms for data centers, video cameras to monitor physical movement in sensitive areas and locks for computer equipment in heavily travelled areas.
The adequacy of controls is not described specifically in HIPAA, so using the National Institute of Standards and Technology (NIST) Special Publication 800-53 control set is a good option to follow. NIST 800-53 is commonly referred to by HHS as meeting the intent of HIPAA. (See: https://en.wikipedia.org/wiki/NIST_Special_Publication_800-53.)
An additional twist to the HIPAA Omnibus Rule is that some controls are mandated (required), while others are addressable (potentially optional).
A sample of key technical, administrative and physical safeguards is provided in the tables below. (Recall that there are over 50 clauses in the Omnibus Rule that require attention.) In essence, measuring yourself against a HIPAA compliance checklist is a critical annual effort.
Technical Safeguards – Sample HIPAA Compliance Checklist

| Safeguard | Description | Required or Addressable |
|---|---|---|
| Implement a means of access control | Assigning a centrally controlled unique user name and password for each user | |
| Mechanism to authenticate ePHI | Has ePHI been altered during transit? | |
| Implement tools for encryption and decryption | Are laptops, desktops and servers encrypted? Does data communication use encryption? | |
| Possess activity logs and audit controls | Records who has viewed, edited, or added ePHI to a system | |
| Facilitate automatic log-offs of PCs or other devices | Logs off unattended devices to prevent snooping | |
Administrative Safeguards – Sample Checklist

| Safeguard | Description | Required or Addressable |
|---|---|---|
| Conducting a risk assessment | Typically done annually | |
| Risk management policy | Reduce risks to an appropriate level. Provides direction on how to manage risk | |
| Training employees to be secure | Provide annual security and privacy training | |
| Develop a contingency plan | In emergencies, a contingency plan should be ready to prevent disruption of services | |
| Testing of contingency plan | Using a table-top exercise or other simulation, conduct a review of the decision making needed | |
| Restrict 3rd party access | ePHI should not be accessed by vendors or subcontractors without a signed business associate agreement | |
| Reporting security incidents | Breaches are required to be reported to the OCR | |
Physical Safeguards – Sample Checklist

| Safeguard | Description | Required or Addressable |
|---|---|---|
| Facility access controls | Controls access to sensitive data processing areas using locks, cameras, etc. | |
| Workstation use policy | To ensure that users are using devices in protected settings (e.g. to prevent snooping) | |
| Controls for mobile devices | Ensuring that mobile devices, such as phones, which store or process ePHI are adequately protected | |
| Inventory of hardware | An inventory of all hardware processing ePHI should be maintained | |
Addressing the identified risks in a meaningful way should be described in a corollary risk management plan, which forms the second piece of demonstrating that an organization is committed to securing ePHI.
This annual gap analysis and the subsequent risk management plan therefore form the bedrock of a HIPAA compliance program. By adequately performing these two tasks, a covered entity or business associate demonstrates its intent to meet the HIPAA compliance rules.
We note that the government recognizes that not all risks can be obviated and that there are resource constraints. Should a breach of data occur, a high-quality gap analysis and risk management plan will mean lower penalties or sanctions.
What happens if you violate HIPAA?
According to HIPAAJournal.com (https://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096/), the Office for Civil Rights (OCR) within HHS oversees compliance with the Omnibus Rule.
The OCR prefers to resolve HIPAA violations using non-punitive measures, such as with voluntary compliance or issuing technical guidance to help covered entities address areas of non-compliance. However, if the violations are serious, have been allowed to persist for a long time, or if there are multiple areas of noncompliance, financial penalties may be appropriate.
The four categories used for the penalty structure are as follows:
- Tier 1: A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care been taken to abide by HIPAA Rules.
- Tier 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of HIPAA Rules).
- Tier 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation.
- Tier 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation.
Fines for Tier 3 and Tier 4 violations can be significant.
A list of fines meted out by the OCR demonstrates that fines can run into the millions. Anthem, a health insurer, was fined $16 million in 2019, Aetna was fined $1 million in 2020, and Athens Orthopedics $1.5 million in 2020. (See: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html.)
Conducting an annual gap analysis of the prescribed technical, administrative, or physical safeguards, followed by the development and execution of a risk management plan, is the first step in meeting compliance.
This requires honesty, diligence and a commitment to improve. The gaps identified, followed by the addition of remediating controls, clearly demonstrate that an entity has performed its obligations under HIPAA.
While a breach may still occur due to criminal activity or employee misuse, a robust gap analysis and risk management plan go a long way to assuage enforcement officers. Don’t get caught short. You need a reliable partner to help you through this.
Need help with a gap analysis? Contact us for a free 30 minute consultation