HIPAA is the Health Insurance Portability and Accountability Act of 1996 that has acted as the standard rules and regulations to protect and secure the circulation and existence of past, current, and future protected health information (PHI and ePHI).
With so much health information transmitted and circulated through multiple parties, HIPAA Privacy and Security Rules ensure and secure the personal health information of individuals against misuse. The Health and Human Services (HHS) and the Office for Civil Rights (OCR) regulate the rules and standards of HIPAA compliance that must be implemented by associated organizations.
There are two types of organizations that must ensure they stay HIPAA compliant: covered entities and their business associates.
Covered entities (CE) are any existing healthcare organizations like healthcare providers, health insurance plans, and healthcare clearinghouses. Covered entities are involved with the creation and transmission of PHIs that they must safeguard by following the regulations set by the HHS and the OCR.
Business associates (BA) are any outside service provider that works with the storing, circulation, and transmission of PHIs and ePHIs. BAs are mostly hired by CEs to assist in outside financial, technical, or legal work. Examples of common BAs are third-party billing and payment services, accountants, IT providers, email service providers, cloud computing services, and more.
Understanding PHI Security
The trick to understanding what is HIPAA compliance is to first understand and distinguish what is PHI. Protected health information is essentially data that is any personal demographic used to identify patients that may appear on medical records or spoken between health professionals. PHI and ePHI, the electronic form of PHI, are maintained and circulated by HIPAA-covered entities or a business associate. There are 18 general PHI and ePHI identifiers as indicated by the Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR):
- Full names
- Dates (except years) that are directly related to an individual
- Telephone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Vehicle identifiers and license plate numbers
- Device identifiers or serial numbers
- Web URLs
- IP address
- Biometric identifiers such as fingerprints or voiceprints
- Full-face photos
- Any other unique identifying numbers, characteristics, or codes
Once identified, PHI and ePHI data must be properly protected and secured by HIPAA-covered entities and their business associates.
Currently, there are four fundamental rules that establish HIPAA compliance: the privacy rule, the security rule, the breach notification rule, and the omnibus rule. These four rules create the framework in which HIPAA-covered entities and their business associates must function in order to be HIPAA compliant.
The HIPAA Privacy Rule protects a patient’s or individual’s privacy, medical records, and PHIs from being disclosed without their authorization and knowledge. Under this rule, the individual has the right to obtain a copy of their health records and circulate it to a third party of their choice. It also limits and regulates the access that CEs and BAs have to an individual’s records and PHIs.
The official HIPAA Security Rule is an extension of the HIPAA Privacy Rule to safeguard and protect an individual’s electronic protected health information, ePHI. In order to successfully implement the Security Rule, the involved parties must maintain the administrative, physical, and technical safeguards that ensure the confidentiality and security of ePHI.
The HIPAA Breach Notification Rule outlines the steps of what must be done in the case of a breach of unsecured protected health information. In the event of a breach, the involved organization (either the covered entity or business associate) must report it to the OCR following their specific guidelines.
The HIPAA Omnibus Rule
The HIPAA Omnibus Rule is a recent expansion to the original HIPAA Act that ensures the compliance of business associates involved in the handling and storing of PHI and ePHI. The Rule specifically forces business associates and any third-party organization to comply legally with HIPAA regulations.
Understanding and maintaining these four core rules means your healthcare and business organizations stay HIPAA compliant. It’s a lot to cover and ensure your organization stays consistently compliant. However, we’ve compiled five steps to help ensure your organization stays HIPAA compliant.
- Establish business associate/vendor agreements
Establish business associate agreements (BAAs) before PHIs and ePHIs are disclosed to business associates. A strong relationship between working covered entities and business associates ensures both organizations are in agreement to protect and handle sensitive and confidential patient information.
- Implement HIPAA privacy and security policies in the organization
One of the most important things that your organization can do to ensure HIPAA compliance is to implement HIPAA privacy and security policies throughout the organization. When developing company policy, adapt HIPAA rules and regulations into the workforce. You end up developing a secure environment against future breaches.
Make sure your organization is prepared for a possible breach. Despite the lengths you go to ensure your organization is HIPAA compliant, sometimes things can’t be completely safeguarded and protected. Conduct regular self-audits to discover and manage your organization's gaps and vulnerabilities.
- Designate HIPAA experts and employee training on-site
One of the best ways to make sure your organization stays HIPAA compliant is to involve the people in your organization. Designate or hire a knowledgeable security officer that is responsible for the education of your employees in HIPAA policies and regulations. Implement HHS endorsed HIPAA training programs into mandatory work policy so your employees will be HIPAA compliant in the handling of PHIs and ePHIs.
- Make sure to document all records
Keep track, organize, and document all HIPAA-related information to keep it easily accessible when needed. This ensures your organization is aware of all HIPAA-related information, history, and issues and prepares the organization for a federal investigator from the OCR.