Four Winds Blog

HIPAA and You: A Compliance Conundrum

Written by Dylan Borden | May 30, 2023 5:55:08 PM

If you aren’t in the healthcare industry (or in some cases even if you are, YIKES!) you might have only heard the term HIPAA in passing.

So, What Is a HIPAA?

The thing is, HIPAA now covers plenty of businesses outside of the healthcare industry due to the addition of the Omnibus Rule in 2009, and there is a severe lack of knowledge in terms of HIPAA requirements and how it can affect business. [1]

We will explore which businesses need to be concerned with HIPAA, some of the requirements if you do fall under the scope, and, why it all matters to your business. As with anything, it is important to first get an idea of what HIPAA is and where it came from before we can truly understand why it’s important, so, without further ado let’s dive in.

 

---------------------------------------------------------------------------------------------------------------------------

Deciphering HIPAA

So, what exactly is HIPAA? It stands for the Health Insurance Portability and Accountability Act and it was enacted back in 1996 when computers and the internet were becoming more and more prevalent in businesses. The original intention of the act was to make it easy for an individual to maintain insurance coverage and to help control administrative costs in the healthcare industry.

Individuals today can apply for insurance with a few clicks of a button so it is hard to imagine a time when all your patient records were solely stored in locked cabinets at your doctor’s office, and applying for health insurance or changing providers was like pulling teeth. This archaic method of data storage also made it difficult to access and transmit patient information, caused plenty of mistakes, and resulted in spiking administrative costs for healthcare providers. HIPAA essentially provided the rubric for digitizing healthcare records so they could be accessed and used with ease by both the healthcare organization and the patients themselves.

Although ease of access and cost reduction was the original intention of HIPAA, what really matters now to organizations under the scope of HIPAA are the rules and requirements to ensure the security and privacy of this information. Under the act, organizations handling protected health info (PHI) must comply with numerous specific requirements and create policies and staff training to ensure these requirements continue to be met. If an organization falls out of compliance, the Department of Health and Human Services can levy some hefty fines especially if any data was compromised because a certain requirement was not properly met.

Here is where we get to the root of the problem: Organizations don’t always know they fall under the scope of HIPAA, and even when they do, they are typically far from compliant. Sadly, these organizations are often not aware of their shortcomings until a problem arises and they are facing a fine.

---------------------------------------------------------------------------------------------------------------------------

The Big Question: Do I Have to be Compliant? 

Before you go and call a HIPAA compliance expert, take a minute and make sure the act applies to your organization. Initially, only “covered entities” needed to worry about HIPAA and they are defined as:

1. Health Care providers - Doctors, clinics, psychologists, dentists, nursing homes, etc.…

2. Health Plans - Health insurance companies, HMOs, or government programs that pay for health care

3. Health Care Clearing Houses - health care billing services or repricing companies

Now you might be thinking, “Hey! I don’t fall into any of these three categories. I’m safe!”, but, not so fast. Healthcare providers, like most businesses today, are not 100% self-sufficient and as such need to rely on other companies for their services. Because patient records are so sensitive, these business partners must also be complete HIPAA compliant.

Seem ridiculous? Consider this: If you woke up to find your complete medical history posted to the web who would you blame? Do you care that the insurance company your physician’s office works with was responsible for the leak, or do you care that the doctor you’ve been with for however many years chose to work with a company with shoddy data security?

This is where we really see the long reach of HIPAA. A covered entity MUST verify that all business associates with access to PHI, even in the slightest degree, are also HIPAA compliant. To ensure these business partners are compliant, all covered entities are required to have a business associate agreement (BAA) between them and their partners. A BAA essentially states that the partner is also 100% HIPAA compliant and can be trusted to properly handle PHI.

Not only is it the responsibility of the covered entity to get the BAA signed, but they also need to take the time to verify what the other organization is saying is true. Why does this matter? It puts a much greater responsibility on covered entities to select the right business partners because they must be able to trust them with their clients’ PHI.

Businesses supporting the healthcare industry also need to be conscious of this rule for two reasons. The first and most obvious reason is that if you aren’t HIPAA compliant and sign a BAA, you are going to be on the hook for any violations that come about. The other is that you will dramatically limit your potential business partners because you lack an essential element of working in the healthcare industry.

Again, more companies fall under HIPAA’s scope than is typically known, so whether you’re a covered entity, a business associate, or you simply don’t know - do your homework, and make sure your organization meets the appropriate standard.

---------------------------------------------------------------------------------------------------------------------------

The Fun Part: Getting Your Company HIPAA Compliant

Once you have determined that your organization falls under HIPAA’s scope, it is your responsibility to become compliant, but what exactly does that mean? For most, it means satisfying two main components of HIPAA - the Privacy Rule and the Security Rule. Each rule establishes safeguards with specific standards that act as a compliance checklist, and, although they have some similarities, they should also be addressed separately.

The Privacy Rule:

This rule is sometimes viewed as the “people” rule as it establishes who has access to PHI and reinforces the reason to have BAAs signed between business partners and clients alike. It essentially sets the tone for proper use and disclosure for PHI in and out of the organization.

Privacy Safeguards:

  • Assign a HIPAA Privacy Officer - responsible for implementing/maintaining HIPAA Privacy
  • Staff training – HIPAA awareness training – minimum every 2 years
  • Employee sanction policy – how employees are penalized for violating rules
  • Record retention policy – 6-year minimum
  • Policies, procedures, and systems in place to protect PHI – Must be documented and could include the policy of whom to disclose PHI to or how to safely email documents with PHI
  • Breach notification – Policies to properly notify and handle any improper use of data or a breach

The Security Rule:

This rule is more specifically about the protection of any PHI an organization creates, receives, maintains, or transmits. It also establishes that an organization should protect against reasonably anticipated hazards (fires, flood, etc.), and unauthorized use (data breach, improper discloser) as well as ensure the workforce understands and abides by the rule.

Instead of detailing each of the 17 security safeguards, we will summarize the three types of safeguards:

Administrative Safeguards (8 Total):

There are 8 safeguards specific to administration and they are similar to the Privacy Rule. They require the appointment of a HIPAA Security Officer, staff training, and the establishment of procedures to report and respond to incidents. The admin safeguards take things a step further by requiring organizations to perform RSA’s (Risk Self-Assessment) to identify their greatest threats, create a plan to mitigate these threats, and then re-evaluate this plan every so often to ensure it’s still appropriate.

Physical Safeguards (4 Total):

These focus on protecting an organization’s electronic information systems and include items such as door locks to reduce access and passwords on company laptops. These safeguards also cover the proper use of devices. An example would be something like a policy restricting what websites employees can access while on company computers. Other proper-use safeguards address disposal and repurposing of company devices so that PHI does not end up in the wrong hands. Physical safeguards seem like no-brainers, but because of this, they are often overlooked.

Technical Safeguards (5 Total):

These safeguards address what a company must have in place from an IT standpoint. This includes firewalls, data encryption, access controls, etc. as well as policies and procedures to ensure the integrity and secure transmission of the data.

Why Bother With Compliance?

---------------------------------------------------------------------------------------------------------------------------

After learning about the long list of rules and requirements accompanying HIPAA, it is easy to see why some compliance officers would rather run for the hills. So, why is it so important that organizations ensure they are HIPAA compliant? The most obvious and relevant reason is that IT IS THE LAW. For covered entities and business associates, compliance is not a “nice to have” but an absolute, and there are consequences for being out of compliance.

The Department of Human Health Services, HHS, has the ability to levy fines anywhere from $100 to over $1,000,000 per violation [6], and when this happens, organizations are typically on the hook for multiple violations. The severity of the violation also plays a role since egregious violations will carry much larger fines and can even result in jail time. The HHS relies on the concept of reasonable cause and willful neglect to judge severity. Violations stemming from willful neglect - the organization recognized the obligation to do something but acted with disregard for the obligation - are the most severe and could lead to imprisonment.            

If fines, legal fees, and imprisonment aren’t enough, consider how this looks from a PR standpoint. Can you imagine the blowback from clients once it’s been exposed that you haven’t taken proper steps to protect their most sensitive information? Depending on the severity of the violation, this can often be a death sentence for a business.

Although these penalties are often the driving force behind compliance, there is an overarching ‘good’ reason to become compliant as well. That good reason is that compliance instills a sense of trust in the healthcare system. You and your loved ones will interact with the healthcare system at some point in life and you need to be able to trust those organizations to properly protect and handle your information.

---------------------------------------------------------------------------------------------------------------------------

Takeaway:

HIPAA was originally created to reduce hospital administration costs and to allow for easier access to health insurance but it has also become the standard for protecting and properly handling PHI. Healthcare providers are not the only organizations affected by the law, and you should check to see if you are a covered entity or business associate. If you are under HIPAA’s scope you want to ensure you meet the safeguards and standards of the Privacy Rule and Security Rule otherwise you may face some hefty fines. Lastly, although it might be difficult to sort through all the red tape of compliance, don’t lose sight of all the good HIPAA does by ensuring the security of our most private data which creates trust in the healthcare system as a whole.

---------------------------------------------------------------------------------------------------------------------------

Sources