The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, was developed to add protection for patient information in electronic health records and communications. The regulation has gone through several changes as new technology has emerged, but the goal remains the same: it guards this sensitive data against unauthorized viewing and use.
This guide details how HIPAA applies to healthcare organizations and the options they have for becoming compliant.
The first step of HIPAA compliance is understanding whether you’re a covered entity under the act. Healthcare clearinghouses, healthcare providers and health plans are the primary organizations that have to meet HIPAA requirements. If you’re not one of those three types of organizations, you may fall under the business associate category.
When you do business with a covered entity and you need access to protected health information (PHI), you are considered a business associate. You sign an agreement with the entity that dictates the acceptable use and management of the PHI, and you must remain in compliance with HIPAA.
The primary areas that HIPAA requirements cover are technical safeguards, physical safeguards, administrative safeguards, the Privacy Rule and the Breach Notification Rule.
What Options Do Healthcare Providers Have?
Non-compliance is not an option for healthcare providers that want to retain patient trust and keep their operations going without massive hits to their operating budget. You have two options: you can handle HIPAA compliance yourself or outsource it.
Doing It In-House
For healthcare providers that have the expertise on staff to handle their IT infrastructure, HIPAA compliance may be achievable in-house. The National Institute of Standards and Technology (NIST) has provided healthcare providers with the HIPAA Security Rule Toolkit, which was developed to help healthcare organizations better understand the requirements of the HIPAA Security Rule, implement those requirements, and assess those implementations in their operational environment. Two other documents prepared by the Department of Health and Human Services (HHS) that may be helpful are:
- Guide to Privacy and Security of Electronic Health Information
- Key Privacy and Security Considerations for Healthcare Application Programming Interfaces (APIs)
Outsourcing HIPAA Compliance to an IT Company
Keeping it in-house might seem like a straightforward, convenient option, but you may run into a few problems. The first is that you probably need an IT specialist on staff who is experienced with HIPAA compliance and understands all the controls necessary for compliance. These in-demand professionals don’t come cheap, and recruiting them takes up a lot of your hiring budget.
If you rely on your existing IT department for this process, they could overlook recent changes to the regulations or fail to find areas that are particularly vulnerable to cyberattack. When they have to support end users on top of maintaining compliance, they end up stretched too thin and may not be able to keep the infrastructure running smoothly.
An outsourced IT company that specializes in IT for healthcare organizations can help you become compliant in several ways. An unbiased IT assessment looks at your current infrastructure, procedures and policies to determine whether they match HIPAA requirements, and any gaps in coverage are noted. Once this assessment is complete, the IT company puts together a remediation plan for fixing any issues with your healthcare infrastructure.
They may augment your in-house IT department during the deployment of this plan or handle the entire process themselves. Once everything is addressed and the remediation plan is complete, the outsourced IT company can move into a monitoring role.
They keep up with the latest changes to HIPAA requirements and look for opportunities to improve your infrastructure to better protect PHI.
How to Respond to a Data Breach
Sometimes you do everything right but attackers find a way in anyway. Following such an incident, you have to respond in a specific way to meet HIPAA requirements.
According to the Breach Notification Rule, covered entities are responsible for letting patients know when breaches of their protected health information occur. If 500 or more people have their records breached in a single incident, you also need to notify the Department of Health and Human Services (HHS), and the media must receive a notification as well; this must occur as soon as possible. If fewer than 500 patients are impacted, you need to submit the information to the Office for Civil Rights (OCR) portal within a year of the attack. HHS recommends uploading it after you finish the first part of the investigation. Healthcare providers and IT departments can notify HHS online by following these links:
- Submit a Notice for a Breach Affecting 500 or More Individuals
- Submit a Notice for a Breach Affecting Fewer than 500 Individuals
Your biggest priority is figuring out how the attacker got into your systems, how many records they accessed and how to fix the vulnerability that led to this situation. An outsourced IT services company can support your IT department with additional resources required for this part of disaster recovery.
HIPAA Non-Compliance Penalties
HIPAA has a number of non-compliance penalties that you should be aware of. The fines reflect whether reasonable measures were taken to protect the PHI before it was accessed without authorization or stolen.
For example, if a HIPAA violation was caused by a lack of knowledge of part of the act’s requirements, the cost ranges from $100 to $50,000. If you do your best to protect the data but a breach occurs regardless, the fine starts at $1,000.
Willful neglect has a particularly steep penalty, starting at $10,000 for violations that were corrected within 30 days and $50,000 for those that were not fixed within that time frame.
These fines are charged on a per-record basis, so if a healthcare organization ends up with hundreds of patient files breached, it could quickly end up paying the yearly maximum of $1.5 million per violation category.
The U.S. Department of Health and Human Services (HHS) keeps a record of cases that detail the penalties faced by non-compliant healthcare providers in the real world.
Need Help? Contact a HIPAA Specialist
HIPAA compliance has many requirements that take up your IT resources. An outsourced IT company specializing in HIPAA compliance offers valuable tools and additional specialists and technicians that you can draw on throughout this process. Since HIPAA violations are so costly, and cybercriminals often target the healthcare industry, it’s critical to keep patient records safe and secure.