The Health Insurance Portability and Accountability Act (HIPAA) is a pillar of both regulatory compliance and healthcare cybersecurity. To protect confidential and sensitive patient data, hospitals, insurance providers, and healthcare organizations must all adhere to HIPAA compliance.
- What is HIPAA compliance?
- How to become HIPAA compliant
- Benefits of HIPAA compliance
- Three security tips for HIPAA compliance
- HIPAA key resources
- HIPAA compliance FAQ
Any organization subject to HIPAA must be ahead of the curve by recognizing any changes and preparing now as we approach 2023. In this detailed guide, we’ll explain HIPAA compliance in a step-by-step manner based on changes to the law, COVID regulations, and growing cybersecurity issues.
You don’t want to be concerned about a HIPAA complaint against your organization, and you certainly don’t want to be one of those fined. This guide will inform you all you need to know about HIPAA compliance and will assist you in protecting and securing your HIPAA-protected data.
What exactly is HIPAA compliance?
HIPAA compliance is a process that business associates and covered entities pursue to protect and secure Protected Health Information (PHI) as required by the Health Insurance Portability and Accountability Act. That’s legalese for “protecting people’s healthcare data.”
- Protected Health Information (PHI) is healthcare data that belongs to you, me, or everyone. PHI is the information that HIPAA aims to secure and keep private. The Safe Harbor Rule specifies what types of data must be removed in order to declassify PHI.
- Covered entities are healthcare professionals who handle and have access to PHI. It consists of doctors, nurses, and insurance companies.
- Business associates are people or services who collaborate with a covered entity in a non-healthcare role and are as accountable for maintaining HIPAA compliance as covered entities. Business associates include, but are not limited to, professionals who work in the legal, accounting, administrative, or IT fields in the healthcare sector and have access to PHI.
How to be HIPAA compliant
Combining internal procedures with the appropriate technology and strategic external partnerships is necessary to meet all HIPAA requirements. Here’s how you become HIPAA compliant on a strategic level before digging into the details of the regulation.
- Create policies: You should start by creating and implementing effective cybersecurity standards, policies, and procedures. Your staff should be properly trained, and your administrative policies and practices should all be HIPAA compliant. Additionally, make sure your policy is well-documented and communicated to everyone in the organization.
- Implement safeguards: Maintaining HIPAA compliance requires strong PHI safeguards, both physically and digitally. Physical PHI storage areas should only be accessible to authorized people. Strong password and login security should also be implemented.
- Risk assessments: Every covered entity should have an annual HIPAA risk assessment. So, if you haven’t already started planning for 2023, now is the time. Risk audits should include all administrative, physical security, and technical security measures implemented by your company to achieve HIPAA compliance.
- Investigate violations: In an ideal world, your entire organization would be HIPAA compliant every day of the year. However, errors do occur, whether discovered by you, an auditor, or regulators. If a violation is discovered, put procedures in place to undertake root cause analysis and remediation so that the problem does not reoccur.
By keeping these four principles in mind throughout your HIPAA journey, you will be able to achieve and maintain compliance in the most effective manner possible.
HIPAA compliance guide 2023
The HIPAA Privacy Rule is the fundamental piece that all applicable entities must understand. The Privacy rule specifies when and how authorized staff may get PHI. Healthcare professionals, administrators, lawyers, and anybody else involved in your health information ecosystem fall into this category. At the same time, the HIPAA Security Rule specifies the actual protections that must be implemented, including both technological and non-technical safeguards.
1. Recognize HIPAA Privacy and Security Rules
You’ll want to be aware of a few important components of the Privacy and Security regulations in 2023. The Department of Health and Human Services (HHS), for instance, will continue to concentrate on looking into minor security incidents, possibly increasing their focus on safeguarding PHI in the mental health, psychiatry, and psychology areas.
Additionally, you’ll need to balance how you’re carrying out those operations with the Privacy Rule as healthcare increasingly moves online in the form of remote consultations and digital assessments. You’ll need specific procedures to handle these kinds of digital health interactions in 2023 and beyond because there has been some controversy over whether professionals using Facebook and other social media while at work violates HIPAA.
In a nutshell, there are connections between the security and privacy rules. You can help yourself adhere to the Privacy Rule, which outlines further protections of PHI, by adhering to the HIPAA Security Rule and putting the proper security processes in place.
2. Determine if the Privacy Rule affects you
Next, you’ll need to assess and confirm that the Privacy Rule does, in fact, apply to your business, practice, or healthcare organization. Remember that the Privacy rule protects individual PHI by governing the practice of all covered entities, from doctors and nurses to lawyers and insurance providers.
Covered entities are the people and organizations that hold and process PHI data for their customers and/or patients. Covered entities are also responsible for reporting HIPAA violations, and are who will pay any fines imposed by the Office of Civil Rights if a HIPAA violation does occur.
HIPAA defines these individuals and organizations as covered entities:
Health care providers
- Nursing homes
- Health Plan
Health insurance companies
- Company health plans
- Government-provided health care plans
- These entities process healthcare data from another entity into a standard form.
3. Protect the right types of patient data
The third action item in your HIPAA compliance checklist is knowing what types of patient data you need to protect and begin putting the right security and privacy measures in place.
The HIPAA Privacy Rule defines PHI as “individually identifiable health information” stored or transmitted by a covered entity or its business associates. This can be in any form of media, from paper and electronic to verbal communications.
The law further defines “individually identifiable health information” as an individual’s past, present, and future health conditions, the details of the health care provided to an individual, and the payment information that identifies or for which there is a reasonable basis to believe can be used to identify the individual.”
This typically includes — but is not exclusively limited to — the following kinds of patient data:
- Names and birthdates
- Dates pertaining to a patient’s birth, death, treatment schedule, or relating to their illness and medical care
- Contact information such as telephone numbers, physical addresses, and email.
- Social Security Numbers
- Medical record numbers
- Photographs and digital images
- Fingerprints and voice recordings
- Any other form of unique identification or account number
4. Prevent potential HIPAA violations
HIPAA violations can occur in any number of ways, so it’s critical that you understand what a violation is and how they happen so you can take preventative measures. The most common type of violation is internal, and not the result of any outsider hack or data breach. Typically, violations stem from negligence or only partial compliance with the Privacy Rule.
A workstation left unlocked, or a paper file misplaced in a public setting — although not malicious — are the types of violations to be most on guard for. Not properly configuring software like Office 365 for HIPAA compliance is another great example of a non-intentional violation. However, something like a lost or stolen laptop with PHI isn’t necessarily a violation in and of itself. If the PHI is encrypted in alignment with Privacy Rule standards, you’re not liable for fines or penalties.
Here are some of the basic steps you can take to prevent HIPAA violations:
- Understand data breaches: A data breach doesn’t necessarily have to be an external hack. Under HIPAA, a data breach is simply unauthorized personnel or people accessing PHI when they shouldn’t. To prevent data breaches, you’ll need a strong cybersecurity program to keep hackers out, as well as proper internal security measures and training.
- Recognize common violations: Some common causes that can lead to a HIPAA violation are equipment theft, hacking, malware or ransomware, physical office break-in, sending PHI to the wrong party, discussing PHI in public, and/or posting it to social media. Knowing these common violations will help you prevent them from occurring.
- Anticipate a minor breach: A minor or smaller breach is one that affects fewer than 500 individuals within a single jurisdiction. The HIPAA Breach Notification Rule mandates certain actions to be taken in this instance. Have processes in place in case what HIPAA defines as a minor breach takes place.
- Prep for a meaningful breach: A meaningful breach affects over 500 people within a given jurisdiction. They need to be reported to the Department of Health and Human Services Office of Civil Rights (HHS OCR) within 60 days of the actual occurrence. You should also be ready to notify affected parties and law enforcement immediately.
5. Stay updated on HIPAA changes
HIPAA compliance can be a moving target, with changes taking place on a regular basis. After you’ve put all of the right cybersecurity measures in place — and processes for potential breach response — you’ll still need to keep abreast of new HIPAA developments. There are a variety of HIPAA changes expected to take effect in 2023 that you should prepare for now.
Some highlights of the 2023 HIPAA update include potential changes to:
- Patient acknowledgment of notice of privacy practices
- The minimum necessary standard for PHI protection
- Allowable disclosures related to care coordination and case management
- Disclosures of PHI for health emergencies
- Citizens’ rights to access their protected health information (PHI)
- Fees that organizations may charge individuals to access PHI
Even though you may have reached HIPAA compliance at present, it’s imperative to monitor the impending 2023 HIPAA update and work with your compliance partner to ensure you comply when it arrives.
6. Know how COVID affects HIPAA
The COVID-19 pandemic is changing healthcare forever, and HIPAA compliance is changing along with it. That’s why an important item on your HIPAA compliance checklist is taking COVID-19 into account in the cybersecurity, physical security, and compliance aspects of your business that might be affected.
The biggest aspect that most healthcare providers and covered entities need to account for is remote work and telehealth. Patients’ PHI is now being handled from more locations and in people’s homes on personal devices in many cases. To account for this, the HHS CSC decided to suspend HIPAA-related fines and penalties for a time.
However, the change may or may not be permanent, so extra precautions involving PHI handling in the work-from-home, telehealth-centric era must be taken to ensure compliance over the long haul. You’ll want to tightly define and control device ownership so that it’s crystal clear who is handling what types of PHI.
The HHS has also recently released guidelines for how healthcare organizations need to treat vaccination status as PHI in 2023 and beyond. The current announcement sets forth very specific guidelines as to how, where, and to whom a patient’s vaccination PHI status can be disclosed. Your HIPAA compliance team should carefully review these standards, build the right processes into your compliance plan, and ensure staff only discloses vaccination status in a HIPAA-compliant fashion.
7. Document everything
One of the best things you can do is to document as much as possible related to your HIPAA compliance efforts. You may even want to implement custom-build HIPAA compliance software to track things like security measures taken, PHI sharing with other entities and potential breach activity.
8. Report data breaches
If someone’s PHI is compromised, HIPAA sets forth rules for notifying affected individuals. These procedures are set for by the HIPAA Breach Notification Rule. Your cybersecurity policy should have procedures in place for notifying the right parties — including regulators or law enforcement — in sufficient time.
Three security tips for HIPAA compliance
Implementing the right security processes and measures is the backbone of year-round HIPAA compliance. Here are four tips to help bolster your PHI security.
Strong login measures: Ensure that only authorized users have access to PHI by implementing strong standards for ID and password complexity. Make sure that users change their default passwords immediately as well as have systems in place requiring that they change passwords on a regular basis.
Regular activity logging: Making sure that your IT staff and systems log everything will help comply with HIPAA in that you’ll be always tracking and documenting PHI happenings. Have the right logging and data monitoring technology in place so that you have records of where PHI is, who’s viewed it, and if a breach has occurred.
Take a multi-layer approach: User IDs and logins are just one layer of potential HIPAA breaches. You’ll also want to examine the security measures taken at various other layers, including network, systems, software, and firewalls. Don’t simply utilize default configurations, for instance, which can be more prone to breaches.
HIPAA key resources
Here’s a list of resources to monitor regularly to say ahead of the game in your HIPAA compliance effort in 2023:
- HIPAA Compliance Journal
- Health IT Security
- Calculated HIPAA
- American Medical Association
- Center for Disease Control
HIPAA compliance FAQ
Q: How do I start with HIPAA compliance?
A: The first step towards HIPAA compliance is defining who within your organization is primarily responsible for HIPAA compliance. You can then begin assessing your cybersecurity and business process around PHI, preferably alongside an experienced HIPAA compliance partner. A HIPAA compliance audit is also recommended.
Q: Does HIPAA regulate social media usage?
A: Yes and no. The HIPAA Privacy Rule was adopted before the popularization of most social media platforms, so technically there is no verbatim mention of social media. However, the disclosure of PHI on social media without the patient’s consent is clearly forbidden under HIPAA.
Q: What’s the official definition of a Covered Entity (CE)?
A: A covered entity — as defined by HIPAA — is any business entity that must by law comply with HIPAA regulations. This includes healthcare providers, insurance companies, and clearinghouses. Health care providers include doctors, dentists, vision clinics, hospitals and other related health caregiving services.
Q: What types of information are categorized as PHI?
A: Any information in a patient’s medical records or personal data set that can be used to identify an individual. PHI is created, used, or disclosed while providing a health care service. PHI includes but is not limited to electronic or paper records, x-rays, schedules, medical bills, dictated notes, dental casts, and verbal conversations.
Q: Is employee training required under HIPAA?
A: Yes. HIPAA requires that all employees undergo training annually. Cybersecurity training should already be built into your employee onboarding and development processes, but you should work with a compliance partner to ensure your training is adequate. You should also include training modules and materials that address telemedicine and work-from-home.
Q: How do you do a HIPAA compliance checklist?
A: A HIPAA compliance checklist should be completed in tandem with your compliance partner. While the checklist we’ve outlined will surely get you from point A to point B, a compliance partner can tailor the roadmap to your organization and help implement the right measures more quickly and cost-effectively.
Q: How do I know if my documentation is sufficient for a HIPAA audit?
A: Generally, you will need to have detailed logs. Audit logs document what went wrong and who is responsible in the event of a breach. In an audit, whether random or due to an incident, HHS will want to see these logs. Like all HIPAA compliance documentation, logs must be kept for six years.
Q: What’s the difference between a HIPAA desk audit and a physical audit?
A: A HIPAA desk audit is the most basic form of audit and can be completed on a remote basis. Documents are transmitted between you, the auditor, and your compliance partner from your own “desks.” A physical audit is a more comprehensive on-site audit that closely examines both physical and digital PHI security measures.