Your most common questions about the Healthcare Information Portability and Accountability Act, answered.
This post was updated on October 6, 2017.
|By: Jen Stone
QSA, CISSP, MCSIS
What is HIPAA compliance?HIPAA (The Health Information Portability and Accountability Act) is a federal mandate that, among other things, requires organizations to keep patient data secure. Compliance requires a myriad of privacy and security actions outlined in the mandate’s specific rules, such as password policy creation, patient data protection, and employee training.
Who is required to become HIPAA compliant?Any covered entity (CE) or business associate (BA) that stores, processes, transmits, maintains, or touches protected health information (PHI) in any way must be compliant. Examples of covered entities include any healthcare service provider such as a hospital, pharmacy, or physician. Examples of BAs are persons or entities that provide services to a CE that involve the disclosure of PHI, such as a medical records vendor, prosthetic manufacturer, or outside medical consultant.
How do I work towards HIPAA compliance?Compliance will look a little different at every organization, but most entities will complete a risk analysis, create and complete a risk management plan, conduct regular employee training, and implement updated policies and procedures.
Who is responsible for HIPAA?Both the healthcare organization and individual staff members who accesses PHI are responsible. The organization is responsible to put all necessary safeguards in place for HIPAA compliance. Every individual (office manager, doctor, etc.) is held responsible for health information they should, can, or do access. Individuals and companies can independently face criminal charges for mishandling PHI.
SEE ALSO: HIPAA Violations. . . Who is Responsible?
What’s the difference between the HIPAA Security and Privacy rules?The HIPAA Privacy Rule addresses appropriate PHI use and disclosure practices by healthcare organizations. The same rules, regulations and policies that regulate Privacy do not necessarily extend to the Security Rule. The HIPAA Security Rule revolves around safeguarding the systems that house or transmit PHI.
SEE ALSO: HIPAA Privacy Rule 101 Whitepaper
Who enforces HIPAA compliance?The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) is the federal organization responsible for enforcing HIPAA compliance.
What is the Final Omnibus Rule?The Omnibus Rule, enacted in January 2013, is an extension of the HITECH Act that expands patient rights, assigns liability to business associates, and increases penalties for security violations. The deadline to comply with the rule was September 2013.
What happens if I don't become HIPAA compliant?If you are found in violation of HIPAA, both the HHS and state attorney generals can levy fines against you. In fact, the HHS assesses fees of up to $50,000 per day per violation.
If noncompliance leads to a breach, you are required by law to notify the HHS, your patients, and, if more than 500 records are involved, the media. This could severely damage brand equity and publicly embarrass your organization. According to a recent survey, 76% of patients state they will stop dealing with an organization responsible for a privacy breach.
What is a HIPAA violation?Each failure to follow one or more of the HIPAA standards, requirements, or implementation specifications is considered a violation. For example, sharing passwords among nurses, not using an industry-standard firewall, and not encrypting emailed patient data are all separate violations.
What’s the difference between a required and addressable rule?Required rules are quite cut and dried. Either you implement them, or you automatically fail to comply with the Security Rule. Addressable rules are more technical, and allow organizations of varying size the flexibility to implement different security controls that accomplish the requirement’s objective.
SEE ALSO: Required vs. Addressable HIPAA Requirements
What does it mean to have a HIPAA audit?The HHS expects healthcare providers to actively work on their HIPAA compliance and tests them through organizational audits. An entity could be chosen for a HIPAA compliance audit at random, or because of a reported breach by an employee or customer. The best way to prepare for an audit is by having an aggressive and fully functional HIPAA compliance program already in place. You can perform a ‘mock’ audit by enlisting an experienced and knowledgeable third party to follow the HHS audit protocol.
At the end of 2016, the OCR ramped up with phase 2 of their HIPAA Audit Program. If you’re a covered entity or business associate, it’s important to watch for emails from OCR asking for your contact information. After they receive your contact info, the OCR will “transmit a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees; this data will be used with other information to create potential audit subject pools.”
What should I do if I think PHI has been compromised at my organization?Contact the HHS immediately following discovery of the breach, and they’ll tell you what to do next. You can report a breach here. See Breach Notification Rule protocols.
What is a business associate agreement? Do I need one?A business associate agreement (BAA) is a contract required for any business associate that receives patient data from either a covered entity, or from another business associate. Covered entities and business associates are responsible for having proper business associate agreements in place. It’s their job to draft BAAs that meet their own requirements, as well as HIPAA requirements.
What is SecurityMetrics' role in HIPAA compliance?We offer a guided HIPAA Risk Analysis (the first and most important step toward compliance), HIPAA audits, HIPAA policy templates, HIPAA training, and other security services.
More questions about HIPAA?
Jen Stone (MSCIS, CISSP, QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.