Blog

January 1, 2021

HIPAA Compliance Requirements Explained

Security & Compliance,

Data Management

As technology permeates every facet of our lives, industries across all sectors have adopted methods to make business faster and more efficient. One industry that has seen exponential growth thanks to modern advancements is the healthcare sector. 

Hospitals, doctors, clinics, and pharmacies, among others, have been able to speed up their jobs by going paperless. Payment systems, questionnaires, and a host of other administrative and clinically based systems have been migrated to electronic devices, allowing healthcare professionals to see more patients and maintain easily accessible records. 

However, before the Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) instituted the Health Insurance Portability and Accountability Act (HIPAA), there wasn't a universally accepted set of privacy and security standards to safeguard patient information. 

Today, we'll take a detailed look at the various aspects of HIPAA compliance and which companies are affected by this regulation.

HIPAA Compliance Explained 

HIPAA is an initiative that created standards and protocols governing the handling and storage of sensitive patient data. Organizations that manage protected health information (PHI) must abide by a stringent set of rules and security measures to ensure they remain HIPPA compliant and avoid penalties. 

Those subjected to the mandates of HIPAA compliance requirements are typically referred to as covered entities or business associates. Covered entities are those in the healthcare profession that provides treatment, accept payments, or perform clinical operations within the industry. Business associates are ancillary organizations with access to PHI or offer support in delivering treatment, payment, or operations. If a private company, subcontractors, or public institutions manages PHI, they will need to meet HIPAA compliance standards.

The rules established under HIPAA are made so under the HHS, and the regulations are enforced by the OCR. 

hipaa-definition-penalty

 

HIPAA Privacy Rule 

The Health Insurance Portability and Accountability Act of 1996 was enacted to make it easier for people to keep health insurance and to provide a minimum standard for the safeguarding of sensitive patient data, as well as combating exploitable aspects in health insurance and healthcare delivery. Over the past two decades, HIPAA compliance requirements have undergone a series of updates, with the most notable being written on April 14, 2003, as it set a precedent for what constitutes Protected Health Information (PHI).

According to the amendment, PHI is any data that is maintained by a company or healthcare center which can be used to identify an individual, as well as signifying their current health status, payment history, or provisions of healthcare. PHI includes demographic information such as:

  • Names
  • Addresses
  • Phone numbers
  • Social Security numbers
  • Medical records
  • Financial information
  • Full facial photos

This HIPAA compliance definition was instituted in an attempt to provide autonomy over personal information to the linked individual. In this regard, healthcare providers and companies that hold PHI are required to seek permission from the patient before using the prescribed data for marketing, fundraising, or research.

With this added autonomy level, patients could also choose to withhold their private data concerning their healthcare provisions from health insurance providers if their treatment is conducted using private funds.

The HIPAA Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, created a federal standard governing the protection of certain health information. It's important to note that the Privacy Rule only applies to covered entities (specifically health plans, health care clearinghouses, and health care providers), not business associates. 

These covered entities are tasked with integrating the Privacy Rule standards into their operations to protect PHI from misuse or abuse. If a company fails to reach HIPAA compliance, it can be subjected to the imposition of civil or criminal penalties.

As it stands, the HHS understands the necessity of healthcare communication so a patient can receive prompt and comprehensive treatment, even if it comes at the risk of exposing PHI. As there are a multitude of environments that healthcare treatment and processing can occur, the chance that some information will slip through the cracks. To this end, the HHS's HIPAA compliance requirements doesn't necessitate the need for all risks of an incidental use or accidental disclosure to be entirely eliminated.   

General Provision

The Privacy Rule is deemed satisfied with HIPAA compliance if reasonable safeguards and minimum necessary policies and procedures have been implemented into a covered entity's operations. 

Reasonable Safeguards

A covered entity must incorporate an appropriate level of administrative, technical, and physical safeguards for patient PHI to fulfill the requirements under Reasonable Safeguards. While it would be unreasonable to expect a one hundred percent secure environment, these safeguards should limit the scope of incidental uses or disclosures.

Reasonable safeguards will differ between the various types of covered entities that are accountable for HIPAA compliance. In this regard, each individual covered entity will need to evaluate its own circumstances, assets, and held PHI to determine which minimum safeguards are necessary to protect patient data without overburdening the financial and administrative capabilities of the organization. 

Key factors that should be maintained in a covered entities documentation to ensure reasonable safeguards include:

  • Speaking quietly when discussing a patient's condition with family members in a waiting room or other public area
  • Avoid identifiable markers such as patients names in public areas
  • Securing areas that provide access to PHI
  • Encrypting devices that have access to PHI

Minimum Necessary

Covered entities are required to institute policies and procedures regarding the use of private health information so that only the minimum necessary is disclosed. The policies outlined should also reasonably limit who has access to the PHI within the entity as well as the conditions required for them to request it.  

 

The 2024 State of Data Compliance and Security Report

66% of organizations we surveyed are using static data masking to protect non-production data. Discover insights from 250 global leaders around sensitive data, compliance, masking, AI, and more.

Get the Data Compliance Report

 

HIPAA Security Rule

Following the PHI definition, the HHS enacted HIPPA compliance regarding security protocols on April 21, 2005. While the Privacy Rule created a regulation surrounding PHI and who can access it, the Security Rule standardized the measures around who has access to the data in electronic form.

As providers and companies sought to ease the burden of administrative and clinical tasks through applications such as computerized physician order entry (CPOE) systems and electronic health records (EHR), the need for newer security protocols became an issue. These systems and others like them give healthcare providers quick access to patient information without being at a centralized terminal. However, it does create security risks. To balance the potential risk associated with the ease of mobility, the federal government mandated that the medical workforce maintain a baseline known as HIPAA Security Rule.

The new Security Rule was drafted to govern HIPAA secure data stored in electronic form (ePHI) and goes into further detail than that of the Privacy Rule. 

The Security Rule mandated that organizations needed to maintain three security safeguards - administrative, physical and technical - to be considered HIPAA compliant: 

Administrative

The Security Rule places the most stringent regulations around the administrative aspects of HIPAA compliance. These administrative safeguards comprise more than fifty percent of the HIPAA compliance requirements. According to the ruleset regarding electronic transmission of PHI, administrative actions, policies, and procedures need to establish security measures involving:

  • Selection management
  • Implementation
  • Security Maintenance
  • Conduct Management 

The Administrative Safeguards standards will need to be thoroughly investigated in their current state so that an evaluation of the security controls can be accurately accounted for regarding risks that are unique to the covered entity to ensure HIPAA compliance.

Physical Safeguards

The second component of the Security Rule revolves around the physical safeguards necessary to protect ePHI. As with the other two components, adhering to the Physical Safeguards standards in the Security Rule is necessary for ensuring HIPAA compliance. It will require a thorough analysis of the current security posture, potential exploits, and documentation regarding any necessary solutions for the aspects unique to a particular covered entity. 

Physical safeguards refer to policies and procedures as well as physical obstacles that protect a covered entity's ePHI. 

Facility Access Controls

The Physical Safeguards' first standard is Facility Access Control. Under this standard, policies, and procedures need to be created and implemented to ensure only authorized individuals are physically capable of accessing electronic data within the covered entity's premises. 

The policies should also include procedures toward identifying specific workforce members (or business associates) by title or job function. 

Finally, the standard dictates that a covered entity should have established protocols governing who has and under what circumstances they can physically access areas that hold ePHI. 

Technical

As technology continues its exponential advancements, creating specific policies and procedures is becoming increasingly more difficult. To address this growing issue, the Security Rule has designed its third section to be as technology-neutral as possible. 

With each new advancement, the ease of access and portability that healthcare works can use ePHI grows, but not without increasing risk. To ensure ePHI is as protected as it can reasonably be, HIPAA compliance requires that covered entities implement technical safeguards. 

While the Security Rule sets a standard for technical safeguards, it is designed to be flexible and scalable as technology improvements are made. To this end, the Security Rule doesn't dictate the type of technology that needs to be safeguarded, as it may be rendered obsolete in the near future. Instead, the policies and procedures surrounding technology safeguards must adhere to core principles. 

It is also understood that the size and scope of covered entities can vary drastically. Therefore reasonable judgment should be used when determining the level of measures reasonable for any specific organization. 

HIPAA Compliance IT Requirements

The HIPAA compliance IT requirements aim to ensure that the mandates issued through the Security Rules are upheld. 

The HIPAA compliance regulations were updated in 2009 under the economic stimulus package, the American Recovery and Reinvestment Act (ARRA). Signed in by President Obama to quell the pressure of the Great Recession, the ARRA was also packaged with the Health Information Technology for Economic and Clinical Health Act (HITECH). The laws prescribed in the act made direct reference to evolving technology as well as the business associates that covered entities contracted. Under HITECH, these organizations would now be liable for adhering to federal provisions.

In addition, covered entities were urged to adopt electronic health records (EHR) systems while increasing privacy and security protection through HIPAA information technology compliance. EHRs were readily adopted by healthcare providers due to the monetary incentive granted by the federal government, while those found not to be HIPAA compliant were punished with increased fines and penalties. 

Before HITECH was written into law, only a tenth of all hospitals in America were using EHR systems. This reliance on paper records made delivering the appropriate treatment and coordination between separate covered entities a cumbersome affair. While switching over to an electronic system seems like an obvious choice, the costs to integrate an entirely new infrastructure was prohibitively expensive.

The Meaningful Use Program

To facilitate healthcare providers of varying sizes to adopt EHR technology, the HHS was given a budget of over $25 billion to create an incentive program. With this budget, they were able to develop and launch the Meaningful Use program. If covered entities incorporated a certified EHR into their operations, they would receive monetary inducements. 

Certified EHRs are deemed worthy of the incentive program if they could demonstrate they met the prescribed standards issued by an authorized testing and certification body.

However, even if healthcare providers adopted a certified EHR, they had to show they were using the system in a meaningful way. An organization would need to show that they were improving its:

  • Efficiency, safety, and quality of treatment
  • Patient, family, and caregiver engagement in their healthcare
  • Healthcare coordination
  • Work toward public health
  • Protection over PHI 

The financial inducements for voluntarily joining the Meaningful Use program are substantial. However, while over the years, the inducements increased, so did the penalties and the need to join the program. 

To remain HIPAA compliant, avoid fines, and receive the incentive, healthcare providers need to go through the three stages of the Meaningful Use program.

Stage 1

The first stage is composed of 15 core requirements and 10 menu requirements and deals with the sharing of data through an EHR. If a covered entity wants to recoup 100% of the incentive, they will need to meet each of the 15 core requirements and a minimum of five of the menu requirements within 90 days of beginning the program. 

Stage 2

Stage 2 builds upon the first, requiring covered entities to maintain the standards of the first stage. The primary concern of Stage 2 is on the exchange of PHI, such as immunizations and care coordination of patients. Healthcare providers in this stage will have to demonstrate that they satisfy 17 core objectives and a minimum of three of the six menu objectives.

Stage 3

The final stage of the program is centered around improving the outcome of patient treatment. As with stage two, the standards of the previous stages need to be continually fulfilled in order to obtain the financial incentive and avoid penalization. 

With Stage 3, healthcare providers will need to meet eight requirements:

  1. Protected Health Information (PHI) — Parallel to HIPAA compliance, clinicians will need to perform security risk analysis on the EHR systems.
  2. Electronic Prescribing — Physicians will need to transmit 80% of their prescriptions electronically.
  3. Clinical Decision Support (CDS) — Adhere to the five CDS interventions while also performing active checks on drug interactions.
  4. Computerized Provider Order Entry — Eligible providers will need to meet the standards attributed to medication, lab, and diagnostic imaging orders.
  5. Patient Engagement — Physicians will need to maintain at least 80% of the patient's records on an EHR. This condition is supplemented with the need to provide educational information to at least 35% of their patients.
  6. Coordination of Care — A covered entity must induce their patients to use electronic systems. To fulfill this criterion, a healthcare provider needs to have:
    1. A quarter of their patients use their EHR
    2. 15% of their patient provide data through a fitness tracker
    3. 35% of  their patients obtain secure digital information from a healthcare provider
  7. Health Information Exchange — Eligible providers need to have:
    1. A minimum of 50% of care record-transition done electronically
    2. A minimum of 40% of new patients' PHI recorded electronically
  8. Public Health Data Reporting — Providers need to submit EHR information to three out of five of these destinations:
    1. Public health registry
    2. Clinical data registry
    3. Syndromic surveillance
    4. Cases
    5. Immunization registry

While the Meaningful Use program was constructed under the HITECH Act, it is one of the avenues towards fulfilling HIPAA IT requirements. Complying with the standards under this program shows that a covered entity has instituted safeguards over its held ePHI. 

Cost of Integrating HIPAA Compliance with IT Systems

Covered entities will need to invest heavily in servers or similar platforms to meet HIPAA information technology compliance standards. For medium to large-scale HIPAA-regulated organizations, the costs can exceed $50,000, not including the cost of training and manpower for migrating systems. Smaller firms may be able to switch over to HIPAA compliant systems for a fifth of the associated costs. 

Electronic Data Interchange (EDI) Standards

As HITECH places a strong emphasis on interoperability, the transmission of ePHI has been a key point for regulators. As such, regulators have mandated the transmission of ePHI needs to conform to electronic data interchange (EDI) standards. 

Under this standard, HITECH has dictated the means of:

  • Format of the data transfer
  • Coordination of benefits
  • Referrals and authorizations
  • Eligibility verifications and responses
  • Claims status and remittance advice
  • Health care claims

These rules were implemented to unify the means of ePHI transmission into a standard practice. 

HIPAA Violation Risk Assessment and Management

A key factor under the HIPAA IT requirements is the need for enhanced security standards. Covered entities and business associates will need to adopt systems and protocols for preventing data breaches and create policies for identifying and remediating attacks.

Any system within an organization that comes in contact with ePHI, whether it has transmitted, received, placed in storage, or altered the data in any way, must maintain a reasonable level of security protection. 

HIPAA Compliance Requirements Checklist for IT

While there are specific regulations that need to be followed by an IT department to remain HIPAA compliant, there are several steps it can take to ensure the company's ePHI is secured.

  • Integrate a secure messaging solution for devices that transmit ePHI within a covered entities workforce
  • Encrypt every outgoing email that contains ePHI
  • Educate staff against social engineering attacks
  • Create physical safeguards around on-site servers

There are claims that medical records are more valuable than credit card details on the dark web, and taking basic safety precautions can significantly reduce a company's likelihood of being compromised. 

How to Become HIPAA Compliant 

While many solution providers may be developing the latest and greatest technological feat, they still need to ensure they deliver a product that can undergo the scrutiny of HIPAA compliance regulators. 

There are publicly provided HIPAA compliance checklists offered by the HHS. However, unless the company is well-versed in the nuances of the regulations, the process can be convoluted and challenging to execute correctly while at the same time avoiding any of the hefty fines. 

Vendors need to validate and ensure that they've satisfied an appropriate level of policies, procedures, and safeguards when it comes to transmitting ePHI. A system with an easily detectable exploit that leaks unauthorized disclosure of ePHI can expect swift and harsh penalties. Additionally, until a solution provider has met HIPAA's prerequisites, its products can be used by HIPAA-regulated covered entities.  

Companies that hope to become a HIPAA compliant business associate will certainly need to rely on a HIPAA compliance checklist to ensure their business has instituted the reasonable levels of administrative, physical, and technical safeguards described above in the Security Rule section. Failing to do so can have financially crippling ramifications. It also poses the possibility of criminal charges being brought forth by the Office for Civil Rights (OCR). 

HIPAA Compliance Requirements

The regulations outlined under the HIPAA created a standardized formula that impacts every covered entity and business associate. 

Aspects that need to be addressed to fall within HIPAA compliance include:

Self-Audits

Under the articles of the HIPAA, both covered entities and business associates must undergo a yearly audit of their PHI policies and infrastructure to assess if they are in compliance with HIPAA Privacy and Security standards in terms of their Administrative, Physical, and Technical protocols. 

Remediation Plans

After detecting and gaps found from its self-audit analysis, covered entities must undertake remediation actions to correct the violations. The remediation plans must be documented and accompanied by milestone dates that indicate when violations will be reversed. 

Policies and Procedures

One of the most common aspects throughout the HIPAA ruleset is for covered entities and HIPAA-regulated business associates to create policies and procedures in line with HIPAA regulatory standards.

These policies and procedures must be updated regularly to account for newly implemented technology and changes within the organization. Both new staff and long-standing workforce members must be annually updated on the guidelines within the company's policy and procedures. The training must be documented, indicating that the staff has been trained and understood the material. 

Documentation

To remain HIPAA compliant, covered entities and business associates must document any and all measures taken to achieve compliance. If an organization undergoes the scrutiny of an OCR audit, this documentation will need to be presented. 

Business Associate Management

HIPAA-beholden organizations must maintain documentation regarding any Business Associate Agreements made with vendors who may come in contact with privileged PHI. These agreements must be reviewed annually to ensure they are aligned with the current environment that the organization is operating within. 

Incident Management

In the event that a covered entity or business associate has identified they've experienced a leak of PHI, there must be a documented established protocol on how to remediate the issue. According to the HIPAA Breach Notification Rule, the patients who may have had their personal data exposed must also be notified. 

How to Create a HIPAA Compliance Program

To create a HIPAA compliance program, every covered entity and business associate needs to compose a minimum of the following seven elements. 

1. Implementing written policies, procedures, and standards of conduct.

The first element is to create written standards that apply to every member of the organization's workforce. These policies should incorporate the entirety of the entity's compliance program, code of ethics, training, remediation plans, and disaster recovery plan. 

2. Establishing a HIPAA compliance officer and compliance committee.

Covered entities and business associates will need to place an individual in a compliance officer's role, who will lead the committee. 

3. Performing effective training and education.

Designed to maintain a strict level of competency concerning the safeguarding of PHI, companies will need to regularly perform HIPAA compliance training. 

4. Developing open lines of communication.

Companies and organizations need to establish an environment where HIPAA compliance violations can be brought to the compliance officer's attention without fear of reprisal. 

5. Conducting internal monitoring and auditing.

For any program to remain effective, it will need to undergo regular analysis to ensure it's meeting the necessary standards it's designed to achieve. 

6. Enforcing policy through well-publicized disciplinary guidelines.

Covered entities and business associates must create and distribute the information concerning how violations within the organizations will be handled. 

7. Responding promptly to detected offenses and performing remediating action.

The plan isn't complete until it sets a standard for how violations will be detected, verified, and remedied. 

If a covered entity or business associate experiences an OCR investigation due to a HIPAA violation, the auditor will measure the organization's established policies against these aforementioned elements. 

HIPAA Compliance Violations 

A healthcare provider may be in HIPAA violation if the integrity of their PHI or ePHI becomes compromised due to the intrusion of a data breach. While not every breach is considered a HIPAA violation, it is if it's the result of an inadequate, deficient, or obsolete HIPAA compliance program. It can also be deemed a violation if the data is leaked through the willful disregard of the established HIPAA policies and procedures. 

The HIPAA Breach Notification Rule

The differences between a data breach and HIPAA violation are outlined in the HIPAA Breach Notification Rule. The rule details the actions necessary should covered entities or business associates experience a data breach.

Minor Breach

According to the HIPAA Breach Notification Rule, a minor breach entails an event that affects fewer than 500 individuals within the parameters of a single jurisdiction. 

Under this rule, organizations must document each breach that spans the length of a year and must report them to HHS' OCR within 60 days from the last day of the calendar year that they took place. Organizations are also required to notify individuals impacted by the breach within 60 days of detecting the intrusion.

Meaningful Breach

As described by the HIPAA Breach Notification Rule, a meaningful breach is an exploited situation that affects more than 500 individuals within the parameters of a single jurisdiction. Unlike a minor breach, in which the organization only has to report all events once a year, a meaningful breach must be reported within 60 days of detection. Affected individuals, along with local law enforcement and news outlets, must also be notified immediately upon discovery of the breach.

To encourage strict adherence to HIPAA compliance, the HHS maintains a permanent ledger known as the “Wall of Shame” that lists every meaningful breach which has occurred. 

Common HIPAA Violations

Common violations include:

  • Stolen devices with access to ePHI
  • Stolen drives with ePHI stored on them
  • Hacking, malware, and ransomware attack
  • Business associate breach
  • EHR breach
  • Physical on-site break-ins
  • Negligence in transmitting PHI
  • Openly discussing PHI in public areas

The fines and penalties for violating HIPAA standards can range from a few hundred dollars to tens of thousands of dollars, reaching as high as $1.5 million per calendar year for violations. Financial penalties aren't the only punishments that can be imposed. If the level of negligence or willful malice permits, jail time can also be levied. 

HIPAA Compliance Checklist for the Organization

To help you begin the road to HIPAA compliance, here is a HIPAA compliance checklist to ensure you have the necessary safeguards established. 

Administrative

  • Perform an ongoing risk assessment to detect any potential gaps.
  • Conduct risk management to ensure reasonable PHI security is in place.
  • Train staff in ePHI access protocols and how to mitigate chances of social engineering to reduce chances of cyber-intrusion.
  • Design contingency plans to ensure continued business operations.
  • Perform regular testing on contingency plans.
  • Create and sign business associate agreements with any vendor or business associate who may have contact with ePHI.
  • Record every security breach, successful or otherwise. 

Physical

  • Monitor and control access to areas that hold PHI or ePHI.
  • Establish a written policy concerning workstation habits to inhibit accidental PHI disclosure.
  • Create policies governing the exchange and transfer of mobile devices, which may at one time contained ePHI.

Technical

  • Mask (anoymize) individually identifiable health information
  • Encrypt all transmitted ePHI to meet NIST cryptographic standards
  • Issue PIN codes, keycards, and / or passwords to authorized personnel with access to ePHI.
  • Regularly authenticate ePHI to protect its integrity.
  • Encrypt any device that can access ePHI.
  • Monitor the logs of ePHI access attempts.
  • Create auto-logoff systems to ensure workstations are secured once authorized personnel leaves the area. 

HIPAA Privacy Rule

  • Respond within 30 days to patient access requests.
  • Inform patients and subscribers of data sharing policies through a Notice of Privacy Practices (NPP) form.
  • Receive permission from patients to use their PHI for marketing, research, or fundraising.
  • Conduct privacy training with the workforce to ensure understanding of the Privacy Rule.
  • Ensure your documentation accounts for the changes in the treatment of school immunizations, ePHI restriction in disclosure to health plans, and the right of patients to their electronic records.

HIPAA Breach Notification Rule

  • Understand the differences between a minor breach and a meaningful breach and the required measures once one is identified.
  • Ensure that a breach is notated with:
    • A description of the ePHI
    • Who gained unauthorized access
    • The degree that the data's integrity was misused or corrupted
    • How well the safeguards mitigated any damages

HIPAA Final Omnibus Rule

  • Update Business Associate Agreements to indicate the amendments of the Omnibus Rule.
  • Retrieve newly signed copies of BAAs that incorporate the Omnibus information.
  • Update privacy policies to include the Omnibus changes.
  • Update NPPs to address the changes to authorizations and the right to privacy.

This checklist does not cover the entirety of the Health Insurance Portability and Accountability Act. It's also important to note if you transfer over to a new cloud-based system, there are several additional steps required to stay compliant. 

Perforce Delphix Can Help Your Organization Become HIPAA Compliant

As part of your overall HIPAA compliance checklist, adding the right data masking solution goes a long way to securing protected health information. Delphix Continuous Compliance enables your IT teams to implement security measures that automatically identify protected health information (PHI) and securely mask the data, so that the data meet the HIPAA definition of “Health information that does not identify an individual.”

un-maskied-vs-masked-data-example-for-data-masking