In 2017, the U.S. Department of Health and Human Services (HHS) logged 477 healthcare data breaches, affecting over 5.5 million patient records.
Incidents like these are why HHS keeps tightening the rules for organizations that handle protected health information (PHI).
The HHS enforces the rules through the Health Insurance Portability and Accountability Act (HIPAA), which was enacted in 1996. Failure to adhere to the rules can result in substantial fines, civil litigations, and criminal charges.
Keep in mind that these regulations cover health data handling, breach prevention, and breach reporting. They also provide guidelines for notifying patients whenever there's a breach.
Ignorance of the HIPAA regulations is not a defense that the Office for Civil Rights of the Department of Health and Human Services (OCR) will accept; the lowest penalty tier exists precisely for violations the entity did not know about.
So, to help you ensure HIPAA compliance, this post is here to offer the essential checklist.
Keep on reading to learn more.
Understand the HIPAA Rules
Developing an effective compliance program can only be achieved if you understand the rules and their applicability. The rules apply to Covered Entities, including health insurers, health care providers, and health care clearinghouses.
They also apply to all Business Associates that work with these entities. If your business creates, receives, stores, or transmits PHI on behalf of a Covered Entity, you are a Business Associate and the rules apply to you, too. The four essential rules of the act are:
- HIPAA Privacy Rule
- HIPAA Security Rule
- HIPAA Enforcement Rule
- HIPAA Breach Notification Rule
If your company is a Covered Entity, focus primarily on the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule. Software developers who design and build systems for Covered Entities need to pay particular attention to the Technical and Physical Safeguards of the Security Rule.
1. Privacy Rule Checklist
The Privacy Rule defines who may access, use, or disclose PHI and under what conditions. The information can be in oral, paper, or electronic form. The rule ensures that patient data stays protected, especially when an entity shares it with its business associates.
- Develop and implement privacy policies and procedures that adhere to the Privacy Rule
- Train everyone in your entity on your privacy policies and make sure they know the penalties for violations
- Define mitigation measures for handling mistakes made by your employees or associates
- Put data safeguards in place to prevent unauthorized use and disclosure of patient data
- Establish procedures for handling complaints from individuals
- Retain your policies, procedures, and other required documentation for at least six years from the date of creation or the date it was last in effect, whichever is later
This checklist should give you the guidance you need to limit the disclosure of PHI to the minimum necessary. Additionally, avoid policies that bar individuals from exercising their HIPAA rights.
2. Security Rule Checklist
The Security Rule details the standards that Covered Entities must apply to safeguard electronic PHI (ePHI). The rules apply to the systems that process ePHI and to the individuals with access to it.
The Security Rule has three essential parts: administrative safeguards, physical safeguards, and technical safeguards.
Technical safeguards focus on the technology that stores, processes, and protects ePHI. You may use whatever technology you prefer, but it must meet the standards defined by the rule.
These standards are access control, audit controls, integrity, person or entity authentication, and transmission security.
- Assign every user a unique name or number so that activity can be traced to an individual
- Define procedures for obtaining necessary ePHI during an emergency
- Put in place procedures that terminate electronic sessions after a set period of inactivity
- Implement a mechanism to encrypt and decrypt ePHI, at rest and in transit
- Record and examine activity in systems that use or store ePHI, and protect those audit records from alteration
You'll need to work with your IT team and software vendor to ensure the technical safeguards are implemented.
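To make three of the technical safeguards above concrete (unique user identification, automatic logoff after inactivity, and audit controls with integrity protection), here is an added example in Python. It is not code from the original post or from Alpine Security; the key, user IDs, patient IDs, timestamps and the 15-minute idle limit are constructed for illustration. Each audit record is chained to the previous one with an HMAC, so an edited or deleted record breaks verification.

```python
"""Added example (not from the original post): minimal implementations of
three Technical Safeguard controls: unique user identification, automatic
logoff after inactivity, and a tamper-evident audit trail.  Key, user IDs,
patient IDs and timestamps are constructed for illustration."""
import hashlib
import hmac
import json

# Constructed (hypothetical) values for the demonstration.
AUDIT_KEY = b"replace-with-a-key-from-your-secrets-store"
INACTIVITY_LIMIT_SECONDS = 15 * 60   # automatic logoff after 15 minutes idle


class AuditLog:
    """Append-only log of ePHI access events.  Each record carries an HMAC
    over its own fields plus the previous record's HMAC, so editing or
    deleting an earlier record is detected by verify()."""

    def __init__(self, key: bytes):
        self._key = key
        self.records = []

    def _mac(self, body: dict) -> str:
        data = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def append(self, user_id: str, action: str, patient_id: str, ts: float) -> dict:
        prev_mac = self.records[-1]["mac"] if self.records else ""
        body = {"user_id": user_id, "action": action,
                "patient_id": patient_id, "ts": ts, "prev": prev_mac}
        record = dict(body, mac=self._mac(body))
        self.records.append(record)
        return record

    def verify(self) -> bool:
        """True if every record's MAC is valid and the chain is unbroken."""
        prev_mac = ""
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "mac"}
            if body["prev"] != prev_mac:
                return False              # a record was removed or reordered
            if not hmac.compare_digest(self._mac(body), rec["mac"]):
                return False              # a record's contents were altered
            prev_mac = rec["mac"]
        return True


class SessionManager:
    """Tracks sessions by unique user ID and enforces automatic logoff."""

    def __init__(self, limit_seconds: int):
        self.limit = limit_seconds
        self._last_seen = {}

    def touch(self, user_id: str, now: float) -> None:
        """Record user activity at time `now` (seconds since the epoch)."""
        self._last_seen[user_id] = now

    def is_active(self, user_id: str, now: float) -> bool:
        """False, and the session is terminated, once the idle limit is exceeded."""
        last = self._last_seen.get(user_id)
        if last is None or now - last > self.limit:
            self._last_seen.pop(user_id, None)
            return False
        return True


def demo():
    """Walk through a session, then tamper with the log and re-verify."""
    log = AuditLog(AUDIT_KEY)
    sessions = SessionManager(INACTIVITY_LIMIT_SECONDS)
    t0 = 1_700_000_000.0                      # constructed epoch timestamp
    sessions.touch("nurse-0142", t0)
    log.append("nurse-0142", "view", "patient-9001", t0)
    sessions.touch("nurse-0142", t0 + 30)
    log.append("nurse-0142", "update", "patient-9001", t0 + 30)
    still_active = sessions.is_active("nurse-0142", t0 + 20 * 60)  # idle 19.5 min
    intact_before = log.verify()
    log.records[0]["action"] = "delete"       # simulate after-the-fact tampering
    intact_after = log.verify()
    return still_active, intact_before, intact_after


if __name__ == "__main__":
    print(demo())   # (False, True, False)
```

One caveat a reviewer would raise: a hash chain detects edits and deletions in the middle, but not truncation of the tail. To close that gap, periodically copy the latest MAC to a location the application cannot write (a separate log server, a write-once store, or a signed daily digest) and compare it during review.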
Physical Safeguards are the rules that control physical access to ePHI. There are four standards to cover: facility access controls, workstation use, workstation security, and device and media controls.
- Establish procedures for restoring lost data and gaining facility access in an emergency
- Set security strategies for protecting your facility and its equipment from theft, tampering, and unauthorized access
- Define methods for controlling and validating a person's access to your facility and systems, based on their role
- Keep a record of all modifications and repairs to the security-related physical components of your facility, such as locks, doors, and hardware
- Ensure only authorized users have access to your workstations, and restrict what each workstation may be used for
- Establish procedures for the final disposal of ePHI and of the hardware and media on which it is stored
- Define the procedures for removing ePHI from electronic media before the media are reused
- Maintain a record of the movements of hardware and electronic media, and of the person responsible for each
- Create a retrievable, exact copy of ePHI before equipment is moved
Keep in mind that physical safeguards are what stops an attacker from simply walking off with a laptop, a backup drive, or a server that holds patient data. Work with your security team to implement the necessary measures.
Under the Administrative Safeguards, you'll find the rules that govern your workforce and tie your organization's policies to the technical and physical controls. These rules are where the Security Rule and the Privacy Rule come together.
According to these safeguards, you must designate a security officer (the Privacy Rule separately requires a privacy officer), establish workforce training, complete periodic risk assessments (annually is common practice), review your procedures, and execute all required agreements, including Business Associate Agreements.
They cover several standards, such as the security management process, assigned security responsibility, workforce security, information access management, security awareness and training, security incident procedures, contingency planning, evaluation, and Business Associate contracts.
Here are things you need to do to meet all the standards:
- Perform a risk analysis of how PHI is used and stored to identify where HIPAA violations could occur
- Establish measures to reduce the identified risks to a reasonable and appropriate level
- Define sanction policies for employees who fail to comply
- Regularly review your system logs and activity records to monitor how employees use ePHI
- Designate your Security and Privacy officers
- Implement procedures for authorizing and supervising employees who have access to PHI, and for removing that access when they leave or change roles
- Ensure PHI is not accessible to unauthorized subcontractors or partner organizations
- Monitor employee and associate logins to your systems and follow up on discrepancies
- Create procedures for detecting, guarding against, and reporting malicious software
- Identify, document, and report all security incidents, and record their outcomes
- Keep backups of your PHI and define the processes for restoring it
- Conduct periodic evaluations to account for changes in your business, your systems, and the law
- Have procedures for protecting your business and PHI in case of a breach
- Maintain a contingency plan so that critical processes keep functioning during an emergency
Training your workforce does not transfer liability away from your organization: a Covered Entity remains responsible for the actions of its workforce, and OCR will look at whether you trained and sanctioned staff appropriately. Documented training and an enforced sanction policy are how you show that. Individual employees are not off the hook either; a person who knowingly obtains or discloses PHI in violation of HIPAA can face criminal charges of their own.
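The log-review and login-monitoring items in the list above are usually the first thing an auditor asks to see evidence of. As an added example, not part of the original post or Alpine Security's tooling, here is a small Python review script for a hypothetical ePHI system's login log. The log format, the user names, the source addresses, the authorization roster, the 07:00-19:00 working-hours window and the five-failures-in-ten-minutes threshold are all constructed for illustration. It flags logins by users who are not on the authorization roster, successful logins outside working hours, and bursts of failed logins.

```python
"""Added example (not from the original post): a log-review script of the
kind the Administrative Safeguards call for.  It parses login records for an
ePHI system, checks each user against an authorization roster, and flags
after-hours logins and bursts of failed logins.  The log format, users,
addresses, roster and thresholds are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$")

# Constructed sample log lines (hypothetical system, users and addresses).
SAMPLE_LOG = """\
2024-03-04T08:02:11Z user=nurse.lee src=10.20.1.14 result=OK
2024-03-04T08:15:40Z user=dr.patel src=10.20.1.22 result=OK
2024-03-04T12:01:03Z user=billing.vendor src=198.51.100.7 result=OK
2024-03-04T22:41:09Z user=dr.patel src=10.20.1.22 result=OK
2024-03-05T03:10:01Z user=admin src=203.0.113.9 result=FAIL
2024-03-05T03:10:07Z user=admin src=203.0.113.9 result=FAIL
2024-03-05T03:10:14Z user=admin src=203.0.113.9 result=FAIL
2024-03-05T03:10:20Z user=admin src=203.0.113.9 result=FAIL
2024-03-05T03:10:27Z user=admin src=203.0.113.9 result=FAIL
2024-03-05T09:00:00Z user=nurse.lee src=10.20.1.14 result=OK
"""

AUTHORIZED_USERS = {"nurse.lee", "dr.patel", "admin"}  # constructed roster
WORK_HOURS = range(7, 19)          # 07:00-18:59 UTC counts as business hours
FAIL_THRESHOLD = 5                 # failures ...
FAIL_WINDOW = timedelta(minutes=10)  # ... within this window = one burst


def parse(log_text):
    """Turn raw log lines into event dicts; malformed lines are skipped here,
    but in production they should be counted and reported, not dropped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "user": m["user"],
                       "src": m["src"], "result": m["result"]})
    return events


def review(events):
    """Return (finding_type, user, timestamp) tuples in log order."""
    findings = []
    recent_failures = defaultdict(list)   # user -> timestamps inside the window
    for e in events:
        if e["user"] not in AUTHORIZED_USERS:
            findings.append(("unauthorized_user", e["user"], e["ts"]))
        if e["result"] == "OK" and e["ts"].hour not in WORK_HOURS:
            findings.append(("after_hours_login", e["user"], e["ts"]))
        if e["result"] == "FAIL":
            window = recent_failures[e["user"]] + [e["ts"]]
            # keep only failures that fall inside the sliding window
            window = [t for t in window if e["ts"] - t <= FAIL_WINDOW]
            if len(window) >= FAIL_THRESHOLD:
                findings.append(("failed_login_burst", e["user"], e["ts"]))
                window = []                # one burst yields one finding
            recent_failures[e["user"]] = window
    return findings


if __name__ == "__main__":
    for kind, user, ts in review(parse(SAMPLE_LOG)):
        print(f"{ts.isoformat()}  {kind:20s}  {user}")
```

Run against the constructed log, the script produces three findings: the vendor account that is not on the roster, the physician's 22:41 login, and the burst of failed `admin` logins from an external address. Each is the kind of discrepancy the sanction policy and incident procedures above exist to handle; the script is only useful if someone is assigned to read its output and the review is itself documented.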
3. HIPAA Enforcement Rule
The Enforcement Rule covers the investigations and procedures that follow a complaint or breach, the potential penalties that Covered Entities and Business Associates face, and the procedures for hearings.
Fines depend on the number of records exposed, the risk posed by the exposure, and the level of negligence involved. Even a violation the entity did not know about, and could not reasonably have known about, attracts a fine of $100 to $50,000 per violation.
HIPAA groups violations into tiers by culpability, and the fines can reach a maximum of $1.5 million per year for each violation category. Willful neglect draws the highest tier, and knowingly obtaining or disclosing PHI in violation of the act can lead to criminal charges, which will cost your organization far more.
Affected individuals can also sue under state law, since HIPAA itself provides no private right of action. To avoid fines, criminal charges, and possible lawsuits, you must:
- Prevent unauthorized use and misuse of patient records
- Put protections in place for patient data
- Allow patients to access their records
- Disclose no more PHI to third parties than the minimum necessary
- Establish technical, physical, and administrative safeguards for ePHI
The penalty structure described here was strengthened by the HITECH Act, enacted in 2009, which also aims to promote the adoption and meaningful use of health information technology.
4. HIPAA Breach Notification Rule
This rule requires Covered Entities to notify affected individuals whenever there is a breach of unsecured PHI. It also requires entities to notify HHS and, if the breach affects more than 500 residents of a state or jurisdiction, to notify prominent media outlets serving that area.
Under the HITECH Act's notification provisions, smaller breaches, those affecting fewer than 500 individuals, must also be reported to HHS through the OCR breach portal, no later than 60 days after the end of the calendar year in which they were discovered. Larger breaches must be reported to HHS at the same time as the individual notifications. Submit each report after you have completed your initial investigation.
When you assess whether an incident is a reportable breach, and when you document it, you must record:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
- The unauthorized person or organization that used the PHI or to whom it was disclosed
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to the PHI has been mitigated
HHS requires breach notifications to be made without unreasonable delay and in no case later than 60 calendar days after discovery; the 60 days is an outer limit, not a target. When sending notifications, advise patients of the steps they should take to protect themselves from harm.
Also, inform them of what your company is doing to investigate the breach and prevent such breaches in the future.
HIPAA Compliance - The Takeaway
If you're a Covered Entity or Business Associate, adhering to the HIPAA regulations for patient data protection and handling is critical. With attacks on healthcare organizations increasing, the last thing you want is to face penalties and lawsuits on top of a breach.
Design a HIPAA risk assessment that suits your business size and type. The assessment should cover the kind of ePHI you handle, the threats you face, the measures in place to counter them, and how you document all of this. Such an evaluation is a recurring task, not a one-off, and it is the foundation of continuous HIPAA compliance.
At Alpine Security, we offer cybersecurity training and services to help your systems meet the HIPAA requirements. Our HIPAA penetration testing is designed to help you ensure your systems and data are protected from attackers: the test identifies vulnerabilities so that fixes can be implemented before someone else finds them.
Do you want to talk to us about your PHI system security and training? Reach out to us by phone or email when you're ready.