The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a set of regulations that govern the proper use and sharing of protected health information (PHI). The Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR) regulate and enforce HIPAA compliance. HIPAA updated the flow of healthcare information, outlined how personal information kept by healthcare and health insurance businesses must be secured against fraud and theft, and addressed certain restrictions on health insurance coverage. The HIPAA compliance regulations apply to anyone in the healthcare industry who provides treatment, processes payments, or performs healthcare operations. Anyone with access to patient information who assists with treatment, payment, or operations must also comply with HIPAA. Other entities, such as subcontractors and other business connections, are also covered by HIPAA.
Those subject to HIPAA compliance rules are referred to as either Covered Entities or Business Associates. Entities that offer treatment, take payments, or conduct clinical operations within the healthcare industry are Covered Entities. Business Associates are organizations that have access to PHI and provide assistance with treatment, payment, or operations. Under the HIPAA rules, any private company, its subcontractors, or any public institution that manages PHI must follow those rules.
HIPAA Compliance Rules
HIPAA regulation comprises a variety of HIPAA rules. Since its enactment in 1996, HIPAA has been in effect for more than two decades, during which the individual HIPAA Rules have been passed. The Health Insurance Portability and Accountability Act (HIPAA) establishes four rules for safeguarding patient health information.
The HIPAA Privacy Rule establishes national guidelines for patients’ rights to their PHI. The HIPAA Privacy Rule applies exclusively to Covered Entities and not to Business Associates. The HIPAA Privacy Rule outlines numerous requirements, such as patients’ rights to access PHI, health care providers’ rights to reject access to PHI, the contents of use and disclosure HIPAA release forms and Notices of Privacy Practices, and more. The regulatory standards must be established in the HIPAA Policies and Procedures of the organization.
The patient privacy rule regulates the extent to which medical records may be disseminated without the patient’s explicit consent. Under the HIPAA privacy rule, patients and their next of kin (representatives) may access their medical records. Requests for access and disclosure must be answered within 30 days of being sent to Covered Entities.
According to the amendment, PHI is defined as any information stored by a firm or healthcare facility that can be used to identify an individual and convey information about their current health status, payment history, or healthcare services. PHI comprises demographic data such as:
- Telephone number
- Social Security numbers
- Medical records
- Financial information
- Full facial photographs
This term was established in an effort to give the individuals concerned control over their personal information. In this regard, healthcare professionals and organizations holding protected health information are obligated to obtain the patient's permission before using the information for marketing, fundraising, or research.
The HIPAA Security Rule establishes national requirements for the safe maintenance, transport, and handling of electronic protected health information (ePHI). Because ePHI may be shared, the HIPAA Security Rule applies to both Covered Entities and Business Associates. The Security Rule specifies criteria for the integrity and protection of electronic protected health information (ePHI), including physical, administrative, and technical precautions that every health care organization must implement. In an organization’s HIPAA Policies and Procedures, the specifics of the rule must be documented.
As mentioned, the Security Rule consists of three categories of safeguards.
- Administrative: This covers policies and procedures affecting ePHI and the technologies, system architecture, risk management, and maintenance associated with all other security measures. Human Resources and employee training are also included.
- Physical: Physical safeguards keep unauthorized people from getting to equipment such as computers, routers, switches, and data storage locations. Covered Entities must maintain secure facilities where only authorized personnel may access data.
- Technical: Cybersecurity measures covering computer systems, mobile devices, encryption, network security, device security, and anything pertaining to the technologies used to store and transmit ePHI.
The Covered Entity must adhere to the confidentiality, integrity, and availability regulations in the health care industry.
Breach Notification Rule
In the event of a data breach involving PHI or ePHI, Covered Entities and Business Associates must comply with the HIPAA Breach Notification Rule. The Rule specifies varying reporting obligations for breaches based on their extent and size. Organizations are obligated to report all breaches, regardless of magnitude, to the HHS OCR; however, the reporting methods vary depending on the type of breach. No matter how the breach happened, this must be done within 60 days of finding out about it. A strong risk management plan can help with this.
The Breach Notification Rule describes what should be done in the event of a security breach. It is nearly impossible to protect data with 100 percent efficacy, and organizations must have protocols in place to inform the public and victims of a HIPAA breach about what has occurred and what they should do next. Covered Entities must provide victims with formal, written notification of a data breach by mail or email. In the event of a breach affecting more than 500 patients in a particular jurisdiction, the media should also be notified.
The newer Omnibus rule makes the requirements apply to more than just Covered Entities.
Briefly, the Omnibus Rule stipulates that Business Associates and contractors are subject to compliance duties. Consequently, this means that Covered Entities are liable for any potential violations committed by Business Associates and contractors and must adjust their gap analysis, risk assessment, and compliance procedures accordingly. The HIPAA Omnibus Rule requires Business Associates to be HIPAA-compliant and sets the rules for Business Associate Agreements (BAAs). Business Associate Agreements are contracts that must be executed between a Covered Entity and a Business Associate, or between two Business Associates, prior to the transfer or sharing of ANY PHI or ePHI.
HIPAA Compliance Requirements
The HIPAA regulations set up a standard procedure that all Covered Entities and Business Associates must follow.
Aspects that must be addressed for HIPAA compliance include the following:
HIPAA mandates that Covered Entities and Business Associates undertake annual audits to identify Administrative, Technical, and Physical compliance gaps with HIPAA Privacy and Security standards.
After identifying their compliance gaps through self-audits, Covered Entities and Business Associates are required to establish remediation plans to correct compliance infractions. These remediation plans must be clearly documented and contain deadlines for closing the gaps.
Policies and Procedures
Covered Entities and HIPAA-regulated Business Associates are required to develop policies and processes in accordance with HIPAA regulatory standards. This is one of the most common requirements throughout the HIPAA ruleset.
These rules and procedures must be continuously updated to reflect newly installed technologies and organizational changes. Both new employees and those who have been with the company for many years must receive annual training on the company’s policies and procedures. Employee Training must be documented and acknowledged as proof that the employee understands the topic.
To maintain HIPAA compliance, Covered Entities and Business Associates must document all compliance-related actions. This documentation is essential during a HIPAA inquiry with the HHS OCR in order to pass rigorous HIPAA audits.
Business Associate Management
Covered Entities and Business Associates must both document all vendors with whom they exchange PHI and execute Business Associate Agreements to confirm that PHI is handled securely and to reduce liability. Annual reviews of BAAs are required to account for changes in the nature of organizational interactions with vendors. BAAs must be executed prior to the sharing of any PHI.
In compliance with the HIPAA Breach Notification Rule, if a Covered Entity or Business Associate has a data breach, it must establish a mechanism to document the breach and inform patients that their data has been exposed.
Elements of HIPAA Compliance
- Implementing written policies, procedures, and standards of conduct
- Establishing a compliance officer and compliance committee
- Performing effective training and education
- Developing effective lines of communication
- Conducting internal monitoring and auditing
- Enforcing policy through well-publicized disciplinary guidelines
- Responding promptly to detected offenses and performing remediating action
Appsvolt can assist your company and internal IT department in remaining HIPAA compliant. In addition to our years of expertise in HIPAA compliance, we can help your business better serve patients and their data. We've developed several custom healthcare software solutions for our clients, including a cloud-based Dental EHR, a Practice Management Solution, and Health & Fitness Mobile Applications.
With over a decade of experience, we specialize in managing, defining, controlling, and troubleshooting software needs for clients in various technology and industry domains.