Advancements in technology have made it easier for cybercriminals and insider threats to steal, leak, and misuse electronic personal health information (ePHI). If your organization handles ePHI or works with other companies in the healthcare industry, it's vital that you comply with the regulations of the Health Insurance Portability and Accountability Act (HIPAA).
What Is HIPAA?
HIPAA is a security standard designed to protect ePHI. This includes medical history, lab results, bills, medication, and more that are created, used, stored, and maintained by covered entities and business associates.
A covered entity can be:
- A healthcare provider
Healthcare providers include health professionals like doctors, dentists, and psychologists, as well as organizations like nursing homes and pharmacies. However, they can only be considered covered entities if they transmit patient information electronically in accordance with US department of Health and Human Services standards.
- A health plan
This includes health insurance companies, company health plans, health maintenance organizations, and government programs paying for healthcare services such as Medicare, Medicaid, and military and veterans healthcare programs.
- A healthcare clearinghouse
This refers to a third party that processes nonstandard health information into a standard form (i.e. standard, data content or electronic format).
A business associate is an individual or entity that performs tasks that involve the use or disclosure of ePHI on behalf of a covered entity. Examples of business associates include:
- A third-party company assisting with a health plan's claims processing
- An accounting firm whose services require access to ePHI
- A consultant who conducts utilization reviews for hospitals
- A medical transcriptionist
What Are the Repercussions of Violating HIPAA?
Covered entities and business associates who violate HIPAA regulations can face corrective action plans and financial penalties. The financial penalties are tiered and based on the level of culpability.
- Tier 1 – an unintentional or an unavoidable violation that occurs despite an organization taking measures to comply with HIPAA rules. Fines range from $117 to $58,490 per violation.
- Tier 2 – violations that covered entities should have been aware of but couldn't avoid even with an acceptable amount of care, though they didn't act with willful neglect. Fines range from $1,170 to $58,490 per violation.
- Tier 3 – violations resulting from the willful neglect of HIPAA regulations, with corrective action taken to address the violation. Fines range from $11,698 to $58,490 per violation.
- Tier 4 – result from willful neglect of HIPAA regulations without any attempt to correct the violations. Fines range from $58,490 to $1,754,698 per violation.
To prevent such fines, entities that require HIPAA compliance must ensure they have a solid and continually updated HIPAA compliance program.
How Do I Prepare for HIPAA Compliance?
This guide will help you get started toward becoming HIPAA-compliant.
- Take an online HIPAA checkup
This checkup contains questions that will provide covered entities and business associates with insight into their organization's present compliance level based on HIPAA's privacy, security, and breach regulations. Note that this checkup is not the same as a risk assessment.
- Conduct a risk assessment
A risk assessment involves reviewing an organization’s infrastructure and identifying vulnerabilities that can be exploited by cybercriminals. Understanding the weaknesses of your organization's current cybersecurity posture will help you determine what needs to be done to improve your cyber defense strategy.
This policy should clearly state how electronic and non-electronic personally identifiable information is gathered, stored, shared, and maintained. If you're not sure what to document, a good rule of thumb is to cover everything related to ePHI such as medical history, treatment plans, medical insurance information, and more. This policy must be evaluated regularly, and any modifications need to be well documented and communicated to employees.
- Hire a dedicated HIPAA security officer
The HIPAA security officer will be responsible for implementing policies to detect, contain, and prevent breaches of ePHI. Their other responsibilities include:
- Implementing and enforcing HIPAA Security Rule safeguards and other rules issued by the Office for Civil Rights
- Performing risk assessments and assisting in third-party audits
- Addressing any problems related to incident response, disaster recovery, and business continuity
- Investigating and rectifying data breaches, and implementing measures for effective breach containment
Human error and negligence are still a major cause of data breaches, which is why it's vital to regularly train staff on HIPAA cybersecurity protocols. According to the HIPAA Privacy Rule, training is a must for every new employee and every time you update your security policies and procedures to help reduce the risk of data breaches and fines.
- Ensure business associates are secure
The HIPAA Privacy Rule states that business associates must first sign a business associate agreement (BAA) with a covered entity before they are granted access to ePHI. A BAA ensures that a business associate has the proper administrative, physical, and technical safeguards to keep ePHI safe. A violation of this agreement (i.e., unauthorized disclosure of ePHI) can result in civil and criminal penalties for a business associate.
Getting started with HIPAA compliance can be overwhelming, which is why you need to partner with a managed IT services provider like Charles IT. Our IT experts will help make HIPAA compliance easier by assessing your infrastructure for cybersecurity and compliance risks, and recommending plans for improvement. Call us today to learn more about our HIPAA compliance services.
Editors Note: This blog was originally published on March 12th, 2021 and was updated on January 12th, 2023 for accuracy.