Complying with HIPAA regulations is as easy as following four simple steps:
- Determining whether your organization is considered a covered entity
- Implementing controls for the prescriptive HIPAA rules
- Ensuring you have the infrastructure for breach notification
- Streamlining compliance requirements with a unified approach
Step 1: Check if HIPAA Applies to You
The Health Insurance Portability and Accountability Act (HIPAA), governed by the Department of Health and Human Services (HHS), exists to safeguard protected health information (PHI) like patients’ medical and billing records. If your organization processes PHI, HIPAA likely applies.
Although HIPAA's rules are commonly referred to as guidelines for healthcare professionals, they apply much more widely. Covered entities are healthcare providers, health insurance plan administrators, and healthcare clearinghouses. These individuals and institutions come into contact with PHI most frequently, so they are the most directly impacted.
However, HIPAA also applies to select business associates of covered entities.
Through the business associate agreement, HIPAA can apply far outside the confines of the healthcare industry. Any organization that works with covered entities at present—or plans to in the future—needs to account for PHI in their systems. That starts with control implementation.
Step 2: Implement Privacy and Security Protections
The part of the HIPAA regulation that requires the most resources to satisfy is the suite of controls that you’ll need to implement per the prescriptive Privacy Rule and Security Rule.
Your primary responsibilities under the Privacy Rule include:
- De-identifying PHI by removing elements like individuals’ names, addresses, etc.
- Ensuring that PHI is available to the subjects it concerns when they request access
- Accounting for Required Disclosures to the individual or to the HHS upon request
- Restricting all other PHI access except for certain Permitted Uses and Disclosures:
  - Disclosure to an individual who is the subject of the PHI in question
  - Uses for select treatment, payment, and healthcare operations
  - Uses with an opportunity for the subject to agree or object
  - Disclosures incidental to other authorized or permitted uses
  - Uses for public benefit activities and public interest initiatives
  - Disclosures of limited data sets for research and other activities
- Limiting all Permitted (non-Required) PHI access to the minimum necessary
Your primary responsibilities under the Security Rule are:
- Ensuring confidentiality, integrity, and availability of PHI and electronic PHI (ePHI)
- Implementing Administrative Safeguards, including:
  - Security management processes
  - Security personnel (and resources)
  - Information access management
  - Workforce training and management
  - Ongoing evaluation
- Implementing Physical Safeguards, including:
  - Facility access and control
  - Device and workstation security
- Implementing Technical Safeguards, including:
  - Access control
  - Audit controls
  - Integrity controls
  - Transmission security
- Monitoring for, identifying, and addressing threats and vulnerabilities that impact PHI
Taken together, these two rules make up the majority of the implementation burden for HIPAA compliance. Installing the required protections makes breaches and noncompliance less likely.
Step 3: Prepare for Breach Notification Responsibilities
Many of the HIPAA guidelines exist to prevent patients’ identities from being compromised. But the HHS also has protocols in place for when that does happen. Per the Breach Notification Rule, a HIPAA breach is when de-identified PHI is accessed without authorization (see above).
If a breach as defined above happens, notice about its occurrence and impacts needs to be provided to individuals who were impacted (along with guidance on minimizing potential harm).
The individual notice must be provided in writing no later than 60 days after the breach. Individuals may opt in to receive it electronically. If there is no contact information for 10 or more affected people, the covered entity must post the notice on the home page of its website for at least 90 days.
All breaches must also be reported to the Secretary of the HHS. If fewer than 500 people are impacted, this can be done annually, no more than 60 days after the end of the calendar year. For breaches impacting 500 or more individuals, the HHS must be notified within 60 days. In these cases, covered entities must also notify news outlets serving the areas where impacted people live.
Step 4: Optimize Processes for Seamless Compliance
Organizations new to HIPAA policies and procedures may already need to follow other regulatory initiatives and laws. In many cases, frameworks and their requirements overlap, creating costly redundancies during implementation or while assessing for certification.
The HITRUST CSF solves this problem by covering HIPAA guidelines alongside many other widely applicable regulations. For example, organizations subject to National Institute of Standards and Technology (NIST) frameworks or the Payment Card Industry Data Security Standard (PCI DSS) can install controls that satisfy those requirements and HIPAA’s together.
There are several varieties of HITRUST assessment, which confer varying degrees of HITRUST Certification. At intermediate and higher levels, these processes allow organizations to “report once, assess many”—or, in other words, utilize a single audit for all their compliance needs.
Get Started with HIPAA Compliance Today
Whether your organization is new to HIPAA or is seeking to refine systems you’ve had in place for a long time, following the four-step plan above will help streamline your compliance process.
RSI Security has helped countless organizations achieve and maintain HIPAA compliance. We know that the right way is the only way to safeguard PHI and, by extension, protect your own business, its partners, and your clientele. We’ll help you rethink your approach to those aims.
To learn more about our HIPAA regulations solutions, contact RSI Security today!