From the largest hospitals in America to dentists and plastic surgeons, virtually everyone in the medical profession or anyone that deals with public health is affected by the Health Insurance Portability and Accountability Act (HIPAA). HIPAA is the law of the land as it relates to standards for patient private data and medical record privacy, and non-compliance and HIPAA violations can come with stiff penalties.
The problem is the HIPAA privacy rules are such a lengthy, complex, and often difficult to interpret regulatory framework that many covered entities are confused about how to approach HIPAA compliance or how to navigate HIPAA rules to even get started on their road to compliance with HIPAA. And even when they’re clear on what they need to do, developing a sound roadmap to covering all of the bases of privacy and security proves just as daunting (if not more). However, entities that are not covered should seek HIPAA compliance solutions as soon as possible to avoid any penalties.
The good news is once you get past all of the jargon and legalese, HIPAA compliance does break down into four main rules that medical providers and covered entities can address step by step: Privacy, Security, Enforcement, and Breach Notification.
Also Read: Top 5 Components of HIPAA Privacy Rule
By following our HIPAA compliance checklist that covers these four key areas of HIPAA regulations, you’ll know specifically what rules and regulations you need to follow to be fully protected. However, to be completely sure that they are checking all of the boxes, most professionals seek cyber security solutions with matters like these.
1. Privacy Rule
The first area of HIPAA compliance that any covered entity needs to consider is the Privacy Rule. From a 10,000-foot view, the Privacy Rule is designed to protect patients’ Protected Health Information (PHI) with regards to storage, communications, and transmissions of all shapes and sizes. Whether it’s sending PHI via postage, email, or fax, all covered entities must take HIPAA specified precautions designed to ensure that all PHI does, indeed, remain private.
That being said, here are the five steps you should take to ensure that you are completely Privacy Rule Compliant:
Appoint a Privacy Officer – Make sure you assign someone whose responsibility it is to implement the Privacy Rule, aka a HIPAA Privacy Officer. In small practices the Privacy Officer can be the actual doctor or an office manager. In large practices it may be a full-time job for a few weeks or months in the beginning, and a part-time job thereafter. Either way, HIPAA requires that you have a Privacy Officer named, so make sure they’re officially designated and always in the loop.
Safeguard PHI – More than likely, you’re already taking a number of precautions to ensure that PHI is safe and secure. While HIPAA does not provide specific guidance as to the exact measures that need to be taken, it does require that all covered entities take reasonable effort to ensure that PHI is protected. You may discuss patient PHI verbally, for instance, but be sure to take reasonable efforts to protect said PHI, such as discussing PHI only in a private room and not mentioning the patient by name.
Implement Policy & Procedures – One of the main duties of the Privacy Officer is to develop written policies and procedures for secure storage and communication of PHI, as well as training all staff to make sure all procedures are followed. You’ll need to require that all staff review these guidelines, hold meetings and training to review them, and have all staff sign documents certifying that they’ve received training, understand the policies, and will enforce them at all times.
Inform Patients – Under HIPAA, you’re required to inform patients of their rights under the Privacy Rule. This includes their right to access and view their PHI, their right to request changes or amendments to PHI, and their right to receive assistance with regards to any complaints. You can use a variety of forms and formats to describe to patients their rights, but to be HIPAA compliant it must be written in plain language that patients can understand.
Limit Third-Party Access – Finally, to be fully compliant with the Privacy Rule, you must be sure not to sell, share or grant access to patient data to outside companies, businesses, or organizations without patient consent. This normally includes lawyers, consultants, accountants, and the like. Truthfully, this is the easiest part of Privacy Rule compliance, as most covered entities won’t need to allow access to any third parties.
2. Security Rule
While the Privacy Rule covers policy, procedures, and patient consent, the HIPAA Security Rule requires covered entities to take appropriate physical, technical, and administrative safeguards. You’ll need to focus on each of these three areas to ensure the confidentiality, integrity, and security of all PHI. Potential breaches and violations can occur at any time, so you’ll want to follow the HIPAA risk assessment checklist below that covers all aspects of Security Rule compliance.
Technical Safeguards – This area focuses on the technology which protects PHI, as well as who controls and has access to those systems. While the Security Rule does not require the use of any specific technology (the standards were designed to be technology-neutral), there are areas in your technical safeguard risk assessment that need to be covered for compliance:
- Access Controls – Assign each user with access to PHI a unique identifier for login and tracking purposes. Have an emergency access procedure documented and outlined and ensure that all technology is set on auto-logoff after a certain period of time.
- Audit Controls – You’ll need to implement hardware, software, and/or procedural mechanisms that record and examine all activity within systems that contain or use PHI.
- Authentication – Implement procedures to verify that a person or entity accessing PHI via technology systems is the one claimed. This includes secure passwords, logins, and the like.
- Data Integrity – Have electronic mechanisms in place to verify and corroborate that PHI has not been altered or destroyed in an unauthorized manner.
- Transmission Security – Implement security measures to ensure that electronically transmitted PHI isn’t improperly modified without detection until disposed of. Have a method of email or data encryption if at all possible.
Physical Safeguards – As the name indicates, this aspect of the security rules pertains to physical access to PHI. Typically, this includes access to hard-copy files, computer hard drives, and other hardware that contains PHI. Your physical safeguard risk assessment should encompass the following:
- Facility Access – Document the reasonable measures you’ve taken to secure the medical facility from unauthorized parties. Have a policy that allows third parties access to the facility in the event of a data breach or emergency.
- Workstation Access – Make sure that only authorized parties have access to only the workstations they need. Does each employee know which workstations they’re authorized to use and which ones they aren’t? Have you implemented physical safeguards to protect each workstation?
- Device Control – Do you have procedures in place that ensure PHI is wiped from devices when disposed of? If hardware is being reused for another purpose or workstation, are you making sure to remove the appropriate PHI? Whenever computers change hands or locations, make sure there are safeguards in place.
Administrative Safeguards – Finally, you’re required to develop, document and implement policies and procedures to assess and manage administrative PHI risk:
- Risk Analysis – Perform and document a risk analysis to see where PHI is being used and stored in order to determine all the ways that HIPAA could be violated.
- Risk Management – Implement sufficient measures to reduce these risks to an appropriate level.
- Security Policy – Create a security plan that covers PHI continuity, emergency access, disaster recovery and vendor management.
Security Rule compliance goes much deeper, but these are the main areas you need to consider. It’s wise to work with a HIPAA compliance expert to ensure that you’re not missing anything with regards to the Security Rule.
3. Enforcement Rule
Also commonly referred to as the Final Rule, the Enforcement Rule outlines the financial and criminal penalties for HIPAA non-compliance. This relates to any organizations, businesses, or healthcare-related entities that fail to adhere to various aspects of the other three rules.
Knowing the consequences of non-compliance is a key part to any HIPAA checklist you are developing, so here is an outline of the various levels of violations along with potential fines and penalties:
Unknowing Violation – You have taken safeguards, but they were not enough and somehow (unintentionally) PHI security was violated. This carries a minimum penalty of $100 per record and an annual maximum of $25,000 for repeat violations.
Reasonable Cause Violation – It’s been determined that you had reasonable cause to suspect lack of security of PHI was violated, but failed to take action. Fine of $1,000 per violation, with an annual maximum of $100,000.
Willful Neglect – The most severe form of violation possible, willful neglect penalties range from $10,000 to $50,000 per infraction, depending on whether or not you correct the problem within the HIPAA specified time period. Willful neglect penalties carry a maximum of $1.5 million per year.
As you can see, Enforcement Rule penalties can be quite severe and (in some cases) financially crippling. Make sure that your core compliance team knows the ins and outs of the Enforcement Rule as a precaution.
4. Breach Notification Rule
The final stage of your HIPAA compliance audit checklist is ticking all the right boxes as it relates to the Breach Notification Rule. This requires most providers to notify patients when there is a breach of unsecured PHI. The Breach Notification Rule also requires the entities to promptly notify the Department of Health and Human Services (HHS) if there is any breach of unsecured PHI, and notify the media and public if the breach affects more than 500 patients.
Here are the key aspects to the Breach Notification Rule to familiarize yourself with and develop a compliance strategy for in the event of a security breach:
Breach Definition – Acquisition, access, use or disclosure of PHI in violation of privacy rules is presumed to be a breach. There are exceptions to this definition, such as inadvertent or good faith PHI disclosures within your office.
Individual Notice – You must notify individuals without unreasonable delay, but no more than 60 days after a breach. Notice must be written, provide a description of the breach, describe actions taken in response, and suggest actions that the individual take to protect themselves.
HHS Notice – If the breach involves fewer than 500 people, you must submit annually to HHS by the March 1st deadline. If the breach involves more than 500 people, then HHS must be notified within 60 days.
Media Notice – Again, if the breach involves more than 500 people, you’re required to notify local and prominent state media within 60 days. You must issue a press release with the same basic information that’s required by HIPAA in the individual notice.
Associate Notice – Also be aware that if any of your business associates, vendors, or contractors are involved in a PHI breach, they’re required to notify the covered entity within 60 days no matter how large or small the breach is.
The bottom line for your Breach Notification checklist is that you be prepared to cover the above four bases in the event of a potential breach. Have policies and procedures in place that will serve to make contacting patients as quick as possible, and make sure that your HHS notices are filed properly and within the allotted amount of time.
No matter how you choose to structure your path to compliance, you need to make sure that your HIPAA checklist includes strategies to tackle all four key rules. Appoint a privacy officer and conduct regular training to ensure Privacy Rule compliance. Complete a risk assessment and audit of your physical, administrative and technical systems for HIPAA Security Rule compliance. Know the penalties and consequences of non-compliance as outlined by the Enforcement Rule. Have a Breach Notification and response plan in place so that, in the event that something does happen, you’ll know how to limit the damage and avoid further fines.
Most importantly, find an experienced HIPAA compliance partner to help you customize a checklist and roadmap that’s tailor-made for your specific practice. Each area of medicine is unique and deals with different forms of PHI in different manners, and speaking with a HIPAA expert like RSI Security will help ensure that you’re checking each and every single compliance box.