The Health Insurance Portability and Accountability Act of 1996 (HIPAA) exists to protect the privacy and security of protected health information (PHI). Most organizations that provide healthcare services, and the partners that handle PHI on their behalf, must implement HIPAA controls to protect patients and plan members from breaches and other cybercrime threats. Want to know if your company is a HIPAA-covered entity? Keep reading to find out, and to learn what HIPAA compliance entails.
What are Covered Entities Under HIPAA?
If your business is involved in the healthcare industry (even indirectly), there is a good chance it needs to be HIPAA compliant. This article will discuss everything you need to know in two primary sections:
- A guide to covered entities under HIPAA, inside and outside the healthcare industry, including all categories of covered entities and select business associates
- An overview of all the specific rules these HIPAA covered entities need to follow, including the Privacy, Security, Breach Notification, and Enforcement Rules
By the end, you’ll know how to determine if your company needs to comply with HIPAA. We’ll also walk you through what resources you can use to meet compliance requirements.
Breakdown of Covered Entities Under HIPAA
Most companies in and adjacent to the healthcare industry need to be HIPAA compliant, including many that handle health information only tangentially. According to HHS, covered entities under HIPAA fall into three categories:
- Healthcare providers – Providers that transmit health information electronically in connection with a transaction for which HHS has adopted a standard (claims, eligibility inquiries, referral authorizations, etc.), including:
- Private practices of doctors, psychologists, psychiatrists, dentists, chiropractors, etc.
- Large facilities such as hospitals, nursing homes, and clinics
- Pharmacies and other providers that dispense medication
- Health plans – Individual and group plans that provide or pay the cost of medical care, including:
- Health insurance companies
- Employer-sponsored group health plans (the plan itself, rather than the employer as a whole, is the covered entity)
- Health maintenance organizations (HMOs) that manage care plans
- Government health programs such as Medicare, Medicaid, and military and veterans' health programs
- Healthcare clearinghouses – Entities that process health information between standard and nonstandard formats on behalf of others, such as billing services, repricing companies, and community health management information systems. (Vendors that merely host or transmit PHI for a covered entity are business associates, not clearinghouses; see below.) Clearinghouses include:
- Companies that translate PHI from nonstandard forms into standard transaction formats (for example, to submit claims electronically)
- Companies that translate standard transactions back into nonstandard forms for a receiving entity
Across these categories, HIPAA impacts businesses of all shapes and sizes. Since 2009, covered entities aren't the only ones that must comply.
Business Associates and Their Contracts
HIPAA was written well before the technology and outsourcing arrangements businesses navigate today. The Privacy Rule had always required covered entities to bind their vendors by contract, but the HITECH Act of 2009 (implemented by the 2013 Omnibus Rule) made business associates directly liable for compliance with the Security Rule and with the Privacy Rule obligations in their contracts, spelling significant compliance changes across industries.
A business associate is any person or organization that creates, receives, maintains, or transmits PHI on a covered entity's behalf. Per HHS, examples include (but are not limited to) the following:
- Third-party administrators that assist health plans with claims processing
- Attorneys, CPAs, and other professional consultants whose services require access to a covered entity's PHI
- Independent medical transcriptionists and transcription services working for a provider
- Pharmacy benefit managers that manage a health plan's pharmacist network
Service providers and other third parties that work with covered entities need to be aware of HIPAA requirements. Business associates must be compliant themselves, and their own subcontractors that handle PHI are business associates too. A covered entity can be held liable for a violation committed by a business associate that acts as its agent. In all cases, a business associate agreement (BAA) must be in place before PHI is shared; it spells out each party's permitted uses, required safeguards, and breach reporting obligations.
Overview of HIPAA Compliance Requirements
The extension of direct liability to business associates means that HIPAA now applies to a far more diverse set of companies than it did initially. The core of the framework these companies must implement comprises four rules:
- HIPAA Privacy Rule – Governing conditions for access and availability of PHI
- HIPAA Security Rule – Governing safeguards to protect PHI against compromise
- HIPAA Breach Notification Rule – Governing notifications if a data breach occurs
- HIPAA Enforcement Rule – Governing investigations and penalties for non-compliance
Prior to HITECH, there was no Breach Notification Rule and penalties were far lower. Now there are more rules to follow, they apply to more companies, and penalties for non-compliance are tougher. Let's take a detailed look at their individual requirements.
HIPAA Privacy Rule Requirements
The Privacy Rule sets national standards for how PHI in any form (paper, oral, or electronic) may be used and disclosed. Per HHS's Privacy Rule summary, its essential requirements include the following:
- Restriction of disclosure – A covered entity may not use or disclose PHI except as the Privacy Rule permits or requires, or as the individual authorizes in writing. Disclosure is required to the individual (or their personal representative) and to HHS for compliance investigations. Uses and disclosures permitted without authorization include treatment, payment, and healthcare operations; situations where the individual has had an opportunity to agree or object (e.g., facility directories); incidental disclosures; and twelve public interest and benefit purposes such as public health, law enforcement, and research under specified conditions.
- Limitation of disclosure – Covered entities must limit uses, disclosures, and requests for PHI to the minimum necessary to accomplish the intended purpose. The minimum necessary standard does not apply to disclosures to or requests by a provider for treatment, disclosures to the individual, uses or disclosures made under a written authorization, disclosures to HHS for enforcement, or uses or disclosures required by law.
Overall, the Privacy Rule requires covered entities to control who accesses PHI and under what conditions. It also gives individuals the right to inspect and obtain copies of their own PHI (with narrow exceptions, such as psychotherapy notes), to request corrections, and to receive an accounting of certain disclosures.
HIPAA Security Rule Requirements
The Security Rule requires covered entities and business associates to ensure the confidentiality, integrity, and availability of all electronic PHI (ePHI) they create, receive, maintain, or transmit. Per HHS's Security Rule summary, its essential requirements include the following:
- Administrative safeguards – Policies and procedures governing the management of the security program: risk analysis and risk management, a designated security official, workforce training and sanctions, information access management, contingency planning, and periodic evaluation
- Physical safeguards – Controls over physical access to facilities, workstations, and devices that store or access ePHI, including device and media disposal and reuse
- Technical safeguards – Technology controls that protect ePHI in systems and in transit: access control (unique user identification, emergency access procedures, automatic logoff, encryption), audit controls, integrity protection, person or entity authentication, and transmission security
Overall, the Security Rule requires covered entities to implement a documented, risk-based security program, starting with an accurate and thorough risk analysis, to protect all ePHI. Each standard's implementation specifications are either required or addressable; an addressable specification is not optional, but the entity may document why it is not reasonable and appropriate in its environment and implement an equivalent alternative measure.
Breach Notification Rule Requirements
The Breach Notification Rule governs what must happen when unsecured PHI is compromised. Per HHS, its specific requirements include the following:
- Breaches that affect fewer than 500 individuals – The covered entity must notify affected individuals without unreasonable delay and no later than 60 days after discovery of the breach. It must notify the HHS Secretary within 60 days of the end of the calendar year in which the breach was discovered.
- Breaches that affect 500 or more individuals – The covered entity must notify affected individuals and the HHS Secretary without unreasonable delay and no later than 60 days after discovery. If more than 500 residents of a single state or jurisdiction are affected, it must also notify prominent media outlets serving that area within the same window.
Business associates must notify the covered entity of a breach without unreasonable delay and no later than 60 days after discovery. Overall, the Breach Notification Rule requires reporting to the individuals directly impacted, to HHS, and, for the largest breaches, to the media. PHI that was encrypted in accordance with HHS guidance is not considered "unsecured," so its loss or theft does not trigger notification.
Enforcement Process and Requirements
Finally, the Enforcement Rule sets out how HHS's Office for Civil Rights investigates complaints and conducts compliance reviews, along with tiers of civil money penalties for violations, including:
- Per-violation fines – Penalties are tiered by culpability, from a statutory minimum of $100 per violation where the entity did not know, and could not reasonably have known, of the violation, up to $50,000 per violation for willful neglect that is not corrected within 30 days. These statutory amounts are adjusted annually for inflation.
- Annual limits – The statutory cap for all violations of an identical provision within a calendar year is $1,500,000, likewise inflation-adjusted. Criminal penalties for knowingly obtaining or disclosing PHI in violation of HIPAA are enforced separately by the Department of Justice.
Professional Compliance for Covered Entities
The rules detailed above apply to all covered entities and to the business associates that handle PHI on their behalf. In practice, companies both in and adjacent to the healthcare industry need to ensure the privacy and security of PHI, and they need to notify affected individuals, HHS, and in some cases the media if a breach occurs.
Failure to comply can result in severe consequences. Luckily, RSI Security offers a suite of HIPAA compliance services to help you avoid civil and criminal penalties. If your business is a HIPAA covered entity or a business associate of one, don’t wait — contact RSI Security today!