What are HIPAA Compliance Requirements?
The Health Insurance Portability & Accountability Act (HIPAA) compliance requirements are a list of standards and practices that certain healthcare organizations must adhere to as part of legal compliance with US laws. Specifically, the HIPAA aims to protect each person’s Protected Health Information (PHI) and ensure that it is not shared without their permission.
Who Needs to Follow?
According to the U.S. Department of Health & Human Services (HHS), the entities required to follow HIPAA policies and procedures are the following:
- Most health care providers
- Institutions that conduct business electronically
- Health plan providers, both for individuals and companies
- Health insurance companies
- Health Maintenance Organizations (HMOs)
- Healthcare clearinghouses (entities that handle other nonstandard health-related information into another standard and back)
Aside from direct health institutions, business associates of covered entities are also required to follow HIPAA compliance requirements. Most business associates are the contractors, subcontractors, and other persons and companies a health institution deals with often, giving them access to patient health information when providing their services. Some common businesses associates are as follows:
- Companies that pay or help pay doctors, such as billing companies
- Companies that administer health plans, both for individuals and companies
- Healthcare institutions’ lawyers, IT specialists, accountants, and other outsourced staff
- Organizations that help dispose hospital and other personal records
HIPAA Compliance Requirements
There are three main rules under the HIPAA policies and procedures. Each rule covers a specific function in healthcare institutions and aims to improve client experience and data security.
Privacy Rule
Under the Privacy Rule, entities covered by HIPAA should implement the appropriate safeguards to protect each person’s privacy, focusing on the rules of use and disclosure of information. Data must not be shared without the patient’s consent and must not be used for marketing or selling purposes without earlier notice.
Security Rule
The Security Rule details the standards to be followed when it comes to generating, accessing, modifying, protecting, processing, and disposing of electronic PHI (ePHI). This rule has three safeguards:
- Admin Safeguards
Covered entities under the HIPAA rule are required to perform risk analyses regularly on potential risks to ePHI management, designate a security official to develop and implement security policies, and provide training for the authorized staff to handle ePHI. Access to ePHI must also be granted only to specific people, ideally in a role-based manner, to limit the chances of said data being misused by the wrong people. An assessment must also be conducted regularly on these safeguards to ensure they are still effective. - Technical Safeguards
This pertains to the measures to be taken on the digital end of ensuring ePHI security. These safeguards require covered entities to implement technical policies that ensure only authorized personnel can access ePHI and manage the electronic hardware and systems needed for storing, sharing, viewing, editing, and disposing of them. - Physical Safeguards
Physical access to the hardware, facilities, and systems must be limited to only those who are authorized to do so.
Breach Notification Rule
Per the Breach Notification Rule, covered entities are required to alert their clients individually when there is a breach in the data storing systems or when their PHI falls into unauthorized hands. Notifications should contain details of the breach and must be given within 60 days from when the breach was first discovered. They must also be disseminated via email or first-class mail.
In case there are less than 10 individuals with outdated contact information, they can be notified via telephone and other forms of written notice. On the other hand, if there are more than ten individuals with insufficient or outdated contact details, the notification should be shared on a public website or any large broadcast platform for 90 days for easier viewing.
For cases where more than 500 people are affected by a breach, the covered entity must notify them through a media outlet serving the state or jurisdiction where the beach happened. Afterward, the Secretary of the HHS must be notified as well.
Importance of Complying with HIPAA Regulations
The main purpose of HIPAA is to protect the privacy of an individual’s information. One’s PHI contains not only details on their health, but also important information such as their addresses, contact numbers, credit cards, and other sensitive details. Such information must be protected at all costs, for unauthorized access to them can lead to identity theft, unauthorized purchases made on your behalf, and other data privacy breaches.
On the other hand, legal and financial repercussions also await HIPAA-covered entities failing to comply with HIPAA regulations. Individuals of covered entities who break HIPAA compliance requirements may be sanctioned or terminated. If the violation was caused by a lack of knowledge or training, they will need to undergo additional training on top of their sanction. At worst, they can be imprisoned or pay a minimum fine of $50,000 and a maximum of $250,000, not including the restitution for victims that may be required by the court.
Covered entities who, as a whole, fail to comply with HIPAA compliance regulations may be brought to court as well and/or be required to pay fines. The fines to be paid, however, will depend on the severity of the violation.
Improve your GRC management
SafetyCulture (formerly iAuditor) for HIPAA Compliance
Keeping compliant with HIPAA requirements can be confusing, as there are many things to keep track of and many PHIs to be aware of. Using a checklist can help with this as it could streamline processes, organize tasks, and ensure compliance with the three rules and safeguards. Going digital with these forms can also ensure a smoother process in maintaining records, for it would reduce paper waste, improve daily operations, and increase efficiency in the workplace.
A digital checklist platform one can look into for HIPAA compliance is SafetyCulture. SafetyCulture is a digital inspection tool that aims to improve HIPAA compliance with the help of its digital checklists. With SafetyCulture, HIPAA-covered entities can:
- Create their own smart checklists and include a scoring system, showing if they are compliant with HIPAA guidelines or not
- Use pre-made HIPAA-compliant forms from the Public Library and edit them as needed
- Address problems with HIPAA compliance by raising issues, assigning specific actions to certain people or teams, and sharing a Heads Up to a department or the whole organization
- Train staff on proper HIPAA compliance practices regularly from anywhere
- Export completed inspection forms as a Word file, PDF file, or a web page
- Generate analytical reports of completed checklists and visualize data at a glance