What Is HIPAA Compliance?

Learn how to become HIPAA-compliant ➔ What is HIPAA compliance? ➔ We help you navigate HIPAA requirements and understand HIPAA regulations in clear language ✅

Tanya Kobzar

CEO

Contents
smartwatch health tracker

Have you wondered how patient information protection works? Or why is HIPAA compliance such a big deal? For those who have, we have prepared a must-read HIPAA guide for 2024.

HIPAA is short for Health Insurance Portability and Accountability Act. The original Act saw the light of day on August 21, 1996. It provides standards for the safety and privacy of protected health information (PHI). The Office for Civil Rights (OCR) ensures that all the entities meet HIPAA standards. The Department of Health and Human Services (HHS) handles HIPAA compliance regulation.

What Is Protected Health Information (PHI)?

One of the most crucial things in HIPAA compliance is the notion of PHI. It refers to any demographic data that identifies a patient or client. Data such as financial information, phone numbers, names, and full facial photos fall into the PHI category.

Handling PHI is a part of any HIPAA-responsible organization. To guarantee the integrity, privacy, and security of PHI, every health care company must devolve along with HIPAA Rules.

Companies often store PHI in electronic format. ePHI is an acronym for electronic protected health information. It refers to any transmitted or stored PHI on electronic devices. You can find ePHI regulations in the Security Rule section of HIPAA.

Who Needs to Be HIPAA Compliant?

Two types of organizations fall under HIPAA Rules. The first one is a covered entity, and the second one is a business associate.

The former can be any provider of medical services. A person that has PHI can also represent a covered entity. Such a person or organization must comply with the Rules stated by HIPAA. They must have a risk assessment and compliance training for the staff. Having a book of evidence with Policies and Procedures is a must for any covered entity. Here are some of the examples of covered entities:

  • laboratories;
  • hospitals;
  • optometrists;
  • dentists;
  • mental health providers;
  • nurses;
  • pharmacies;
  • call centers;
  • healthcare workers;
  • radiologists;
  • physicians;
  • durable medical equipment providers;
  • ambulance companies;
  • social workers.

There are some exceptions. For instance, a hospital is a covered entity. However, their employees and healthcare providers are generally not covered entities. Employees who provide health plans or benefit programs are hybrid entities.

Business associates are companies that encounter PHI in any way throughout their work. They deal with protected data under the authority of a covered entity. There are plenty of companies and service providers that process or manage PHI. Here are some of the examples of business associates:

  • IT providers;
  • third-party administrators and consultants;
  • accountants;
  • cloud and physical storage providers;
  • lawyers;
  • medical transcribers;
  • consultants.

They all need PHI to perform their services. Every business associate signs an agreement with their cover entity. This agreement is mandatory for HIPAA compliance. It describes the permitted uses of PHI. The agreement also states what happens with the information in the end. Sometimes patients get their data returned, but in most cases, the data gets destroyed.

Business associates have the same responsibilities regarding HIPAA compliance as covered entities. Both parties sign the agreement to clarify this fact.

What Are the Main HIPAA Rules?

Since 1996, there have been several updates to the Act. With each update came small changes to the Rules. The most drastic changes occurred in 2009 with the HITECH Act, which promoted the use of electronic medical records. In 2020, with the advance of the COVID-19 outbreak, HIPAA Rules became more flexible. It happened thanks to the Notification of Enforcement Discretion by OCR. However, the main clauses in the Rules have remained immune to the changes.

The HIPAA Privacy Rule

The most important and the first HIPAA Rule is the Privacy Rule. It mandates data protection on anyone who stores, uses, or creates PHI. The Rule is affirming each person’s rights over their personal data.

The Privacy Rule outlines conditions and limitations regarding the use and disclosure of medical data with and without the authorization of its owner. Moreover, this rule provides patients with the right to access, get a copy, or make changes to their data.

It’s the OCR who investigates violations of the Privacy Rule. Since 2010, the OCR has settled over 150,000 cases.

The HIPAA Security Rule

The Security Rule is a document that describes ePHI protection standards.

The Security Rule implies that all compliant parties maintain three types of safeguarding mechanisms: administrative, technical, and physical. They are security precautions that preserve ePHI from unauthorized access.

Each organization determines the specifics of its data security regulation. It is an essential part of the company’s HIPAA Policies and Procedures. Besides, companies must conduct annual training on Policies and Procedures. This training will be liable only when documented with attestation reports.

The HIPAA Breach Notification Rule

OCR introduced the Rule in 2009 with the HITECH Act. All HIPAA-responsible organizations bear certain obligations under the Rule. The chief responsibility is to notify the affected persons, the HHS, and, in large cases, the media about the breach of PHI. The obligations also include:

  • mitigating the consequences of the breach;
  • carrying out breach investigation;
  • disciplinary actions with any member of the workforce who violated HIPAA Rules.

A breach compromises the privacy or security of the information. It is the use, acquisition, disclosure, or access of PHI without following HIPAA Rules. Any unauthorized disclosure of PHI is a breach of HIPAA.

The HIPAA Omnibus Rule

In January 2013, HHS published the HIPAA Omnibus Rule. It provides individuals new rights to their health information. It strengthens the government’s ability to enforce privacy and security protections. The new Rule outlines who is a business associate. Here are some other things that the Omnibus Rule introduced:

  • limits on information sharing for marketing and fundraising;
  • a patient’s right to access the electronic version of their medical records;
  • a patient’s ability to have information kept private from their health plan;
  • prohibition on the sale of information without authorization.

The Omnibus Rule makes business associates liable under HIPAA. These organizations become accountable to consumers and HHS for safeguarding PHI. The Rule also states that any unauthorized sharing or use of PHI is a breach of the regulations. Reported data breaches increased in number thanks to the Rule.

What Is Required for HIPAA Compliance?

Each HIPAA-responsible company must keep up with the set standards. Here are the measures an organization must undertake to be compliant with HIPAA:

Self-Audits

HIPAA-responsible organizations perform audits. They exist to check technical, physical, and administrative issues against HIPAA standards. A Security Risk Assessment is crucial for HIPAA compliance. There are also other essential measures like Privacy and Breach Notification Audits.

Remediation Plans

Once a HIPAA-compliant entity spots its issues, it must form remediation plans to re-establish the standards. Complete documentation of these plans is a must. Companies should also keep a calendar with dates of resolving their compliance issues.

Documentation

Organizations must take notes of all the steps they take on their road to HIPAA compliance. This documentation will play a leading role during a HIPAA investigation with OCR and HHS. Documentation is also critical during HIPAA audits.

Policies, Procedures, Employee Training

As stated in HIPAA Rules, each company must have its Policies and Procedures in place. Correspondence with HIPAA standards is vital for these Policies and Procedures. Companies must update their HIPAA Policies and Procedures to account for the latest changes to the organization. Companies must conduct annual staff training on HIPAA regulations, along with employee attestations.

Business Associate Management

HIPAA-responsible organizations must document any collaboration with services providers that involve PHI. Companies must form and sign Business Associate Agreements to guarantee the safety of PHI. It’s vital to review agreements and note changes to the relationship with service providers. Like every other procedure, a company must do it once per year.

Incident Management

If a data breach occurs, HIPAA-responsible organizations must have a process to document it. The organization must inform people about the breach and leakage of their data.

What Are Common HIPAA Violations?

Health information or insurance information about a person is worth up to $250 apiece on the black market. That is why patients must perform risk assessment and make sure they provide sensitive information to a HIPAA-certified organization with a proven reputation. Health care workers, on their end, should assure their clients about the safety of their data.

A HIPAA violation is the failure to adhere to HIPAA standards. Violations usually occur due to a lack of proper protection of PHI. Security measures must be in place so that an unauthorized person won’t access PHI. You can learn more about them by viewing Privacy and Security Rules.

HHS Office for OCR and U.S. Department of Health handles the enforcement of the Privacy and Security Rules. It’s crucial to adhere to HIPAA Rules because your negligence may cause you up to $1.5 million in fines. There are two main types of HIPAA violations: civil violations and criminal violations.

HIPAA violation

Cause

Penalty

Civil violation

Unintentional

from $100 to $50,000 per one case (up to $25,000 per year)

Civil violation

Valid cause

from $1,000 to $50,000 per one case (up to $100,000 per year)

Civil violation

Deliberate disregard (corrected)

from $10,000 to $50,000 per one case (up to $250,000 per year)

Civil violation

Deliberate disregard (not corrected)

$50,000 per one case (up to $1.5 million per year)

Criminal violation

Intentional disclose or theft of PHI

up to one year in prison, as well as $50,000 fine

Criminal violation

Violations committed under false pretenses

up to five years in prison, with $100,000 fine

Criminal violation

Violations committed with the intent to transfer, use, or sell PHI for personal gain, or other advantages

up to ten years in prison, as well as $250,000 fine

Here are some of the most common causes of violations:

  • ransomware attack;
  • hacking;
  • office break-in;
  • malware incident;
  • business associate breach;
  • sending PHI to the wrong contact/patient;
  • social media posts;
  • EHR breach;
  • a stolen laptop, phone, USB device;
  • discussing PHI outside the organization.

There can be situations when a covered entity does not want to resolve the issue. In that case, OCR is within its right to levy civil financial penalties on the organization.

Checklist to Avoid HIPAA Violations

To help you avoid a possible HIPAA violation, we have prepared a checklist of guidelines that will help you comply with every rule:

HIPAA Security Rule

Administrative Safeguards

  • Get to know which obligatory annual assessments and audits apply to your company.
  • Appoint a HIPAA Officer.
  • Implement the required evaluations and audits, document deficiencies, and analyze the results.
  • Ensure the designated HIPAA Officer carries out training for all members of the company about HIPAA.
  • Create and sign a business associate agreement with any vendors or subcontractors that may handle your organization's ePHI.
  • Document all HIPAA training and attestations.
  • Review all your agreements each year.

Physical Safeguards

  • Limit access to areas where ePHI is stored, processed, or transmitted to authorized personnel only. Install security measures such as card readers, biometric systems, or security cameras to control access to these areas.
  • Develop disaster recovery and business continuity plans to ensure that ePHI is protected in the event of natural disasters, power outages, or other emergencies. Test these plans regularly to ensure that they are effective.
  • Train employees on physical security policies and procedures, including how to handle ePHI, how to secure workstations and mobile devices, and how to report security incidents.

Technical Safeguards

  • Ensure that your ePHI is encrypted according to the National Institute of Standards and Technology (NIST) cryptographic standards.
  • Control access to ePHI by issuing passwords and other login credentials only to people who need them.
  • Protect ePHI by encrypting any device that can access the data.
  • Protect ePHI by regularly authenticating it.
  • Put in place auto-log-off programs so that workstations are secured when employees have left the area.
  • Monitor the logs of ePHI access attempts and take corrective action if there is a potential breach.

HIPAA Privacy Rule

  • Establish procedures for proper usage and disclosure of PHI, obtaining authorization, managing access requests, and reporting violations.  
  • Create a Notice of Privacy Practices (NPP) that specifies how your organization may use and disclose PHI.
  • Conduct privacy training with the workforce to ensure that employees understand their obligations under the Privacy Rule.
  • Conduct due diligence on your partners and vendors, make sure your agreements with him comply with the Privacy Rule.

HIPAA Breach Notification Rule

  • Conduct employee training on breach procedures.
  • Make sure employees know how to distinguish between a reportable and a non-reportable breach.
  • Ensure that data breaches containing ePHI are carefully documented, and include a description of the breached information's sensitivity level, how the breach could have been avoided, and what steps were taken to prevent future incidents.

HIPAA Final Omnibus Rule

  • Update your Business Associate Agreements to incorporate the amendments in the Omnibus Rule.
  • Retrieve newly signed copies of BAAs incorporating the most recent Omnibus changes.
  • Update your NPPs to reflect the changes in authorizations and privacy rights.
  • Update privacy policies to reflect the new rules set forth by the Omnibus changes.

This checklist is not exhaustive. You must also follow several additional steps if you transfer data into a new cloud-based system.

Expert Security Tips for HIPAA Compliance

If you are looking to improve PHI security, here are a few tips from Raj Chaudhary, a HIPAA security and privacy expert at Crowe Horwath:

  • strengthen security with logins to keep data from unauthorized access;
  • check your login management at software, network, and other levels;
  • lockout anyone who fails ten login attempts;
  • ensure that login is working 24/7 and check login controls;
  • keep an eye on your business partners who are dealing with any PHI.

Changes to HIPAA Compliance During the COVID-19 Pandemic

COVID-19 pandemic brought a few mitigations into the health care scene. Sanctions for non-compliance with particular clauses of HIPAA Rules will no longer be applied. For instance, one-on-one remote consultations via video conferencing software programs are legal now. OCR will not impose sanctions for PHI disclosure if the information is crucial to public health activities.

These mitigations opened up new possibilities for entrepreneurs worldwide. All it takes is to learn about HIPAA compliance basics and build your own mobile app. You can contact Diversido if you want to develop your app according to the ever-changing HIPAA regulations. Here is one of our cases in healthcare — mobile app with gamification.

We specialize in different mobile apps, which include categories like:

  • Health & Wellness (Bodies Done Right, Visual Gains)
  • Education (Etutorcloud, Diversido LMS)
  • Services (WizFix, Kiwi)
  • Games (Legend of Tapatan, Cat Carnage)
  • Entertainment (Insiders, Power Velocity)

The development of the best quality healthcare apps is our strong suit. Get on board to the future of mobile development together with Diversido!

FAQ

Here are the questions most commonly asked by Diversido clients regarding HIPAA.

What Does HIPAA Not Cover?

HIPAA only applies to PHI and ePHI within the United States. Therefore, other types of data — such as login credentials for social media sites or records an employer keeps about employees — are not covered by HIPAA.

Does the United Kingdom Have an Equivalent Law to HIPAA?

The United Kingdom has a very similar law called the Data Protection Act (DPA) 2018. The DPA is considered to be a stricter document, as it specifies the use of your personal information by businesses and the government. If you want to learn more about the DPA, we recommend reading this guide.

Does the EU Have a Law Resembling HIPAA?

The EU has a law very similar to HIPAA, called the General Data Protection Regulation (GDPR). While this law is not identical to HIPAA, it provides many of the same protections. The GDPR applies to any business that collects or processes data on EU residents, regardless of where it is based. When compared to HIPAA, the EU has stricter rules about breach notification, patient consent, and transfer of data outside of Europe.

Interested in our website creation approach?
Book a meeting