HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

HIPAA guidelines for responding to patient reviews


HIPAA guidelines

1. Keep patients’ privacy intact

HIPAA guidelines for patient confidentiality may look complex. But, they all percolate down to one essential point – not sharing your patient’s personal information. This means not even specifying that the reviewer visited you since that is a personal detail. For example, rather than saying “So glad you enjoyed your visit, come back again soon!” an ideal HIPAA-compliant response would be:

“Thank you for your feedback! We strive to provide the best services to all our patients.”

This response does not provide any specific information about the patient or the visit. It shows appreciation and also emphasizes the organization’s policy. It’s also important to respond to reviews without referring to the reviewers as patients.

Here is a great example of a HIPAA-compliant response to a patient review:

[Screenshot of the example response was not reproduced here.]

There is absolutely no mention of the patient’s medical information in the response. Notice that there is no specific mention of the patient’s medical issue or appointment either, which makes it the perfect response.

2. Avoid disclosing the patient’s medical issue

Instead of inadvertently disclosing protected information such as a medical diagnosis, avoid the subject entirely. What if the patient mentions their symptoms in the review? It is tempting to think that it is then fine for the healthcare provider to discuss those details, but it is not. Even if the patient reveals their own diagnosis, the provider violates HIPAA guidelines if the reply repeats that information. The simplest rule is to avoid the topic altogether.

3. Take critical issues offline

If something feels urgent (hey doctors, we know it’s actually a matter of life and death in your profession) and there is no way to respond without asking for more information, take it offline. You wouldn’t want to brush aside their fears with a generic reply, nor violate HIPAA guidelines by asking questions that reveal personal details. The best route is to message the patient personally or ask them to get in touch with you via phone or email. In your response, you can mention your contact details and even invite them to visit your medical facility.

If the urgency also involves the patient’s unhappiness with the care received, a private communication channel might help you get to the bottom of it easily. Getting more insight into why a patient is unhappy will help you to resolve the issue faster. If you address the concern by personally getting in touch with the patient, you may even persuade them to remove or edit the negative post. Now, this is a win-win. 

4. Avoid sharing confidential information via personal messages  

Address the patient’s negative reviews and concerns through direct contact channels like personal messaging and avoid unwanted disclosures, breaches of data or breaches of patient privacy.

HIPAA’s Security Rule requires that all electronic protected health information (ePHI) be safeguarded against the kinds of violations mentioned earlier. Ordinary social media messaging services do not meet HIPAA’s standard for compliance. Patient data or health documents should never be sent through these messaging services.

5. Don’t share your patient’s pictures on social media

A picture is worth a thousand words. Do you really want to write a thousand words about your patients on social media? Thanks to smartphones, photos seem to be the easiest way to communicate. If I had a dollar for every time I heard “Show and don’t tell” in writing school, I’d be able to pay off my student loans in one payment. While this is great advice for everybody else, it doesn’t apply to doctors and healthcare providers. 

If you love your patient’s positive reviews and want to share their pictures as a part of your response, think twice. According to HIPAA guidelines, posting a patient’s pictures on social media websites like Facebook is a violation. 

While it may seem inoffensive or harmless, especially if the patient’s name is left out, someone may still recognize them (thanks to the facial recognition software used on these social media platforms), and that becomes an infringement of the patient’s privacy. So, even if you’re celebrating something as significant as a patient’s recovery from an illness or a horrible injury, sharing their photos is a major HIPAA violation. Again, the best route is to avoid posting photos altogether.

6. Create a response strategy for your reviews

Work with your team and create a policy on how you can respond to different types of reviews while complying with HIPAA guidelines. Study different scenarios to identify various types of patient reviews. After careful study, create standard response templates for each scenario.

For instance, for all negative responses, you may say something like: “We deeply regret the inconvenience. Kindly get in touch with us at [Contact Number] or [Contact Email ID] so that we can address your concern.”

For all positive patient feedback, you might say that “It is our goal to provide the best care to patients. We appreciate your feedback.”

This works well for review sites like Facebook and Google. However, in the case of Twitter, you may have to abbreviate your response to stay within the character limits.

Technical Doctor's insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004


A Comprehensive Guide to Becoming HIPAA Compliant


The Health Insurance Portability and Accountability Act, or HIPAA, ensures the confidentiality and security of protected health information (PHI). If you are a healthcare provider or manage any kind of health-related business, then you must be HIPAA compliant. To become HIPAA compliant, you must take a few key steps.

First, all of your employees must receive up-to-date, comprehensive training on the regulations set forth by the HIPAA Security Rule and the Privacy Rule.

This includes not only understanding what is expected of them in protecting PHI but also how to handle a breach and what to do if they suspect one has occurred.

Understanding What HIPAA Is and Why It Matters

HIPAA is a federal law that sets standards for protecting sensitive patient data. These standards include physical, technical, and administrative safeguards to secure electronic PHI (ePHI).


In addition to protecting patient data from unauthorized access or disclosure, it also prevents healthcare organizations from using PHI in marketing without the patient’s consent.

Becoming HIPAA compliant is essential for any organization that handles PHI as it helps protect patients’ privacy and keeps their data secure.

Performing a Risk Analysis

The first step in becoming HIPAA compliant is performing a risk analysis. This involves assessing your current systems and procedures to determine where your organization might be vulnerable to a breach of ePHI.

You should evaluate each system used to store or transmit ePHI and any third-party vendors you use to handle this information. Once you have identified any areas of vulnerability, you can begin to work on resolving them.

Creating Policies and Procedures

Once you have completed the risk analysis process, it’s time to create policies and procedures that ensure your organization remains compliant with HIPAA regulations going forward.


This includes creating a policy manual outlining how to handle ePHI properly across all departments within your organization and establishing protocols for responding in the event of a breach.

Establishing Ongoing Compliance

It’s important to remain vigilant in your efforts to stay HIPAA compliant. This means regularly conducting internal audits and risk assessments, updating policies and procedures as needed, and adding or revising security systems when necessary.

Additionally, it is important that all employees receive regular training on new regulations, processes, and procedures.

Training Your Employees on HIPAA Regulations

Employee training is an integral part of ensuring compliance with HIPAA regulations. All employees who interact with patient data must receive training on proper handling techniques to recognize potential breaches before they occur.


Training should be provided regularly, so new hires are aware of their responsibilities when working with PHI while existing employees remain up-to-date on any changes in regulations or best practices related to handling this type of sensitive information securely.

Final Thoughts

By following these steps (understanding what HIPAA is and why it matters, performing a thorough risk analysis, creating policies and procedures for maintaining compliance going forward, and training employees on those policies), you can ensure your organization meets all requirements for being listed as an official “HIPAA Compliant” entity.

Taking these measures will help protect patients’ data from unauthorized access or disclosure while also helping prevent identity theft due to lost or stolen healthcare records.


How To Ensure Telemedicine HIPAA Compliance In 2022? Best Guide


For healthcare organizations to ensure that they are fulfilling all rules and regulations laid out in the HIPAA Privacy and Security Rules, they must have a Telemedicine HIPAA compliance plan to be followed. 

Telemedicine benefits healthcare professionals and patients alike and has made it very easy for the two to interact without physical contact or the need to go to a hospital or clinic. Although a Telemedicine app costs somewhere between $40,000 and $55,000, and developing one can be challenging, such apps have proved to be very useful for healthcare professionals.

Many healthcare professionals believe that passing on ePHI (electronic Protected Health Information) is safe as long as the communication is between the physician and the patient, and this is where Telemedicine and HIPAA compliance need to be linked together.


How to make sure that your Telemedicine services are HIPAA compliant? 

Certain measures can be applied to make sure that your Telemedicine services are HIPAA compliant. A few of them are mentioned below:

  • One way to ensure Telemedicine HIPAA compliance is to ensure the encryption of all web forms. 
  • Securing the healthcare website using an SSL certificate can also be considered to make your website HIPAA compliant for Telemedicine providers.
  • Ensuring that third-party service providers sign a HIPAA business associate agreement (BAA) with the Telemedicine software development company also paves the way to HIPAA-compliant Telemedicine.
  • Securing the location of data and the servers, and using secure user authentication can also help to make sure that your Telemedicine services are HIPAA compliant. 

Why is HIPAA compliance important for Telemedicine providers to protect patient privacy?

Everything is going digital these days, but digitization also brings data theft. Data theft poses a serious threat to online businesses and to privacy. The purpose of HIPAA-compliant telehealth is to ensure that patient information remains highly confidential and secure in the hands of HIPAA-trained healthcare professionals.

Telemedicine HIPAA compliance allows patients to ask for their medical information whenever they want to. 

Tips for setting up a secure and compliant Telemedicine system

To ensure that your system is compliant with HIPAA you can take the following steps: 

Ensure Secure Connection

A secure connection between a physician and a patient is one of the key factors to ensure Telemedicine HIPAA compliance. Be it messaging, voice chat, or video chat, everything needs to be secure. Third parties like Zoom, e-mail apps, or Skype do not provide Telemedicine HIPAA compliance so it is best to avoid such apps to develop a connection between a physician and a patient. 

User Authorization

It is important to give access to PHI only to authorized people. Keep patients’ information highly protected and confidential and never pass it on to another physician or any other person without the consent of the patient. 

Automatic Log-Off

People often forget to log off their desktops, which leaves the information open to misuse by anyone who walks past. Automatically logging the user off after a period of inactivity enhances data security and prevents such misuse.

Appoint someone with good IT expertise

To ensure the protection of patients’ data, appoint someone who has expertise in IT because they will be able to monitor everything in a much more productive and effective way. It is very important because the administration already has a lot of responsibilities and might not be able to effectively manage all the data. 

The benefits of using a HIPAA-compliant Telemedicine platform

Combining Telemedicine and HIPAA compliance software and incorporating it into the healthcare system will provide numerous benefits in the process. A few HIPAA-compliant Telemedicine benefits are mentioned below: 

  • One of the most significant advantages of Telemedicine HIPAA compliance is that it ensures a patient’s trust in the healthcare organization. This way, patients will achieve a sense of safety and peace of mind knowing that their personal medical information is perfectly safe and secure with that institution.
  • Another benefit of adhering to a Telemedicine HIPAA compliance program is that the organization avoids penalties: failing to meet the required standard can lead to fines and lawsuits, which in some cases pose a serious threat to the financial stability of the organization.

Best practices for ensuring HIPAA compliance with your Telemedicine platform

Here are some best practices for you to follow so you can ensure Telemedicine HIPAA compliance.

  • Don’t download or store PHI on an unsecured mobile device

Telemedicine mobile apps are very convenient, but you need to use strong passwords on your device. Make sure you establish a process for reviewing the data stored on the device before disposing of it.

Install a remote wipe feature on your device so that in cases where your device might be stolen or get lost, your data immediately erases and there is nothing left on the device for anyone to misuse. 

  • Make sure that your Telemedicine staff is HIPAA trained 

There are always new challenges and new workflows for employers and staff alike. Without proper training of staff, stepping into Telemedicine would be very risky.

  • Use a Secure way to communicate with patients 

Communicating with patients has become very easy thanks to Telemedicine. Physicians have easy access to all their patients and can engage effectively with them, and the same goes for patients. Communication through plain text messages or email is not a safe option, because using such means to communicate means you are sharing PHI without any protection. Make sure that the information is protected with encryption and is secure.

  • Make sure you share the updated notice of privacy practices with patients.

Patients need to be informed about the ways you are opting for in order to protect their PHI. Make sure you update the Notice of Privacy Practices which covers your Telemedicine program and platform. Do not forget to share it with patients.


How can Telemedicine providers ensure that they are compliant with HIPAA? 

Telemedicine providers must ensure that their platforms have the following features to be compliant with HIPAA requirements.

  • Make sure only authorized people have access to ePHI.
  • Confirm the identity of users who request access to confidential data of the patients.
  • Ensure secure, encrypted communications between the physician and the patients. 
  • Monitor communications that contain ePHI.

How can patients be sure that their information is protected when using Telemedicine services?

A patient can be sure that their information is protected on a Telemedicine app by confirming through the Telemedicine app itself. The confirmation usually comes in the form of an authenticator app or a code sent to the user’s mobile phone. Multi-factor authentication should form a key part of your telehealth security measures, and such measures help patients be sure that their information is safe and secure.


To sum up, the digitization of data and businesses has guaranteed easy access to everything in today’s world, but at the same time it has led to cyber theft and exploitation of sensitive data. With the implementation of Telemedicine HIPAA compliance, sharing data on such platforms has become a lot easier and more secure.


Protect your Medical Practice Against a HIPAA Breach


Independent medical practices have been trying to understand, comply with, and avoid penalties under the Health Insurance Portability and Accountability Act since 1996. The intent of the HIPAA statute is to “create confidentiality systems within and beyond healthcare facilities, with the goal of keeping protected health information private.” 

This time period has also seen the rise of the EHR, or Electronic Health Record, for tracking patient medical history and pertinent data. And that is where the potential for danger exists. As cyber criminals become more sophisticated in their attacks, security breaches in healthcare have increased dramatically. According to the HIPAA Journal, 2021 saw more healthcare data breaches reported than any other year since records were first published. 

Breaches continued to rise during the first five months of 2022. In one medical data breach at the Yuma Regional Medical Center in Arizona, a ransomware attack exposed the patient data of 700,000 individuals. If it is possible for cyber attackers to breach such large medical operations, how can your private practice protect itself against healthcare cyber threats? 

What Happens if Your Independent Practice Violates HIPAA Compliance Standards? 

The consequences of a breach can be monumental for your private practice. At the very least, it will take a great deal of time and effort to meet the Breach Notification Rule’s requirement to contact all patients the breach affected and to correct the problem. This could result in a loss of revenue and patient confidence. At the most, there could be a number of penalties involved, depending on the severity of the violation. Penalties can be assessed by both the Department of Health and Human Services’ Office for Civil Rights (OCR) and your state’s attorney general.

In most cases, OCR will try to resolve violations with non-punitive measures and technical guidance, but they can also assess penalties, with fines ranging from $100 to $50,000 per violation for the most egregious of circumstances. According to Medical Economics, one five-physician medical practice in Arizona was fined $100,000 for failing to meet HIPAA’s privacy and security requirements. 

Most Common HIPAA Violations in Healthcare

Even a seemingly small action can become a HIPAA violation, so it is important for your private practice to be aware of danger areas, including: 


  • Lost or stolen devices: While laptops, tablets, smartphones, and thumb drives add a great deal of convenience to the practice environment, they can also present a real danger. Insecure or sloppy handling of these devices can lead to theft, and a possible breach. 
  • Unencrypted data: All office equipment and devices should have password protection and be encrypted to secure the Protected Health Information (PHI) of patients. When hundreds of patients can be affected by a breach, a practice can face extremely stiff penalties. 
  • Inadequate training: Team members can be brought into the practice regularly, or existing office staff might simply get sloppy with the day-to-day pressing activity. 
  • Database breach: Data breaches are the most reported form of HIPAA violations, impacting the entire healthcare industry, from independent practices to regional medical centers. 
  • Disclosure of Information: Even a seemingly inconsequential conversation can have major implications. In the medical world, this applies to all those conversations around the office and even during off-duty hours, where discussions about a patient’s health or personal information can lead to privacy violations. 
  • Disposal of patient information: While medical practices previously had to worry about the management and security of paper charts, today’s Electronic Health Records also require a similar degree of vigilance. Any paper documents should be shredded, and any electronic devices should be wiped of all patient information before disposal.

Steps Your Private Practice Can Take to Maintain HIPAA Compliance 

Vigilance is the key watchword in maintaining HIPAA compliance. Steps your private practice can take include: 

  • Limit Access to Information: Really think about who needs to be in areas where any patient information is available, and strictly limit computer access. Don’t allow team members to share devices or passwords for convenience. 
  • Respond in a Timely Manner to Requests for Personal Data: Even though your practice has a lot to manage with day-to-day activities, failure to respond to a patient’s request for personal data in a timely manner (usually within 30 days) is a HIPAA violation. 
  • Establish and Enforce Security Protocols: Lax attention to security is an open invitation to cyber criminals. Make a risk assessment of your practice on a regular basis to examine all your security procedures and make proper corrections. Update your software within recommended timeframes, and make sure all team members revise their passwords regularly. Pay special attention to mobile devices, so they can be either erased or disabled if lost or stolen. 
  • HIPAA Training Schedule: It is important to have a regular HIPAA training schedule, at least on a quarterly basis, to keep everyone vigilant and aware of breach consequences. 
  • Ensure Your Software is HIPAA Compliant: To be sure your practice is using a HIPAA-compliant EHR, it should meet the following important security criteria: 
  1. All users must be properly authorized. 
  2. Access is controlled, so that only these authorized users can access it. 
  3. An authorization monitoring program is in force. 
  4. There is a data backup plan. 
  5. There is a remediation plan in case of a breach. 
  6. There is an emergency mode. 
  7. Users are automatically logged off after a certain period of time. 
  8. Data is encrypted. 
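Criterion 7 above (automatic log-off), which the telemedicine article earlier on this page also recommends, comes down to one piece of server-side logic: every request must present a session token, and the server refuses the token once the session has been idle too long or has lived too long. The following Python is an added example written for this page, not code from any EHR vendor or from the article. The 15-minute idle limit and 8-hour absolute lifetime are assumed policy values, not numbers HIPAA prescribes, and the in-memory dictionary stands in for whatever session backend a real application uses.

```python
"""Idle-timeout session store: a session is revoked after a period of
inactivity and also after an absolute lifetime, regardless of activity.
Added example; the timeout values are assumptions, not HIPAA-mandated numbers."""
from dataclasses import dataclass, field
import secrets
import time

IDLE_TIMEOUT_SECONDS = 15 * 60        # assumed policy: log off after 15 min idle
ABSOLUTE_LIFETIME_SECONDS = 8 * 3600  # assumed policy: force re-login once per shift


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class SessionStore:
    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS,
                 absolute_lifetime=ABSOLUTE_LIFETIME_SECONDS, clock=time.monotonic):
        self._sessions = {}
        self.idle_timeout = idle_timeout
        self.absolute_lifetime = absolute_lifetime
        self.clock = clock  # injectable so tests can drive time deterministically
        self.audit = []     # (event, user, reason); a real system writes these to the audit log

    def login(self, user):
        now = self.clock()
        s = Session(user=user, created_at=now, last_seen=now)
        self._sessions[s.token] = s
        self.audit.append(("login", user, ""))
        return s.token

    def touch(self, token):
        """Validate the token presented with a request. Returns the user on
        success, or None if the session is unknown, idle-expired, or past its
        lifetime. Expired sessions are removed so the token cannot be reused."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        if now - s.last_seen > self.idle_timeout:
            self._revoke(token, "idle-timeout")
            return None
        if now - s.created_at > self.absolute_lifetime:
            self._revoke(token, "absolute-lifetime")
            return None
        s.last_seen = now  # sliding window: activity extends the idle deadline only
        return s.user

    def logout(self, token):
        if token in self._sessions:
            self._revoke(token, "user-logout")

    def _revoke(self, token, reason):
        s = self._sessions.pop(token)
        self.audit.append(("logout", s.user, reason))

    def sweep(self):
        """Background job: revoke stale sessions even when no request arrives
        (the walked-away-from-the-desk case). Returns how many were revoked."""
        now = self.clock()
        stale = [t for t, s in self._sessions.items()
                 if now - s.last_seen > self.idle_timeout
                 or now - s.created_at > self.absolute_lifetime]
        for t in stale:
            self._revoke(t, "sweep")
        return len(stale)


def demo():
    """Drive the store with a fake clock so the behaviour is deterministic."""
    t = [0.0]
    store = SessionStore(idle_timeout=900, absolute_lifetime=28800, clock=lambda: t[0])
    tok = store.login("dr.example")
    t[0] = 600.0
    assert store.touch(tok) == "dr.example"  # 10 min idle: still valid
    t[0] = 600.0 + 901.0
    result = store.touch(tok)                # 15 min 1 s idle: logged off
    return result, store.audit


if __name__ == "__main__":
    print(demo())
```

The `sweep()` method matters as much as `touch()`: a user who simply walks away never sends another request, so a periodic job has to expire the session rather than waiting for the next request to notice. Every revocation is recorded with its reason, which is exactly the kind of event an authorization monitoring program (criterion 3) consumes.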

Key Takeaways for Protecting Your Private Practice Against a HIPAA Breach 

Healthcare data breaches can be a costly and confidence-sapping violation for your private practice. To protect against breaches, make sure you have security protocols in place, train your staff regularly, and ensure your software is HIPAA compliant.  

PrognoCIS EHR by Bizmatics provides a cloud-based application which is fully integrated with powerful modules including HIPAA compliant Electronic Health Records (EHR), Telemedicine, Practice Management, Medical Billing, Revenue Cycle Management (RCM), and Patient Engagement tools.


5 Tips for Secure HIPAA Compliant Faxing


5 Best Practices for HIPAA-Compliant Faxing


  1. Never Leave Faxes Unattended
  2. Switch to an Online Fax Service
  3. Use a HIPAA Fax Disclaimer
  4. Keep an Audit Trail
  5. Migrate Files to the Cloud


Handling protected health information (PHI) can be tricky, but luckily there are a few helpful methods and tips to securely fax patient information.

1. Never Leave Faxes Unattended

Always keep an eye on your documents. Even if you need to do a quick task while sending a fax, leaving patient records unattended can lead to a HIPAA violation. You also need to store these faxes in a secure location.

The same rule applies to online faxing. Make sure you turn off or lock your device if you need to leave your desk during transmission. Better yet, set a password to prevent unauthorized access.

Here are more tips for faxing medical records:

  • The fax machine should only be accessible to authorized persons.
  • Always double-check that you have entered the right fax number into the machine.
  • It’s a good idea to include a fax cover sheet to ensure that the document remains secure.

2. Switch to an Online Fax Service

Using legacy faxing isn’t the most efficient document-sharing method. It does not lend itself well to interoperability, which allows easy access to information across different networks.

In contrast, cloud-based or online faxing services like iFax have features that traditional faxing can’t match. For one thing, all your faxes are now backed up in the cloud. It’s also a cost-efficient option as you do not have to spend on paper, ink, and filing supplies.

With a cloud-based HIPAA-compliant faxing service, you have the ability to fax straight from your phone or computer. It’s also more secure as most internet fax providers use military-grade encryption for all the data you send via online fax. While there are plenty of online fax providers to choose from, always select one that is compliant with the regulations you have to follow. A top-tier fax service will be HIPAA compliant from the start.

3. Use a HIPAA Fax Disclaimer

Every time you fax a document containing PHI, you are required by HIPAA to use a fax disclaimer with the approved statement warning against unauthorized access. This document informs the receiver that incoming faxes contain personal information that is not to be distributed or disclosed without permission.

There is no official checklist on what information should be included in the disclaimer. Based on HIPAA fax regulations, make sure you mention the:

  • Date and time of fax transmission
  • Receiver’s complete name, fax number, and organization
  • Sender’s complete name, fax number, and organization
  • Patient’s case number or code (instead of their name)
  • HIPAA disclaimer prohibiting the distribution of the received information

You may also include the word “confidential” or similar labels in the fax cover.

4. Keep an Audit Trail

Another way to maintain HIPAA-compliant faxing is to create audit logs. These allow you to keep track of all activity in your network. Audit controls are a requirement for all covered entities and business associates, meaning that healthcare providers, medical organizations, and all their vendors must keep them.

Cloud fax service providers must offer a way to keep track of all the faxing activity to ensure compliance when sending patient health information. While most fax platforms perform this automatically, the best ones will let you access all document versions online.

According to HIPAA fax regulations, you must keep these logs for at least six years. The logs must be stored in raw format for 6-12 months before you are free to compress them.
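The audit-trail requirement above is easy to state and easy to get subtly wrong: a log that any administrator can silently edit or trim proves nothing in an investigation, and a retention rule that is never enforced quietly loses records. The Python below is an added example written for this page, not code from iFax or from the article. It records one entry per fax transmission (identifying the patient by case number only, as the cover-sheet tip above recommends), chains each entry to the previous one with SHA-256 so that any edit or deletion is detectable, and classifies an entry's retention tier by age. The twelve-month raw-retention and six-year total-retention thresholds follow the figures given above; taking the upper end of the 6-12 month range is an assumption, as are the field names and the constructed sample transmissions.

```python
"""Append-only, tamper-evident audit trail for fax transmissions of PHI,
plus a retention classifier. Added example; field names, thresholds and
sample data are assumptions made for this page, not a vendor's format."""
import hashlib
import json
from datetime import datetime, timedelta

RAW_RETENTION_DAYS = 365        # assumed: keep entries raw (uncompressed) for 12 months
TOTAL_RETENTION_DAYS = 6 * 365  # assumed: retain entries for at least six years


def _entry_hash(prev_hash, payload):
    """Hash the previous entry's hash together with this entry's fields, so
    every entry commits to the whole history before it."""
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(json.dumps(payload, sort_keys=True).encode())
    return h.hexdigest()


class FaxAuditLog:
    GENESIS = "0" * 64  # prev_hash of the very first entry

    def __init__(self):
        self.entries = []

    def record(self, *, when, sender, sender_fax, recipient, recipient_fax,
               case_number, pages, status):
        """Append one transmission. `when` is an ISO 8601 timestamp string.
        The patient is identified by case number only; the record has no
        field for a name or diagnosis, so none can leak into the log."""
        payload = {
            "time": when,
            "sender": sender, "sender_fax": sender_fax,
            "recipient": recipient, "recipient_fax": recipient_fax,
            "case_number": case_number, "pages": pages, "status": status,
        }
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {**payload, "prev_hash": prev, "hash": _entry_hash(prev, payload)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Recompute the chain from the genesis value. Returns the index of
        the first entry that fails, or -1 if the whole log is intact."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            payload = {k: v for k, v in e.items() if k not in ("prev_hash", "hash")}
            if e["prev_hash"] != prev or _entry_hash(prev, payload) != e["hash"]:
                return i
            prev = e["hash"]
        return -1

    def to_jsonl(self):
        """One JSON object per line, the form most log shippers accept."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def retention_tier(entry_time, now):
    """Classify an entry by age: 'raw' while it must stay uncompressed,
    'compressed' while it must still be retained, then 'past-minimum-retention'.
    Both arguments are ISO 8601 strings."""
    age = datetime.fromisoformat(now) - datetime.fromisoformat(entry_time)
    if age < timedelta(days=RAW_RETENTION_DAYS):
        return "raw"
    if age < timedelta(days=TOTAL_RETENTION_DAYS):
        return "compressed"
    return "past-minimum-retention"


def build_sample_log():
    """Constructed sample transmissions (not real data) for a quick run."""
    log = FaxAuditLog()
    common = dict(sender="Front Desk", sender_fax="+1-555-0100",
                  recipient="Imaging Center", recipient_fax="+1-555-0199")
    log.record(when="2024-03-01T09:15:00", case_number="CASE-0001", pages=3,
               status="sent", **common)
    log.record(when="2024-03-01T09:20:00", case_number="CASE-0002", pages=1,
               status="failed-busy", **common)
    log.record(when="2024-03-01T09:25:00", case_number="CASE-0002", pages=1,
               status="sent", **common)
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print(sample.to_jsonl())
    print("intact" if sample.verify() == -1 else "TAMPERED")
```

Because `verify()` starts from a fixed genesis value and every hash covers the previous one, trimming the oldest entries is detectable as well: the first surviving entry's `prev_hash` will not be the genesis value. Disposal after the six-year minimum therefore has to be a deliberate step, such as starting a fresh chain anchored to the last hash of the archived one, rather than quietly deleting lines.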

5. Migrate Files to the Cloud

Most healthcare data breaches happen because PHI was stolen from portable storage devices such as removable drives, laptops, or tablets. When this happens, your organization will be subject to fines.

With a cloud-based HIPAA-compliant faxing service like iFax, data is stored securely in the cloud via remote servers. A well-secured cloud server significantly lowers the chances of data breaches, especially if it is secured by enterprise-level encryption.

If you must keep a copy of your faxes on portable devices, ensure that PHI is heavily encrypted at all times and safely stored in the organization’s cloud server.


Back to the Basics: HIPAA Compliance for Healthcare Organizations and Business Associates

Since the Health Insurance Portability and Accountability Act (HIPAA) became law in 1996, many healthcare organizations have struggled to fully understand and achieve compliance with HIPAA Privacy and Security mandates.

That may never be more true than now, especially post-pandemic, where healthcare organizations of all sizes are still trying to get their arms around all of the new technologies and digital health delivery models rapidly adopted over the past two years—and the associated threats and vulnerabilities that come with them.

It can feel even more daunting for business associates—many of whom are third-party vendors of software as a service (SaaS) or other digital applications and devices—and are, for the first time, entering into healthcare, unfamiliar with all of its requirements for protected health information (PHI).

Whether you’re a well-established healthcare covered entity that’s been effectively addressing HIPAA requirements for more than two decades or you’re new to healthcare as a business associate, it can be challenging to stay on top of HIPAA standards, especially as the threat landscape continues to evolve and the modern attack surface expands.

A Look Back

To understand HIPAA’s foundation, start with health insurance portability, looking all the way back to the U.S. Civil War, where what we might think of today as modern healthcare and health insurance got its foothold.

After the Civil War, employers, unions, and other organizations created “sickness funds,” where workers contributed about 1% of their wages. The funds would, in turn, provide about 60% of their wages to them if they became too ill or hurt to work.

This approach faced several challenges, and in the years that followed, various organizations tried to come up with different healthcare solutions, all of which had their own unique problems.

A key modern health insurance event occurred in 1974 with the passing of the Employee Retirement Income Security Act of 1974 (ERISA).

ERISA established a federal law with mandated standards to protect employees who use employee benefits, like health and retirement plans. It didn’t mandate that employers give workers health insurance, but it outlined how they would operate a health plan if they had one.

Before ERISA, many companies paid plan administrators, and their rates were based on an experience rating. So, for example, if employees for a particular company were deemed to be more susceptible to sickness or injury, they would have higher premiums.

However, ERISA enabled companies to be responsible for their own plans. It created an environment in which health insurance claims processing became more competitive. This happened simultaneously with the increased usage of computers. So, with lower costs associated with mainframe computing, more providers emerged to offer lower processing fees than larger insurance companies.

This eventually led to an increase in third-party administrators (TPAs) to process claims for employers.

While ERISA ushered in an era of competition, by the 1980s, the industry faced increased costs fueled by the adoption of new technologies and more cost-based reimbursements, which drove premiums up.

At the same time, in 1983, Medicare changed to a fixed price based on diagnosis—a direct correlation to some of what we see in healthcare today.

This was also when we saw the emergence of HMOs, formerly pre-paid health plans. HMOs began enrolling more subscribers and assumed responsibility for claims and underwriting.

As HMOs gained more ground, we saw the creation of new forms of managed care, such as:

  • Preferred Provider Organizations (PPOs): Health plans with medical contracts that set up a network of participating healthcare providers
  • Point of Service Plans (POS): A hybrid of HMOs and PPOs where patients pay higher costs out of pocket to use non-participating providers
  • Expansion of Medicare and Medicaid

By the 1990s, however, consumers pushed back against managed care plans, so companies made more efforts to negotiate lower prices. This is when we saw more provider consolidation and even the closing or mergers of hospitals to become larger hospital systems with reduced competition.

One of the key issues from this era was “pre-existing conditions.” Since the majority of health insurance was tied to employment, as individuals changed jobs and therefore changed insurance companies, insurers were able to refuse coverage for any condition that existed before coverage under the new insurer. This included conditions that had been covered by the prior insurer. A primary goal (it’s implicit in the name of the act) was to improve portability and reduce the potential for claiming an individual condition as uncovered, even though it was covered by another payor previously.

From History to HIPAA

When we think about HIPAA in a historical context, it becomes clearer why many of the key components are part of today’s law. They were designed to overcome many of the challenges healthcare insurance faced decades ago.

It provides a better understanding of the move for legislation to stop health plans from refusing to cover people in poor health, make it easier for people to maintain coverage during a job loss or change, and reduce healthcare fraud, waste, and abuse (FWA).

There are five Title areas of modern HIPAA:

  • Title I: Insurance portability
  • Title II: Fraud and abuse and medical liability reform, also administrative simplification
  • Title III: Tax-related health provisions
  • Title IV: Group health plan requirements
  • Title V: Revenue off-sets

While all are applicable in terms of HIPAA compliance, what likely gets the most attention today are those administrative simplification components in Title II, which include privacy, security, electronic data interchange (EDI), and identifiers.

Why was administrative simplification needed? Healthcare is expensive to administer. Part of that cost was the result of the claims filing process pre-HIPAA. A range of people filed claims: individuals, hospitals, or providers, and often the individual insurers had their own forms and codes, which increased filing complexities.

This hodge-podge created deficits between payers and payees. So, the Administrative Simplification provision of HIPAA came about to standardize health industry transactions and code sets. This also coincided with the emergence of electronic health systems, enabling digital claims-filing, which ultimately moved us toward what we know today as healthcare covered entities.

Covered Entities

What is a covered entity?

In terms of HIPAA, a covered entity is a healthcare provider that conducts electronic transactions, as well as health plans and healthcare clearinghouses that conduct electronic transactions.

Not all healthcare providers are necessarily covered entities. Some providers choose to bill patients directly. If they don’t do this through electronic transactions, they’re not a covered entity, so HIPAA doesn’t apply.

However, all health plans have to be covered entities because they have to accept the transactions. Healthcare clearinghouses create, receive, maintain, or transmit PHI on behalf of a covered entity, making them a business associate and subject to HIPAA. Additionally, sub-business associates may be subject to HIPAA.

The Chain of Trust

When we think about these healthcare regulations, we should look at them through a chain-of-trust perspective.

Generally, the chain of trust begins with a HIPAA covered entity, for example, a hospital. The hospital has business associates, for example, third-party billing, legal services, or even a provider for their electronic health records (EHR). All those business associates may have sub-associates. For example, the EHR provider may contract with another company that provides access to the EHR portal.

At no point does the chain of trust stop existing between any of these different entities. Each one is responsible for PHI protections, and they must all operate within the scope of the business associate agreements they have in place.

The covered entity at the top of the chain of trust has the responsibility to ensure all the related requirements and restrictions are passed down to every business associate and sub-associate, ensuring the chain of trust stays intact at all times.

Basic HIPAA Requirements

Whether you’re a covered entity or business associate, some basic HIPAA requirements are applicable. Let’s look at them.

Administrative Safeguards

Based on 45 C.F.R. §164.308 Administrative Safeguards, a covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf. A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit electronic protected health information on its behalf. This must be done by a written contract such as a business associate agreement or another arrangement such as a memorandum of understanding or agreement. This is to ensure that an individual’s information is protected throughout that cycle.

When we talk about protected information, for HIPAA, that’s usually in regard to PHI, including:

  • Past, present, and future mental or physical health or billing related thereto
  • Can be connected to an individual by one of 18 identifiers
  • All forms: Oral, written, electronic, etc.
  • Excludes employment records and education records

What is a HIPAA Consent Form?

In the U.S., specific laws govern the way an individual’s medical information is handled and shared. The Health Insurance Portability and Accountability Act (HIPAA) is designed to protect the privacy of patients. A HIPAA consent form is a document that a patient signs to confirm that he has received a Notice of Privacy Practices statement from the health practitioner’s office as required by law. It should clearly indicate how the facility uses or shares personal information about patients. The practitioner’s office generally provides this to patients, and requires a signed copy before any treatment can commence.


The purpose of the HIPAA consent form is to provide the healthcare facility with permission to release information about the patient as appropriate. It may include disclosing data to insurance companies for the purpose of collecting payment. It can also send treatment plans or diagnostic results to other healthcare providers.


A HIPAA consent form shows the patient understands that the medical facility cannot share health information with another party without permission.

Sometimes a patient may wish to transfer his or her medical records to another facility. It is against the law for a healthcare institution to send that information without a signed HIPAA consent form. If the patient is a minor, a parent or legal guardian can sign the paperwork on behalf of the child.


A signed copy of the HIPAA consent form should be included in every medical file. All healthcare professionals — including psychologists’, psychiatrists’ and dental offices — are usually bound by this law. Compliance with the regulation means that every patient must receive a written statement of how the office handles personal information about the patient.

HIPAA consent forms include space to list who is allowed to speak to medical professionals on the patient's behalf.

A HIPAA consent form usually includes a place to indicate who, if anyone, has permission to speak with the medical staff on the patient’s behalf. Unless that person is authorized on the signed paperwork, doctors, nurses, and even the receptionist are not permitted to discuss the patient’s information with them. For example, a friend or family member may call a doctor's office to inquire about a patient's appointment time or test result. The office staff would not be able to answer unless that individual was authorized on the patient's signed HIPAA consent form.


A HIPAA consent form should clearly indicate how the facility uses or shares personal information about patients.

Non-compliance with the HIPAA law can result in serious financial consequences for the healthcare practitioner. If a medical office fails to obtain a HIPAA consent form for even one patient, it can be fined $100 US Dollars (USD). In some cases, multiple violations result in fines up to $25,000 USD.

Why Are HIPAA Risk Assessments Important?

A risk assessment is a mandatory annual task completed by a covered entity and a business associate. It is a HIPAA requirement created to ensure that all of the HIPAA compliance risks (administrative, physical, and technical) are identified, and that a roadmap is designed to plan the fixes necessary to resolve the issues found.

The Risk Assessment was not part of the original Health Insurance Portability and Accountability Act of 1996. Instead, it was first introduced in the 2003 Privacy Rule and Security Rule amendments and was then further expanded upon in the Final Omnibus Rule of 2013.

HIPAA legislation defines a Covered Entity (CE) as anyone that handles PHI during day-to-day business operations. Most businesses working in the healthcare industry are considered Covered Entities.

The U.S. Department of Health and Human Services (HHS) officially defines a CE as: healthcare providers such as doctors, dentists, nursing homes, pharmacies, health insurance companies, HMOs, Medicare, Medicaid, and clearinghouses.

A Business Associate (BA) is any third party business or organization that handles individually identifiable health data on behalf of a covered entity, and the Risk Assessment is often considered the starting point to achieve HIPAA compliance.


What is a risk assessment?

A risk assessment is commonly the first task undertaken when a covered entity and a business associate enter into a Business Associate Agreement (BAA). Its purpose is to identify areas within the business that process, store, and transmit protected health information (PHI) and that are therefore in the scope of HIPAA compliance.

PHI is patient data that the law is meant to safeguard, such as data that can be used to identify an individual personally. Examples may include patient names, email addresses, social security numbers, insurance certificates, and so on.

Areas of risk are highlighted, and a roadmap is created for the CE to become HIPAA compliant. Most risk assessments follow the NIST cybersecurity framework, and the NIST schema is a straightforward but highly productive process. There are five essential parts of the NIST framework: Identify, Protect, Detect, Respond, and Recover. The OCR takes this further with the nine essential elements of Risk Analysis, but either framework covers similar topics.


Why is a HIPAA Risk Assessment So Important?

An organization-wide risk analysis and assessment is a mandatory part of a HIPAA audit. If you are unable to provide evidence of a valid risk assessment, the business will fail the audit and will likely be fined by the Office for Civil Rights (OCR). It is a mandatory task because it identifies areas within the business where PHI might be at risk, as well as the likely threats you face.

The fines vary from business to business, and because all breaches of HIPAA compliance must be made public, non-compliance can damage reputation, profitability and patient happiness. The breaches vary from the “Did Not Know” to the “Willful Neglect” HIPAA violation categories.

The risk assessment brings some definitive advantages. The assessment creates a baseline for PHI data collection: it identifies what PHI is processed, stored, and transmitted, as well as the risks or hazards to the security, integrity, and availability of PHI.

The baseline will help to identify what threats you face with your current technical solution, as well as what current protective measures are in place, and the areas that need to be improved. As this process must be documented, it creates a reference point to identify PHI and document any potential threats and vulnerabilities to data integrity.

It directly relates to the required HIPAA administrative, physical, and technical safeguards. Comparisons are made between the existing safeguards already in place and the safeguards expected by the legislation. The comparisons might include user authentication, access control, data and network encryption techniques, etc.

The aim of the risk assessment is to determine how likely it is that the covered entity’s protected health information can be breached in its current configuration: understanding which services are weak against the common threat vectors used by hacking groups, the impact a successful breach would have, and the overall level of risk.

No organization has a perfect risk assessment; there is always room for improvement. The risk assessment is designed to be an evolving document that is updated, with the recommended actions completed within the desired timeframes.

After the initial Risk Assessment has been completed and the roadmap has been designed, the covered entity and business associate must work together to remediate all of the issues identified within a stipulated time frame. This is not optional; it simply must be completed to achieve compliance. This is one of the significant reasons why covered entities often choose to outsource the technical solutions to a HIPAA compliant hosting partner.

The Final Omnibus Rule firmly puts the responsibility on the Business Associate (the hosting partner) to complete the risk assessment actions. The good news is that a reputable hosting provider will already have a compliant infrastructure that can be leveraged.

This will satisfy the technical safeguards and many of the physical safeguard requirements of HIPAA, leaving the much more manageable administrative requirements to be assessed by the covered entity.

How healthcare organizations can find a balance between personalization, data privacy and HIPAA compliance

The one-size-fits-all approach is outdated: there are more avenues for healthcare providers and payers to engage with patients and future customers. Yet, problems with navigating patients’ interactions while respecting their data still exist.


Here are three considerations for how healthcare organizations can navigate the intersection between personalization and data privacy while meeting HIPAA’s regulatory requirements.


Understand the rules and regulations


HIPAA is constantly evolving since the Department of Health and Human Services (HHS) regularly adjusts the regulations to meet the needs of the digital age. There is a thin line between what is compliant and what is not. The HIPAA Privacy Rule gives individuals important control over whether and how their protected health information is used and disclosed for marketing purposes. With limited exceptions, the Rule requires an individual’s written authorization before their data can be disclosed and used for marketing.


Conduct a full digital compliance audit with HIPAA


There are 7 key areas that need to be taken into account:


  • PHI/ePHI & backup storage. Good platforms should enable tracking data without collecting and processing ePHI or PHI (personal health information), but they should also make it possible to do so, under specific conditions. You have to take into account security of the data, types of PHI that are being collected and backup storage that should give you maximum recovery capability.
  • Hosting types. There’s no dedicated HIPAA certification for hosting providers. It’s important to make sure that the vendor respects all the necessary precautions to stay HIPAA-compliant. For example, in case of cloud hosting, the important factors are physical location of the servers, certifications (ISO27001 and SOC2), independent audits and SLA.
  • Business associate agreement (BAA). Is it possible to sign it with the vendor? Even once the BAA (Business Associate Agreement) is in place – customers should keep in mind that it requires regular updates to comply with the HIPAA Omnibus Rule.
  • Data encryption and transmission. HIPAA doesn’t specify what types of encryption ensure compliance. However, the law takes into account a general technology advancement.
  • Audit log and change log. This means being aware of who can access the data. An audit log and an efficient review process are a must.
  • 100% data control. Vendors should be able to guarantee that they do not repurpose the data customers collect.
  • Security review. Both customer’s teams and vendors need to be subject to regular review and education on recent HIPAA updates – it’s something that the legal department should coordinate. In the case of analytics vendors, regular audits and pen tests run by independent security researchers are a must.


Invest in appropriate data platforms (those that are able to sign a BAA)

A business associate agreement, known as BAA, is a contract between a HIPAA-compliant organization and its business partners. It compels both parties to protect personal health information (PHI) and comply with the guidelines provided by HIPAA.

Under the HITECH Act (the Health Information Technology for Economic and Clinical Health Act), any HIPAA-related business automatically becomes subject to audits by the U.S. Department of Health and Human Services (HHS) and can be held accountable for any data breaches or improper handling of data.

It is up to healthcare leaders and professionals to help navigate the thin line between patients’ personalization convenience and their right to data privacy.

Patients deserve to find information that is relevant to them and their specific health needs. The factors to achieve that goal require exploring nuances and understanding the individuals our healthcare system serves. With the right technology, safe and compliant use of information and a sprinkle of conscious creativity, we will ultimately reach the goal of patients’ personalization.

Achieving HIPAA Compliance in 2022

If your organization has access to electronic Protected Health Information (ePHI), you should review your Health Insurance Portability and Accountability Act (HIPAA) compliance checklist. The purpose of a HIPAA compliance checklist is to ensure that your organization complies with the HIPAA regulations covering the security and privacy of confidential patient data.

Failure to comply with HIPAA regulations can result in substantial fines being issued. In addition, criminal charges and civil action lawsuits can be filed should a breach of ePHI occur. Complying with the HIPAA requirements is already challenging; combining those challenges with the sophistication of attacks targeting medical data makes it harder still.

Despite advances in security technology and increased governmental cybersecurity initiatives, threat actors will not abandon their pursuit of patient data. Patient data is valuable. It can be used to file false claims, acquire prescription drugs, or receive medical care. Patient data often includes enough information to steal a person’s entire identity, allowing threat actors to open credit accounts, file fraudulent tax returns, or receive government-issued ID cards.

In light of recent data breaches, it’s clear that the healthcare industry is less prepared with HIPAA compliance than patients would expect. Security measures provided by HIPAA compliance have never been more necessary, as the value of patient data continues to rise on the dark web. Data breaches are often caused by simple, easy-to-correct things that go unnoticed and create vulnerabilities. Even organizations with layers of sophisticated IT and cybersecurity defenses can be exploited by an employee opening a malicious email or using a simple password.

What is HIPAA Compliance?

The HIPAA Act sets the standard for protecting sensitive patient data. Companies that deal with Protected Health Information (PHI) must establish and enforce physical, network, and process security controls to ensure HIPAA compliance.

To start your compliance efforts, you need to know where your organization fits in with HIPAA requirements. A covered entity is any healthcare provider that electronically transmits health information. A business associate is a person or an entity that has access to patient information and provides certain services to a covered entity. Covered entities and business associates must meet HIPAA Compliance. The question that typically follows is “What are the HIPAA compliance requirements?” Unfortunately, that question is not as easy to answer. This is because the requirements of HIPAA are intentionally vague in certain places so HIPAA can be applied equally to every different type of covered entity or business associate that handles PHI.

The HIPAA Privacy and Security Rules

The Privacy Rule establishes standards to protect an individual’s medical records and other protected health information (PHI). It concerns the uses and disclosures of PHI and defines the right for individuals to understand, access, and regulate how their medical information is used. The Privacy Rule strives to assure that an individual’s health information is properly protected. At the same time, it allows access to information needed to ensure high-quality health care and to protect the public.

While the Privacy Rule outlines what information needs to be protected, the Security Rule operationalizes the protections contained in the Privacy Rule. It does this by addressing the technical and non-technical safeguards that organizations must put in place to secure individuals’ ePHI.

The Security Rule protects a subset of the information covered by the Privacy Rule. The Privacy Rule includes all individually identifiable health information, while the Security Rule includes any such data a covered entity creates, receives, maintains, or transmits in electronic form.

What are the HIPAA safeguards?

The Security Rule defines three categories of safeguards – technical, physical, and administrative – that covered entities and business associates need to address in their HIPAA compliance checklist.

Technical Safeguards

The technical safeguards describe the technology used to protect ePHI and provide access to the data. The only defined requirement is that ePHI – whether at rest or in transit – must be encrypted to ensure the information is unreadable, undecipherable, and unusable should a data breach occur. Thereafter, organizations are free to select whichever controls are adequate to their operating environment, including:

  • Inventory your PHI
  • Email security
  • Cloud security
  • Network segmentation
  • Role-based access control
  • Secure remote access
  • Enable multi-factor authentication (MFA)
  • Continuous monitoring and log management

Physical Safeguards

The physical safeguards focus on physical access to ePHI, irrespective of its location. ePHI could be stored in a remote data center, in the cloud, or on-premises. The safeguards also dictate how workstations and mobile devices should be secured against unauthorized access by employing:

  • Facility access controls
  • Policies for the use and positioning of workstations
  • Policies and procedures for mobile devices
  • Inventory of hardware

Administrative Safeguards

The administrative safeguards are the policies and procedures which bring the Privacy Rule and the Security Rule together. They are the pivotal elements of a HIPAA compliance checklist and require that a Security Officer and a Privacy Officer be assigned to put the measures in place to protect ePHI, while they also govern the conduct of the workforce.

The audits conducted by OCR have identified that risk assessments are the major area of Security Rule non-compliance. Healthcare providers need not only conduct an assessment, but they must ensure these assessments are comprehensive and ongoing. This means that a risk assessment is not just a one-time requirement, but a regular task necessary to ensure continued compliance.

HHS states that “conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule. Therefore, a risk analysis is foundational.” HHS recommends that organizations follow industry-standard risk analysis protocols, such as NIST SP 800-30.

Incident Reporting: Breach Notification Rule

The HIPAA Breach Notification Rule requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured patient data.

If you’re a covered entity, your notifications must be sent to affected patients by first-class mail (or email if the affected individuals agreed to receive notices) as soon as reasonably possible. This notification must be no later than 60 days after breach discovery.

If contact information for ten or more affected individuals is out of date or insufficient, or the breach affects more than 500 residents of a state or jurisdiction, post the statement on your website for at least 90 days and/or provide notice in major print or broadcast media in the affected areas.

Covered entities also need to notify the Secretary of HHS about the breach. If a breach affects fewer than 500 individuals, the covered entity must notify the Secretary of such breaches on an annual basis. If a breach affects 500 or more individuals, covered entities are required to notify the Secretary of HHS within 60 days following the breach (if not immediately).
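The notification logic above is easier to check against a concrete breach than to reason about in prose. The following is an added example (not code from the original article): it encodes only the thresholds the passage states and turns a breach description into the list of notices owed and their dates. The deadline for the public (website/media) notice and the "following the breach" date for HHS are assumed to track the 60-day individual-notice clock from discovery; the passage gives no date for the annual HHS log, so that deadline is left unset.

```python
"""Breach Notification Rule obligations, as summarised in the passage above.

Added example, not part of the original article. Thresholds are taken from
the passage: individual notice within 60 days of discovery; website (90 days)
and/or media notice when 10+ individuals have stale contact information or a
state has more than 500 affected residents; HHS notice within 60 days for 500
or more individuals, otherwise an annual report. Dates for the public notice
and the HHS notice are ASSUMED to run from the discovery date.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

INDIVIDUAL_NOTICE_DAYS = 60          # "no later than 60 days after breach discovery"
HHS_NOTICE_DAYS = 60                 # "within 60 days following a breach"
STALE_CONTACT_THRESHOLD = 10         # "ten or more individuals' information is out of date"
MEDIA_STATE_THRESHOLD = 500          # "more than 500 residents of a state or jurisdiction"
HHS_PROMPT_THRESHOLD = 500           # "500 or more individuals"
WEBSITE_POSTING_DAYS = 90            # "post the statement on your website for at least 90 days"


@dataclass
class Breach:
    discovered_on: date
    affected_by_state: Dict[str, int]   # state/jurisdiction -> affected residents
    stale_contact_count: int = 0        # individuals with out-of-date/insufficient contact info

    @property
    def total_affected(self) -> int:
        return sum(self.affected_by_state.values())


@dataclass
class Obligation:
    audience: str
    channel: str
    deadline: Optional[date]            # None: the passage states no fixed date
    note: str = ""


def notification_plan(breach: Breach) -> List[Obligation]:
    """Return every notice a covered entity owes for this breach."""
    plan: List[Obligation] = []
    individual_deadline = breach.discovered_on + timedelta(days=INDIVIDUAL_NOTICE_DAYS)

    # 1. Every affected individual, by first-class mail (or e-mail if agreed).
    plan.append(Obligation("affected individuals",
                           "first-class mail or agreed e-mail", individual_deadline))

    # 2. Public notice: either trigger from the passage is enough on its own.
    triggers = []
    if breach.stale_contact_count >= STALE_CONTACT_THRESHOLD:
        triggers.append("%d individuals have stale contact information" % breach.stale_contact_count)
    for state, count in sorted(breach.affected_by_state.items()):
        if count > MEDIA_STATE_THRESHOLD:
            triggers.append("%d residents of %s affected" % (count, state))
    if triggers:
        plan.append(Obligation(
            "public (affected areas)",
            "website posting for at least %d days and/or major print or broadcast media"
            % WEBSITE_POSTING_DAYS,
            individual_deadline,              # assumed to follow the individual-notice clock
            "; ".join(triggers)))

    # 3. Secretary of HHS: prompt report for large breaches, annual log otherwise.
    if breach.total_affected >= HHS_PROMPT_THRESHOLD:
        plan.append(Obligation("Secretary of HHS", "breach report",
                               breach.discovered_on + timedelta(days=HHS_NOTICE_DAYS)))
    else:
        plan.append(Obligation("Secretary of HHS", "annual breach log", None,
                               "fewer than %d individuals affected" % HHS_PROMPT_THRESHOLD))
    return plan


def plan_for(discovered_iso: str, affected_by_state: Dict[str, int],
             stale_contact_count: int = 0) -> List[Obligation]:
    """Convenience wrapper taking an ISO date string, e.g. '2024-03-01'."""
    return notification_plan(Breach(date.fromisoformat(discovered_iso),
                                    affected_by_state, stale_contact_count))


if __name__ == "__main__":
    # Constructed sample: one breach discovered 2024-03-01 touching two states.
    for ob in plan_for("2024-03-01", {"TX": 620, "OK": 40}, stale_contact_count=12):
        print(ob.audience, "|", ob.channel, "|", ob.deadline, "|", ob.note)
```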

To Become HIPAA Compliant Practice Good Cyber Hygiene

While every organization is different, the end goal of a cyber hygiene program is to identify vulnerabilities, minimize risk exposure, and reduce the potential for a breach. Cyber hygiene is about consistently performing activities that minimize risk, day-to-day. If everyone in an organization is aware of cyber security, you can better develop a security culture.

The following includes some good cyber hygiene practices that can help HIPAA covered entities and businesses associates become HIPAA compliant:

  • Minimize the pathways that lead to your ePHI: secure remote access with MFA, and control removable USB storage (for example with port controls or USB data blockers).
  • Be cautious of public Wi-Fi networks when using your mobile device.
  • Include in your security awareness training the responsible use of social media – social engineers seek personal information to launch phishing attacks.
  • Secure your remote workers.
  • Establish a policy of frequent configuration and vulnerability assessments against best-practice baselines, so that misconfigurations and known vulnerabilities are found and fixed before they are exploited.
  • Secure your supply chain by performing risk assessments on all third-party relationships and partners.
  • Examine your business continuity and disaster recovery plans annually.
  • Involve your organization’s Board to keep security risks as a top priority. Executive buy-in will help strengthen the overall security posture.


As technology continues to advance, especially in the healthcare industry, and the value of data continues to rise, organizations need to anticipate security risks before they occur. One practical way to do this is to monitor consistently for the spread of PHI and other personal data, using regular data discovery scans that locate data wherever it rests. To ensure you cover all elements on your HIPAA compliance checklist, it is worthwhile seeking guidance from HIPAA compliance experts.

Technical Doctor's insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004

No comment yet.

Four HIPAA Compliance Tips for Your Medical Practice


Your patients want to know that their personal information is secure and that the disclosure of protected details happens only when necessary. HIPAA compliance is essential for your medical practice, because it ensures that patients have peace of mind when it comes to the personal information available through their medical records. When you demonstrate a commitment to keeping information secure, you can not only avoid fines, but you can build genuine connections and trust with the people you treat.

Two key aspects of HIPAA, known as the Privacy Rule and the Security Rule, are particularly important for medical practices to follow. In general, the Privacy Rule limits uses and disclosures of protected health information to the minimum reasonably needed for the purpose of the disclosure. The Security Rule requires the establishment of administrative, physical and technical safeguards for the confidentiality, integrity and availability of electronic protected health information (e-PHI).

Although HIPAA was first enacted in 1996, the latest modifications to the regulations, known as the final omnibus rule, went into effect in September 2013. The new rule, detailed by the Department of Health & Human Services, expands patients' privacy protections and allows them to ask for a copy of their electronic medical record. Patients may also instruct providers not to share information about their treatment to their health plan if they pay out of pocket. The omnibus rule also requires providers to request a patient's permission before they market a third-party service to the patient based on their protected health information.

Following these rules is hugely important because, along with gaining the trust and confidence of your patients, you want to avoid any violations, such as theft of patient records, disclosure of information without consent, or lost data, that can result in steep civil or criminal penalties. There are several steps that practices can take to meet HIPAA compliance:


  • Always get patient approval for protected health information transfers. Attorney James Wieland, principal at Ober|Kaler's Health Law Group, says it is important to get explicit approval any time information is transferred to a third party, even if it is at the patient's request. "If you get directions or requests from an individual to transfer their personal health information to a third party, you must get them to clearly state it — in writing — or you will be at risk," he says. Wieland also suggests getting consent from the patient if the information is transferred through nonsecured means.


  • Run a risk analysis. HIPAA requires that organizations that handle protected health information regularly review administrative, physical, and technical safeguards. According to the Department of Health & Human Services, there are four key steps to the risk analysis process: "Evaluate the likelihood and impact of potential risks to e-PHI; implement appropriate security measures to address the risks identified in the risk analysis; document the chosen security measures, and where required, the rationale for adopting those measures; and maintain continuous, reasonable, and appropriate security protections."


  • Conduct employee training. Even with safeguards in place to protect your patients' health information, it's still possible for a violation to occur if employees aren't aware of the rules. HIPAA compliance training should be provided to employees when they first start working at the practice and should be repeated annually. This training should include information about the privacy and security rules, violations, and tracking patient record requests. In addition to offering training, your practice should also strengthen the password policy for access to patients' medical records: require long, unique passwords, add multi-factor authentication, and require a password change whenever compromise is suspected. (Current NIST guidance in SP 800-63B advises against forcing changes on a fixed schedule; screening new passwords against known-breached lists does more to keep attackers out.)


  • Update business associate agreements, policies, and procedures. According to Medical Economics by ModernMedicine, relations with business associates are the second major area of vulnerability when it comes to HIPAA compliance. Under the new rules, business associates have the same responsibility to secure protected health information as providers and are directly liable for HIPAA violations. Your practice should review its agreements with business associates and update them to reflect that direct liability. Your practice should also update its HIPAA policies and procedures, including its Notice of Privacy Practices.


Securing patient information requires procedures and training, but the effort is worth it when you avoid penalties and secure the trust of your patients. When they know you are looking out for their interests by keeping their information safe, it will go a long way to creating a productive relationship and connection.


HIPAA-Compliant Telehealth During the COVID-19 Pandemic


To ensure patients get the medical attention they need while limiting interactions and travel to slow the spread of COVID-19, telehealth expanded rapidly in 2020. As many offices shifted to work-from-home setups and remote working, health care professionals were encouraged to practice virtual medicine whenever possible. Yet this new reliance on technology and mobile communications poses new questions and concerns related to HIPAA compliance.


Expansion of Telehealth in Response to the COVID-19 Pandemic


When the coronavirus pandemic first began, the HHS Office for Civil Rights (OCR) issued a notification of enforcement discretion to facilitate greater use of telehealth. Specifically, OCR said it would not impose penalties for noncompliance with the HIPAA Rules in connection with the good-faith provision of telehealth, conduct that in a normal situation would be treated as a HIPAA violation. The goal is to give medical practitioners the flexibility needed to use remote communications and provide virtual care for patients.


The emergency exemption recently issued by the HHS applies to all healthcare providers who are covered by HIPAA and provide telehealth services during the pandemic. It temporarily waives the requirement that healthcare professionals be in a medical office or facility when providing compliant and billable telehealth services. This includes services for patients with Medicare coverage.

During the COVID-19 pandemic, this allows physicians, nurse practitioners, physician assistants, nurse midwives, clinical psychologists, registered dietitians, and licensed social workers to work from home. At the same time, it helps keep patients at home in line with stay-at-home orders and public health safety measures. Mental health counseling, preventive health screenings, and medical treatment, whether related to COVID-19 or not, can be done remotely to avoid putting patients and others at greater risk.


Growing Cybersecurity Threats Targeting Healthcare Now


The medical community faces concurrent challenges at the moment between providing remote healthcare and increased cybersecurity risk. Telehealth raises many patient privacy concerns. Recent reports have sounded the alarm about hackers targeting medical facilities, doctors working remotely, and popular telecommunications platforms, specifically during the pandemic. Security vulnerabilities have also been introduced by third-party contractors, health insurance companies, medical billing agents, and other healthcare administration work being done from home.


Telehealth & HIPAA Compliance Concerns During the Pandemic


Despite this, however, authorities continue to prioritize patient care and citizens’ access to adequate medical attention. To facilitate regular medical practice, and the diagnosis or treatment of COVID-19 related conditions, OCR has said it will not impose penalties for the absence of a business associate agreement (BAA) with the video communication vendor when a provider uses the platform in good faith to deliver telehealth.

This opens the door for doctors to use mobile apps, text messages, phone calls, images, internet streaming and videoconferencing to deliver long-distance clinical health care. Platforms such as FaceTime, Zoom, Google Hangouts, Facebook Messenger video chat, Skype, and WhatsApp video chat are increasingly being used for this purpose. These are non-public-facing products, but not all of them encrypt end to end by default, so providers should enable every available encryption and privacy setting and require password-protected logins for individual users.

Activities such as storing images, handling PHI, and conducting e-visits with patients through these platforms won’t be subject to the penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules as long as the telemedicine services are provided in good faith. These activities are allowable for covered health care providers during the national public health emergency, but could be subject to fines and violation penalties in normal circumstances.

These are the only HIPAA/HITECH compliance requirements which have been waived due to the emergency. It’s important for covered entities and business associates to continue to comply with all other privacy and security regulations. We expect that HIPAA Rules regarding technology and telehealth practices will return to full enforcement when the coronavirus pandemic is contained and the waiver expires.


Current HIPAA Guidelines for Telehealth


In normal circumstances, the use of personal mobile devices to discuss patient care or share patient data, without encryption features and secure servers, would be a clear violation of HIPAA. For that reason, compliant medical communication services provide their clients with secure communications platforms for safely accessing, storing, and transmitting PHI via mobile devices.

While the waiver is in effect, HIPAA telehealth requirements during the COVID-19 emergency are less restrictive. Yet, it’s important to use caution when using technology in healthcare to ensure data security and patient privacy.

  1. HIPAA-compliant telemedicine platforms must have an interactive audio and video system that enables live, two-way telecommunications between the health care provider and patient at home.
  2. The platform or application used for telehealth purposes must not be public-facing.
  3. Patients must consent to using telehealth technology and virtual visits.
  4. If the patient does not log in through a secure portal, the practitioner must confirm the patient’s identity before beginning the appointment.


Tips for Avoiding Telehealth HIPAA Violations


When carrying out telehealth, it’s important to still follow reasonable HIPAA protections to decrease the possibility of accidental PHI disclosure. Here are some tips to help you decrease the risk of privacy violations and practice telemedicine securely.

  • Get informed about the telehealth resources and guidelines available through your state and county medical association.
  • Consult with your insurance company to confirm that platforms without a BAA are included in coverage in case of a data breach.
  • Refer to your healthcare facility or network to understand what EMR technology is currently available.
  • Practitioners should have a private, quiet space where they can perform telehealth visits, communicate with patients, and collaborate with healthcare teams.
  • Avoid using speakerphone devices and virtual assistant features, such as Alexa and Siri, which are not considered HIPAA compliant.
  • Refrain from using any social media or communications platforms that can be viewed by other users, such as Facebook Live or TikTok.

The Benefits of HIPAA Compliance for Medical Practices


One of the challenges when discussing the benefits of HIPAA compliance for medical practices is proving the benefits are directly attributable to HIPAA. For example, one frequently claimed benefit of HIPAA compliance is improved efficiency. But, has efficiency improved due to complying with HIPAA or would it have improved anyway because of other measures?


Similarly, how do you prove HIPAA compliance protects PHI against data breaches if you don't experience a data breach? Alternatively, what if you do implement every HIPAA safeguard, but a breach still occurs because an individual authorized to access PHI misused that authorization? Although in the latter case the medical practice may not be liable, a data breach has still occurred.


Furthermore, while there is evidence to show that the increased adoption and use of EHRs has resulted in the more efficient delivery of healthcare and a reduction in medical errors, the increased adoption and use of EHRs is more attributable to the HITECH Act than HIPAA – the HIPAA Security Rule stipulating how data should be protected, rather than how it should be used.

Are There Provable Benefits of HIPAA Compliance for Medical Practices?

Fortunately, there are. Research has shown that, when patients trust that measures are in place to protect the confidentiality of personal information, they feel more in control and less at risk, and are more willing to share personal information with medical professionals. This enables medical professionals to make better informed diagnoses and determine the best course of treatment.

Being able to make better informed diagnoses and determine the best course of treatment most often results in positive patient outcomes. This raises morale in the workplace, increases patient safety in other areas of the medical practice's operations, and is reflected in higher satisfaction scores from patients and their families, a commonly used indicator for measuring the quality of health care.

Studies have also shown that when patients trust medical professionals, they tend to engage better with preventive services, participate more in healthy activities (or reduce unhealthy ones such as smoking), and are more likely to comply with medications and treatments. This helps reduce the severity of illness and accelerates recovery when patients present at a medical practice.

How HIPAA Helps Foster Patient Trust in Medical Professionals

HIPAA helps foster patient trust in medical professionals in many ways. Under the Privacy Rule, medical practices are required to provide patients with a Notice of Privacy Practices. The Notice should not only explain the circumstances in which PHI may be disclosed, but also encourage patients to become more involved in their healthcare by explaining their rights, why they might want to exercise them, and how they can access their medical records or request an accounting of disclosures.

Thereafter, patient trust can be further developed by implementing HIPAA-compliant measures so that conversations with patients outside the physician's office can be conducted in private (for example, partitioned waiting areas). Other HIPAA-compliant practices a medical practice could adopt include explaining how patients grant or revoke authorization for uses and disclosures of PHI beyond those permitted by the Privacy Rule, or suggesting HIPAA-compliant modes of communication.

Less obvious ways in which medical practices can demonstrate to patients that measures are in place to protect the confidentiality of personal information include providing password-protected Wi-Fi, offering advice on how to safely use health care portals such as HealthCare.gov, and recommending health care apps that follow Xcertia guidelines for privacy and security. Although these measures are not required by HIPAA, they build on the trust instilled by complying with the HIPAA Privacy Rule.

The Consequences of Non-Compliance for Patient Trust

Non-compliance with HIPAA can manifest in many ways in a medical practice. Common examples include discussing a patient´s health care within earshot of other patients, failing to respond to an access request in a timely fashion, or disclosing PHI to a third party without authorization. Each of these examples can damage patient trust and undermine the benefits of HIPAA compliance for medical practices discussed in the previous sections.

The most extreme example of non-compliance with HIPAA is an avoidable breach of unsecured PHI which affects all of the medical practice's patients. In such HIPAA violation cases, not only do the impacted patients and the HHS Office for Civil Rights have to be informed, but it may also be necessary to notify local media channels, which can result in reputational damage for the medical practice throughout the community for many years into the future.

Further damage to patient trust can occur when medical practices tighten up processes or tie systems down following an unauthorized disclosure of PHI or data breach. In 2019, a study into HIPAA data breach remediation efforts and their implications for hospital care quality found an increase in the time taken to treat patients suffering heart attacks and an increase in myocardial infarction mortality – understandably lowering patient satisfaction scores.

How Medical Practices can Avoid Gaps in HIPAA Compliance

It is not unusual for gaps to appear in HIPAA compliance in busy medical practices. Shortcuts can often be taken to “get the job done”, and when these shortcuts are allowed to continue, they develop into a cultural norm of unintentional non-compliance. Refresher training can help prevent shortcuts developing into cultural norms, but one of the best ways to prevent shortcuts being taken in the first place is HIPAA compliance software with ongoing gap identification and remediation.

HIPAA compliance software not only monitors compliance with HIPAA but can also help busy medical practices develop HIPAA-compliant policies, track workforce training, conduct security assessments, and manage Business Associate Agreements. More advanced HIPAA compliance software also has incident management capabilities so Compliance Teams can respond faster to violations and mitigate any loss to the benefits of HIPAA compliance for medical practices.


How HIPAA Laws Impact Employers


In the healthcare industry, patient data is considered sensitive and, as such, is subject to certain privacy and security requirements to ensure it remains confidential. Some employers may find themselves handling this protected health information (PHI) and could be required under federal law to handle that data in a specific way. It is important for all employers to understand the federal law known as HIPAA and how it applies (or doesn’t apply) to them.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that establishes privacy standards by which healthcare organizations are required to protect sensitive patient information. Since it was signed in 1996, HIPAA has been updated periodically to evolve alongside technology, adapting to include cybersecurity standards required of all “covered entities” and their business associates.

What is the HIPAA Privacy Rule?

The HIPAA Privacy Rule is the section of the law that specifically relates to the confidential handling and transmission of patient healthcare data. Measures in the Privacy Rule include an enumeration of individuals’ rights under the law, such as how they can control and access their own healthcare information.

Moreover, the Privacy Rule prescribes how healthcare organizations and other covered entities and business associates must handle protected health information. This includes requirements governing both process and technology; not only must protected health information be handled properly, but it must also be stored securely.

“It requires you to protect and maintain the security of PHI, which is a defined term that deals generally with health information that can be identified and tied to a specific individual,” Paul Starkman, an employment attorney for Clark Hill, told business.com. “It deals with how the information must be protected in terms of encryption, password protection and things like that. It also deals with transmission … and it has some other requirements too in terms of disposing [of] PHI once it is no longer needed.”

Starkman said this includes information from paper files, digital files and machines and equipment that become outdated or are no longer in service.

“Those need to be disposed of in accordance with HIPAA guidelines,” he said.

Which types of businesses does HIPAA apply to?

The stringent requirements included in HIPAA don’t apply to all employers – just those that fall into a certain category.

The term “covered entities” refers to organizations that are required to comply with the rules set out under HIPAA. Covered entities include health care providers such as doctors’ offices and hospitals, health plans (including health insurers), and health care clearinghouses. The U.S. Department of Health and Human Services publishes guidance on its website for determining whether an organization is a covered entity.

“HIPAA is primarily going to apply to covered entities,” said Jarryd Rutter, an HR coach at Paychex. “That is where HIPAA is most impactful: for those industries and obligations, not only to customers but their employees.”

Rutter noted that Paychex does not give its clients legal advice and recommended that businesses consult with legal counsel if they are concerned about their HIPAA obligations.

HIPAA also applies to organizations that do business with covered entities and handle or process patients’ protected health information in some way. These organizations are known as “business associates” under the law and are also required to abide by HIPAA regulations.

“Sometimes we get pushback from a client we are helping because they are hesitant to send documents out of concern they are violating HIPAA when, in fact, they are not,” Rutter said. “A non-covered entity doesn’t have to be concerned with HIPAA; it’s really limited to if they offer health insurance plans and the handling of that health insurance info.”

Other employers are generally not covered by HIPAA and, therefore, are not required to abide by the strict privacy and security regulations included in the law. However, Rutter said, non-covered entities likely have some privacy and security obligations under other federal laws, such as the Americans with Disabilities Act (ADA) or the Family and Medical Leave Act (FMLA). 

When does HIPAA apply to non-covered entities?

Although HIPAA doesn’t apply to most businesses, there is one unique circumstance in which employers should be aware of the law’s requirements. Employers that provide a self-funded health insurance plan are technically operating a covered entity: the health plan itself. This means the health insurance plan is subject to all of the requirements in HIPAA, while the primary business is not.

“Because that self-funded plan … is viewed as a covered entity, the health plan falls under HIPAA,” said Matt Fisher, healthcare attorney at Mirick O’Connell. “You end up having to wall off the information used for maintenance and operation of that plan. But, on the whole, HIPAA will really not apply to the general employer and employee relationship.”

Another common way employers come into contact with an employee’s PHI is through workers’ compensation claims, Fisher said. In these instances, clinical documentation from medical appointments might be required to support the workers’ compensation claim, and employers would need access to that information.

However, just because an employer has access to this data, it does not necessarily mean HIPAA applies.

“Generally, the health information employers get through the employment relationship is not going to be covered by HIPAA,” Starkman said. “It may be covered by other state privacy laws.”

In the example of a workers’ compensation claim, HIPAA governs the healthcare provider’s handling of protected health information and its release to the employer. Typically the employee authorizes that disclosure, although the Privacy Rule also permits a provider to disclose PHI without authorization to the extent required by workers’ compensation laws (45 CFR 164.512(l)). Once the information is received by the employer, however, HIPAA no longer applies.

What are examples of HIPAA violations?

HIPAA violations can be costly, so it is important to avoid even unintentional violations. Civil penalties for HIPAA violations can exceed $50,000 per violation. Violations committed with malicious intent could result in criminal charges – in the most egregious cases, up to 10 years in prison and $250,000 in fines.

The first step in avoiding HIPAA violations is knowing some of the most common ones.

Unreported data breaches

Healthcare organizations are a major target for cybercriminals attempting to breach the networks and steal sensitive healthcare data. Covered entities must report data breaches to the individuals affected, the secretary of the Department of Health and Human Services and sometimes the media.

To avoid data breaches, ensure that your antivirus software is up-to-date and that all data is encrypted in storage and transmission. Update your software on all connected devices regularly to patch vulnerabilities exploited by hackers. Decommission outdated devices and remove them from your network; dispose of them per HIPAA regulations.

Loss of devices

A hospital contains thousands of connected medical devices and mobile endpoints, many of which store or cache protected health information. The loss or theft of these devices can lead to the loss of sensitive data unless they are properly password-protected and encrypted. A failure to do so that results in a data breach is a HIPAA violation that could easily have been avoided.

Unauthorized access

Employees accessing data they do not need or are not authorized to access usually constitutes a HIPAA violation. To avoid this problem, pair authentication (each employee proves who they are, with a unique account and multi-factor authentication) with authorization (role-based access that limits each employee to the minimum necessary records), and keep audit logs of who accessed which record so that out-of-pattern access can be reviewed. Establish clear policies and procedures around access approvals and consequences for accessing information without a legitimate need.
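As an added illustration of the audit-log review described above (example code written for this page, not from the article or any vendor product), the following Go program runs three checks over a constructed EHR audit log: a role-based action limit, a treatment-relationship check per patient, and a volume threshold that catches one user reading across many charts. The log format, the assignedPatients and roleActions tables and the BulkThreshold value are assumptions for the example; a real deployment would read them from the EHR and its access-control system.

```go
package main

import (
	"fmt"
	"strings"
)

// AccessEvent is one parsed line of an EHR audit log. The line format
// (timestamp,user,role,patient,action) is an assumption for this example.
type AccessEvent struct {
	Time, User, Role, Patient, Action string
}

// Finding pairs a suspicious event with the policy rule it tripped.
type Finding struct {
	Event  AccessEvent
	Reason string
}

// SampleLog is a constructed audit log: five accesses, four of which
// violate policy. It is not a real log.
const SampleLog = `2024-03-01T09:02:11Z,dr.lee,physician,P100,view
2024-03-01T09:05:40Z,nurse.kim,nurse,P101,view
2024-03-01T09:07:02Z,billing.ng,billing,P100,update
2024-03-01T09:10:15Z,dr.lee,physician,P102,export
2024-03-01T09:11:00Z,dr.lee,physician,P101,view`

// Hypothetical policy data: who has a documented treatment or payment
// relationship with which patient, and what each role may do.
var assignedPatients = map[string]map[string]bool{
	"dr.lee":     {"P100": true, "P101": true},
	"nurse.kim":  {"P100": true},
	"billing.ng": {"P100": true, "P101": true, "P102": true},
}

var roleActions = map[string]map[string]bool{
	"physician": {"view": true, "update": true, "export": true},
	"nurse":     {"view": true, "update": true},
	"billing":   {"view": true},
}

// BulkThreshold is the number of distinct patients one user may touch in the
// analysed window before the pattern is flagged for review (assumed value).
const BulkThreshold = 3

func parseLine(line string) (AccessEvent, error) {
	f := strings.Split(line, ",")
	if len(f) != 5 {
		return AccessEvent{}, fmt.Errorf("malformed audit line: %q", line)
	}
	return AccessEvent{Time: f[0], User: f[1], Role: f[2], Patient: f[3], Action: f[4]}, nil
}

// Analyze runs the three checks over every line and returns findings in log
// order. A malformed line is an error rather than a skipped line: a gap in the
// audit trail is itself something the reviewer needs to know about.
func Analyze(auditLog string) ([]Finding, error) {
	var findings []Finding
	touched := map[string]map[string]bool{} // user -> distinct patients seen
	for _, line := range strings.Split(strings.TrimSpace(auditLog), "\n") {
		ev, err := parseLine(line)
		if err != nil {
			return nil, err
		}
		// Role check: indexing a nil map for an unknown role yields false,
		// so unknown roles are denied everything.
		if !roleActions[ev.Role][ev.Action] {
			findings = append(findings, Finding{ev, "action not permitted for role"})
		}
		// Minimum-necessary check: no documented relationship with the patient.
		if !assignedPatients[ev.User][ev.Patient] {
			findings = append(findings, Finding{ev, "no documented relationship with patient"})
		}
		// Volume check: fires once, on the event that crosses the threshold.
		if touched[ev.User] == nil {
			touched[ev.User] = map[string]bool{}
		}
		touched[ev.User][ev.Patient] = true
		if len(touched[ev.User]) == BulkThreshold {
			findings = append(findings, Finding{ev, "bulk access across many patients"})
		}
	}
	return findings, nil
}

func main() {
	findings, err := Analyze(SampleLog)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s %-10s %-9s %s %-6s -> %s\n",
			f.Event.Time, f.Event.User, f.Event.Role, f.Event.Patient, f.Event.Action, f.Reason)
	}
}
```

On the sample log the program reports the nurse viewing an unassigned chart, the billing user attempting an update, the physician exporting a chart outside their panel, and the same physician crossing the bulk threshold. The relationship check is the one most practices skip; it is also the one that catches the classic case of staff looking up a neighbour or a celebrity.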

Failure to encrypt data

Under the HIPAA Security Rule, encryption of ePHI at rest and in transit is an “addressable” implementation specification: a covered entity must either implement it or document why it is not reasonable and appropriate and adopt an equivalent alternative measure. In practice, encryption is what makes lost or stolen data “secured” under the Breach Notification Rule: HHS guidance points to NIST SP 800-111 for data at rest and NIST SP 800-52, 800-77 and 800-113 for data in transit, and AES with 128-bit or longer keys is the NIST-approved algorithm. Leaving devices, data in storage or data in transit unencrypted without a documented justification is therefore likely to be treated as a HIPAA violation, and an unencrypted loss is a reportable breach. Avoid this by encrypting all ePHI on your network to a current standard, and by managing the keys at least as carefully as the data.
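The following Go program is an added example, not code from the article, showing what “encrypt data at rest” means in practice for a single record: AES-256-GCM with a fresh random nonce per record and the record identifier bound as associated data, so a modified ciphertext, or one copied onto another record, fails to decrypt. Seal, Open, NewKey and the sample record are assumptions of this example; key generation and storage (NewKey here) would normally be done by a KMS or HSM rather than in application code.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit key. Assumption for this example: in a real
// system the key is generated and held by a KMS or HSM, never by the application.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record with AES-256-GCM. The record identifier is passed
// as associated data: it is authenticated but not encrypted, so a ciphertext
// copied onto a different record fails to open. Output is nonce || ciphertext || tag.
func Seal(key, recordID, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// A fresh random 96-bit nonce per call. Reusing a nonce under the same key
	// breaks GCM, so keys must be rotated well before 2^32 records.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, recordID), nil
}

// Open reverses Seal and fails closed on any modification of the nonce,
// ciphertext, tag or record identifier.
func Open(key, recordID, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, recordID)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record, not real PHI.
	record := []byte("P100: 2024-03-01 visit note (constructed sample)")
	sealed, err := Seal(key, []byte("P100"), record)
	if err != nil {
		panic(err)
	}
	if _, err := Open(key, []byte("P101"), sealed); err != nil {
		fmt.Println("wrong record id rejected:", err)
	}
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the tag
	if _, err := Open(key, []byte("P100"), sealed); err != nil {
		fmt.Println("tampered record rejected:", err)
	}
	sealed[len(sealed)-1] ^= 0x01 // restore it
	pt, err := Open(key, []byte("P100"), sealed)
	fmt.Println(string(pt), err)
}
```

Two design points matter more than the algorithm choice. The associated data ties each ciphertext to its record identifier, which stops a database-level attacker from moving one patient’s encrypted note under another patient’s row. And the nonce is generated randomly per record rather than derived from a counter the application has to persist; the price is the key-rotation limit noted in the comment.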

HIPAA compliance for employers

If you are a covered entity or a business associate of a covered entity, HIPAA regulations apply to you. To ensure you remain compliant, follow this useful HIPAA compliance checklist from HIPAA Journal:

  1. Identify which audits apply to your organization.
  2. Conduct those audits internally; then analyze the results and determine corrective measures.
  3. Implement the corrective measures and document them. Review compliance annually.
  4. Appoint a HIPAA compliance officer. Alternatively, appoint dedicated privacy and security officers.
  5. Task the HIPAA compliance officer(s) with training all employees on HIPAA obligations.
  6. Document HIPAA training and staff member completion of the training program.
  7. Annually perform due diligence assessments on any business associates to ensure HIPAA compliance.
  8. Establish processes for reporting breaches and notifying the Department of Health and Human Services Office for Civil Rights.

Following this checklist and establishing a clear set of policies and procedures regarding HIPAA compliance can put your organization in a better position to meet the strict privacy and security requirements included in the law.

Employer HIPAA responsibilities and COVID-19

Although HIPAA applies only to covered entities and business associates, the law offers a good list of guidelines for other employers to follow as they implement employee COVID-19 testing and monitor employees for symptoms.

For example, many employers are requiring COVID-19 tests or on-site temperature checks for employees coming to work. Although HIPAA does not apply, handling or recording that type of health information is risky territory, so it behooves employers to adhere to HIPAA-like steps and to document their activities carefully.

“Most employers are really not specifically covered by HIPAA, but it provides best practices that employers generally tend to follow when keeping PHI about employees,” Starkman said. “It should be kept under lock and key, in separate folders from personnel files.

“If you’re [a non-covered entity] with employee health information, you’re covered by different laws,” Starkman added. “Primarily, the ADA has rules regarding how employers need to keep the medical information of employees. They tend to track the HIPAA requirements in terms of keeping files and computer documents under lock and key and in a secure manner.”

Rutter said employers should turn to the ADA and the Equal Employment Opportunity Commission for guidance on handling employee information related to the COVID-19 pandemic. He said there are three steps every business should take when implementing COVID-19 testing and monitoring procedures:

  • Document all policies and procedures.
  • Restrict access to employee information to trained employees.
  • Establish protocols in the event of a data breach or unauthorized access.

“Even non-covered entities should do this,” Rutter said. “Taking proactive steps is key for any employer.”


Why is HIPAA Important? Updated 2023


The Health Insurance Portability and Accountability Act (HIPAA) is a landmark piece of legislation, but why is HIPAA compliance important? What changes did HIPAA introduce and what are the benefits to the healthcare industry and patients?

HIPAA was introduced in 1996, primarily to address one particular issue: Insurance coverage for individuals that are between jobs. Without HIPAA, employees faced a loss of insurance coverage when they were between jobs.

A second goal of HIPAA was to prevent healthcare fraud and ensure that all ‘protected health information’ was appropriately secured and to restrict access to health data to authorized individuals.

Why is HIPAA Important for Healthcare Organizations?

HIPAA introduced a number of important benefits for the healthcare industry to help with the transition from paper records to electronic copies of health information. HIPAA has helped to streamline administrative healthcare functions, improve efficiency in the healthcare industry, and ensure protected health information is shared securely.


The standards for recording health data and electronic transactions ensure everyone is singing from the same hymn sheet. Since all HIPAA-covered entities must use the same code sets and nationally recognized identifiers, the transfer of electronic health information between healthcare providers, health plans, and other entities is greatly simplified.

Why is HIPAA Important for Patients?

Arguably, the greatest benefits of HIPAA are for patients. HIPAA is important because it ensures healthcare providers, health plans, healthcare clearinghouses, and business associates of HIPAA-covered entities must implement multiple safeguards to protect sensitive personal and health information.

While no healthcare organization wants to expose sensitive data or have health information stolen, without HIPAA there would be no requirement for healthcare organizations to safeguard data – and no repercussions if they failed to do so.

HIPAA established rules that require healthcare organizations to control who has access to health data, restricting who can view health information and who that information can be shared with. HIPAA helps to ensure that any information disclosed to healthcare providers and health plans, or information that is created by them, transmitted, or stored by them, is subject to strict security controls. Patients are also given control over who their information is released to and who it is shared with.

HIPAA is important for patients who want to take a more active role in their healthcare and want to obtain copies of their health information. Even with great care, healthcare organizations can make mistakes when recording health information. If patients are able to obtain copies, they can check for errors and ensure mistakes are corrected.

Obtaining copies of health information also helps patients when they seek treatment from new healthcare providers – information can be passed on, tests do not need to be repeated, and new healthcare providers have the entire health history of a patient to inform their decisions. Prior to the introduction of the HIPAA Privacy Rule, there was no requirement for healthcare organizations to release copies of patients’ health information.

Why is HIPAA Important? FAQs

What might happen to healthcare data if it was not protected by HIPAA?

Prior to HIPAA, the theft of healthcare data was often used for committing identity theft. This not only had financial implications for patients whose data was stolen, but also enabled criminals to obtain healthcare under false pretenses or sell the data on the black market to uninsured persons who could receive expensive healthcare treatments. This resulted in increased insurance costs which were passed down to individuals in the form of increased insurance premiums.

What are the financial benefits for Covered Entities of complying with HIPAA?

It is difficult to quantify the financial benefits of streamlined administration and improved efficiency because the changes Covered Entities have had to introduce have been spread over a long period of time. However, there is evidence to suggest HIPAA compliance leads to better patient outcomes, which leads to higher workforce morale. If true, compliant Covered Entities will benefit financially from CMS’ value-based programs and have fewer costs related to staff turnover.

Why is it important for healthcare professionals to comply with HIPAA?

Healthcare professionals are most often told it is important to comply with HIPAA because of the sanctions for noncompliance. A different argument is that HIPAA compliance builds trust, which gives patients the confidence to reveal details about their health to healthcare professionals, which improves the delivery of healthcare. The improved delivery of healthcare results in better patient outcomes, which leads to higher morale. Effectively, by complying with HIPAA, healthcare professionals enjoy more rewarding experiences and get more from their vocation.

If patients are unable to exercise the patient rights allowed by HIPAA, what might happen?

Healthcare professionals are very hardworking individuals, and it’s not unheard of for mistakes to be made with patients’ records that can result in misdiagnoses, the wrong treatment being provided, or the wrong medication being prescribed. By giving patients the right to inspect their medical records and make corrections when necessary, the risks of incorrect diagnoses, treatments, and medications are mitigated. Additionally, having access to their records helps patients take more responsibility for their own wellbeing.

How do patients control who their information is released to and shared with?

Covered Entities are allowed to release and share patient information for treatment, payment, and healthcare operations. For all other disclosures of patient information, Covered Entities must obtain patient consent or give patients the opportunity to object to their information being released or shared. How patients consent or object should be explained in the Covered Entity’s Notice of Privacy Practices, along with an explanation of how patients can obtain an “Accounting of Disclosures” to ensure information is not released or shared without their consent.

Why is the HIPAA Privacy Rule important?

The HIPAA Privacy Rule is important because it sets a “federal floor” of privacy protections and rights for individuals to control healthcare data. This means that Covered Entities throughout the country must comply with the HIPAA Privacy Rule unless a state law offers more stringent privacy protections or greater rights for individuals.

Everything You Need to Know About HIPAA [A Guide]

What is HIPAA?

HIPAA is a federal law that sets a nationwide standard for protecting patients’ and health plan members’ sensitive health information from disclosure in the absence of their knowledge or consent.

HIPAA is best known for requiring healthcare organizations to protect patient privacy and shield patients’ data from healthcare fraud. But HIPAA contains other types of healthcare-related mandates as well, such as ensuring health insurance coverage for employees who are between jobs.

What is the main purpose of HIPAA?

The main purpose of HIPAA is to protect patient privacy by ensuring that healthcare organizations keep health information secure and notify patients of data breaches that may affect them. But that’s not all HIPAA does. The law was also intended to make the healthcare industry more efficient by standardizing care and make health insurance more portable so that people can keep healthcare coverage when they change jobs.

Let’s take a look at the types of organizations that must comply with HIPAA.

Who must comply with HIPAA?

Organizations that qualify as “covered entities” must comply with HIPAA. Covered entities fall into three main categories:


  • Health plans, for example:
    • health insurance companies,
    • health maintenance organizations (HMOs),
    • Medicare,
    • Medicaid, and
    • other government healthcare programs.

  • Healthcare providers, namely providers that use electronic billing and other electronic means of conducting business, such as:
    • doctors,
    • health clinics,
    • hospitals,
    • mental health practitioners,
    • assisted living facilities,
    • pharmacies,
    • dentists, and
    • chiropractors.

  • Business associates that work with covered entities, including:
    • billing companies,
    • healthcare claims processing companies,
    • health plan administrators,
    • lawyers,
    • accountants,
    • information technology (IT) teams,
    • records storage companies,
    • records destruction companies, and
    • healthcare clearinghouses (organizations that process health information from standard formats to non-standard formats and vice versa).

With this list of covered entities in mind, let’s explore the main HIPAA rules.

What are the HIPAA rules?

The HIPAA rules are administrative regulations that the U.S. Department of Health and Human Services (HHS) implemented to simplify its administration of the law. The five rules are the Privacy Rule, the Security Rule, the Transactions and Code Sets Rule, the Unique Identifiers Rule, and the Enforcement Rule.

We will discuss each rule in turn below.

1. The Privacy Rule

The Privacy Rule sets forth HIPAA’s main requirements for using and disclosing protected health information (PHI). PHI is health information combined with individually identifying information that is created, used, or stored by a covered entity.

Generally speaking, the Privacy Rule gives individuals rights regarding their PHI and requires covered entities to obtain the patient’s prior written authorization before disclosing their PHI. But covered entities may also disclose PHI:

  • to law enforcement in response to a court order, warrant, subpoena, or administrative request; or
  • to arrange for treatment, payment, or other healthcare operations.

The HIPAA Minimum Necessary Rule Standard

The HIPAA minimum necessary standard applies to using and disclosing PHI permitted under the HIPAA Privacy Rule. The “Minimum Necessary Rule” requires covered entities to make a reasonable effort to share the least amount of information necessary to accomplish a given purpose. This rule applies to any use or disclosure of PHI under the Privacy Rule, including access by a healthcare professional or disclosure to another covered entity.

The Privacy Rule also requires covered entities to keep a “disclosure accounting” that documents disclosures of PHI made for any purpose outside of arranging for treatment, payment, or other healthcare operations unless specifically authorized by the individual. Individuals are entitled to receive a disclosure accounting upon request. In a similar vein, the Breach Notification Rule requires covered entities to notify individuals of any data breach involving unsecured PHI.

Finally, the Privacy Rule requires covered entities to correct inaccurate PHI based on an individual’s request and make a reasonable effort to keep communications with individuals confidential.

What is HIPAA Disclosure Accounting?

HIPAA Disclosure Accounting is the process of keeping records of PHI disclosures for purposes other than Treatment, Healthcare Operations, or Payment.

When required, the information provided to the data subject in a HIPAA disclosure accounting must be more detailed for disclosures involving fewer than 50 subject records.
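The disclosure accounting described in the two sections above, as an added example that is not code from the article or from any product: every release of PHI is logged with the recipient, the purpose and the minimum-necessary subset released, and the accounting an individual requests is produced by filtering out treatment, payment and healthcare-operations disclosures and anything the patient authorized in writing. The purpose labels, patient identifiers and dates are constructed, and the six-year look-back window is an assumption made for this example.

```python
"""Disclosure-accounting log as the article describes it (added example)."""
from dataclasses import dataclass, field
from datetime import date
from typing import List

# Disclosures for treatment, payment or healthcare operations (TPO) are not
# part of an accounting; neither are disclosures the patient authorized.
TPO_PURPOSES = frozenset({"treatment", "payment", "healthcare_operations"})
# Assumption for this example: an accounting covers the six years before the request.
LOOKBACK_YEARS = 6


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    disclosed_on: date
    recipient: str
    purpose: str              # e.g. "treatment", "payment", "public_health"
    phi_description: str      # the minimum-necessary subset actually released
    patient_authorized: bool = False  # written authorization on file


def lookback_cutoff(as_of: date, years: int = LOOKBACK_YEARS) -> date:
    """Same calendar date `years` earlier; Feb 29 falls back to Feb 28."""
    try:
        return as_of.replace(year=as_of.year - years)
    except ValueError:
        return as_of.replace(year=as_of.year - years, day=28)


def is_accountable(d: Disclosure, as_of: date) -> bool:
    """True when a disclosure must appear in an accounting requested on `as_of`."""
    return (d.purpose not in TPO_PURPOSES
            and not d.patient_authorized
            and lookback_cutoff(as_of) <= d.disclosed_on <= as_of)


@dataclass
class DisclosureLog:
    entries: List[Disclosure] = field(default_factory=list)

    def record(self, d: Disclosure) -> None:
        # Everything is logged; the accounting filter decides what is reported.
        self.entries.append(d)

    def accounting_for(self, patient_id: str, as_of: date) -> List[Disclosure]:
        """The accounting an individual is entitled to receive on request."""
        hits = [d for d in self.entries
                if d.patient_id == patient_id and is_accountable(d, as_of)]
        return sorted(hits, key=lambda d: d.disclosed_on)


def sample_log() -> DisclosureLog:
    """Constructed entries for two patients (not real data)."""
    log = DisclosureLog()
    log.record(Disclosure("PT-0001", date(2023, 3, 2), "referring cardiologist", "treatment", "visit notes"))
    log.record(Disclosure("PT-0001", date(2023, 4, 9), "health plan", "payment", "claim summary"))
    log.record(Disclosure("PT-0001", date(2023, 6, 15), "county public health dept", "public_health", "lab result"))
    log.record(Disclosure("PT-0001", date(2023, 8, 1), "patient's attorney", "legal", "2022 records",
                          patient_authorized=True))
    log.record(Disclosure("PT-0001", date(2015, 1, 20), "court", "court_order", "full record"))
    log.record(Disclosure("PT-0002", date(2023, 6, 15), "county public health dept", "public_health", "lab result"))
    return log


if __name__ == "__main__":
    for d in sample_log().accounting_for("PT-0001", date(2024, 1, 10)):
        print(d.disclosed_on, d.recipient, d.purpose, d.phi_description)
```

Run as a script, the sample accounting for PT-0001 lists only the public-health disclosure: the treatment and payment entries are TPO, the attorney disclosure was authorized by the patient, and the 2015 court-order disclosure is outside the assumed look-back window. Logging everything and filtering at report time keeps the full history available for the organization's own audits.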

2. The Security Rule

The Security Rule protects electronic PHI that falls under the Privacy Rule. The Rule requires covered entities to implement administrative, physical, and technical safeguards to protect electronic PHI.

One of the administrative safeguards set forth in the Security Rule is the requirement that covered entities implement policies and procedures to protect PHI from security violations. This mandate includes the risk analysis requirement, which calls upon covered entities to assess the potential risks to and vulnerabilities of PHI. We will discuss risk assessments in more detail below.

One of the primary technical safeguards that the Security Rule contemplates is encryption. A covered entity must implement encryption measures unless it performs a risk assessment and makes a documented determination that encryption is not reasonable and appropriate and that another safeguard could be just as or more protective. If your organization determines that encryption is necessary, you must encrypt all electronic devices and communications containing PHI, including emails and text messages. Email encryption generally must comply with National Institute of Standards and Technology (NIST) guidelines, whereas personal devices such as cell phones require secure messaging solutions for adequate protection.

3. The Transactions and Code Sets Rule

The Transactions and Code Sets Rule requires health plans to adopt standardized healthcare transaction practices to streamline the transaction process.

4. The Unique Identifiers Rule

The Unique Identifiers Rule requires covered entities to use a 10-digit National Provider Identifier (NPI) when identifying healthcare providers during transactions.

5. The Enforcement Rule

The Enforcement Rule lays out civil fines for noncompliance with HIPAA along with procedures for investigations and hearings. This rule also requires covered entities to take remedial action if HHS determines they have failed to comply with HIPAA provisions.

How do you know if your organization is complying with these rules? Let’s circle back to our discussion of HIPAA risk assessments and take a closer look.

What is a HIPAA risk assessment?

As noted above, a HIPAA risk assessment is an evaluation of a covered entity’s compliance procedures and the potential risks to electronic PHI. A risk assessment typically includes a review of systems, security policies and procedures, and vulnerabilities to viruses and hackers.

Under the Security Rule, a covered entity must update and document security measures on an “as needed” basis. This means that although your organization should analyze risk on an ongoing basis, there is no specified frequency for formal risk assessments. Different types of covered entities need risk assessments at different intervals, ranging from one to three or more years.

To prepare for a HIPAA risk assessment, your organization should implement proper information governance, shore up and enforce its records retention policies, cull data wherever possible, and automate its data access policies. That way, you can enter into the analysis process with your best foot forward and focus on other areas that may need improvement.


Which communication and collaboration tools are HIPAA compliant?

While many communication and collaboration tools can help your healthcare organization run smoothly, not all of them comply with HIPAA. Thankfully, some of the most popular platforms today are HIPAA compliant, provided your organization signs a business associate agreement with the software company first.

Is Zoom HIPAA compliant?

Zoom, the web conferencing platform, is HIPAA compliant because it meets the required Security Rule measures, such as:

  • Zoom contains authentication measures. On its website, Zoom indicates that it enables two types of authentication: OAuth 2.0, for authenticating a user context; and JSON Web Tokens (JWT), for authenticating server-to-server apps.
  • Zoom contains access control measures. Access controls govern who or what can view or use resources in a computing environment.
  • Zoom has end-to-end encryption to secure all communications. The end-to-end encryption is necessary to ensure that only the sender and recipient of an electronic message can read the content of that message.

Is Microsoft Office 365 HIPAA compliant?

With a signed BAA (Business Associate Agreement) and when properly used, Microsoft 365 is HIPAA compliant. It is the responsibility of the covered entity to ensure a BAA is signed before Office 365 can be used to store and maintain PHI. The Microsoft HIPAA Business Associate Agreement is available within the Microsoft Online Services Data Protection Addendum by default to all customers who are covered entities or business associates under HIPAA.

Is Microsoft Teams HIPAA compliant?

Microsoft Teams is built on the Microsoft 365 enterprise-grade cloud, which delivers advanced security and compliance capabilities. Office 365 and Teams can be easily configured to support HIPAA security and privacy requirements.

Is Gmail HIPAA compliant?

To make Gmail HIPAA compliant, a covered entity would also need to enter into a business associate agreement with Google covering Gmail. Since Gmail is not HIPAA compliant by default, you need to take certain steps to ensure it is compliant; once the BAA is obtained, the HIPAA compliance box is also checked. Additionally, you can enable email encryption. An important detail to mention is that the free email service with an @gmail.com email address is not HIPAA compliant, as it is intended only for personal use.

In addition to these standard tools, innovative technology can help your organization manage PHI and achieve compliance more efficiently than ever.

How do you comply with HIPAA Encryption Standards?

To ensure that you are compliant with the HIPAA Encryption Standards, you must follow these steps:

  • Enable encryption on all devices that store or have access to PHI;
  • Enable encryption for the transmission of PHI when using media such as email, USB flash drives, etc.;
  • Develop and maintain proper response and reporting for employees who are transmitting unencrypted PHI;
  • Stay informed on the latest Federal and state legislation regarding breach notification requirements including encrypted patient data.

Top 5 Tips on HIPAA Compliance for Nurses That You Need To Know

When it comes to handling health information, you need to be especially careful. The Health Insurance Portability and Accountability Act was designed with this in mind. It’s one of the reasons why nurses have a reputation as some of the best professionals when it comes to protecting patient information. But there are many things that even experienced healthcare professionals don’t know about HIPAA compliance and how it can affect them.

In this article, we’ll cover five tips about HIPAA compliance and uncover what you need to know if you’re a nurse who wants to ensure their patients’ medical records are protected at all times. You can also use the HIPAA compliance checklist pdf for a quick reference of all the things you need to consider when it comes to protecting patient information. Here are the top tips on HIPAA compliance for nurses.

Understanding What Constitutes PHI:

Knowing the definition of PHI is a good place to start when it comes to understanding what constitutes protected health information (PHI). According to the U.S. Department of Health and Human Services Office for Civil Rights, “protected health information” is individually identifiable health information that has been created or received by a HIPAA-covered entity (like your hospital) and that relates to your past, present, or future physical or mental health or condition; the provision of health care to you by a HIPAA covered entity; or your past, present, or future payment for the provision of health care to you by a HIPAA covered entity.

Patients’ medical records should always be treated as confidential data and not shared with any non-employees without the patient’s written consent. Be sure that only authorized personnel access these records and that they are stored in accordance with industry standards for security measures and disposal practices.

Securing Electronic Devices:

The most important tip is to secure your electronic devices. Whether you’re using a laptop, tablet, or smartphone – if it holds sensitive data, you must protect it.


– Use a password manager such as LastPass or 1Password. Don’t use the same password for multiple accounts, and don’t share your passwords with anyone.

– Don’t leave your devices unattended where someone could access them while you are not using them, especially when they contain protected health information (PHI). If you must leave your device somewhere while working or out in public, make sure it is locked with a passcode/password before putting it away so no one can access it without your permission.

Avoid using public computers or public Wi-Fi hotspots, such as those at Starbucks, where anyone could potentially monitor the traffic passing through the network (wired or wireless). That can lead to breaches of privacy laws covering user data, including PHI itself, especially if someone has installed malware on those machines beforehand.

This means making sure that all network connections are secure before logging into any sensitive websites, such as those that give access to PHI records held in databases maintained by healthcare organizations.

Reporting The Inappropriate Disclosures:

As you may have noticed, the main point of compliance is to protect patient privacy. However, one of the hardest parts about complying with HIPAA is knowing when and how to report a breach of protected health information (PHI).


In order for organizations like yours to be compliant with HIPAA, it’s important that you know what constitutes a breach of PHI.

Once you figure out whether or not there has been an incident that warrants reporting, go ahead and report it! Reporting will help inform your organization about where they need improvement—and also prevent negative consequences from harming patients in future incidents.

Know About PHI Disposal Methods In Detail:

It is important to know about PHI disposal methods in detail because it will help you understand what needs to be done when removing electronic records, paper records, and other types of information.

Having a disposal policy in place ensures that employees adhere to the standards and protocols when disposing of patient information.


You can dispose of PHI by shredding, burning, or pulverizing it. However, the most effective method is to shred or burn the documents so that they cannot be reconstructed into readable form by unauthorized individuals.

If your organization does not have a specific policy on how much PHI should be shredded at any given time, the only option is an “all-at-once” approach in which all documents are shredded together without first being sorted by sensitivity level. That can lead to noncompliance issues, because it reflects a lackadaisical attitude toward data security for sensitive information stored on workplace premises such as healthcare providers’ offices.

Protecting Your Password or Login Details.

Do not share your passwords with anyone, ever. This is a big one: if you share your password with someone and they use it to log into an account on your behalf, then anyone who knows that password can also impersonate you and access that account.

It’s much easier than you might think for someone who knows about this relationship to get hold of the information needed to access accounts under your name.

Use unique, strong passwords for every account that requires internet access or personal information (e.g., email accounts).

Change them often! If hackers have used one compromised account as part of an attack on another system (for example, gaining access through social engineering), changing the password regularly can prevent them from accessing anything else while they are still trying old credentials in new places, and it limits the damage that can be done before the compromise is discovered.

HIPAA Compliance is an important part of every nurse’s day-to-day routine.

HIPAA Compliance is an important part of every nurse’s day-to-day routine. It’s something you’ve been doing since your first day in school, and it’s something that has only become more essential as technology has made it easier for nurses to transmit information digitally.

The good news is that there are steps you can take to make sure HIPAA compliance is part of your daily routine without being a burden on yourself or others. This article has outlined the top five tips for making sure that HIPAA compliance becomes second nature for all nurses.

Final Thoughts

It’s important to remember that HIPAA compliance isn’t just a matter of following the rules. It’s also a good way to protect yourself and your patient’s privacy, as well as cut down on any unnecessary stress or anxiety. By following these tips every day, you will be able to keep your practice safe and secure while still enjoying yourself!


Why cybersecurity education is key to protecting your medical practice

Privacy is a top concern for individuals across the digital world, but that is especially true for patients and their protected health information (PHI), which commands a high price tag on the dark web. Unfortunately, the reality is that cyberattacks on healthcare networks have increased exponentially in recent years, placing highly sensitive patient information at risk. Healthcare IT can help by stepping up security measures, and organizations can provide updated cybersecurity training for staff.

Here are some of the key cybersecurity fundamentals and best practices to follow:


Conduct healthcare cybersecurity training

Human error or neglect can have serious and costly consequences for healthcare institutions. Cybersecurity training provides healthcare personnel with the information they need to make wise decisions and exercise appropriate caution while managing patient data. In particular, effective cybersecurity training should help employees recognize and halt attacks before they cause damage. A good place to begin is consulting with a reliable cybersecurity provider who will work with you to tailor a cybersecurity and employee training program to safeguard your data.

Another reason cybersecurity training is vital is because it’s mandated by HIPAA. Specifically, the HIPAA Privacy Rule contains a provision requiring a provider to “train all members of its workforce on the policies and procedures with respect to PHI,” and the HIPAA Security Rule includes a similar requirement for a provider to “implement a security awareness and training program for all members of its workforce (including management).” With that training in place, and repeated often, employees are better equipped to recognize situations where the use of PHI warrants special protections, such as the use of HIPAA compliant email or role-based access controls.

In addition to recognizing threats, employees must also be trained on the organization’s data incident reporting protocol when an employee's device becomes infected with a virus or performs abnormally. Warning signs for such problems may include a machine running slowly, unexplained errors, changes in the way a computer functions, etc. They should understand how to identify a genuine warning message or alert and promptly report such incidents to IT staff.


Stay up to date on HIPAA Privacy and Security Rules

Beyond the training requirements noted previously, the HIPAA Privacy and Security Rules include a wide range of provisions to help safeguard patient data.

HIPAA's Security Rule ensures the security of electronic health information created, used and maintained by covered entities, i.e., organizations that are subject to HIPAA. In the HIPAA Security Rule, policies and procedures are established for how protected health information should be managed from administrative, physical and technical perspectives.

In accordance with the Privacy Rule, information cannot be used or shared without the patient's permission. According to the HIPAA Privacy Rule, personal health information, including medical records, insurance information and other sensitive data, must be protected.

Those rules have experienced a number of updates since they were first added to the HIPAA law in 2000 (Privacy Rule) and 2003 (Security Rule), including the recent Notification of Enforcement Discretion for Telehealth, which was enacted during the pandemic to give providers more flexibility in using remote communication tools for telehealth.

It’s important for healthcare providers and staff to stay up to date with HIPAA regulations and rules as part of their cybersecurity training.


Use strong passwords

Passwords can be an easy target for exploitation by bad actors. One of the most serious dangers to company security is a weak password. Organizations like the National Institute of Standards and Technology (NIST) regularly publish and update recommended password guidelines. The latest NIST recommendations* include:

  • Password length is more important than password complexity.
  • Do not enforce regular password resets.
  • Implement 2-factor authentication, which requires an additional form of identification – such as access to an email account – be used to authenticate a user.
  • Use a password manager, which encourages employees to choose stronger passwords.


Beware of unknown emails

One of the most common ways that hackers acquire access to a company's network is through email phishing attacks, also known as email spoofing or email impersonation. Phishing is a malicious attempt to trick recipients into giving up personal and online account information in order to access and exploit more valuable and sensitive systems.

Within healthcare practices, display name spoofing – a targeted phishing attack where an email’s display name is altered to make a message look like it comes from a trusted source – is a frequent attack strategy used by bad actors. While there is technology designed specifically to combat display name spoofing, when it comes to training, it’s important for employees to understand the who, what, where, when and why of every email they receive. Specifically:

  • Never click blindly on an attachment or link.
  • Beware of messages that seem too good to be true or too urgent.
  • Hover over the display name to see the sender’s email address.
  • Check not only the email address but all email header information.
  • If using a mobile device and unsure of a message, open it on a computer as well.
  • If suspicious of an email, contact the sender another way.
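The header checks in the list above, as an added example that is not code from the original article: a short Python routine that separates the display name from the real sender address (what you see when hovering over the name) and compares the From, Reply-To and Return-Path domains. The trusted-domain set and the two sample messages are constructed for the demonstration; an empty warning list means these checks found nothing, not that the message is genuine.

```python
"""Display-name spoofing checks on raw e-mail headers (added example)."""
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Constructed for this example: the domain(s) the practice treats as its own.
TRUSTED_DOMAINS = {"example-clinic.org"}


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is no '@'."""
    _, sep, domain = address.rpartition("@")
    return domain.lower() if sep else ""


def check_sender(raw_message: str) -> List[str]:
    """Return warnings about the sender headers of one RFC 5322 message.

    An empty list means these checks found nothing; it is not proof
    that the message is genuine.
    """
    msg = message_from_string(raw_message)
    warnings: List[str] = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. Display name name-drops a trusted domain, but the real address is elsewhere.
    for trusted in TRUSTED_DOMAINS:
        if trusted in display_name.lower() and from_domain != trusted:
            warnings.append(
                f"display name mentions {trusted} but the address is {from_addr}")

    # 2. Display name is itself an e-mail address on a different domain
    #    (many mail clients show only the display name).
    if "@" in display_name and domain_of(display_name) != from_domain:
        warnings.append(
            f"display name looks like an address ({display_name}) "
            f"but the real address is {from_addr}")

    # 3. Replies would go to a different domain than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        warnings.append(f"Reply-To {reply_to} does not match From domain {from_domain}")

    # 4. Envelope sender (Return-Path) differs from the From domain.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if return_path and domain_of(return_path) != from_domain:
        warnings.append(f"Return-Path {return_path} does not match From domain {from_domain}")

    return warnings


# Constructed sample messages; only the headers matter for the checks.
SPOOFED = """From: "Example Clinic Billing - example-clinic.org" <billing@free-mail.test>
Reply-To: <collect@other-host.test>
To: nurse@example-clinic.org
Subject: URGENT: patient statement attached

Open the attached statement today.
"""

GENUINE = """From: "Example Clinic Billing" <billing@example-clinic.org>
Return-Path: <billing@example-clinic.org>
To: nurse@example-clinic.org
Subject: Monthly statement

Statement attached as usual.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, check_sender(raw) or ["no warnings"])
```

The constructed spoofed message trips two checks (the display name claims the clinic's domain while the address is elsewhere, and replies are routed to a third domain); the genuine one trips none. Header-based checks like these complement, rather than replace, the sender-authentication technology the article mentions, and the "contact the sender another way" step still applies whenever a warning fires.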


The best defense

The best defense is often a good offense and being prepared and educated about cybersecurity threats is of the utmost importance for healthcare practices. The combination of strong IT safeguards, as well as a cybersecurity-aware staff, can go a long way to conducting your practice in a safe and secure manner.


4 HIPAA compliance challenges facing covered entities

Authors C. Jason Wang, M.D., of Stanford University and Delphine Huang of the School of Medicine at the University of California, San Francisco, say that the U.S. Department of Health & Human Services may have "significantly" underestimated the costs associated with compliance. Mobile technology companies in particular, they say, are hurt by the low estimates as the health IT industry continues to expand.


"Although there is much interest in potential partnerships between innovative companies and healthcare organizations to leverage new mobile technologies, the final rule may impose an unfunded mandate for organizations, which ironically may impede adoption of innovation in mobile health," Wang and Huang say.

Wang and Huang outline several other hurdles to HIPAA compliance, including:


  • Vague guidance: In many instances this leads organizations to implement several security controls, not all of which may be necessary, rather than focusing on only the most relevant measures.


  • User behavior: Because many providers and patients use their own, unsecured personal devices to access data such as electronic patient records, tailoring security efforts often depends on their actions.


  • "Insufficient" tools: While the National Institute of Standards and Technology created a HIPAA Security Toolkit to guide organizations in their assessment of operational security, most organizations can't use it, Wang and Huang say. To that end, the use of expensive consultants for such assessments has become the norm.


  • Accountability chains: Because all organizations also are held responsible for the actions of their partners, covered entities often will approach contract negotiations with potential business associates with "stringent technical and liability requirements" that BAs simply refuse to accept. "Impassable requirements from the various stakeholders can lead to outright failure of any deal," the authors say.


HHS, the authors conclude, may need to "reevaluate and adapt its regulations" to keep pace with new technology innovations.


Though most healthcare organizations understand the risks of a breach, including violating HIPAA, many aren't taking the proper steps to prevent one, according to a Ponemon Institute report published in April.


TOP HIPAA Violation Risks in Work-from-Home situations


To minimize the threat COVID-19 posed to their workforces' health, many healthcare organizations transitioned their medical coders and billers to work remotely from home. This working situation may be permanent in some cases. And, while employees can greatly minimize their risk of exposure by working from home, they face a different type of issue – HIPAA violation risks.


Last year, 24.5 million patient records were exposed or stolen in approximately 493 data breaches in the U.S. healthcare sector after the COVID-19 outbreak (March-December 2020). In the first two months of 2021 alone, there were 77 data breaches, exposing more than 5.7 million patient records.

The most common causes of these breaches include email/web browsing phishing attacks and network server issues. Here are several remote-work situations where sensitive patient data can be exposed and pose HIPAA violation risks:


Printing at home

Many healthcare facilities and practices still use paper-based procedures for some elements of their operations. This includes medical coding and billing, as well as revenue cycle analysis and management. Working from home has not changed these procedures. As a result, employees are printing files that may contain sensitive patient data or financial information at home.

A breach may occur if the employee does not take proper measures to secure the paper printouts and someone else in the household views the file. Even if this breach is a harmless exposure, compliance officers still consider it a HIPAA violation.


Remote network access

Network infrastructure for healthcare organizations is experiencing major shifts as more coding and billing teams move to working from home. IT departments are updating these systems so that employees can securely connect to the company's servers and access their work files remotely. These networks are feeling the strain, causing employees to seek out shortcuts – possibly insecure channels – to access sensitive patient data.

Accessing company systems remotely potentially makes the organization vulnerable to security breaches. A phishing email or a compromised website, once an employee clicks on it, may give unauthorized users a foothold from which to reach the company's servers. Furthermore, network security may degrade as a result of the increased number of remote users.


Disposal of PHI at home

Healthcare organizations have HIPAA-compliant disposal procedures in place to destroy physical and digital PHI files in the office. For physical files, they may outsource their document destruction needs to a secure, approved disposal vendor. Other systems ensure digital files are kept on encrypted storage devices and deleted automatically when necessary.

However, with most of these HIM teams working remotely, organizations are struggling to equip employees with secure methods to properly dispose of these files at home. Since employees do not have access to disposal procedures or equipment, these sensitive files may end up in the individual’s trash bin, where they could be easily accessed.


Compliance programs

Organizations can prevent exposure of patient data and breaches by implementing a thorough compliance program. Inadequate compliance policies leave room for improper disposal of PHI, security breaches, and other HIPAA violations.

Many healthcare organizations already have compliance programs in place. However, these firms need to amend or rewrite their programs to address remote-work scenarios. Policies may continuously evolve as companies and employees adjust to these new working realities.

Is your healthcare facility or practice struggling to maintain compliance with remote-work staff? Entrust YES with your coding support, auditing, denials management, and education needs. Or, our credentialed HIM consultants can help your organization develop a coding compliance plan.


How to Know if You Need HIPAA Compliance


Keeping up with all the niche compliance regulations is daunting and overwhelming, especially if even one small error could potentially lead to a critical financial or reputational loss. Unfortunately, when it comes to HIPAA compliance, it’s challenging to receive a clear “Yes” or “No” answer when trying to get past the very first step – whether or not you fall under mandatory HIPAA compliance in the first place. 

At Scytale, we bring transparency to the murky world of compliance, because no one can afford the risk of being left in the dark. In this article, we’re going to explore HIPAA compliance and the world of Protected Health Information (PHI). 

Understanding the core principles

Before being able to properly distinguish whether or not HIPAA compliance applies to you or your organization, it’s vital to understand what the Health Insurance Portability and Accountability Act (HIPAA) is and what it’s been set out to protect. However, none of it will click into place, unless you appreciate and acknowledge the core: 

The Protected Health Information (PHI).  This is the crux of the topic and if you have even an ounce of PHI that is filtering through your business, you’re going to want to read closely, because we’re talking to you. 

Protected Health Information (PHI)

Protected health information refers to any individually identifiable health information held or transmitted by a covered entity or its business associate. Whether it's medical histories, insurance information, test results, demographic data, or any other information that relates to an individual's healthcare services or coverage – it's PHI, and it's sacred. PHI is at the forefront of HIPAA, which implemented the HIPAA Privacy Rule to protect and regulate any data that relates to:


  • The health of an individual – past, present, and future
  • The provision of healthcare to individuals
  • The financing and payment for the provision of healthcare services

HIPAA Compliance 

The Health Insurance Portability and Accountability Act (HIPAA) of 1996, was established to provide a national standard for the security and privacy of electronic health information for organizations working in healthcare. The main function of HIPAA as stated earlier is to protect, regulate, and secure the handling of PHI by safeguarding its confidentiality, integrity, and availability. To accomplish this, HIPAA consists of three main rules: The Privacy Rule. The Security Rule. The Breach Notification Rule. 

Out of the three rules, there is one that speaks to which organizations must follow the HIPAA standards – The HIPAA privacy rule. This is what we’ll look into a bit deeper to see if your organization fits the description. 



The HIPAA Privacy Rule

The HIPAA Privacy Rule was first put into effect by the US Department of Health and Human Services in 2003. Initially, it included only healthcare providers, as well as clearinghouses, and other health insurance entities but in 2013, the category ‘Business Associates’ joined the conversation. This Privacy Rule ensures the proper implementation of the HIPAA requirements and focuses on the safe, proper use and disclosure of the protected health information. To better understand who is subject to this rule, HIPAA categorized it into two main establishments: covered entities and business associates. 

Of course, it’s worth mentioning that there are exceptions to the rule, but not quite yet, as these exemptions rarely mitigate compliance, which is what we’re actually concerned about. 

So what exactly is HIPAA Compliance? 

HIPAA compliance means that as an entity, you are aware of the HIPAA regulations and the rules that you’re subject to and have passed a HIPAA self-assessment or self-audit. If you’re HIPAA compliant, it also ensures that you are in accordance with all the standards for data protection required by HIPAA compliance and that you’ve implemented the necessary controls and policies to ensure you’re not in any violation of HIPAA standards. 

Who needs to comply with HIPAA anyway?

The general rule of thumb is that if you work in healthcare in any capacity and store or process PHI, you need to be compliant. There is a large misconception that compliance is limited to official healthcare organizations, but this is far from the case. Many organizations are being audited and fined because they were unaware of the role they play in HIPAA compliance and how the HIPAA Privacy Rule applies to them. In reality, as mentioned, two main categories fall under mandatory HIPAA compliance: 1. Covered Entities and 2. Business Associates.

Within these two overarching categories, HIPAA has included various businesses that need to adhere to the compliance requirements, all based on their contact with PHI. But not to worry, we’re getting into those too. 

Covered Entities: Who they are and what they do

Covered entities are all individuals, businesses, or organizations that work directly with protected health information. Organizations and individuals who are defined as covered entities (CEs) fall into three main categories. 


  • Healthcare providers
  • Health plans
  • Health care clearinghouses


Each one of these three types is defined by HIPAA and is referred to as covered entities (CE). If your business type is defined as a CE, it means that you are subject to the HIPAA privacy rule and must be HIPAA compliant to lawfully align with the rights of individuals on their private health information. 

Seeing as each one of these ‘covered entities’ still cover such a broad spectrum, it’s crucial to elaborate on each different type of covered entity that falls under the strict regulations of the HIPAA privacy rule. 

Healthcare Providers 

This covered entity includes any healthcare providers who deal with electronic protected health information. Regardless of the size of your practice or organization, if you transmit PHI electronically in connection with a standard transaction, you need to be HIPAA compliant. The data includes the sending and receiving of any claims, benefit eligibility inquiries, or referral authorization requests. In a digital world, exceptions are few and far between, and compliance will only be regarded as 'optional' very scarcely.

Healthcare Plans

All healthcare insurance companies are considered covered entities. However, this category is not limited to official health insurers or plan providers only. Many business owners and organizations often misinterpret this category and fail to comply with the HIPAA privacy rule. It’s important to make note of the fact that the following individuals or businesses are also considered covered entities within the healthcare plan provider category:

Employers who offer health insurance to their employees. It should be noted that if a group health plan covers fewer than 50 individuals and is maintained and administered solely by the employer, it's exempt from the HIPAA Privacy Rule and compliance is not mandatory. 

Employers who offer any medical reimbursement or an onsite clinic to their employees are covered entities. 

Health maintenance organizations (HMOs) that provide health insurance coverage are covered entities. 

Government programs that pay for healthcare are covered entities. This includes the sponsorship of military and veteran healthcare programs.

Church-sponsored health programs are covered entities

A Healthcare Clearinghouse

A healthcare clearinghouse acts as a middleman between healthcare providers and their insurance partners. These clearinghouses are the ones that analyze and check all electronic claims and associated medical records to ensure that there are no errors. They aid in the easy, effective, and correct processing and payment between the healthcare provider and their insurer. As this information is considered PHI and they possess said information, they qualify as covered entities, are subject to the HIPAA Privacy Rule, and therefore require mandatory HIPAA compliance. 

Business Associates: why they need HIPAA compliance

The second category, and the one that is less frequently talked about, refers to the business associates (BAs) of covered entities. Covered entities very rarely operate in silos and often require the assistance of business associates to carry out their daily functions. 

That means that any individual or organization that therefore falls under a contractual business arrangement with a covered entity may be subject to the HIPAA privacy rule and therefore required to be HIPAA compliant. To specify, if a business or individual deals with any individually identifiable health information via their relationship with covered entities, they are considered business associates under HIPAA. 

Many businesses or individuals do not consider themselves BAs because they do not work within the healthcare industry – but this is where the biggest catch lies. Business associates can be anything from consulting, financial, data aggregation, management, or legal entities. Some examples of business associates include: 

  • Consultants who provide hospital utilization reviews
  • Third-party administrators that assist health plans
  • Shredding companies that handle documents pertaining to PHI
  • Billing companies who work with covered entities
  • Lawyers who obtain CEs as their clients

Exceptions to HIPAA privacy rule

Because all of this information is critical to delivering high-quality healthcare, the HIPAA Privacy Rule has to strike a balance between protecting PHI and allowing accurate medical information to flow between parties. To keep that balance, there are exceptions to the rule. 

Health and safety

In certain circumstances, exceptions are made to share PHI without a patient’s authorization. These cases include scenarios where disclosing the information is pivotal for ensuring the health and safety of the patient or individual. Nevertheless, isolated exceptions to the rule are rare occurrences within covered entities and do not serve as a quick escape from HIPAA compliance. 

On paper

Don’t throw caution to the wind just yet. If your healthcare organization or practice relies solely on paper records – not only are you stuck in the stone age, but you’re also not 100% exempt from regulation. Although you might submit hard copies to a billing company or third party, if they transmit those records electronically, HIPAA rulings apply to you as well. 

It sounds harsh, we know. So what happens if you make an innocent mistake?

What if your business accidentally violates HIPAA rules?

We hate to break it to you, but there is very little to no grace period when it comes to HIPAA compliance and violations, even if it's a first offense. Violations are dealt with harshly and without financial mercy. Tier 1 civil penalties, reserved for organizations that did not know and could not reasonably have known that they were violating HIPAA rules, start at a minimum of $100 per violation, with a maximum of $25,000 per year for repeat violations of the same provision. The maximum penalty can be $50,000 per violation with a yearly maximum of $1.5 million. This applies only to Tier 1 violations and is considered the smallest and least severe penalty. 

Quickfire questions: An overview of HIPAA compliance 

Feeling more comfortable with the ins and outs of HIPAA compliance? If you’re still a bit foggy on whether or not your specific business needs to start the journey towards HIPAA compliance, have a look at our list of quickfire compliance questions. 

1. Does HIPAA compliance only apply to healthcare industries? 

No. Both covered entities and business associates are required to comply with HIPAA regulations, as long as they work with PHI. 

2. What are the penalties for HIPAA non-compliance?

Fines and penalties can vary and largely depend on the type of violation that occurs, as well as the intent behind the violation. Accidental violations are less severe than violations that occur due to malicious intent. If the violation occurs where the intent is to sell or use PHI or ePHI for personal gain, the maximum fine can be up to $250,000 or up to 10 years imprisonment. 

3. Will SOC 2 help me become HIPAA compliant? 

SOC 2 is a great baseline for ensuring that your organization has implemented the correct foundational security controls. However, the HIPAA Privacy Rule will require you to add additional and particular safeguards, necessary for HIPAA specifically. If you'd like to see how SOC 2 can help you implement security controls, have a look at our article Do You Really Need a SOC 2 Report.


What Does HIPAA Stand For? | 5 Main HIPAA Rules and Standards


What Does HIPAA Stand For?

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. HIPAA’s original intent was to ensure health insurance coverage for individuals who left their job. Since 1996, HIPAA has gone through modifications and grown in scope.

HIPAA Rules and Regulations are enforced by the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS). Enforcement is ongoing and fines of $2 million-plus have been issued to organizations found to be in violation of HIPAA.

HIPAA was established to strengthen how Protected Health Information (PHI) is stored and shared by Covered Entities and Business Associates. HIPAA regulation covers several different categories including the HIPAA Privacy Rule, the HIPAA Security Rule, the HITECH and Omnibus Rules, and the Enforcement Rule. All Covered Entities and Business Associates must follow all HIPAA rules and regulations.

What are the 5 Main Rules of HIPAA?

Privacy Rule

The Privacy Rule protects the PHI and medical records of individuals, with limits and conditions on the various uses and disclosures that can and cannot be made without patient authorization.

What is the HIPAA Privacy Standard?

The HIPAA Privacy Standard refers to the same law as the HIPAA Privacy Rule. It is the specific standard within HIPAA law that focuses on protecting Protected Health Information (PHI). It established national standards on how covered entities, health care clearinghouses, and business associates share and store PHI. It established rules to protect patients' information used during health care services.

These privacy standards include the following:

  • The patient’s right to access their PHI;
  • The health care provider’s right to access patient PHI;
  • The health care provider’s right to refuse access to patient PHI and
  • Minimum required standards for an individual company’s HIPAA policies and release forms.

This rule also gives every patient the right to inspect and obtain a copy of their records and request corrections to their file. There are specific forms that coincide with this rule: Request of Access to Protected Health Information (PHI); Notice of Privacy Practices (NPP) Form; Request for Accounting Disclosures Form; Request for Restriction of Patient Health Care Information; Authorization for Use or Disclosure Form; and the Privacy Complaint Form.

Security Rule (45 CFR Part 164, Subpart C)

The Security Rule defines and regulates the standards, methods and procedures for protecting electronic PHI in storage, in use and in transmission. It groups its requirements into three categories of safeguards. Administrative safeguards cover the security management process (risk analysis and risk management), assignment of security responsibility to a HIPAA security compliance team, workforce training and contingency planning; Technical safeguards cover access control, audit controls, integrity protection, authentication and transmission security, including encryption; and Physical safeguards cover facility access, workstation use and the handling of devices and media that hold ePHI. The risk analysis and risk management protocols for hardware, software and transmission fall under this rule.

Transactions Rule

This rule deals with the transactions and code sets used in HIPAA transactions, which includes ICD-9, ICD-10, HCPCS, CPT-3, CPT-4 and NDC codes. These codes must be used correctly to ensure the safety, accuracy and security of medical records and PHI.

Identifiers Rule

HIPAA has different identifiers for a covered entity that uses HIPAA financial and administrative transactions.  HIPAA mandates health care providers have a National Provider Identifier (NPI) number that identifies them on their administrative transactions.

HIPAA uses three unique identifiers for covered entities who use HIPAA-regulated administrative and financial transactions. These identifiers are: the National Provider Identifier (NPI), a 10-digit number used for covered healthcare providers in every HIPAA administrative and financial transaction; the National Health Plan Identifier (NHI), which identifies health plans and payers under the Centers for Medicare & Medicaid Services (CMS); and the Standard Unique Employer Identifier, which identifies an employer entity in HIPAA transactions and is the same as the federal Employer Identification Number (EIN).

Enforcement Rule

The HIPAA enforcement rules address the penalties for any violations by business associates or covered entities. This addresses five main areas in regards to covered entities and business associates:

  • Application of HIPAA privacy and security rules;
  • Establishing mandatory security breach reporting requirements;
  • Accounting disclosure requirements;
  • Restrictions on marketing and sales; and
  • Restrictions that apply to any business associate or covered entity contracts. These contracts must be implemented before they can transfer or share any PHI or ePHI.

This rule is derived from the ARRA HITECH Act provisions, which apply to violations that occurred on or after February 18, 2009. It expands the rules under HIPAA Privacy and Security, increasing the penalties for any violations.

HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule establishes the national standard to follow when a breach of unsecured PHI has compromised a patient's record. The rule distinguishes between breaches affecting fewer than 500 individuals and those affecting 500 or more.

All business associates and covered entities must report any breach of unsecured PHI, regardless of size, to HHS, and must notify the affected individuals without unreasonable delay and no later than 60 days after discovering the breach. Breaches affecting 500 or more individuals must be reported to HHS within that same 60-day window and, when they affect residents of one state or jurisdiction, to prominent media outlets serving it; smaller breaches may be logged and reported to HHS within 60 days of the end of the calendar year in which they were discovered. Business associates report breaches to the covered entity, which is responsible for the notifications.


What Is Right of Access?


Right of access covers access to one’s protected health information (PHI). The HIPAA Privacy Rule explains that patients may ask for access to their PHI from their providers.

Specifically, it guarantees that patients can access records for a reasonable price and in a timely manner. These records can include medical records and billing records from a medical office, health plan information, and any other data to make decisions about an individual.

The right of access initiative also gives priority enforcement when providers or health plans deny access to information. Providers don’t have to develop new information, but they do have to provide information to patients that request it.

Patients should request this information from their provider. They can request specific information, so patients can get the information they need.


What Isn’t Covered?


The HIPAA Privacy Rule omits some types of PHI from coverage under the right of access initiative. While most PHI is accessible, certain pieces aren’t if providers don’t use the information to make decisions about people.

Possible reasons information would fall under this category include:

  • Business planning
  • Patient safety activity records
  • Quality assessment and improvement

As long as the provider isn’t using the data to make medical decisions, it won’t be part of an individual’s right to access. Other types of information are also exempt from right to access.

If a provider needs to organize information for a civil or criminal proceeding, that wouldn’t fall under the first category. The same is true of information used for administrative actions or proceedings.

Another exemption is psychotherapy notes, the notes a mental health care provider records or reviews about the contents of a counseling session. As long as they keep those notes separate from the rest of a patient's file, they won't fall under right of access.

Who Does Right of Access Affect?

Right of access affects a few groups of people. When you fall into one of these groups, you should understand how right of access works. That way, you can avoid right of access violations.

Consider the different types of people that the right of access initiative can affect.


Patients

Of course, patients have the right to access their medical records and other files that the law allows. A patient will need to ask their health care provider for the information they want.

This applies to patients of all ages and regardless of medical history. Patients can grant access to other people in certain cases, so they aren’t the only recipients of PHI.


Personal Representatives

Sometimes, a patient may not want to be the one to access PHI, so a representative can do so. The most common example of this is parents or guardians of patients under 18 years old.

However, adults can also designate someone else to make their medical decisions. This could be a power of attorney or a health care proxy. While not common, a representative can be useful if a patient becomes unable to make decisions for themself.

Covered Entities

Covered entities include a few groups of people, and they’re the group that will provide access to medical records. Examples of covered entities are:

  • Doctors
  • Nurses
  • Pharmacies
  • Psychologists
  • Other providers
  • Health insurance plans
  • Government health plans

Other covered entities include health care clearinghouses and health care business associates. However, odds are, they won’t be the ones dealing with patient requests for medical records. Still, it’s important for these entities to follow HIPAA.

Right of Access Violations

There are a few different types of right of access violations. Like other HIPAA violations, these are serious. As a health care provider, you need to make sure you avoid violations. Here are a few things you can do to reduce the risk of a violation:

  • Conducting risk analyses
  • Offering security awareness training to employees
  • Controlling device and media access
  • Encrypting electronic PHI (ePHI)
  • Using a business associate agreement
  • Implementing policies and procedures

Not doing these things can increase your risk of right of access violations and HIPAA violations in general. Even if you and your employees have HIPAA certification, avoiding violations is an ongoing task.

Who Might Violate Right of Access?

Any covered entity might violate right of access, either when granting access or by denying it. Entities that have violated right of access include private practitioners, university clinics, and psychiatric offices.

A violation can occur if a provider without access to PHI tries to gain access to help a patient. Someone may also violate right to access if they give information to an unauthorized party, such as someone claiming to be a representative.

Denying access to information that a patient can access is another violation. While there are some occasions where providers can deny access, those cases aren’t as common as those where a patient can access their records.

How to Prevent HIPAA Right of Access Violations

Fortunately, medical providers and other covered entities can take steps to reduce the risk of or prevent HIPAA right of access violations. Whether you work in a hospital, medical clinic, or for a health insurance company, you should follow these steps.

That way, you can protect yourself and anyone else involved. The steps to prevent violations are simple, so there’s no reason not to implement at least some of them.

What is HIPAA Certification?

With HIPAA certification, you can prove that your staff members know how to comply with HIPAA regulations. Today, earning HIPAA certification is a part of due diligence.

HIPAA compliance rules change continually, and HHS does not recognize or endorse any HIPAA certification. As a result, there's no official path to HIPAA certification. If a training provider advertises that their course is endorsed by the Department of Health & Human Services, it's a falsehood.

Nevertheless, you can claim that your organization is certified HIPAA compliant. The statement simply means that you’ve completed third-party HIPAA compliance training.

It also means that you’ve taken measures to comply with HIPAA regulations. Here, however, it’s vital to find a trusted HIPAA training partner.

Get HIPAA Certification

What is HIPAA certification? It’s a type of certification that proves a covered entity or business associate understands the law. The certification can cover the Privacy, Security, and Omnibus Rules.

While having a team go through HIPAA certification won’t guarantee no violations will occur, it can help. Sometimes, employees need to know the rules and regulations to follow them.

HIPAA certification is available for your entire office, so everyone can receive the training they need. You can enroll people in the best course for them based on their job title.

That way, providers can learn how HIPAA affects them, while business associates can learn about their relationship with HIPAA. You don’t have to provide the training, so you can save a lot of time.

Implement Safeguards

Another great way to help reduce right of access violations is to implement certain safeguards. The HIPAA Security Rule outlines safeguards you can use to protect PHI and restrict access to authorized individuals.

Safeguards can be physical, technical, or administrative. An example of a physical safeguard is to use keys or cards to limit access to a physical space with records.

A technical safeguard might be using usernames and passwords to restrict access to electronic information. Administrative safeguards can include staff training or creating and using a security policy.

Verify Right of Access

Before granting access to a patient or their representative, you need to verify the person's identity. HIPAA requires that you verify identity but doesn't prescribe a specific method, so you can select one that works for your office.

Consider asking for a driver’s license or another photo ID. When using the phone, ask the patient to verify their personal information, such as their address.

Whatever you choose, make sure it’s consistent across the whole team. That way, you can verify someone’s right to access their records and avoid confusion amongst your team.

Use the Proper Format

When you grant access to someone, you need to provide the PHI in the format that the patient requests. They may request an electronic file or a paper file.

However, HIPAA only requires the requested form and format when it is readily producible. If it isn't, you must provide a readable hard copy or another form the patient agrees to.

You don’t need to have or use specific software to provide access to records. However, you do need to be able to produce print or electronic files for patients, and the delivery needs to be safe and secure.

Know When to Deny

While not common, there are grounds on which you can deny access, even to the patient directly. Some denials are not reviewable: psychotherapy notes; information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative proceeding; and PHI gathered in a research study that includes treatment, while the study is in progress, if the patient agreed to the temporary suspension of access when consenting to the research.

Other denials are reviewable. If a licensed health care professional determines that releasing the information is reasonably likely to endanger the life or physical safety of the patient or another person, or to cause substantial harm to another person referenced in the record, you can deny the request, but you must tell the patient that a different licensed professional can review the decision.

Records subject to the federal Privacy Act may be denied only when the denial would also satisfy that law. And if someone other than a health care provider gave information to a provider under a promise of confidentiality, the provider can deny access to the part that would likely reveal the source.

Obtain HIPAA Certification to Reduce Violations

HIPAA certification offers many benefits to covered entities, from education to assistance in reducing HIPAA violations. Whether you’re a provider or work in health insurance, you should consider certification.

That way, you can learn how to deal with patient information and access requests. And you can make sure you don’t break the law in the process.

HIPAA violations can serve as a cautionary tale.

Public disclosure of a HIPAA violation is unnerving. It can harm your organization's standing, and it can prove costly.

Still, the financial penalty can be the least of your burdens. A HIPAA Corrective Action Plan (CAP), with its monitoring and reporting obligations, can cost your organization even more.

This June, the Office for Civil Rights (OCR) announced a settlement with a small medical practice. The practice agreed to pay a financial penalty and to comply with an OCR corrective action plan.

Understanding HIPAA Violations

With its passage in 1996, the Health Insurance Portability and Accountability Act (HIPAA) changed the face of medicine. The law has had far-reaching effects. What’s more, it’s transformed the way that many health care providers operate.

The best-known part of HIPAA, the Administrative Simplification provisions of Title II, requires you to keep protected health information secure and private. These provisions and the rules issued under them have made electronic health records safer for patients.

However, it’s also imposed several sometimes burdensome rules on health care providers. It’s estimated that compliance with HIPAA rules costs companies about $8.3 billion every year.

The various sections of the HIPAA Act are called titles. Titles I and II are the most relevant sections of the act.

Title I encompasses the portability rules of the HIPAA Act. It ensures that insurers can’t deny people moving from one plan to another due to pre-existing health conditions.

This is the part of the HIPAA Act that has had the most impact on consumers’ lives. However, Title II is the part of the act that’s had the most impact on health care organizations.

Current HIPAA Violations

This month, OCR announced its 19th enforcement action under its HIPAA Right of Access Initiative. The covered entity in question was a small specialty medical practice.

The settlement was OCR's response to the practice's failure to provide a parent with timely access to her child's medical records. OCR imposed a financial penalty and a corrective action plan that it will monitor.

The Diabetes, Endocrinology & Lipidology Center, Inc. of West Virginia agreed to OCR's terms. The practice will pay $5,000 and comply with the corrective action plan to prevent future violations.

According to OCR, the case began with a complaint filed in August 2019. It alleged that the center had failed to respond to a parent's July 2019 request for access to her minor child's records.

OCR investigated and determined that the center had indeed failed to comply with the timely access provision, which requires a response within 30 days (one 30-day extension is allowed with written notice). As a result, it found the center in potential violation of the Privacy Rule's right of access standard.

Technical Doctor's insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004


5 Tips for Maintaining HIPAA Compliance in your Medical Spa

As a medical spa, clients rely on you to offer the highest quality services and to protect their information while doing it. While clients enjoy the results of fewer wrinkles or reduced spots, they may not want everyone to know what procedures or services they’ve had done.

To provide responsible care for both clients and staff, you need to ensure that your office meets all the necessary HIPAA requirements. Maintaining compliance isn’t tricky if your business is organized and your staff is thoroughly trained. After all, not doing so could result in a tarnished reputation, a hefty fine, or even jail time.


Check out these five tips for maintaining proper HIPAA compliance.


  1. Appreciate feedback, but don’t confirm it. According to Inc., about 84 percent of people trust online reviews as much as a personal recommendation, which makes what people say about your business online matter even more. By HIPAA standards, it’s fine to ask your clients for reviews, and they may mention staff by name and share their own details. However, you must not confirm or add to what clients disclose in their review. Doing so confirms that they are a patient and had those treatments, thereby disclosing HIPAA-protected information. Keep your review responses generic to avoid a violation.


  2. Share photos with permission only. Make sure that any photos you share publicly are only of your staff or hired actors, unless you have written permission from the photographed patient. Without permission, you’re disclosing that they’re a patient, thereby violating HIPAA privacy requirements. 


  3. Dispose of trash responsibly. When any personal information is discarded, be sure to shred documents or use secure trash cans and a trusted disposal company. Personal information can range from formal medical documents to thoughts on a sticky note. Be even more careful by using a secure, digital document system.


  4. Prioritize patient privacy. Selling patient information, or disclosing it outside what HIPAA permits, is illegal. When having a conversation with or about a patient and any of their personal details, do so privately. Avoid casually discussing a patient where another client or a passer-by could overhear. Make it a point to also protect written information, such as a client’s chart, patient files, or even a patient list.


  5. Use HIPAA compliant software. Managing patient data or appointments, tracking staff trainings, and keeping client data secure can be a lot for a small business. By using digital software systems created specifically for medical spas, patient photos are secure, staff training is easily trackable and you can securely record and protect all client information.  


Maintaining HIPAA compliance takes education and attention across the business. Be consistent in keeping high standards at your med spa by educating staff on all HIPAA regulations and requirements to ensure client confidentiality. The risk to patients is real, which is why HIPAA is federal law. The risk of non-compliance to your business is equally real. Prioritize compliance to avoid fines, the associated reputational damage, and client loss. It’s not easy, but it’s not optional.


Why the HIPAA Privacy Rules Are Important for Physicians to Know

What is the HIPAA Privacy Rule?

The HIPAA Privacy Rule requires physicians to implement policies and procedures that protect the privacy of patients’ protected health information (PHI), and it regulates how physicians use and disclose PHI with and without patient authorization. The Privacy Rule was intended to give patients rights over their health information, such as the right to see their health records, obtain a copy of their PHI, and request amendment of errors in it. The Privacy Rule is the first comprehensive federal protection of the privacy of health information, creating a national standard for protecting an individual’s PHI.

What was the HIPAA Privacy Rule Meant to Do?

The Privacy Rule, succinctly stated, was meant to give patients more control over their PHI, set boundaries on the use and release of PHI, establish safeguards that physicians must apply to protect PHI, hold violators of HIPAA accountable, and strike a balance when there is a public need for disclosure of PHI.

To What Entities Does the Privacy Rule Apply?

HIPAA applies to what are called covered entities (CEs). This category includes, but is not limited to, physicians who perform standard electronic transactions, health plans, and healthcare clearinghouses. Third parties, called business associates (BAs), that have access to patient information also must comply with HIPAA. The task of identifying who is a CE and BA can be daunting. I will attempt to introduce the reader to what is classified as a CE and BA and therefore is held accountable to HIPAA rules and vulnerable to HIPAA violations.

A health plan is an individual or group plan that pays for medical care. The law lists various organizations and government programs as health plans, including insurance companies, Medicare and Medicaid (administered by CMS), the Children’s Health Insurance Program (CHIP), the Civilian Health and Medical Program of the Uniformed Services (CHAMPUS), and prescription drug programs. A healthcare clearinghouse is a public or private entity that converts nonstandard health information into standard formats, or the reverse, on behalf of others, such as a billing service, a repricing company, or a community health management information system. Healthcare providers are individuals or organizations that bill or are paid for medical services as part of their business; they are covered entities when they transmit health information electronically in connection with a HIPAA standard transaction.

Affiliated CEs are legally separate entities that are under common ownership. An example is an integrated delivery network that includes hospitals, medical groups, and long–term care facilities.

A business associate is a person or entity that is not part of the CE’s workforce but performs activities on behalf of the CE that involve the use or disclosure of PHI. Activities performed by a BA might include, but are not limited to, claims processing or administration; data analysis, processing, or administration; utilization review; quality assurance; benefits management; and practice management.

Once a CE recognizes that a business relationship meets the definition of a BA, the CE is responsible for ensuring that the BA complies with HIPAA rules. This is accomplished by a contract between the CE and the BA known as a business associate agreement (BAA). The BAA is a written contract that specifies each party’s duties with regard to the PHI.

There are exceptions to the BA standard. HIPAA does not require CEs to have a BAA in place before PHI can be disclosed in the following situations:

  • Disclosure of PHI by a CE to a physician for treatment. For example, a hospital does not need a BAA with a specialist to whom it refers a patient.

  • Disclosure of PHI by a physician to a medical laboratory to treat a patient.

There are many more exceptions, and navigating the relationships can be intimidating. When uncertainty exists, obtain legal advice as to the nature of the relationship.

What is a Personal Representative?

Patients have the right to designate an individual to act on their behalf regarding their PHI. These personal representatives (PRs) have the same rights as the patient concerning the patient’s PHI. The PR may have broad authority to act on the patient’s behalf, or the authority may be limited at the patient’s request; the CE and BA must observe the limits the patient sets. The CE and BA should also review state law for rules on the authority of PRs. For example, HIPAA defers to state laws that expressly address a parent’s right to access a child’s PHI. If a CE reasonably believes the patient has been or may be subjected to abuse, neglect, or domestic violence by the PR, or that treating the person as the PR could endanger the patient, the CE may decline to recognize the PR.

What is Protected Health Information?

Protected health information (PHI) is individually identifiable health information held or transmitted by a CE or BA in any form, on paper, electronically, or orally, that relates to a patient’s past, present, or future physical or mental health condition, the provision of health care to the patient, or the past, present, or future payment for that care, and that identifies the patient or could reasonably be used to do so.

Health information becomes PHI when it is linked to an identifier such as, but not limited to, a name, address, telephone or fax number, email address, date of birth, date of death, hospital admission or discharge date, Social Security or medical record number, or driver’s license number. Any of these data elements can tie a person to their health information.

What is De-identified Health Information?

De-identified health information is information from which the identifiers have been removed so that it cannot reasonably be used to identify an individual. HIPAA does not apply to it, which makes it a valuable asset to the healthcare community: it can be used to improve medical care, estimate the costs of care, and support public health initiatives. The Privacy Rule recognizes two ways to de-identify data: the Safe Harbor method, which removes 18 listed identifiers (and requires that the CE have no actual knowledge that the remaining data could identify the person), and the Expert Determination method, in which a qualified expert documents that the risk of re-identification is very small.
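
The Safe Harbor method described above, as an added example that is not code from the original article. The record layout and field names are assumptions; the transformations (drop the listed direct identifiers, keep only the year of dates, keep three ZIP digits or "000" for sparsely populated areas, and aggregate ages over 89 as "90+") are the Safe Harbor rules. The restricted ZIP set and the sample records are constructed for the example; production code must take the ZIP list from current Census figures, and the CE must still confirm it has no actual knowledge that what remains could identify the patient.

```python
"""Safe Harbor de-identification of a patient record (added example)."""
from datetime import date

# Direct identifiers to drop outright. Keys are assumed names in the input
# record; they cover the Safe Harbor list other than dates, ZIP and age.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric", "photo",
}

# 3-digit ZIP areas that must be reported as "000" (population under 20,000).
# Constructed subset for this example; use the current Census-derived list.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Fields holding dates other than the birth date (assumed names).
EVENT_DATE_FIELDS = {"admission", "discharge", "date_of_death", "service_date"}


def age_on(dob: date, today: date) -> int:
    """Completed years between dob and today."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def safe_harbor_deidentify(record: dict, today: date) -> dict:
    """Return a copy of record with Safe Harbor identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                   # dropped entirely
        if key == "zip":
            zip3 = str(value).strip()[:3]
            out["zip3"] = "000" if zip3 in RESTRICTED_ZIP3 else zip3
        elif key == "dob":
            age = age_on(value, today)
            if age > 89:
                out["age_band"] = "90+"                # no birth year: it would reveal the age
            else:
                out["age"] = age
                out["birth_year"] = value.year
        elif key in EVENT_DATE_FIELDS:
            out[key + "_year"] = value.year            # every date element except the year goes
        else:
            out[key] = value                           # clinical content is retained
    return out


# Constructed sample records, not real patients.
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "mrn": "MRN-000123", "dob": date(1930, 5, 1),
     "zip": "03601", "admission": date(2021, 7, 14), "diagnosis": "E11.9"},
    {"name": "John Roe", "email": "jroe@example.org", "dob": date(1985, 9, 30),
     "zip": "90210", "service_date": date(2021, 3, 2), "diagnosis": "J45.20"},
]


def demo(today: date = date(2021, 8, 1)) -> list:
    """De-identify the samples as of a fixed date so the output is reproducible."""
    return [safe_harbor_deidentify(r, today) for r in SAMPLE_RECORDS]


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The function is deliberately allow-list free: anything not recognized as an identifier or a date is passed through, so free-text fields (a progress note that names a relative, for instance) still need review before the output is treated as de-identified.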

How are Mental Health Records Handled in Relation to Protected Health Information?

Most mental health records are ordinary PHI: they are part of the medical record, and the patient has the same right of access to them. Psychotherapy notes are the exception. These are a mental health professional’s notes of a counseling session, kept separate from the rest of the record, that document or analyze the conversation and are not needed for treatment, payment, or healthcare operations. Under HIPAA, psychotherapy notes are specifically excluded from the patient’s general right to access or inspect their own records, and a CE must obtain the patient’s specific authorization before disclosing them to a third party, even for purposes that would not require authorization for other PHI.

What are Disclosures of Protected Health Information?

HIPAA protects an individual’s right to keep PHI private and confidential. However, there are valid reasons that physicians may need to use and share PHI, such as communicating with insurance companies for payment and sharing PHI with other physicians for patient medical care.

The key reason HIPAA exists is to make CEs take measures to keep PHI private and confidential, and to identify and police the reasons that PHI can be used, shared, or disclosed. There is a dynamic equilibrium between privacy/confidentiality and optimal information for quality medical care.

What is the Difference Between Authorization and Consent?

Patients may give written authorization for uses and disclosures of their PHI. The Privacy Rule does not require authorization for treatment, payment, or healthcare operations (TPO); a CE may ask for a patient’s consent for those, but that consent is optional. Authorization is a separate, specific document that allows a CE to use or disclose PHI for purposes the Privacy Rule does not otherwise permit, such as marketing or most research. CEs need an authorization before using or disclosing PHI for any purpose the Rule neither permits nor requires. Relying on a general consent when an authorization is required is an unauthorized use of PHI: consent does not equal authorization.

When Does HIPAA Allow or Require Disclosure of Protected Health Information?

HIPAA permits CEs to use their professional ethics and best judgment to share PHI without patient authorization in clearly defined situations. CE permitted disclosures include the following:

  • Disclosure to the patient;

  • Disclosure for medical treatment, payment, and healthcare operations;

  • Uses or disclosures the patient has an opportunity to agree to or object to (such as a facility directory or notifying family);

  • Use or disclosure for public benefit;

  • Limited data set research; and

  • Public health purposes.

CE required disclosures include:

  • Patient request for PHI;

  • Patient request for an accounting of disclosures;

  • Disclosure to HHS for the purpose of compliance investigation, reviews, or an enforcement action; and

  • Protection of the patient and the public.

The duty to warn has its foundation in Tarasoff v. Regents of the University of California, 551 P.2d 334 (Cal. 1976), in which the California Supreme Court established a duty for therapists to take reasonable steps to protect an identifiable person from a patient’s credible threat of violence. The Office for Civil Rights reaffirmed in a 2013 letter to health care providers (1) that HIPAA does not stand in the way of such warnings, balancing patient privacy with public health and safety.

What is the Minimum Necessary Standard?

The Privacy Rule requires that PHI accessed by staff, or disclosed to another CE or BA, be limited to what the purpose actually needs. This is the minimum necessary standard, and it is an essential protection. CEs must limit their uses, disclosures, and requests of PHI to the minimum necessary to accomplish the intended purpose. In light of the standard, CEs decide which staff need access to which PHI based on their job responsibilities, and restrict access accordingly.

There are exceptions to the minimum necessary standard, including:

  • Disclosures to, or requests by, a health care provider for treatment;

  • Uses or disclosures to the patient;

  • Uses or disclosures under the patient’s authorization;

  • Disclosures to HHS for enforcement purposes;

  • Uses or disclosures required by law; and

  • Uses or disclosures required for compliance with the HIPAA rules.

What is a Notice of Privacy?

A notice of privacy practices (NPP) is a statement by the CE that describes how it may use and disclose PHI and the procedures it follows to keep PHI confidential. It also explains how patients can access their information and exercise their other rights under HIPAA. CEs are required to write the NPP in plain, understandable language and make it available to all patients.

A CE that has a direct doctor–patient relationship must provide a copy of the NPP at the patient’s first visit and make a good-faith effort to obtain a written acknowledgement of receipt. Additionally, the CE should make its NPP available to anyone who requests it and post it in full view at its physical location and on its website. The CE cannot compel the patient to sign the acknowledgement, and it cannot refuse treatment if the patient declines to sign. A refusal to sign does not alter the CE’s obligation to comply with the Privacy Rule. Staff should document the attempt and, where the patient gives one, the reason for the refusal.

What are the Rights of the Patient Under the HIPAA Privacy Rule?

HIPAA provides patients with a general right to access, inspect, and acquire a copy of their PHI for as long as a CE or BA maintains the information. Patients may request a summary or explanation of PHI and have the right to direct the CE to share a copy of this PHI with a PR. A CE must comply with the request within 30 days. The CE can obtain a 30-day extension with written notice to the patient stating the reasoning for the delay.

Patients have the right to specify how they would like the CE to communicate regarding their PHI and to request the CE to make amendments to the PHI. If the CE agrees to amend the PHI, it must make an addendum to the medical record and communicate the amendment to all individuals who rely on the patient’s PHI. The CE must inform all parties involved, and those CEs and BAs must make the amendments.

Patients also have the right to request an accounting of disclosures of their PHI made in the six years before the request, excluding disclosures for treatment, payment, and healthcare operations, disclosures to the patient, and disclosures made under an authorization. Requests can be made orally or in writing, and the CE should document each request in writing. For each disclosure the accounting lists the date, the recipient, a brief description of the PHI, and the purpose; the CE must retain the accounting along with the request and the name or title of the person who provided it. The CE must provide the accounting within 60 days. One 30-day extension is possible if the CE gives the patient a written statement of the reason for the delay and the date by which the accounting will be provided.

The patient has a right to file a complaint if they believe the CE or BA has committed a Privacy Rule violation. The CE must develop and implement a procedure that patients can use to file such a complaint.
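
The minimum necessary standard and the accounting of disclosures described above, as one added example that is not code from the original article. Roles, purposes, the field groups, the policy table, and the sample record are assumptions for illustration; the two rules it implements are the ones the text states: each use or disclosure is limited to the PHI the stated purpose needs (treatment is exempt), and every disclosure that 45 CFR 164.528 does not exclude is recorded so the patient can obtain an accounting covering the six years before a request.

```python
"""Minimum-necessary access checks plus an accounting-of-disclosures log."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed layout: which fields of the record fall into which group.
FIELD_GROUPS = {
    "demographics": {"name", "dob", "address"},
    "clinical": {"diagnoses", "medications", "progress_notes"},
    "billing": {"insurance_id", "charges"},
}

# Minimum-necessary policy, (role, purpose) -> groups that purpose needs.
# Treatment is exempt from the standard, so clinicians get every group.
POLICY = {
    ("clinician", "treatment"): {"demographics", "clinical", "billing"},
    ("billing_clerk", "payment"): {"demographics", "billing"},
    ("front_desk", "operations"): {"demographics"},
    ("privacy_officer", "public_health"): {"demographics", "clinical"},
}

# Purposes that 164.528(a)(1) excludes from the accounting: treatment,
# payment, operations, disclosures to the patient, and disclosures under
# an authorization. Everything else is logged.
NOT_ACCOUNTED = {"treatment", "payment", "operations", "to_individual", "authorization"}


@dataclass(frozen=True)
class Disclosure:
    """One accounting entry: date, recipient, what was sent, and why."""
    when: date
    patient_id: str
    recipient: str
    purpose: str
    fields: tuple


class PhiStore:
    def __init__(self, records: dict):
        self.records = records
        self.disclosures = []

    def release(self, role, purpose, patient_id, requested, recipient, when) -> dict:
        """Return only the requested fields, and only if policy allows them."""
        groups = POLICY.get((role, purpose))
        if groups is None:
            raise PermissionError(f"{role} has no permitted purpose '{purpose}'")
        permitted = set().union(*(FIELD_GROUPS[g] for g in groups))
        excess = set(requested) - permitted
        if excess:
            raise PermissionError(
                f"{role}/{purpose} exceeds minimum necessary: {sorted(excess)}")
        record = self.records[patient_id]
        released = {f: record[f] for f in requested}
        if purpose not in NOT_ACCOUNTED:
            self.disclosures.append(
                Disclosure(when, patient_id, recipient, purpose, tuple(sorted(requested))))
        return released

    def accounting(self, patient_id, requested_on: date) -> list:
        """Disclosures of this patient's PHI in the six years before the request."""
        window_start = requested_on - timedelta(days=6 * 365)
        return [d for d in self.disclosures
                if d.patient_id == patient_id and window_start <= d.when <= requested_on]


def demo() -> dict:
    """Exercise the policy on a constructed record; returns each outcome."""
    store = PhiStore({"p-1": {
        "name": "J. Doe", "dob": "1985-09-30", "address": "1 Main St",
        "diagnoses": ["E11.9"], "medications": ["metformin"], "progress_notes": "stable",
        "insurance_id": "INS-42", "charges": 120.0,
    }})
    results = {}
    # Treatment: permitted in full and not logged in the accounting.
    results["treatment"] = sorted(store.release(
        "clinician", "treatment", "p-1", ["diagnoses", "medications"], "Dr. Lee", date(2021, 7, 1)))
    # A billing clerk asking for clinical notes exceeds what payment needs.
    try:
        store.release("billing_clerk", "payment", "p-1",
                      ["insurance_id", "progress_notes"], "Payer X", date(2021, 7, 2))
        results["billing_overreach"] = "allowed"
    except PermissionError as e:
        results["billing_overreach"] = str(e)
    # Public health reporting: permitted and logged.
    results["public_health"] = sorted(store.release(
        "privacy_officer", "public_health", "p-1", ["name", "diagnoses"],
        "State Health Dept", date(2021, 7, 3)))
    # An old disclosure stays in the log but falls outside the six-year window.
    store.release("privacy_officer", "public_health", "p-1", ["name"],
                  "State Health Dept", date(2014, 1, 1))
    results["accounting"] = [(d.when.isoformat(), d.recipient, d.purpose, d.fields)
                             for d in store.accounting("p-1", date(2021, 8, 1))]
    return results
```

The policy is keyed on role and purpose together, not role alone, because the same clerk may legitimately need different fields for different tasks; denying before touching the record also means a refused request leaves no partial disclosure to account for.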

What are the Privacy Rule Administrative Requirements?

The HIPAA Privacy Rule requires CEs to develop a comprehensive plan to safeguard PHI and prevent prohibited uses and disclosures. Entities that do not develop and implement such a plan risk significant fines, costly corrective measures, and reputational damage. The Privacy Rule’s administrative requirements call for the following:

  • A designated privacy official;

  • A training program for privacy policies and procedures;

  • Privacy rule guardrails and safeguards;

  • A process for complaint filing;

  • Sanctions for privacy violations;

  • A mitigation plan;

  • No retaliation or waiver of rights toward complainants;

  • Policies and procedures for PHI protection; and

  • Development of a management policy for PHI protection.


Physicians benefit from being educated and knowledgeable about the requirements of HIPAA that relate to PHI. The benefits include an understanding of how the Privacy Rule impacts their daily interaction and management of patients’ medical care.

There is a dynamic balance in managing privacy and optimal medical care. Failure to understand these subtleties of the Privacy Rule and ensuing Privacy Rule violations can result in physician sanctions that affect their ability to practice medicine.

Violating the Privacy Rule’s mandates can cost a physician their medical license and bring civil penalties and, for knowing wrongful disclosures, criminal fines and imprisonment.


How to Comply With the HIPAA Security Rule

The HIPAA Security Rule requires covered entities and their business associates to protect electronic protected health information (ePHI), whether stored or in transit, against unauthorized access, alteration, and loss.

The law’s requirements may seem overwhelming, but it’s crucial that you and all of your employees remain in compliance.

The three components of HIPAA security rule compliance

Keeping ePHI safe requires healthcare organizations to implement safeguards in the three areas the rule names: administrative, physical, and technical.

Administrative requirements

These safeguards govern how your organization runs its security program: who is responsible, who may access ePHI, and how risk is assessed and handled.

  • Formalize your security and privacy procedures in a written document.
  • Designate a security official to oversee data security and HIPAA compliance.
  • Identify which employees have access to patient data.
  • Train employees on your organization’s privacy policy and how it applies to their job.
  • Require all outside parties who need to access protected patient data to sign contracts stating that they will comply with HIPAA security rules.
  • Back up data and have an emergency plan for disasters that could cause information loss.
  • Perform a risk analysis of threats to ePHI, and repeat it periodically (at least annually and after major changes to systems or operations).
  • Create a data breach response plan that addresses notifying affected patients and fixing compromised IT systems.

Physical security requirements

These HIPAA rules help your organization prevent physical theft and loss of devices that contain patient information.


  • Limit access to computers by keeping them behind counters, secured to desks, and away from the general public.
  • Restrict access to secure areas, monitor building safety, and require visitors to sign in.
  • Exercise caution and follow best practices when upgrading or disposing of hardware and software, including securely wiping hard drives.
  • Train employees and contractors on physical security best practices, including securing their cell phones and mobile devices.

Technical security requirements

These measures protect your networks and devices from data breaches.


  • Encrypt sensitive files that your organization sends via email and ensure that any cloud-based platform you use encrypts data at rest and in transit. Encryption is an "addressable" specification under the Security Rule, but it is hard to justify skipping: lost or stolen ePHI that was encrypted in line with HHS guidance is not a reportable breach, while the loss of unencrypted ePHI is presumed to be one.
  • Protect your network from hackers and other cyberthieves with firewalls and intrusion detection and prevention systems.
  • Train your employees to identify and avoid phishing scams.
  • Back up data in case of accidental deletion or changes.
  • Authenticate data transfers to third parties by requiring a password, a two- or three-way handshake, a token, or a callback.
  • Set password rules that follow current guidance rather than habit. HIPAA does not prescribe a password policy; NIST SP 800-63B recommends long passphrases screened against lists of breached and common passwords, no forced periodic changes unless compromise is suspected, and no composition rules. Add multi-factor authentication wherever ePHI is reachable remotely.
  • Prevent data entry mistakes by using double-keying, checksum, and other redundancy techniques.
  • Keep updated documentation of your organization’s technology and network configurations.
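
The "token" and "checksum" items in the list above, as an added example that is not code from the original article or any vendor. It authenticates a file handed to a third party with an HMAC-SHA256 over the file's hash plus a transfer header (sender, recipient, timestamp, one-time nonce) under a key shared out of band; the receiver rejects forged, misdirected, stale, replayed, or altered transfers. The header layout, party names, key, and sample payload are constructed for the example. HMAC proves origin and integrity only; the payload still needs encryption in transit (TLS, S/MIME, or an encrypted archive).

```python
"""HMAC-authenticated, replay-resistant file transfer between two parties."""
import hashlib
import hmac
import json
import secrets
from base64 import b64decode, b64encode


def _canonical(header: dict) -> bytes:
    # Fixed key order and no whitespace so sender and receiver MAC identical bytes.
    return json.dumps(header, sort_keys=True, separators=(",", ":")).encode()


def build_transfer(key: bytes, sender: str, recipient: str, payload: bytes, now: int) -> dict:
    """Sender side: wrap the payload in an authenticated header."""
    header = {
        "sender": sender,
        "recipient": recipient,
        "ts": now,                                      # unix seconds, for freshness
        "nonce": secrets.token_hex(16),                 # one-time value against replay
        "sha256": hashlib.sha256(payload).hexdigest(),  # binds the payload to the header
    }
    tag = hmac.new(key, _canonical(header), hashlib.sha256).hexdigest()
    return {"header": header, "tag": tag, "payload": b64encode(payload).decode()}


class Receiver:
    """Receiver side: accept only authentic, addressed, fresh, unreplayed, intact transfers."""

    def __init__(self, key: bytes, me: str, max_skew: int = 300):
        self.key, self.me, self.max_skew = key, me, max_skew
        self.seen_nonces = set()

    def verify(self, msg: dict, now: int) -> bytes:
        header = msg["header"]
        expected = hmac.new(self.key, _canonical(header), hashlib.sha256).hexdigest()
        # Constant-time compare, checked first so unauthenticated input never touches state.
        if not hmac.compare_digest(expected, msg["tag"]):
            raise ValueError("authentication failed")
        if header["recipient"] != self.me:
            raise ValueError("not addressed to this party")
        if abs(now - header["ts"]) > self.max_skew:
            raise ValueError("stale transfer")
        if header["nonce"] in self.seen_nonces:
            raise ValueError("replayed transfer")
        payload = b64decode(msg["payload"])
        if not hmac.compare_digest(hashlib.sha256(payload).hexdigest(), header["sha256"]):
            raise ValueError("payload modified")
        self.seen_nonces.add(header["nonce"])           # record only after full success
        return payload


def outcome(receiver: Receiver, msg: dict, now: int) -> str:
    """Run one verification and report 'accepted' or the rejection reason."""
    try:
        receiver.verify(msg, now)
        return "accepted"
    except ValueError as e:
        return str(e)


def demo() -> dict:
    """Exercise the exchange with a constructed key and payload."""
    key = b"shared-out-of-band-key-for-this-example-only"   # constructed, not a real key
    payload = b"patient_id=000123;result=HbA1c 7.1%"        # constructed sample ePHI
    now = 1_700_000_000
    rx = Receiver(key, "lab.example")

    def send(to="lab.example", k=key, at=now):
        return build_transfer(k, "clinic.example", to, payload, at)

    good = send()
    tampered = json.loads(json.dumps(send()))               # fresh nonce, then altered body
    tampered["payload"] = b64encode(b"patient_id=000123;result=HbA1c 5.0%").decode()

    return {
        "first_delivery": outcome(rx, good, now + 10),
        "replay": outcome(rx, good, now + 20),
        "tampered_payload": outcome(rx, tampered, now + 10),
        "misdirected": outcome(rx, send(to="billing.example"), now + 10),
        "stale": outcome(rx, send(), now + 3600),
        "wrong_key": outcome(rx, send(k=b"not-the-shared-key"), now + 10),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The nonce set grows without bound here; a real receiver expires nonces older than `max_skew`, which is safe because anything older is rejected as stale before the replay check runs.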


Your organization may need to hire specialized consultants and contractors to help meet HIPAA security rule standards. Maintaining compliance requires monitoring changes in the law and upgrading outdated technologies.
