Discover the latest practices, obstacles, and solutions to achieving HIPAA compliance.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a federal statute that concerns healthcare information and insurance. While the guidelines are designed to help healthcare providers protect patient information and deliver better care, they are also dreaded by many due to their complexity and the hefty fines that can come with violations.
The cost of HIPAA non-compliance can be devastating, especially to small and medium-sized practices. It adds up quickly when you include expenses associated with government audits, violation fines, data loss, breach notifications, class-action and civil lawsuits, attorney general penalties, settlements, and corrective action plans.
At Medicus IT, we take HIPAA seriously and pride ourselves in our ability to effectively help our clients protect their data and maintain compliance. To help you better navigate the HIPAA compliance landscape, we have put together this detailed guide. It will give you an overview of some of the latest HIPAA regulations, discuss HIPAA compliance best practices, review obstacles you should be aware of and how to overcome them, and help you maximize the benefits of HIPAA compliance assessments.
Every healthcare provider and healthcare worker should be familiar with HIPAA regulations. But it can be overwhelming to wrap your head around the many different components. Here are some key points about HIPAA.
HIPAA offers guidelines on how to process patients' personally identifiable information (PII) for the highest level of privacy and security.
To stay compliant, you should be aware of these top facts:
Every organization considered a "covered entity" must ensure ongoing healthcare HIPAA compliance. The term covered entity encompasses different provider types and entities in various healthcare settings. They include physician practices, ambulatory surgery centers (ASCs), hospitals, dentists, psychologists, podiatrists, lab technicians, hospitals, clinics, nursing homes, schools with health services, nonprofits that offer healthcare services, and government agencies involved in healthcare.
A covered entity can be health insurance companies, employer-sponsored health plans, and government health programs such as Medicare and Medicaid. They may also refer to organizations that work with healthcare data (e.g., patient billing services, electronic medical records providers) or require access to healthcare information (e.g., data processing firms, medical equipment providers, law firms, and software vendors.)
HIPAA regulations play a critical role in streamlining administrative healthcare procedures, increasing efficiency in the healthcare industry, protecting sensitive patient information, and ensuring that workers retain their healthcare insurance even if they lose their jobs. Every healthcare provider must always maintain HIPAA compliance or risk substantial fines.
HIPAA consists of 4 key components:
HIPAA enforcement is taken very seriously. Depending on the type of HIPAA violation, providers could face fines of up to $1.5 million per year. Moreover, a failure to protect patient data can erode patient trust, cause long-term damage to the provider's reputation, and impact patient care.
A HIPAA compliance strategy touches upon every aspect of your organization. It must cover the following:
HIPAA focuses on protecting and managing health information that can be associated with a specific individual (i.e., patient.) PHI can include a wide range of data and must be carefully handled under HIPAA regulations. Types of patient data include:
If the information is "de-identified" — for instance, if personal details are removed so that no specific individual can be associated with the data — then it would no longer be considered PHI and HIPAA regulations would not apply.
Maintaining healthcare HIPAA compliance is not a one-and-done process. To keep compliant with HIPAA, you are expected to conduct and document six annual audits:
If you identify compliance gaps during these annual audits, you must document the deficiencies and create a plan to address them. You should keep all audit documentation for at least six years.
All staff members working in a healthcare setting must receive annual HIPAA training and security awareness training. They must understand what HIPAA is and why compliance is important. You'll need to document staff attendance and designate one employee to act as the HIPAA compliance and/or security officer.
The remote working trend will make it tougher to ensure HIPAA compliance. For instance, staff trained in data security on company-owned workstations may not know how to maintain the same level of protection on their laptops or other devices used outside of the workplace.
Additionally, not every employee can guarantee patient confidentiality in an at-home setting. For example, if a healthcare professional is sharing a home office with a family member, patient calls could be overheard.
To best maintain HIPAA compliance when employees are telecommuting, establish security protocols for all work devices used to access health information. Also, provide employees with HIPAA compliance training on how to set up a secure home office environment.
To effectively maintain HIPAA compliance, you need a detailed plan to avoid human errors. HIPAA policies and procedures must be shared and communicated with staff members. Meanwhile, patients must also receive a notice of privacy practices that details how a provider plans to use and disclose their health information. Your policies and procedures should address information security, such as password management, data encryption, email, data backups, and data disposal.
You should define privacy policies, including how and when patient information may be discussed. Also, develop a detailed response plan for data breaches and review your policies annually to make sure they address new developments in your organization or changes in HIPAA regulations.
Once you have a handle on the main tenants of compliance, you'll want to begin strengthening your organization's HIPAA compliance performance. But before we share some guidance for you to consider, we want to discuss a concept commonly associated with HIPAA compliance that's often misunderstood: HIPAA compliance certification. Let's look at what this really means.
HIPAA compliance certification often gets confused with HIPAA compliance, resulting in erroneous and potentially costly assumptions. There's a big difference between achieving HIPAA compliance certification and achieving HIPAA compliance. According to the HIPAA Journal,
"… there is no standard or implementation specification within HIPAA that requires covered entities or business associates to certify compliance …"
What does HIPAA compliance certification mean for your organization? Here's what you need to know about certification and why you may want to get certified even though it's not an essential part of achieving and maintaining compliance.
Bringing your healthcare organization into compliance with HIPAA is just the first step. The challenge is to then remain compliant as regulations evolve and your organization undergoes changes over time.
To adapt to these changes, you need to understand the purposes of HIPAA, which include the following:
New circumstances often present obstacles to staying compliant with HIPAA regulations. Let's examine some common challenges and how to overcome them using ongoing best practices that can help you stay current now and in the future.
Conduct a HIPAA risk assessment annually to help your organization maintain ongoing compliance. A risk assessment may be required more than once per year if new technologies or procedures are introduced. HIPAA Journal recommends that a risk assessment should cover the following:
Conducting a risk assessment can be challenging for small or medium-sized practices. To better ensure a thorough assessment, work with an experienced healthcare IT professional so you can be confident that any HIPAA compliance issues and vulnerabilities are uncovered and addressed.
A protected health information analysis evaluates every element of PHI within your organization and its information systems. While the HIPAA Security Rule covers ePHI, you should also take inventory of all data stored on paper. This will help reveal risks that should be addressed so you can better secure all information from potential breaches. Your practice's PHI should be reviewed at least annually.
While identifying how information is collected, used, stored, shared, and disposed of can be straightforward, protecting such data isn't as simple. Consider partnering with a healthcare IT specialist to perform a thorough PHI analysis and ensure that your PHI is secure.
At least every two years, or more frequently if your organization undergoes significant changes, your policies and procedures should be reviewed and updated. By developing and implementing policies and procedures, you communicate to staff and patients that roles and responsibilities have been established to keep PHI secure. This also enables you to explain how you'd handle an incident such as a data breach.
Policies your practice should have in place include the following:
You can partner with a healthcare IT specialist to ensure that you meet all requirements for the EHR Incentive Program and annual HIPAA security risk analysis (SRA), so you can put your organization in a position to receive financial incentives that support your compliance efforts. Yet, there are more steps you can take — starting with reforming as many paper-based processes as possible.
The migration from paper-based to electronic HIPAA compliance forms has become increasingly important to achieving and maintaining HIPAA compliance. Consider the following:
What do these all mean to healthcare providers? It's imperative to be able to share your HIPAA compliance forms (e.g., NPP, authorizations, intake records, BAAs) quickly and store them in a controlled way. This means switching to electronic forms.
Below are some of the common problems that switching to electronic HIPAA-compliant forms helps to address.
HIPAA compliance involves the continuous monitoring of technical, physical, and administrative processes. Failure to comply with HIPAA regulations can result in massive fines and lasting damages to your organization's reputation.
Fortunately, there's a straightforward and low-cost solution to keep your organization HIPAA compliant: a HIPAA compliance checklist. This resource can be as simple as a list with checkboxes, either in a digital or paper format, to cover areas of HIPAA compliance and identify required actions that your employees must complete to ensure compliance.
Here are seven reasons why your organization should leverage a HIPAA compliance checklist.
Checklists are highly effective at reducing memory-related errors, particularly when people are active, under time pressure, and in stressful situations. That's why checklists are frequently used for surgery and intensive care. You can adopt this method to help enforce HIPAA compliance as well.
The process of creating, reviewing, updating, and completing a HIPAA compliance checklist helps prevent your team from overlooking critical areas. This systematic approach to risk management better enables you to detect threats to and vulnerabilities within your organization that could result in the unauthorized disclosure of PHI. By addressing vulnerabilities, you can avoid potential damages to your brand and patient trust while reducing the risk of breaching HIPAA guidelines and incurring hefty fines.
HIPAA requires covered entities to assign an employee as HIPAA compliance officer. This individual is responsible for ensuring HIPAA compliance in your organization. However, if that person is unavailable for the short or long term, HIPAA requirements might be overlooked. A checklist helps maintain consistency when there is a transfer of responsibility from one HIPAA officer to another.
A HIPAA compliance checklist gives you visibility into issues of concern. It also helps you create and document a plan to address these challenges, as required by HIPAA. Such a level of transparency also allows you to prioritize the issues according to their risk level.
Becoming a HIPAA-compliant healthcare provider isn't just a question of box-ticking. To maintain compliance over time, you need to create a HIPAA-aware culture. That way, if employees change a process or update a system, they'd know to check for compliance issues or inform the HIPAA officer without being reminded.
As a simple risk management tool, checklists help effectively communicate with employees about your security priorities. Once you have a working checklist in place, make sure every employee who works with PHI receives a copy. You can introduce the checklist in a workshop to help ensure that everyone understands how to implement the procedure.
Checklists can help you create more effective HIPAA training programs, which you must provide to comply with HIPAA. By working through a HIPAA compliance checklist and reviewing best practices, you can create a customized training course that is much more likely to result in positive outcomes.
Training your employees in compliance best practices is far better than correcting bad practices in the workplace randomly as you see them happen. Being proactive is not only the right thing to do but can also greatly reduce the risk for your organization.
The documents used in creating a HIPAA compliance checklist also satisfy some of the administrative safeguards mandated by the HIPAA Security Rule. Aside from advancing your compliance efforts, the documents may aid an investigation process and reduce your costs if your organization experiences a breach or is selected for a HIPAA audit.
The HHS does not provide a standardized HIPAA compliance checklist because no two organizations face the same HIPAA compliance risks. Checklists should be designed specific to an organization's operations and needs.
To create a HIPAA compliance checklist, it's best to partner with a consultancy or managed services provider (such as Medicus IT) with HIPAA expertise or work with an experienced HIPAA officer.
Begin by conducting a systematic HIPAA risk assessment to identify critical infrastructure vulnerabilities that can put PHI at risk. From there, review each of the potential risk areas and create a plan to address them. Finally, create a customized checklist for your organization by considering a broad range of compliance areas such as:
We strongly believe in the value of using a HIPAA compliance checklist. As such, we have created a HIPAA SRA checklist template, which you can download here to jumpstart your effort.
Even with the best-laid plans, cybercriminals can still potentially exploit holes in your security posture. That's why it's a good idea to consider what the threat landscape looks like and what your organization can do in response.
Cybercrime is a billion-dollar black market, and the healthcare industry is a prime target. It's been among the most popular for cybercrime in recent years. Staying on top of the latest cybersecurity best practices and changes in HIPAA legislation can be challenging. Yet, healthcare organizations can't afford to have compliance gaps that can be exploited by cybercriminals.
It's therefore critical to understand the most significant threats to HIPAA cybersecurity compliance and healthcare systems. Below are some common HIPAA cybersecurity threats and obstacles to HIPAA compliance success. They show how organizations may go awry with compliance and how you can put in the necessary measures to better keep your organization protected.
Phishing is one of the top causes of data breaches. Simple in concept, phishing schemes rely on gaining key information by fooling unsuspecting employees into doing something via email (e.g., downloading malware or clicking on a malicious link.) The goal is to infiltrate an IT system.
Many phishing schemes are designed to deliver malware, which can hide in downloads. Malware can include viruses, trojans, adware, spyware, ransomware, and other malicious programs. It can remain largely hidden to collect information or lock up an entire system. In 2015, the University of Washington School of Medicine was fined $750,000 after 90,000 patient records were potentially exposed in a phishing incident. One employee opened a likely-forged email to review a document that looked reputable. This misstep resulted in fines, public reputation damage, and the expense of corrective actions.
Ransomware is a type of malware that's a growing threat. Ransomware encrypts important files and systems so an organization cannot access and use them. This can slow down essential processes or render them inoperable. Once files are encrypted, cybercriminals typically demand payment in cryptocurrency to release the files. However, there is no assurance that the criminals will release the files after payment is made.
Here are four strategies to increase resilience to phishing and malware you should add to your HIPAA cybersecurity program:
A legacy system is an outdated system no longer actively patched and maintained. Its vulnerabilities can become well-known. Cybercriminals are more likely to infiltrate a network through outdated programs. Yet, many healthcare providers still use legacy systems because of the expense and administrative disruption that they believe an overhaul can cause. Surveys have shown that many individuals and business using legacy systems. One of the most common is Windows 7, which was added to the list of obsolete software as of January 2020.
It is critical to determine what legacy systems are still in use by your organization and devise a plan to perform necessary upgrades or replacements.
"Clinicians and team members working virtually may access PHI only on authorized devices and must avoid downloading them to unsecure locations."
Proper training must emphasize this rule, as well as the one that requires covered entities and their business associates to limit access to PHI to authorized individuals. The failure to implement appropriate ePHI access controls is also one of the most common HIPAA violations and has garnered a lot of attention. For instance, HIPAA Journal cites the example of Anthem, which paid $16 million in fines for access control failures and other HIPAA violations.
"For paper records, this could involve shredding or pulping and for ePHI, degaussing, securely wiping, or destroying the electronic devices on which the ePHI is stored to prevent impermissible disclosures."
It might seem simple, but as recently as 2019, Becker's Hospital Review reported that seven healthcare providers disclosed that patient and employee records were dumped in unsecure locations.
You could risk a HIPAA violation if you engage with third-party vendors and business associates whose work involves handling sensitive data but are non-compliant with HIPAA rules. Even when business associate agreements (BAAs) are in place for your partners, they may not be HIPAA compliant or continually assessing their risks.
Healthcare providers must do their best to verify that any partners responsible for managing PHI follow HIPAA policies and procedures. Regularly reviewing and updating business associate agreements should be an item on your HIPAA cybersecurity checklist.
Loose security standards can put your organization at risk of theft. Even if theft cannot be proven, the inability to account for records represents an equal risk.
Although encryption is not a requirement, it's a HIPAA cybersecurity best practice for defending against threats. According to HIPAA Journal,
"Breaches of encrypted PHI are not reportable security incidents unless the key to decrypt data is also stolen."
When weighing whether to implement encryption, consider the cost implications of not adding this safeguard. In 2017, the Children's Medical Center of Dallas received a $3.2 million civil monetary penalty for:
"failing to take action to address known risks, including the failure to use encryption on portable devices."
Any disclosure of protected health information not permitted under the HIPAA Privacy Rule can result in a financial penalty. OCR reports that it has investigated and resolved more than 28,000 cases by
"requiring changes in privacy practices and corrective actions by, or providing technical assistance to, HIPAA-covered entities and their business associates."
The investigation yielded some important insights. For example, the report states that among the compliance issues most often alleged in complaints, "impermissible uses and disclosures of protected health information" tops the list in terms of frequency.
The impact of overlooking this issue could have staggering consequences. The OCR reports that it has settled or imposed a civil money penalty in close to 100 cases resulting in a total dollar amount of more than $135 million.
HITECH recommends that healthcare providers use electronic health records to increase efficiency and portability while better ensuring HIPAA compliance. Proposed rules that aim to enhance patient access to PHI, boost information-sharing, and improve case management across the care continuum are making the digitalization of PHI even more urgent.
Healthcare organizations often make the mistake of using a mix of paper and e-forms. This can result in information being stored in different places and make compliance even more challenging. Additionally, not using the right software or workflows to manage e-forms can make an organization more volume and increase opportunities for hackers to access PHI.
Lastly, don't overlook the importance of identifying and protecting remote access points from cyberattacks as you migrate PHI to digital format. You can read more about how to strengthen remote access security and ensure patient confidentiality here.
Devices on which PHI is stored must be disposed of properly or you could risk having the information stolen by malicious actors. Here are some common mistakes to avoid in this area:
HIPAA regulations apply to all forms of patient communication, including phone calls, voice messaging, text messages, call recording, and video calls. If you communicate with your patients via phone, you must use a HIPAA-compliant phone service.
Your phone service must satisfy the conditions specified in the HIPAA rules. In particular, your VoIP vendor must offer features including:
A HIPAA-compliant phone service helps you stay compliant, protect patient information, ensure a secure IT system, support a remote workforce, and facilitate the shift to telehealth services.
If you are found to have violated HIPAA regulations during a compliance audit, you may face a significant fine. As the HIPAA Journal notes,
"More recently, the majority of fines have been under the 'Willful Neglect' HIPAA violation category, where organizations knew — or should have known — they had a responsibility to safeguard their patients´ personal information. Many of the largest fines — including the record $5.5 million fine issued against the Advocate Health Care Network — are attributable to organizations failing to identify where risks to the integrity of PHI existed."
Healthcare organizations that fail to ensure the safety and integrity of their patients' PHI are putting their organization, financial stability, and patients' data at risk. HIPAA security risk assessments should always be performed by a qualified third party with healthcare experience and expertise. Even if you have your own in-house IT team, it's best to work with an experienced healthcare IT firm for your risk assessments.
Why? An IT firm that specializes in HIPAA compliance will be more likely to identify shortcomings. With an unbiased and objective viewpoint, they are better positioned to catch overlooked problems and deficient processes. As the saying goes, you don't know what you don't know. Not to mention, regular and comprehensive risk assessments can help you identify many of the pitfalls we discuss here, so you can prevent them from festering into costly issues.
With all of that said, the effectiveness of these assessments will depend heavily on how your company chooses to optimize their usefulness.
Violating HIPAA regulations can have serious consequences for organizations and patients. A proper HIPAA risk assessment is crucial to complying with security standards and achieving compliance.
A HIPAA risk assessment provides an accurate and thorough evaluation of the potential risks and vulnerabilities to protected health information in your organization. In fact, it must be conducted whenever certified EHR technology is adopted in the first reporting year.
Here's the critical role that a risk assessment plays in helping ensure compliance.
A HIPAA risk assessment is vital for identifying and addressing issues concerning confidentiality, integrity, and availability of PHI. The HIPAA security assessment pinpoints shortcomings, so healthcare providers can take appropriate actions, implement improvements, and mitigate such risks through physical, technical, and organizational safeguards.
Healthcare providers should take the HIPAA risk assessment seriously — not only because of its role in helping safeguard PHI but also to avoid penalties. Security risk assessment (SRA) failures are a common precursor for HIPAA penalties. Many OCR HIPAA settlement actions concerning electronic PHI breaches involve insufficient risk analysis. Healthcare providers that struggle with risk assessment should seek professional help to identify and address vulnerabilities and avoid penalties.
Performing a risk analysis regularly is an integral part of a solid action plan for protecting PHI. The HIPAA Security Rule, section 164.308(a)(1)(ii)(A) states that a risk analysis is required. Specifically, the Guidance on Risk Analysis states that every organization must "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity."
Acquiring written proof of compliance by conducting a risk analysis does more than fulfil a requirement. It identifies vulnerabilities in the security of your organization, so you can strengthen security and better protect patient information. Without a risk analysis, weak points could go unnoticed. They may worsen over time, putting your patients' privacy and your organization in even greater jeopardy.
The HIPAA security assessment is a complete audit of all your healthcare organization's systems, processes, hardware, and more. It analyzes every nook and cranny of your infrastructure.
A well-formed and executed HIPAA risk assessment will find problems and vulnerabilities. Once you identify the areas that need addressing, they can be fixed or monitored. You are less likely to encounter unpleasant surprises if your organization undergoes a HIPAA audit.
The preventative nature of an SRA allows you to identify vulnerable systems before problems arise to avoid fines. It is important to note that SRAs will only help improve compliance if executed correctly.
HIPAA risk assessments can be very effective — when done thoroughly. Assessments are intended to essentially examine every inch of your infrastructure, so the process can feel arduous. How can you make sure the job is done right? The Office of the National Coordinator for Health Information Technology (ONC) offers a few resources to streamline the process, one of which is a security risk assessment tool.
This tool guides small companies through the HIPAA security assessment process. When you enter information into the SRA Tool, data is stored locally on your device. HHS doesn't receive or access your data in any way, so you don't have to worry about data security.
After completing the assessment, you'll receive a results report. You can use it as a guide to locate risks and strengthen policies, processes, systems, and methods that require attention. The SRA Tool undergoes periodic updates, including one in September 2020. New features are intended to make the new SRA Tool easier to navigate while delivering a more in-depth risk assessment. Expanded exporting capabilities make reports easier to share.
While the SRA Tool can be a helpful resource, it has some shortcomings. The federal government notes that the SRA Tool
"… is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks."
The target audience of the tool is smaller organizations (with 1-10 healthcare providers,) so it may be inappropriate for larger organizations. Also, organizations that only use the SRA Tool to perform their HIPAA risk assessment may overlook the value and importance of engaging with external HIPAA experts.
To best ensure that your HIPAA security assessment catches all potential vulnerabilities, outsource your SRA to a specialist in HIPAA compliance. While it's possible for small providers to complete risk assessments without outside help, partnering with experts will give you a thorough and dependable risk analysis to effectively identify risks, protect data, and better avoid penalties.
Not to mention, a third-party healthcare IT firm is more likely to provide an objective report that identifies overlooked problems and deficient processes. A proper HIPAA security risk assessment includes a consultation so you can get your questions answered, learn simple solutions, discuss the next steps for improvement, and receive training.
Download this HIPAA security risk assessment template checklist to see what you should expect from an assessment. Getting the assessment is only the first step, however. It's what you do with the results that really matters.
A comprehensive HIPAA assessment will almost always find problem areas and vulnerabilities that might affect HIPAA security compliance. If you work with an experienced healthcare IT service provider, you should receive a detailed results report following the assessment. This report will flag risks and identify policies, processes, or workflows that should or must be revised.
The good news is that once you know what to address, you can either immediately get to work on fixing the problems or set up processes to monitor shortcomings until you can resolve them. This will help keep your healthcare organization HIPAA compliant and better protect your patients' data.
Here are the five key steps you should take after receiving your HIPAA assessment results.