Get it for FREE
When it comes to keeping electronic health information and data secure and protected, healthcare compliance is crucial. Standards like HIPAA help to keep both providers and consumers protected. This blog will cover the following topics and questions associated with HIPAA Compliance:
- What is HIPAA?
- What does HIPAA stand for?
- HIPAA Covered Entities: Who must comply with HIPAA?
- HIPAA Requirements: Three Components to HIPAA
- Privacy Rule
- Security Rule
- Breach Notifications
- HIPAA Violation Examples
- HIPAA Violation Reporting
- HIPAA Fines and Penalties
What is HIPAA? What does HIPAA stand for?
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. HIPAA establishes national standards for electronic healthcare transactions and code sets, unique health identifiers, and security. Congress incorporated into HIPAA provisions that mandated the adoption of federal privacy protections for individually identifiable health information.
HIPAA Covered Entities: Who must comply with HIPAA?
Perhaps you’re wondering: who does HIPAA apply to? HIPAA applies to healthcare providers who electronically transmit any health information, healthcare clearing houses, and health plans. Business associates that act on behalf of a covered entity must also comply (The HITECH Act of 2009) — this includes claims processing, data analysis, utilization review, billing, etc. Researchers are covered entities if they are also healthcare providers who electronically transmit health information in connection with any transaction for which Health and Human Services has adopted a standard.
HIPAA Requirements: Three Components to HIPAA
The three components of HIPAA are the Privacy Rule, the Security Rule, and Breach Notifications.
HIPAA Privacy Rule
The Privacy Rule ensures that the privacy of healthcare information is safeguarded. The Privacy Rule:
- Sets limits on what information can be disclosed based on outlined authorization.
- Gives patients rights over their healthcare information.
- Has numerous requirements such as: breach notification, certain access, reporting, etc.
The Privacy Rule requires compliance with the Security Rule.
HIPAA Security Rule
The Security Rule concerns administrative, technical, and physical safeguards to protect the confidentiality of all information. There are 3 components to the Security Rule:
- Administrative Safeguards: Password management, anti-malware, anti-virus, workforce training etc.
- Technical Safeguards: Authentication, encryption, transmission security etc.
- Physical Safeguards: Cameras, badges, facilities, data storage, etc.
A breach occurs when the security and privacy of protected heath information (PHI) is compromised. HIPAA outlines requirements to be followed by covered entities in the event of a security or privacy breach. The outlined requirements describe the manner of notification, the timeline for the notification to occur, etc. – these stipulations differ based on the organization type and size and other associated circumstances. If Breach Notification guidelines are not followed in response to a breach, fines and penalties will result; the amount of the fine also varies based on organization type and other associated circumstances.
HIPAA requirements include Business Associates, subcontractors, and service providers.
HIPAA requires that covered entities implement a monitoring program and assessment of their subcontractors, service providers, and/or business associates – this ensures that all healthcare data handled by covered entities, including anything outsourced to a service provider, is appropriately protected. Under HIPAA, entities are permitted to outsource business processes; however, the liability of risk cannot be outsourced because of the service being outsourced. In other words, covered entities bear full responsibility for all risk, including any risk that may arise from outsourced processes.
HIPAA Violation Examples
HIPAA violations are easier to encounter than you may realize. Simple acts can be considered in violation of HIPAA, and violations can incur varying fines and penalties. Here are some examples of common HIPAA violations:
• Unauthorized access to information
• Unauthorized disclosure of PHI
• Stolen items and devices
• Inadequate employee training and resources
• Breach Notification guidelines not being followed in the event of a security or privacy breach
HIPAA Violation Reporting
Are you wondering how to report a HIPAA violation? Privacy and security complaints can be filed by anyone. Let’s go over the information about reporting a HIPAA violation from the U.S. Department of Health and Human Services website.
HIPAA Fines and Penalties
There are various well-defined fines and penalties that can occur from HIPAA violations. The penalties range in amount, depending on the severity of the violation, how quickly the violation was corrected, if willful neglect occurred, etc.
HIPAA Complaint Requirements:
• Be filed in writing (mail, fax, email, or through the OCR Complaint Portal)
• Name the entity or business
• Describe what may be in violation of the HIPAA Privacy, Security, or Breach Notification Rules
• Be filed within 5 months of the violation (unless reasonable cause for delay is provided)
Retaliation against those who file complaints is prohibited. The Office for Civil Rights (OCR) should immediately be notified of any retaliatory action.
A HIPAA violation can be reported via mail, fax, email, or through the online OCR Complaint Portal.
To report a HIPAA violation online through the OCR Complaint Portal, follow these steps:
- Go to the OCR Online Portal at ocrportal.hhs.gov.
- Read through the Complaint Portal Assistant text describing Federal Civil Rights Laws, Federal Conscience and Religious Freedom Laws, and the HIPAA Privacy Rule.
- Answer the first question at the bottom of the page: “What is the Nature of your complaint?”
- Answer any remaining questions. If your complaint is eligible for submission to the OCR, you will be directed to the “Complaint Portal” online complaint form.
- Click the “File…” link found under “Civil Rights, Conscience and Religious Freedom, or Health Information Privacy”.
- You will be taken to a page for you to provide the following information/paperwork:
- Complainant (name, phone number, address, and email address)
- Complaint Details (person/agency/organization, their address and phone number, dates of violation, a brief description of the incident, and any additional files)
- Optional Additional Information (necessary accommodations, whether the complaint has been filed elsewhere, and their primary language)
- Signature (privacy information)
- Consent (Complainant Consent Form)
To learn more about HIPAA compliance and chat with a healthcare IT security specialist, contact us. ControlCase’s expertise in HIPAA compliance extends beyond healthcare providers to include service providers (business associates) that fall under newly implemented regulations as part of current healthcare reform.
At the completion of any ControlCase IT assessment, you will receive a detailed report combined with a comprehensive consultation going over:
• Your current compliance posture.
• Recommended steps for improving compliance.
• Additional considerations that may require attention in the future.