The Health Insurance Portability and Accountability Act (HIPAA) has been an important federal law in healthcare since 1996. Part of its purpose was to create standards to protect sensitive patient information, and it took on even more importance once digital patient health records became widespread. Certain types of businesses are now required to protect patient health information or face fines that range from $100 to $50,000 per violation. If you want to avoid these costly fines, it’s critical that you follow the rules on protecting privacy and handling sensitive data. This guide walks you through the basics of the HIPAA rules you need to know so you can ensure compliance throughout your company.
Understanding the Basics of HIPAA Compliance
First, it’s important to understand who needs to follow HIPAA rules and what happens when they don’t. In general, organizations that handle protected health information (PHI) are required to comply with HIPAA. The main group this includes is Covered Entities, defined as any of the following:
- Healthcare providers: Hospitals, clinics, doctors, dentists, psychologists, pharmacies, nursing homes, etc.
- Healthcare clearinghouses: Groups that process nonstandard health data into standard formats as the middleman between insurance companies and healthcare providers.
- Health Plans: Health insurance companies, Medicaid, Medicare, company health plans, and HMOs.
In addition, Business Associates are expected to comply with HIPAA. In this context, business associates are those who work with covered entities and have access to PHI, such as lawyers, accountants, third-party administrators, and IT staff.
Finally, Business Associate Subcontractors are required to be HIPAA compliant, as well. This means anyone who provides support for Business Associates needs to follow the HIPAA rules. So if you’re helping a doctor or hospital with cloud backup or other technical assistance, you’ll likely have access to sensitive health data, which is why HIPAA applies to you.
If it’s clear you fall into one of the categories that must comply with HIPAA, yet you ignore this act, you could face financial penalties administered by the Department of Health and Human Services (HHS), Office for Civil Rights (OCR). The fines for civil penalties include the following:
- Tier 1: Unaware of HIPAA rules; $100 to $50,000 per violation, with a maximum of $25,000 per year
- Tier 2: Reasonable cause to believe that the covered entity knew or should have known about HIPAA compliance; $1,000 to $50,000 per violation, with a maximum of $100,000 per year
- Tier 3: Willful neglect of HIPAA rules, but the violation was corrected within 30 days; $10,000 to $50,000 per violation, with a maximum of $250,000 per year
- Tier 4: Willful neglect of HIPAA rules, with no effort made to correct the issue within 30 days; $50,000 per violation, with a maximum of $1.5 million per year
These fines only apply if it’s clear your intent wasn’t malicious. But if an employee has been purposely ignoring HIPAA rules and accessing PHI in order to sell it, criminal penalties may apply. These can cost as much as $250,000, plus up to 10 years in prison.
As you can see, it’s best to avoid breaking any of the rules if you don’t want to pay big fines and possibly face negative publicity for your company. To better understand how to maintain HIPAA compliance, you should get to know the four main rules that make up HIPAA.
HIPAA Privacy Rule
One of the key aspects of HIPAA covers privacy. More specifically, it goes over how to handle PHI while maintaining HIPAA compliance. It requires covered entities to have the right safeguards in place to ensure private information is not exposed, while also allowing patients the right to easily get a copy of their own health records.
Here are some examples of how to stay compliant with the HIPAA Privacy Rule:
- Document all privacy policies and procedures.
- Track all disclosures of PHI.
- Notify patients about how their PHI will be used.
- Provide PHI within 30 days of the patient making a written request.
- Get written permission from the patient before sharing or using any PHI.
- Know when you can disclose PHI without patient permission, such as to help healthcare providers give treatment or collect a payment, or to assist law enforcement.
- When you do disclose PHI, use only the minimum data necessary for your purpose.
HIPAA Security Rule
Another major component of HIPAA compliance is the HIPAA Security Rule. Its purpose is to protect electronic PHI (ePHI): any health information in an electronic format, such as medical files stored on a computer. Under this rule, you must protect ePHI just as you would PHI in physical format, meaning you ensure it’s not used or exposed inappropriately while keeping it easy for the patient to access.
The HIPAA Security Rule specifies technical, administrative, and physical safeguards you need to adhere to. In particular, to comply with the technical safeguards, you must be able to protect ePHI across all your networks so it’s not exposed to unauthorized parties or disposed of improperly. Whether the ePHI is at rest in storage or in transit over a network, it must be protected the entire time. This typically means encrypting all ePHI in storage and in transit, and carefully tracking all activity related to it so you can see who has accessed it.
As for administrative safeguards, they’re meant to ensure everyone on your staff is HIPAA compliant. This means appointing one person who is in charge of knowing and enforcing the security procedures, and to whom the rest of the staff can report violations. The administrative aspect of the HIPAA Security Rule also ensures everyone on staff has up-to-date training on how to handle ePHI.
Finally, physical safeguards ensure only approved people can access the places where ePHI is stored, such as workstations. In addition, the covered entity has to have policies in place that determine how to remove or dispose of any media that contains ePHI. Basically, the HIPAA Security Rule addresses the fact that data privacy and protection matter no matter what format the data is in.
HIPAA Breach Notification Rule
This rule governs who you’re supposed to notify if any data breaches occur. In short, you have to tell anyone who may be affected by the data breach when PHI has been inappropriately disclosed or used. More specifically, you’re supposed to provide written notice to individuals who are affected, giving them a clear description of what information was used or disclosed, how it’s being investigated, how they can protect themselves, and how to contact you with any questions.
You also need to notify the Secretary of HHS of breaches, which you can do by submitting a form on the HHS website. If more than 500 people were affected by the data breach, you need to alert the Secretary within 60 days. If fewer than 500 people were affected, though, you have until 60 days after the calendar year ends. And if more than 500 people were affected, you also have to report the breach to the local media within 60 days via press release.
HIPAA Enforcement Rule
The last of the main rules to know to stay in HIPAA compliance addresses how the Office for Civil Rights (OCR) enforces the regulations. For example, this rule asserts that the OCR will investigate any complaints it gets regarding HIPAA violations, at which point it will alert the covered entity of the accusation. Once the accused entity responds with its own account of what happened, the OCR will review all information and then decide if HIPAA rules were broken.
In many cases, if the entity did break a rule, the OCR will ask it to take action to make sure it doesn’t happen again. This often means the organization reviews what happened, such as an employee accidentally disclosing PHI to an unauthorized party, and then decides whether it needs to retrain employees on HIPAA or change a policy altogether. Once action has been taken to prevent the same issue from recurring, the OCR decides which fine, if any, to impose on the covered entity. This usually depends on whether the OCR believes the entity was aware of the HIPAA rule and how quickly it corrected the problem.
Why You Should Come to Integrate.io for Help With HIPAA Compliance
As you can see, HIPAA rules can be vast and complicated. It’s not always easy to know for sure who HIPAA applies to, or how to put all the regulations into practice in the office. Yet, the penalties for not knowing and following all the rules can be steep. This is why it’s recommended that you get help understanding and staying in compliance with HIPAA.
A simple way to do this is to start using an ETL tool that can help protect private information during data integration. At Integrate.io, our ETL tool focuses on keeping sensitive information secure while providing all the functionality you need to integrate data. From network and system security to SSL/TLS encryption, our ETL tool has all the cybersecurity offerings you need while being HIPAA compliant. To learn more about how Integrate.io can help, contact us today to schedule a 14-day demo!