September 21, 2021//Ethan Hurt
The Health Insurance Portability and Accountability Act was initially passed in 1996, and it has drastically modernized the healthcare industry as well as increased security surrounding the handling of protected health information (PHI). While HIPAA has done a lot to ensure peace of mind for patients, HIPAA compliance has often become quite a headache for small to large businesses alike. There are six key components of HIPAA and steps you must take toward becoming HIPAA compliant.
Before we get into the specifics of HIPAA, it is important to define exactly what HIPAA aims to protect: protected health information or PHI. Protected health information is anything that can be used to identify the patient or individual within the context of healthcare. This can be anything from their name, date of birth, medical diagnosis, images (full-face or x-rays), and even numbers or account names generated for documentation purposes. For protected health information, context is key. Someone’s home address, while it should never be flippantly shared, isn’t considered PHI when given to Amazon. However, when that same home address is given to a telehealth service provider or doctor’s office, it would be considered PHI. If you think you may use or have access to PHI, it is important to know your role in the data process as well as how PHI is being utilized and stored in your systems.
Originally, only healthcare providers, or “Covered Entities” needed to be HIPAA compliant. Covered entities are those who are directly administering the healthcare or related service. However, with the passing of the Omnibus Rule in 2013, now “Business Associates” are also required to be HIPAA compliant. A business associate is anyone who engages with protected health information in any way throughout their work. This could be anyone from an account manager to an IT specialist. If you work with a hospital or healthcare system, you most likely need to be HIPAA compliant.
Even though the stakes for non-compliance are high, and platforms like Accountable exist to simplify compliance, some companies still do not always take HIPAA compliance as seriously as they should. However, the consequences of non-compliance far outweigh any time or money spent in achieving compliance. Under HIPAA, an organization can be fined up to $1.5 million for non-compliance in the event of a breach or an audit yielding non-compliant findings. It is of the utmost importance that your organization is taking the necessary steps to achieve HIPAA compliance. Now that we’ve established a need for compliance let’s take a look at some practical ways it can be achieved.
Let’s start with an easy win for compliance: assigning an officer to oversee an organization’s security strategy. According to HIPAA, an organization is required to have a designated Privacy Officer to serve as the lead for achieving and maintaining HIPAA compliance. This person also serves as the point of contact in the event of a breach or an audit from governmental authorities. While other legislation, such as the GDPR, has strict requirements for who can and cannot be the ‘Data Protection Officer’, a HIPAA privacy officer does not have the same restrictions. Although, it is typically helpful to choose someone with a certain level of experience with legal and technology as well as authority to implement the proper safeguards to protect sensitive data. This individual can be on the HR team, IT team, or even hired externally specifically for this purpose. All in all, electing a privacy officer is an easy victory on your path toward compliance.
Now that you have a privacy officer selected, it is important to outline your business’ policies and procedures. Policies and procedures are the internal documentation provided to employees that demonstrate the dos and don’ts of the day-to-day business. These are important because they are the physical records of how business is being conducted. The policies and procedures should reflect internal practices and, more importantly, your internal practices should be in line with HIPAA compliance.
A risk assessment should be completed on a regular basis, typically annually, to ensure that policies and procedures are being followed, as well as to ensure business is being conducted in a way that mitigates unnecessary risks. This can be conducted internally or externally, and it must be documented and stored so that an exhaustive record of risk assessments is available in the event of an audit.
Breach notification is an important step in the process. It refers to internally notifying pertinent members of your team in the event of a breach. This requirement ensures that swift action is taken and loss is mitigated as quickly as possible following a breach or hacking. Breach notification should give pertinent internal members notification of what has occurred and give them ample time to notify anyone else who is involved as well as the appropriate authorities. In addition to having a breach notification in place, it is important to have a plan of action in place in the event of a breach.
Another important step in achieving HIPAA compliance is having Business Associate Agreements (BAA) in place with any other companies or services you may be working with who will have access to PHI. This is important for anyone from your accountants to third-party contractors. If they have access to PHI they need to sign a business associate agreement stating they are maintaining HIPAA compliance. These agreements acknowledge that both parties are maintaining HIPAA compliance as well as create shared liability in the event of a breach or an audit. If you work with an organization that is audited due to a breach, you are also subject to be audited under HIPAA.
The next key requirement for HIPAA compliance is making sure each member of your organization who is going to have access to PHI takes regular HIPAA training. Many services offer inexpensive options for training but it remains an important way to ensure every employee has a baseline understanding of HIPAA compliance and encourages a culture of compliance. Because training is one of the main ways employees engage with HIPAA, it often overshadows the other equally important steps of compliance. A robust HIPAA training process, while important, is just one of many requirements in becoming HIPAA compliant.
At face value, HIPAA compliance can seem daunting at first, but like anything, when broken down into actionable steps, it is easier to accomplish. All in all, HIPAA compliance is a complex issue that many small businesses are faced with solving. We hope this article serves as a helpful resource in understanding HIPAA compliance.