HIPAA compliance has become mandatory, and the US government in particular expects its healthcare institutes and organizations to follow this compliance and its allied regulations, so that they operate under a structured and safe protocol that gives them better operability and stronger security for patients’ data and other medical records.
According to statistics revealed by experts, the US health department board had imposed a collective fine of USD 28.7 million by 2018 on 10 healthcare institutes that failed to embed HIPAA compliance into their existing systems. This is not even a representative sample: the filed cases run to 25,912, including 431 data breach and theft incidents.
In this guide we look at HIPAA compliance and the various allied aspects that an organization, especially one related to healthcare, must know.
HIPAA compliance is defined as the process of safeguarding the data of an individual or group of people, especially those who have engaged a healthcare institute or organization for treatment. The healthcare institute or organization is therefore bound to protect its patients’ data whether it maintains the records digitally or physically. Since the operations of healthcare institutes have become computerized, it is even more essential for these organizations to protect patients’ data with the highest level of security. Keeping patient records and their safety as the top priority, healthcare institutes must mandatorily adhere to HIPAA (Health Insurance Portability and Accountability Act) compliance.
Any information that relates to a patient’s healthcare details and allied medical records is considered protected health information (PHI), which must be safeguarded at all times by the healthcare institute or organization that treats the patient. At times the responsibility also lies with the insurance provider that funds the patient’s treatment, based on the criteria the patient meets to avail of the health insurance or health loan. In short, protected health information is any content that the healthcare service provider must secure, treating the patient’s security and data as its top priority.
A covered entity is a person belonging to the healthcare organization who holds the rights and authority to access the confidential healthcare data of a particular patient. The covered entity might be a medical expert, a doctor, a member of the nursing staff, or even an insurance company. Depending on their role, their access to patients’ data varies and is limited at a level that is again framed under HIPAA compliance. For instance, the authorization given to a nurse differs from that given to an insurance provider: the nursing staff can access only a certain set of data, and a corresponding limit applies to the insurer.
Business associates are the working professionals who are indirectly involved in the treatment of patients and who play a secondary role according to HIPAA compliance. They include the hospital’s lawyer, the insurance provider, the hospital administrator, the accountant and the IT professional. HIPAA compliance details that every business associate holds a responsibility to secure the data and medical records of individual patients as part of their working process. The business associates mentioned above will certainly get access to patients’ data, and in that case they need only follow the required do’s and don’ts, which is enough to protect the patients’ data.
The HIPAA privacy rule sets out the rules and instructions to be followed by the involved stakeholders, i.e. the covered entities and the business associates, to protect their patients’ medical records and treatment procedures. It clearly lists all the do’s and don’ts the stakeholders must follow as part of the HIPAA privacy rules. For example, if a stakeholder, say the insurer, wishes to view a particular piece of confidential medical data about a patient, the permitting signatures of both the involved medical expert and the patient are required before the process can proceed. Moreover, the HIPAA privacy rule and the HIPAA security rule together form the HIPAA regulations.
HIPAA compliance clearly defines the data protected under its privacy rule. It includes a patient’s basic information, the kind of treatment provided, the healthcare service provider and the medical experts who provide the treatment, the involved stakeholders (both the covered entities and the business associates), and the data accessed by covered entities, business associates, healthcare professionals and the patients themselves.
Here is the complete list of data protected under HIPAA privacy rule:
- Name of the patient
- Birth date details
- Death date details (if occurred)
- Contact information
- Social security numbers
- Medical record numbers
- Patients’ photographs
- Fingerprints
- Voice of the patient
- Data accessed by stakeholders
As indicated in the previous sections, all the primary and secondary stakeholders are expected to follow the HIPAA privacy rules so as to collectively safeguard the information and other related details of the patients treated by their healthcare organization. Again, the role and responsibility of each stakeholder varies with the level of authorization they hold for accessing patients’ data. Those who need to follow the HIPAA privacy rules are:
- Nursing homes
- Health plans
- Health plans provided by companies
- Health plans provided by the government
- Healthcare firms that share information for treatment purposes
- Healthcare insurance providers
- Related lawyers and legal professionals
- Accountants, IT professionals and administrators
The omnibus rule implemented under HIPAA broadened the perspective of healthcare data security and brought several more players into its compliance scope. It widened the set of business associates and covered entities and gave each its respective role and place in the hierarchy, where they must follow the guidelines to protect the secrecy of patients’ data. For example, the set of business associates was widened to include sub-contractors, consultants and even storage companies who will access patients’ data at some point in time and who, according to HIPAA, are not allowed to leak those details. The arrival of the omnibus rule thus brought in the required stringency and maintained the discipline of withholding patients’ data secrecy even though the set of involved players expanded.
The HIPAA security standards expect the involved covered entities to know completely the guidelines they must follow to protect patients’ data while handling PHI that is held in digitized form. Here the covered entities include the nursing staff, administrative professionals and other co-workers of the hospital. HIPAA further stresses that the hospital’s covered entities must stick to these guidelines and follow them without any second thoughts.
The HIPAA enforcement rule deals with violations by any individual, or by the healthcare institute collectively, through improper access to patients’ data that leads to a security breach. If a violation is found to have occurred, it must be reported to the Office for Civil Rights (OCR), which investigates the patient data breach. If the OCR team finds the involved individual guilty, the individual must first fix the issue on their own and also take action that satisfies the patient whose data was misused. On the other hand, if the individual does not accept the finding of guilt, they will be severely punished by the OCR team through a fine or an even higher level of penalty.
A HIPAA breach violation means that the security barrier has been broken by hackers who intend to steal and misuse patients’ data. Any act of this kind is considered a HIPAA breach violation, and the concerned healthcare institute must take the necessary actions to notify the respective government bodies of the incident and also take measures to prevent it from recurring.
According to the HIPAA breach notification rules, the healthcare institute must notify the concerned individual, i.e. the patient, about the theft of their data within 60 days of the incident. If the breach exceeds the threshold of 500, it must also be mentioned in a press release and reported to the Department of Health and Human Services, which will direct the OCR to take the necessary actions.
If the healthcare institute faces fewer than 500 breaches, it can report them once a year without fail. On the other hand, if the hospital finds it more complicated to move on and handle the breaches, it must follow the steps mentioned below:
- A complete list of the PHI that was exposed in the data breach, and what caused it to happen.
- The person or group who accessed the patients’ data in an unauthorized way.
- If the data was not used, proof from the healthcare institute that the data was hacked but has still not been accessed.
- The steps taken to overcome the issue in the current situation and in the future.
To put it simply, a HIPAA violation is an event in which the securely stored data of a patient under treatment is hacked by online thieves, or in which the healthcare institute has not properly adopted HIPAA compliance and its guidelines, so that an unauthorized working professional or employee belonging to the hospital or its allied partners gains access to patients’ data, which is completely unethical.
Some of the common HIPAA violations are:
- Theft of equipment that contains PHI data
- Stealing data through hacking, malware or ransomware
- Office break-ins
- Sending PHI to an unauthorized person
- Discussing PHI in public
- Posting PHI on social media
The fine ranges from an initial amount to a very large amount depending on the type of violation and the impact it creates. The first level of violation is termed “doesn’t know”, where the involved individual or the hospital team collectively had no idea about the data breach; here the fine starts at USD 100 per incident. Next, if the security breach happened for a simple reason, the fine rises to USD 1,000 at the initial stage; and the third and final level of fine is very high, up to USD 50,000, and applies when the breach happens because of the healthcare institute’s negligence.
According to the norms of the Office of Inspector General (OIG), which belongs to the Department of Health and Human Services, every healthcare institute needs to implement the seven effective elements of HIPAA compliance in order to carry out the entire program successfully.
- Properly implementing HIPAA’s written policies, compliance requirements, standard rules and other guidelines
- Appointing a dedicated compliance officer to manage the HIPAA guidelines, and forming a committee to carry out the allied processes
- Conducting proper training for the involved covered entities and business associates who fall under the category of people using PHI according to HIPAA
- Communicating effectively about the implementation and execution of HIPAA compliance
- Conducting proper monitoring and auditing of HIPAA compliance
- Implementing HIPAA-based standards by publishing the right guidelines
- Detecting data breaches and other offensive acts instantly and taking corrective measures immediately
The Office for Civil Rights (OCR) has published a detailed and proper set of guidelines that specifically covers the elements for assessing risk in HIPAA compliance; they are described below:
Scope of Analysis
This establishes where all the PHI data resides and what access control the healthcare institute holds over it, including its security and the total number of storage locations used to hold the entire PHI.
Gather and assemble all the stored PHI data of the patients and sort it into a particular hierarchy and grouping so that a record can be selected when required.
It is essential to assess the vulnerabilities of the stored patient data in order to take preventive measures and safeguard it from future hacking or any kind of data breach that would lead to unnecessary chaos.
Similar to assessing the vulnerability factors, it is also essential to gauge the security measures currently in place, which helps the team decide on and execute the operations required to strengthen security if needed.
Sensing attack possibility
It is equally important to predict and forecast future occurrences, especially in terms of sensing an attack, its rate of influence and the damage it could cause; this can be estimated from the vulnerability of the data and the range of security measures taken.
The HIPAA handling committee must analyse the risk that would arise if the PHI data were attacked and the damage it could cause. The risk assessment therefore covers the loss the healthcare institute would face, the compensation measures and the further process involved in tightening security.
After analysing all the aspects and possible future occurrences, the HIPAA regulatory body needs to create a complete and well-structured document that would certainly help it in a hacking-related crisis.
Frequent Review and Update
The governance body must not stop its work once the final documentation is complete; it must maintain the document properly by carrying out frequent cross-checks and updates that keep it a useful and productive asset for protecting PHI data.
There are certain transactions that must be carried out in the HIPAA compliance deployment and execution process, and they are processed by the involved authorities (covered entities and business associates) who hold the right access.
Any standard processed under HIPAA must adopt one of the X12 or NCPDP protocols. The transactions are:
- Medical claims and related encounter information
- Payment and remittance advice
- Claim status inquiry
- Eligibility assessment
- Enrollment and disenrollment
- Referrals and authorizations
- Coordination of benefits
- Premium payments
- Find where you have stored all your patients’ PHI data and draw up a detailed digital map of where it resides (including cloud storage).
- Know who currently has access to HIPAA data, and to whom access authorization should be given in future.
- Create different kinds of alerts for when HIPAA data is modified or updated, both normally and abnormally, and build custom data-analytics tools that can identify the exact person who accesses it in an unauthorized way.
- Implement every possible form of security control, such as perimeter fencing, strong password protection, accurate monitoring, two-factor user authentication, endpoint security and security locks for server rooms, to prevent a data breach at any instance.
- Maintain continuous monitoring of the activity of all involved stakeholders to ensure they are not exceeding their authorization limits when accessing PHI data.
Considering the overall operation of the entire healthcare industry worldwide, the HIPAA governance body has framed the best security rules, which can easily be followed and implemented by a hospital that maintains patient records securely under the HIPAA guidelines. HIPAA has framed several security rules and factors that protect a patient’s data in all possible ways, and it is up to the healthcare institute to adopt them properly.
Security Management Process
The initial step in creating the security rules for HIPAA is the implementation of the security management process, where a complete evaluation takes place in terms of the security measures taken to control data hacking, the risk evaluation that estimates the likelihood of hacking, and the monitoring process that can instantly detect an access violation under any conditions.
Responsibility to implement security
The healthcare organization must appoint one dedicated person who is well versed in all the security norms, standards, guidelines and rules related to HIPAA. This person must be the sole controller and decision-making authority for implementing security in the hospital, with the single intent of safeguarding patients’ data.
Workforce security
Controlled access to PHI data must be granted under continuous surveillance by the authority board appointed by the hospital, to make sure employees do not exceed their limits when accessing patients’ data.
Information Access Management
This is the successor of the security rule mentioned above: the regulatory body of the governance and the hospital committee engage in a decision-making process for granting employees permission to access the e-PHI data.
Security awareness and training
It is essential for the organization or the concerned healthcare institute to train its employees and other involved stakeholders, such as covered entities and business associates, so that those who access the data are properly trained in the details of HIPAA compliance and its security acts before using it.
Security incident procedures
This shows the way the security standards and rules allied to HIPAA compliance need to be framed, because if the security standards are framed correctly then breaches will be avoided right at the initial phase.
This is the most crucial factor of the security-rule framing process, where the emphasis is on backup factors and plans. It covers the data-recovery backup plans and the storage that holds the backups, plus the backup plan in terms of strategy and guidance to be deployed in case a breach does happen despite the existing set of rules.
This is the phase where those in charge of handling HIPAA compliance for the hospital need to review how they work and their approach to the data protection plans, and to update themselves on the HIPAA rules, which keep changing to improve security implementation.
Third-party contracts
This section deals with the contract that a hospital signs with its third-party collaborator, ensuring by proper agreement that the third party and the business associates it employs will not leak any PHI information.
Facility access control
Denying unauthorized physical access is also essential to securing patients’ data; accordingly, storage devices such as computers and servers must also be physically protected from unauthorized employees.
The electronic devices that hold ePHI records must be adapted to the guidelines of HIPAA compliance and its related rules, operating on and executing their files and information as stated in the rules, so as to carry out overall protective execution.
Device usage and access controls
Apart from the primary devices, secondary electronic devices must also be monitored while they are used in handling ePHI data, especially for storage on backup devices such as external hard disks.
The committee that handles HIPAA compliance deployment must maintain a proper access control list detailing the access powers held by each stakeholder, which sets out their limits and authorization for using the ePHI data.
A detailed and fair audit must be carried out to establish the security measures taken to control or avoid data breaches, the possibility of attacks, and the other authorizations given to access patients’ data. The result of the audit will determine the robustness of the HIPAA system implemented on the healthcare premises.
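As an added illustration, not code from the original article, of the access control list described here and of the checklist above (know who has access to PHI, alert on unauthorized access), the following Python sketch applies a per-role PHI limit to sample access events, keeps an audit trail and raises an alert naming the user on any over-limit request. The role names, field sets and log events are constructed assumptions, not HIPAA’s own.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# PHI identifiers, taken from the list of protected data earlier on the page.
PHI_FIELDS = {"name", "birth_date", "contact", "ssn", "medical_record_number",
              "photo", "fingerprints", "voice", "diagnosis"}

# Hypothetical access control list: the PHI fields each stakeholder role may read.
ROLE_ACL: Dict[str, Set[str]] = {
    "doctor": PHI_FIELDS,
    "nurse": {"name", "birth_date", "contact", "medical_record_number", "diagnosis"},
    "insurer": {"name", "medical_record_number", "diagnosis"},
    "it_admin": set(),   # administers the systems but needs no PHI content
}

@dataclass
class AccessEvent:
    timestamp: str        # ISO 8601 text; sample values below are constructed
    user: str
    role: str
    patient_id: str
    fields: Set[str]      # PHI fields the user tried to read

@dataclass
class AuditLog:
    entries: List[dict] = field(default_factory=list)   # every decision
    alerts: List[str] = field(default_factory=list)     # over-limit attempts

def check_access(event: AccessEvent, log: AuditLog) -> Set[str]:
    """Grant only the requested fields the role is allowed, record the decision,
    and raise an alert naming the user when any field was outside that limit."""
    allowed = ROLE_ACL.get(event.role, set())   # an unknown role gets nothing
    granted = event.fields & allowed
    denied = event.fields - allowed
    log.entries.append({"ts": event.timestamp, "user": event.user,
                        "role": event.role, "patient": event.patient_id,
                        "granted": sorted(granted), "denied": sorted(denied)})
    if denied:
        # The alert identifies the exact user, so a breach report can state
        # who accessed, or tried to access, which PHI and when.
        log.alerts.append(f"{event.timestamp} {event.user} ({event.role}) tried to "
                          f"read {sorted(denied)} of patient {event.patient_id}")
    return granted

def unauthorised_attempts_by_user(log: AuditLog) -> Dict[str, int]:
    """Summarise the audit trail: how many over-limit requests each user made."""
    counts: Dict[str, int] = {}
    for e in log.entries:
        if e["denied"]:
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return counts

def run_demo() -> AuditLog:
    """Replay three constructed events: a nurse within limits, an insurer reaching
    for an SSN, and an IT administrator opening a record."""
    log = AuditLog()
    events = [
        AccessEvent("2024-01-05T09:00:00", "nurse01", "nurse", "P-1001", {"name", "diagnosis"}),
        AccessEvent("2024-01-05T09:05:00", "ins42", "insurer", "P-1001", {"name", "ssn"}),
        AccessEvent("2024-01-05T09:07:00", "sysadm", "it_admin", "P-1001", {"medical_record_number"}),
    ]
    for ev in events:
        check_access(ev, log)
    return log
```

Running `run_demo()` yields two alerts (the insurer’s SSN request and the IT administrator’s record access) while the nurse’s in-limit read is logged without an alert.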
Proper integrity practices
The healthcare organization implementing HIPAA compliance must integrate software tools that are strong enough to protect, operate on and recover data despite the conditions and complications prevailing around them.
Apart from the involved stakeholders, including the covered entities and the business associates, the treating medical experts and the patient or their accompanying caretaker must also hold strong, authenticated two-factor credentials that allow secure data access.
This is the most important and crucial part of the entire security cycle, where the hospital premises and the involved committee must implement high-end security practices such as encrypted, private-key-enabled email, HTTPS file transfer or the use of a VPN to transmit ePHI data with full security.