Understanding HIPAA Compliance

One of the most commonly asked questions we get is “What is HIPAA compliance?” so it’s important to define compliance.

The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, is a series of regulatory standards that outline the lawful use and disclosure of protected health information (PHI). HIPAA compliance is regulated by the Department of Health and Human Services (HHS) and enforced by the Office for Civil Rights (OCR).

Defining HIPAA

“The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule.”

Centers for Disease Control and Prevention

Why is Compliance Important?

HIPAA exists to secure Protected Health Information (PHI). What is PHI? Well, PHI is any demographic information that can be used to identify a patient or client.

Examples of PHI include, but aren’t limited to names, addresses, phone numbers, Social Security numbers, medical records, financial information, and full-facial photos.

If you had a choice between your personal information being readily available to scammers and identity thieves or being protected to spare you any financial or other anguish, which would you choose? HIPAA compliance exists to make sure that your information, and information that your organization handles, is secure from malicious intent.

Industries where compliance matters most:

All industries, especially with advancements in data collection and storage, should be compliant to some degree. Companies across all industries are viewed as farms for personal information, and if the security protocols are weak, the information is readily available for harvest and misuse.

What industries have more PHI and need to practice compliance more than others?

  • Covered Entities: A covered entity is defined by HIPAA regulation as any organization that collects, creates, or transmits PHI electronically. Health care organizations that are considered covered entities include health care providers, health care clearinghouses, and health insurance providers.
  • Business Associates: A business associate is defined by HIPAA regulation as any organization that encounters PHI in any way over the course of work that it has been contracted to perform on behalf of a covered entity. There are many, many examples of business associates because of the wide scope of service providers that may handle, transmit, or process PHI. Common examples of business associates affected by HIPAA rules include: billing companies, practice management firms, third-party consultants, EHR platforms, MSPs, IT providers, faxing companies, shredding companies, physical storage providers, cloud storage providers, email hosting services, attorneys, accountants, and many more.

Source: Compliancy Group

Contact us to get help with HIPAA and get your FREE HIPAA Compliance Checklist!

How do I become HIPAA Compliant?

The easiest way for your organization to become HIPAA compliant is to find a reputable HIPAA training company. We can help you work with companies that specialize in providing qualified HIPAA training and support and that are able to present all the information to create awareness and a basic understanding of HIPAA guidelines.

What is required for HIPAA Compliance?

  • Self-Audits – HIPAA requires covered entities and business associates to conduct annual audits of their organization to assess Administrative, Technical, and Physical gaps in compliance with HIPAA Privacy and Security standards. Under HIPAA, a Security Risk Assessment is NOT ENOUGH to be compliant–it’s only one essential audit that HIPAA-beholden entities are required to perform in order to maintain their compliance year-over-year.
  • Remediation Plans – Once covered entities and business associates have identified their gaps in compliance through these self-audits, they must implement remediation plans to reverse compliance violations. These remediation plans must be fully documented and include calendar dates by which gaps will be remedied.
  • Policies, Procedures, Employee Training – Covered entities and business associates must develop Policies and Procedures corresponding to HIPAA regulatory standards as outlined by the HIPAA Rules. These policies and procedures must be regularly updated to account for changes to the organization. Annual staff training on these Policies and Procedures is required, along with documented employee attestation stating that staff has read and understood each of the organization’s policies and procedures. Learn more about free HIPAA training.
  • Documentation – HIPAA-beholden organizations must document ALL efforts they take to become HIPAA compliant. This documentation is critical during a HIPAA investigation with HHS OCR to pass strict HIPAA audits.
  • Business Associate Management – Covered entities and business associates alike must document all vendors with whom they share PHI in any way, and execute Business Associate Agreements to ensure PHI is handled securely and mitigate liability. BAAs must be reviewed annually to account for changes to the nature of organizational relationships with vendors. BAAs must be executed before ANY PHI can be shared.
  • Incident Management – If a covered entity or business associate has a data breach, they must have a process to document the breach and notify patients that their data has been compromised in accordance with the HIPAA Breach Notification Rule. Specific details about the HIPAA Breach Notification Rule and explored below.

Source: Compliancy Group

Our Compliancy Partner

For many years, we’ve worked with and trusted the industry leader in HIPAA compliance – Compliancy Group.

Why do we work with Compliancy Group?

  • We’re in Healthcare too! – Well, sort of. Because we work with clients in healthcare, we too need to be protected from malicious intent and attacks that are related to harvesting PHI.
  • Resources & Documentation – Compliancy Group has a massive library of resources available to ensure that all partners and their organizations are educated on HIPAA compliance and best practices.
  • Expert Solution – Thanks to their simple software solution, Compliancy Group makes it easier to become and maintain compliance.

Curious to know more about compliance?

We’d be happy to talk to you about common HIPAA violations, creating and maintaining effective compliance programs, and assisting you in implementing compliance protocols throughout your organization!

Call us today at 501-907-7700 to talk to an expert about compliance.

HIPAA 101 – What is HIPAA? (Video)