How to be HIPAA Compliant?

HIPAA compliance is more important than ever. More than 90% of consumers believe companies should do more to protect their privacy. Indeed, there is an increasing awareness of risks linked to personal data, and with good cause. In fact, in 2020, over 155 million records were exposed.

What happens when medical records leak? Besides the loss of privacy, patients have to worry about identity theft. This type of crime went up by 113% in 2019 alone.

In addition, there is a growing illegal market for stolen data. Criminals can purchase stolen PayPal credentials for $1.50 on average on the dark web. Medical records fetch an even higher price. Hackers go after these records because they sell for up to $1,000 a piece.

Thus, ensuring cyber security is the first step toward Security Rule compliance. However, you should also know that hackers are only one of the many risks to watch out for.

Individual compliance plans are key because violations can occur in a number of settings. For instance, a physician can discuss a case with someone who isn’t authorized. Or, messages or emails without proper encryption can cause a breach. Physical access to a server room or computer can also result in violations.

HIPAA compliance should be a key process for any healthcare organization. Besides preventing fines, it creates an environment of trust. At SecureTech, we have a long track record of helping organizations become HIPAA compliant. We are here to help you, and that starts with understanding the basics of HIPAA.

What is HIPAA compliance?

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 and creates a set of rules for protecting patients. By following these rules, you can reduce the risks of having your medical records exposed or stolen.

Healthcare providers and organizations handling Protected Health Information (PHI) should monitor breach risks, deploy strategies to prevent them and always look for new ways to improve security as threats evolve.

Digital records and IT are important components to monitor, but your HIPAA compliance process should have a broader scope. Since there are risks associated with physical access to patient information, it’s important for providers to consider network security and control access to the data.

It’s also important to choose the right vendors. Some partners might have access to your medical records. So, you need a strong due diligence process. Vet vendors for compliance to make sure they will follow HIPAA rules.

What are the HIPAA rules?

The first step toward Security Rule compliance is to understand the HIPAA rules.

Who do the rules apply to?

There are two types of entities that should follow these rules: covered entities and business associates.

What are covered entities?

This describes healthcare organizations that work with PHI (create, update or share it). This category includes doctors, clinics and pharmacies. Health insurance providers and clearinghouses are also covered entities.

Who are business associates?

Healthcare organizations rely on vendors and partners to do their job. In some cases, these partners have access to PHI. Business associates are these vendors. Under HIPAA rules, they have to follow standards to protect patient data.

Business associates can work in a wide range of fields. Some offer legal services, while others provide analytical tools or work with data in other ways. This includes financial services, consultants and more.

In 1996, HIPAA became law with two main goals:

  1. Reduce healthcare fraud and waste.
  2. Make health insurance more portable.

With cybercrime and identity theft on the rise, the need for data protection increased. As a result, the Department of Health and Human Services (HHS) introduced more HIPAA rules over the years.

A total of five main HIPAA compliance rules have been added to the law.

HIPAA Privacy Rule

The HIPAA Privacy Rule was introduced in 2000. It defines what kind of data to protect, namely individually identifiable health information. This is any data about a patient’s health, both physical and mental. It also includes treatment and payment history.

This rule covers matters that can connect data to an individual. If a name, phone number, birth date or Social Security Number is present, the record falls under this rule.

It also defines the scope of what you’re responsible for. You need to protect this data in electronic and paper format. Also, the HIPAA Privacy Rule extends to what you share during conversations. This is why even talking about a patient with a colleague can be against the law.

The Privacy Rule creates a framework for what you can and can’t do with the data. It explains what exactly you can share without getting consent from the patient. It also lists who you can share this with.

In addition, there’s a provision that gives patients the right to access their information and request copies of their records.

Lastly, this rule requires you to create privacy policies. You need to notify patients of these policies (in writing) and ensure your staff is trained in HIPAA compliance once a year.

HIPAA Security Rule

The HIPAA Security Rule explains how to protect PHI. It was adopted in 2005. Its purpose is to set standards for different security measures. Essentially, there are three major requirements to meet: administrative, physical and technical safeguards. (More on these requirements below.)

This rule also defines electronic protected health information, or ePHI. Put simply, this law outlines standards for maintaining and sharing this data.

HIPAA Omnibus Rule

The HHS realized that the previous rules had some policy gaps, especially when it came to business associates. Thus, the HIPAA Omnibus Rule was introduced in 2013 to fix this issue.

This rule focuses on Business Associate Agreements, or BAAs. These written agreements outline your duties when it comes to PHI, as well as your vendor’s.

Separately, in 2009, the HITECH Act became law. It pushed for the adoption of electronic health records (EHR). It also improved privacy protection and introduced serious penalties for those who don’t follow the rules.

The Omnibus Rule includes provisions to support the adoption of the new standards set by the HITECH Act.

Breach Notification Rule

The HHS created the Breach Notification Rule to determine what you should do when a breach occurs. It requires you to notify the Office for Civil Rights (OCR).

This rule also explains what a breach is and how to report it. It distinguishes breaches by how widespread they are. For example, even a minor breach with fewer than 500 records exposed has to be reported. However, the OCR will not make it public, and you don’t have to report it right away.

A meaningful breach, on the other hand, is an event that affects more than 500 people. The OCR publishes these incidents on its Breach Notification Portal. You need to report these incidents within 60 days.

HIPAA Enforcement Rule

The HIPAA Enforcement Rule gives the HHS more authority to enforce the rules mentioned above.

It also allows the OCR to look into complaints. Additionally, the OCR can perform reviews, offer education and outreach, and charge fines of up to $1.5 million for failure to meet its standards.

Since 2003, the OCR has issued fines in 99 cases. The total amount paid in fines is $135 million. The OCR solves a majority of cases by requiring new privacy policies. However, sometimes, it asks for corrective actions instead.

HIPAA compliance checklist 2021

You need to adapt your HIPAA compliance process to your practice. In addition to knowing the rules, you need to apply them. A good place to start is to identify the processes and roles that use PHI.

Check your current compliance levels first. Are there steps you could take to improve privacy policies? Are your current policies adapted to all the departments that use PHI?

Introducing best practices gives employees the tools they need to avoid breaches. It will also make compliance one of your core values.

Use this HIPAA compliance checklist 2021 to help evaluate your situation:

  • Perform a Security Risk Assessment to go through your current practices.
  • Go over HIPAA rules to figure out which audits you have to do. Rules can vary based on whether you’re a healthcare organization or business associate.
  • Document every assessment. Go over your findings to identify the areas you need to improve.
  • Once you find gaps, make plans. Do you need a new privacy policy? Should you replace an old messaging system? Develop a list of action items.
  • Put this plan in action. You’ll get better results if you set goals and measure your progress. Besides, you should collect feedback from the employees who are affected by the changes.
  • Identify who is in charge of compliance. Hiring a HIPAA compliance officer can make a huge difference.
  • Create a multi-disciplinary team. Get feedback from different departments that work with PHI. This will give you a better understanding of how to include everyone. If you already have a team, consider adding more members to make it more diverse.
  • Train staff once a year to comply with the HIPAA Privacy Rule. Turn training into a chance to improve compliance. Make the training sessions interactive and provide a refresher a few weeks later. Plus, you can adapt training to reflect the issues you found during your audit.
  • Document your training sessions. You need to prove that staff received training. You should also record attestations of HIPAA policies and procedures and keep these documents where you can access them easily.
  • Review your BAAs once a year. You can review the best practices your partners use. Besides, you’ll get a refresher on how you decided to share duties.
  • Communicate with vendors regularly. Find out what they do to keep improving HIPAA compliance. It’s important to perform due diligence when you choose a new vendor, but it’s not a set-it-and-forget-it process.
  • Review your best practices for handling breaches. What is the process for reporting breaches? How do you pass this information along to the OCR? Does it take long to notice breaches?

You can improve any aspect of HIPAA compliance by having tighter control over security. Most importantly, increasing awareness in your teams can go a long way to help avoid breaches and fines.

How to become HIPAA compliant

To be in compliance, you must conduct an annual self-audit to look for gaps in processes and identify risks. You should develop a plan after conducting that audit to rank those risks and implement strategies continuously to improve PHI safety.

The scope of HIPAA compliance also covers training, policies, best practices and notifying patients when a data breach occurs.

The best way to ensure compliance is to create an ongoing program dedicated to assessing current practices and identifying ways to improve compliance.

To begin, the HIPAA Security Rule goes over a series of steps to take to become compliant. You’ll find a total of 14 standards across three categories. The first one is about the tech you use. The second is about physical safeguards, and the last one covers administrative demands.

Some of these standards are hard requirements, meaning you have to meet them. However, others are addressable. If you find that the “addressable” areas are risks for you, then you must implement those safeguards too. If you decide that an addressable standard is not reasonable or appropriate for your organization, you don’t have to implement it. However, you still must document the reasoning behind ruling it out.

Technical safeguards

These standards regulate the tools you use to work with PHI. It’s important to understand that you don’t have to use specific tools. You’re free to select the tech products that address your needs, as long as they meet a few conditions.

Among the required standards, you’ll find access control. You need to use unique names or numbers to track users. Plus, you’ll have to develop procedures for accessing PHI during an emergency. Automatic logoffs and encryption are common practices for better access control.

You also have to meet audit controls. You need to record activity for systems that use or store PHI.

The third required standard is authentication. You have to verify that users who access ePHI are the person they claim to be.

There are two other technical standards that are addressable. The first one is an integrity standard. It calls for verifying whether someone modified or deleted ePHI without authorization. The second one is transmission security. It prevents changes to ePHI when you share it and helps make sure you use encryption.
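As an added illustration of the audit-controls and integrity standards described above (example code written for this article, not a SecureTech product or a mechanism the Security Rule prescribes): a tamper-evident access log for ePHI in which every entry carries an HMAC over its own fields plus the previous entry’s tag, so an entry that is altered or removed after the fact shows up on review. The key, user IDs and record IDs are constructed sample values.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass

# Constructed demo key. In production it lives in a KMS/HSM, out of reach of
# the users whose actions the log records.
AUDIT_KEY = b"constructed-demo-key-not-for-production"


@dataclass(frozen=True)
class AuditEvent:
    seq: int         # position in the log; a gap reveals a deleted entry
    timestamp: str   # ISO 8601, UTC
    user_id: str     # the unique user ID the access-control standard calls for
    action: str      # view / update / delete / export
    record_id: str   # identifier of the ePHI record, never the PHI itself
    prev_tag: str    # tag of the previous entry ("" for the first one)
    tag: str = ""    # HMAC-SHA256 over the fields above


def _compute_tag(fields: dict) -> str:
    # Canonical JSON so the tag does not depend on key order or whitespace.
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: list[AuditEvent] = []

    def append(self, timestamp: str, user_id: str, action: str,
               record_id: str) -> AuditEvent:
        prev_tag = self.entries[-1].tag if self.entries else ""
        fields = dict(seq=len(self.entries), timestamp=timestamp, user_id=user_id,
                      action=action, record_id=record_id, prev_tag=prev_tag)
        event = AuditEvent(**fields, tag=_compute_tag(fields))
        self.entries.append(event)
        return event

    def verify(self) -> tuple[bool, int]:
        """Return (ok, index of the first bad entry); the index is -1 when ok."""
        prev_tag = ""
        for i, event in enumerate(self.entries):
            fields = asdict(event)
            stored_tag = fields.pop("tag")
            if event.seq != i or event.prev_tag != prev_tag:
                return False, i  # an entry was removed or reordered
            if not hmac.compare_digest(_compute_tag(fields), stored_tag):
                return False, i  # an entry was altered after it was written
            prev_tag = event.tag
        return True, -1


def build_sample_log() -> AuditLog:
    # Constructed sample events: two users touch the same record.
    log = AuditLog()
    log.append("2021-03-01T09:00:00Z", "u-1042", "view", "mrn-7781")
    log.append("2021-03-01T09:05:10Z", "u-1042", "update", "mrn-7781")
    log.append("2021-03-01T11:20:00Z", "u-2290", "export", "mrn-7781")
    return log


def altered_log() -> AuditLog:
    # Someone rewrites the export as a harmless view; the stored tag no longer fits.
    log = build_sample_log()
    old = log.entries[2]
    log.entries[2] = AuditEvent(old.seq, old.timestamp, old.user_id, "view",
                                old.record_id, old.prev_tag, old.tag)
    return log
```

The chain cannot tell that trailing entries were cut off, so the latest tag should be copied somewhere the log writer cannot modify (for example a separate append-only store) and compared during the periodic log review the security management standard calls for.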

Physical safeguards

Some HIPAA violations occur because a user accessed a computer with patient records on it. There are four physical standards you can implement to prevent this type of incident.

Facility access controls help you keep track of who is in your building. There are four major steps you can take:

  • Find a way to restore lost PHI data as part of your disaster recovery plan.
  • Create a security plan to protect your facility and equipment from theft.
  • Verify that people have permission to access your building. Go further by limiting access to certain areas.
  • Keep detailed records of who accessed your facility. For example, a security record can tell you who repaired workstations or who was physically present in the area at any time.

You should also keep an eye on who uses your computers through workstation use requirements. Document your best practices for using computers and reduce risks by only allowing PHI access on some of your computers.

However, you must go further with workstation security. You should have physical safeguards to limit who can access computers with ePHI on them.

The next HIPAA compliance requirement is about device and media controls. Remove ePHI from hard drives and other media before you re-use them. Plus, you can record who uses these devices. Keep track of movements for these devices and always have backups of PHI on hand. These last two items are not hard requirements.

Administrative safeguards

This section of the Security Rule prevents incidents at the administrative level. There is a total of nine standards. You’ll find a mix of hard and addressable requirements in this category.

The first standard is security management. You need to:

  • Perform a risk analysis to understand how you use PHI. Determine where a breach could occur.
  • Take action to reduce these risks.
  • Adopt sanctions for employees who don’t follow the rules.
  • Go over your logs regularly.

Next, you’ll have to meet the assigned security responsibility. This means you need to have HIPAA security and privacy officers on your staff.

The third standard, workforce security, is something you can address. You can create some best practices for supervising employees who work with PHI. Plus, you should end permissions when someone stops working for you.

Prevent partners from accessing PHI to meet the information access management standard. This rule doesn’t apply to your business associates, but you can go further with an optional practice that consists of documenting PHI access.

You already know that you need to provide training once a year. The security awareness and training standard encourages you to go further with HIPAA compliance through four things you can address:

  • Use an antivirus.
  • Monitor logins.
  • Manage passwords.
  • Send reminders about privacy policies.

The security incident procedure safeguard is about how to handle breaches. You need to actively look for incidents. If you find one, document it. You should also take action to address the issue. This safeguard is a hard requirement.

The seventh administrative standard is about contingency plans. There are two requirements:

  • Create a backup of your ePHI. You should be able to access this backup during an emergency. You should also have a plan for restoring lost PHI.
  • Make plans for an emergency mode where you can function while protecting ePHI.

The Security Rule also suggests that you test and improve these plans.

The next required standard is about evaluations. Your organization is going to change, and new risks might appear. Also, new HIPAA rules might be adopted. You have to keep up with these changes to comply.

Lastly, you need to establish Business Associate Agreements with your partners who access PHI.

What about the Privacy Rule?

The HIPAA Privacy Rule states that business associates should follow all the rules listed above. They should also prevent any illegal use or disclosure of PHI.

Also, vendors need to make sure clients can access their records. If a breach occurs, the vendor has to notify the client. If the HHS needs to access PHI, vendors will have to disclose this data and keep track of these disclosures as well.

How to comply with the Breach Notification Rule

The Breach Notification Rule kicks in if a violation occurs in one of the above standards. You will have to notify the OCR. If it affects more than 500 patients, you will also have to make the breach public.

HIPAA compliant email

The number of HIPAA breaches has been going up. In 2018, 368 breaches with more than 500 exposed records happened. This number jumped to 642 in 2020. Before 2015, loss and theft were the main causes of violations. For the past few years though, IT incidents have become the leading cause of HIPAA breaches.

Email is the source of many of these IT-related violations. Whether you’re a healthcare organization or a partner, it’s your responsibility to protect ePHI in transit. Your liability ends when the message arrives.

You need to work with a HIPAA-compliant email provider. Because they handle your messages, they count as business associates, which means you need to establish a BAA with them.

Encryption is an important step for protecting PHI. It helps secure your records during transit and also protects them in your mailbox. Besides, you can use encryption to store emails in an archive. It’s easy to access encrypted emails as needed, and you can use this archive for disaster recovery.

Encryption isn’t a hard requirement. However, it’s a common practice because there is no better way to protect PHI in transit. It’s a risk that will come up during your security audit. If you decide against using encryption, you’ll have to document this decision.

You have to go further to meet HIPAA compliance requirements. Encryption alone isn’t sufficient. You need to authenticate users and monitor how they share PHI. There should also be an audit trail for your emails. If you store PHI in a mailbox, you need to control its access.

A growing number of healthcare organizations are using messaging systems for internal communication. It’s a safe and convenient option. You can control access with login credentials. The app can monitor activities to create an audit trail. Besides, a messaging app can encrypt messages. It can also prevent users from sending PHI outside of your network. You can add a layer of protection with features like automatic logoffs.

Regardless of the solution you decide to use, emails and messages should be an important aspect of your HIPAA compliance process. SecureTech offers a comprehensive email solution that meets all the HIPAA requirements for ePHI in transit and access controls.

SecureTech helps you with HIPAA Compliance Services in San Antonio

We at SecureTech understand that IT and digital communications require special attention in the context of HIPAA compliance. That’s why we offer HIPAA-managing services designed to help you create a safe environment for storing and handling protected health information (PHI). We will help you become HIPAA compliant and much more. Let us take charge!

Our email encryption service is a valuable tool that supports communication between health care providers and vendors. Deploying that solution will help protect PHI in part by requiring authentication to open emails.

To guard against a data breach that could expose PHI, our endpoint security and network infrastructure-monitoring services can protect PCs and servers, filter traffic and provide real-time alerts.

Our IC Armor Security Suite is an add-on that includes multi-factor authentication and phishing protection. Health care providers and vendors can benefit from those tools since they create an additional layer of security against unauthorized network access.

Encryption is a crucial element of HIPAA compliance since it renders data useless to anyone who doesn’t have the encryption key. We can encrypt data stored on hard drives and in emails, and offer a secure backup-and-recovery solution. We can remotely wipe a hard drive that is lost or stolen and help you meet the HIPAA guidelines’ backup and recovery requirements with our secure datacenter.

We see ourselves as long-term partners who can help you improve your current HIPAA compliance process. Our HIPAA-managing services will help you create a secure network, control who has PHI access, provide physicians with a safe way of sharing patients’ records and provide you with a HIPAA-compliant way of backing up your data.

Get in touch with us in San Antonio, TX to learn more!