Practical Things Everyone Needs to Know About HIPAA Compliance
A Little Free Library is an innovative way to promote education, bring a community together, and share with others.
The concept is simple: A steward sets up a public bookcase and invites anybody to take or borrow a book for free, or to contribute books of their own. There’s no shopkeeper, no librarian, no guard – Little Free Libraries run on the honor system.
While most neighborhoods gladly welcome a Little Free Library, they aren’t without risk. Occasionally, a rogue “patron” cleans out the entire library, selling the charitable contributions for profit at a local bookstore. To checkmate this threat, some Little Free Libraries started stamping books and asking local bookstores not to buy books with their unique stamp.
The honor system works up to a point, but once the violations become pernicious, communities have to create specific rules. For health information, the stakes are high, and the rules are important. The Health Insurance Portability and Accountability Act (HIPAA) sets the rules for how covered entities record, store, and share protected health information – replacing the “honor system” that healthcare companies had used previously.
HIPAA compliance is important for many reasons:
- Protects patients' privacy
- Protects organizations from hefty fines and settlements
- Promotes trust among consumers and organizations
In this video, Cyber Trust Alliance CEO and co-founder Randy Steinle shares some practical things about HIPAA compliance that are important for everyone to know.
What Is HIPAA and What Does It Protect?
For most of the 20th century, there was no federal law protecting the privacy of health information. Some states had their own laws, but most institutions were free to set their own data security policies.
That changed in 1996 when then-president Bill Clinton signed HIPAA into law.
As this video from Compliancy Group – a HIPAA compliance solution – explains, HIPAA establishes federal rules that covered healthcare entities must follow to protect the privacy of sensitive patient information. Lawmakers have amended HIPAA several times – recently with the Final Omnibus Rule of 2013, which clarified some gray areas and updated terminology to reflect current technology.
Covered Entities
This video explains the entities HIPAA covers. The law defines three types of covered entity and extends its obligations to a fourth category, business associates:
- Healthcare providers – such as hospitals, clinics, and private practices of any size
- Health plans – including government-, employer-, and church-sponsored plans
- Healthcare clearinghouses – which convert nonstandard health transactions into standard ones, essentially the middleman between healthcare providers and health plans
- Business associates – vendors such as billing companies, cloud hosting providers, or data analysts that create, receive, maintain, or transmit PHI on a covered entity's behalf. They must sign a business associate agreement and, since the 2013 Omnibus Rule, are directly liable for violations of the Security Rule and the Privacy Rule provisions that apply to them
While all of these entities fall under HIPAA regulation, Randy says that 84% of organizations are falling short in their compliance practices.
Protected Health Information
Compliancy Group describes the information HIPAA covers as Protected Health Information (PHI): individually identifiable health information held or transmitted by a covered entity or business associate. HIPAA's Safe Harbor de-identification standard (45 CFR 164.514(b)) lists 18 identifiers; health information that carries any of them is PHI, and all of them must be removed before data counts as de-identified under Safe Harbor:
- Names
- Geographical subdivisions smaller than a state (such as city, county, street address, or full ZIP code)
- All elements of dates (except year) directly related to an individual (birth date, admission date, discharge date, date of death), plus any age over 89
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- URLs
- IP addresses
- Biometric identifiers (fingerprints, voice prints, etc.)
- Full face photographs and comparable images
- Any other unique identifying number, characteristic, or code
Patient Rights Under HIPAA
The most fundamental right patients have under HIPAA is that covered institutions may not disclose the patient’s protected health information to unauthorized entities. There are five rules within HIPAA:
- Privacy Rule – governs how covered entities use and disclose PHI
- Transactions and Code Sets Rule – creates national standards for transactions and identifiers
- Security Rule – protects PHI when it's stored or transmitted digitally (which the rule calls “electronic protected health information” or “ePHI”)
- Unique Identifiers Rule – requires providers, plans, and clearinghouses to use a National Provider Identifier (NPI)
- Enforcement Rule – sets fines and penalties for HIPAA violations
Within these rules, patients have some unique rights under HIPAA.
Right to Access Health Information
HIPAA bars covered entities from disclosing PHI to unauthorized parties, but it not only allows but requires them to give patients their own records on request. Under the right of access (45 CFR 164.524), a covered entity must respond within 30 days, may extend that once by another 30 days with written notice, and may charge only a reasonable, cost-based fee for copies.
In this interview, Randy explains that this right to access healthcare records has led to a dramatic increase in government scrutiny in recent years.
Right to Release Records
A patient may want family members to see their health records, or may want to keep family out of them. Under HIPAA, patients have the right to authorize release of their records to whomever they choose, and the right to request restrictions on how a covered entity uses or discloses their PHI. A covered entity may decline most restriction requests, with one notable exception: if the patient pays for a service out of pocket in full, the provider must honor a request not to disclose that service to the patient's health plan.
Right to Amend Records
When patients access their own health information, they have the right to request amendment of anything inaccurate or incomplete. There's a caveat: the covered entity decides whether the correction is warranted. HIPAA does not permit patients to simply erase or rewrite their own records; if the entity denies the request, it must explain why in writing, and the patient may file a statement of disagreement that stays with the record.
Right to Access Disclosure History
There are exceptions to the Privacy Rule – for example, hospitals may disclose information to the patient's own health plan for payment, to law enforcement under certain circumstances, or certain kinds of information to public health authorities. Patients have the right to an accounting of disclosures: a list of the disclosures a covered entity has made in the six years before the request. One caveat practitioners should know: routine disclosures for treatment, payment, and healthcare operations, disclosures to the patient, and disclosures the patient authorized are excluded from the accounting, so it mainly captures the less routine cases such as public health reporting or law enforcement requests.
Common Causes of HIPAA Breaches
HIPAA breaches are serious violations of privacy and carry heavy fines, but breaches do inevitably occur. In fact, Randy explains that over 50 million records are compromised each year. While there is no single strategy, understanding the common causes of HIPAA breaches can help you take a proactive approach to compliance.
Organizations like Compliancy Group help covered entities stay compliant by building HIPAA programs and assigning dedicated compliance coaches, but there are steps your organization must take on its own:
Training
On the surface, HIPAA is straightforward: Don’t share PHI. In practice, however, the various types of data, various types of entities, and exceptions can make HIPAA compliance a complicated task.
Consider an example: Jane Doe is 15 years old and suffers from anxiety. After a counseling session, her parents ask the healthcare provider how her treatment is going. Is the counselor allowed to share Jane’s information with her parents?
The answer depends on the state. HIPAA generally treats a parent as the minor's personal representative, with the same access rights as the patient, but it defers to state law on when a minor can consent to care on their own, and many states carve out certain sexual health, substance abuse, or mental health information for adolescents.
This is just one example of the nuances of HIPAA. Because there are so many potential complications, HIPAA training should be comprehensive and ongoing. Randy shares that at a minimum, federal law requires entities to train their staff on HIPAA at least once a year. Many HIPAA breaches come from well-intentioned employees who simply didn’t know better.
In this interview, Terminal B’s David Reimherr points out that training isn’t just necessary to get a good insurance rate – it’s necessary to get an insurance policy at all. Training is the most important investment you can make in your HIPAA compliance.
Mishandling
In a busy workplace, it’s easy for a healthcare worker to accidentally leave a file on a counter, walk away from an unlocked computer, or talk to a colleague within earshot of others. These are all examples of simple data mishandling that can lead to breaches in HIPAA compliance.
Technology has helped to mitigate data mishandling: badge or smart-card login, automatic screen locks, role-based access to records, and digital documentation have lessened the risk of leaving physical documents lying around. However, user error (even among well-trained workers) is still an unsolved risk for covered entities.
As Randy points out, many organizations fall short because they try to replace IT tools with DIY solutions that don’t address the whole picture of security and compliance. While training goes a long way toward HIPAA compliance, organizations should be mindful of other tools they can use to stay safe and compliant.
Carelessness
“Did you hear that a famous actor was at my hospital?” “How’s your dad recovering from his accident? I saw him on my last shift.” “My mom said she was fine, but I looked up her chart, and she needs treatment.”
These are all seemingly mundane yet serious examples of careless gossip that is not HIPAA compliant. Looking up records for a patient you are not treating (whether a celebrity or a family member) and discussing patients with others (even if the patients are public figures or relatives) are serious HIPAA violations. They are also easy to catch: the Security Rule requires audit controls, so every chart open is logged against the user's credentials, and snooping investigations routinely start from those logs.
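As an added illustration (not part of the original article), here is the kind of check a security team runs over EHR access audit logs to surface snooping: chart opens by users with no treatment relationship, break-the-glass overrides that need a justification review, staff opening a relative's chart, and accesses to watchlisted patients. The log records, care-team roster, relative mapping, watchlist, and field names are all constructed for this example; a real EHR exposes equivalent data through its own audit exports.

```python
from typing import Dict, List, Set, Tuple

# Constructed audit records: who opened which chart and whether the EHR's
# "break the glass" emergency override was used. Real EHRs export similar
# fields, but the names here are assumptions for this example.
AUDIT_LOG = [
    {"user": "nurse01", "patient": "P100", "action": "view_chart", "btg": False},
    {"user": "nurse01", "patient": "P200", "action": "view_chart", "btg": False},
    {"user": "nurse02", "patient": "P300", "action": "view_chart", "btg": True},
    {"user": "clerk07", "patient": "P100", "action": "view_chart", "btg": False},
    {"user": "nurse02", "patient": "P400", "action": "view_chart", "btg": False},
    {"user": "dr05",    "patient": "P300", "action": "print_chart", "btg": False},
]

# Constructed care-team roster: users with a current treatment relationship.
CARE_TEAM: Dict[str, Set[str]] = {
    "P100": {"nurse01", "dr05"},
    "P200": {"nurse01"},
    "P300": {"dr05"},
    "P400": {"dr05"},
}

# Constructed HR cross-reference: patients who are relatives of a workforce member.
RELATIVES: Dict[str, Set[str]] = {"nurse02": {"P400"}}

# Constructed list of patients flagged for extra scrutiny (public figures, staff).
WATCHLIST: Set[str] = {"P300"}

# Audit actions that expose chart contents and therefore need a relationship check.
CHART_ACTIONS = {"view_chart", "print_chart", "export_chart"}


def flag_snooping(log: List[dict]) -> List[Tuple[str, str, List[str]]]:
    """Return (user, patient, reasons) for each chart access that needs review."""
    findings = []
    for rec in log:
        if rec["action"] not in CHART_ACTIONS:
            continue
        user, patient = rec["user"], rec["patient"]
        on_team = user in CARE_TEAM.get(patient, set())
        reasons = []
        if not on_team:
            # An override is legitimate in an emergency but must be justified;
            # an access with neither relationship nor override is the classic snoop.
            reasons.append("break-the-glass override; review justification"
                           if rec["btg"] else "no treatment relationship")
        if patient in RELATIVES.get(user, set()):
            reasons.append("patient is a relative of the user")
        if patient in WATCHLIST and not on_team:
            reasons.append("watchlist patient")
        if reasons:
            findings.append((user, patient, reasons))
    return findings


if __name__ == "__main__":
    for user, patient, reasons in flag_snooping(AUDIT_LOG):
        print(f"{user} -> {patient}: {'; '.join(reasons)}")
```

In production the roster comes from the EHR's encounter and scheduling data rather than a static dictionary, and the relative mapping from HR records; the logic stays the same, and the output feeds a privacy officer's review queue rather than an automatic disciplinary action.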
Malicious Data Breaches
While the other examples of HIPAA breaches boil down to human error, malicious data breaches are intentional: an outside attacker or an insider sets out to steal PHI.
On the black market, payment card information (such as a credit card number) is only the second most valuable type of data. The most valuable? Healthcare records.
Healthcare records are said to be worth over 45 times as much as a credit card number on the black market, because a stolen medical identity can be used for insurance and prescription fraud long after a stolen card has been cancelled. This makes healthcare data a lucrative target for bad actors like hackers and thieves.
This is where data loss prevention solutions can help covered entities like healthcare providers and health plans. As technology moves forward in leaps and bounds, hackers are constantly finding new ways to circumvent security, and organizations must be proactive about addressing these vulnerabilities.
Data loss prevention (DLP) tools identify PHI in email, file shares, and endpoints by matching patterns such as the Safe Harbor identifiers, then monitor, block, or encrypt it before it leaves the organization. They do not replace access control and training, but they catch the accidental attachment or unencrypted export that training alone will not, and they let your organization use the same advances in technology that malicious actors are using.
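The following is an added example, not code from the original article or from any vendor it mentions. It shows the core of a DLP rule for the Safe Harbor identifiers listed earlier on this page: a scanner that finds the identifiers with a recognisable shape (SSNs, phone numbers, emails, IPs, URLs, full dates, record numbers, ages over 89) in free text and redacts them. The medical record number format, the regexes, and the sample note are assumptions constructed for this example; names, biometrics, and photographs cannot be caught by regexes and are deliberately left out.

```python
import re
from typing import Dict, List, Tuple

# Regex detectors for the Safe Harbor identifiers that have a recognisable
# shape. Names, biometrics and photographs need NLP or metadata, not
# regexes, so they are out of scope here.
PHI_PATTERNS: Dict[str, re.Pattern] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "url": re.compile(r"\bhttps?://\S+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Full month/day/year dates; a bare year is permitted under Safe Harbor.
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    # Assumed record-number format for this example: "MRN" followed by digits.
    "mrn": re.compile(r"\bMRN[- ]?\d{6,}\b", re.IGNORECASE),
}

# Safe Harbor also treats an age over 89 as an identifier.
AGE_RE = re.compile(r"\b(\d{1,3})[- ]year[- ]old\b", re.IGNORECASE)
AGE_LIMIT = 89


def find_phi(text: str) -> List[Tuple[str, str]]:
    """Return (identifier_type, matched_text) pairs found in text."""
    hits = [(label, m.group(0))
            for label, pattern in PHI_PATTERNS.items()
            for m in pattern.finditer(text)]
    hits += [("age_over_89", m.group(0))
             for m in AGE_RE.finditer(text) if int(m.group(1)) > AGE_LIMIT]
    return hits


def redact(text: str) -> str:
    """Replace each detected identifier with a bracketed placeholder."""
    out = text
    for label, pattern in PHI_PATTERNS.items():
        out = pattern.sub(f"[{label.upper()}]", out)
    # Ages at or under the limit are not identifiers and are left in place.
    return AGE_RE.sub(
        lambda m: "[AGE>89]" if int(m.group(1)) > AGE_LIMIT else m.group(0), out)


# Constructed sample note; every value below is fictitious.
SAMPLE_NOTE = (
    "Pt John Doe, 92-year-old, MRN 00123456, DOB 03/14/1932, "
    "SSN 123-45-6789, phone (512) 555-0199, portal login from 10.20.30.40, "
    "contact jdoe@example.com; see https://example.org/chart/00123456"
)

if __name__ == "__main__":
    for label, value in find_phi(SAMPLE_NOTE):
        print(f"{label:12} {value}")
    print(redact(SAMPLE_NOTE))
```

Run on the sample note, the scanner reports eight identifiers and the redacted line still contains "John Doe": that gap is the point. Pattern matching is the cheap first layer of a DLP rule, but a record that passes it is not de-identified, and a real deployment pairs it with a name and address recognizer and with a human review of anything flagged before it is blocked or released.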
Exceptions to HIPAA
As this guide has alluded to, there are some exceptions to HIPAA that covered entities need to know about. These permitted uses and disclosures help clarify what types of use HIPAA permits and doesn’t permit.
- Disclosure to the individual. Not only are individuals allowed to know their own healthcare information, but they also have the right to request and receive it.
- Treatment, payment, and healthcare operations. Imagine that you are hospitalized for several days. Every 12 hours or so, nurses and doctors change shifts. Should each new nurse start with zero information? HIPAA permits covered entities to disclose PHI both internally and externally when it’s necessary for treatment, payment, or healthcare operations. This includes sharing PHI internally among clinicians, as well as externally to collect payment through your health plan.
- Opportunity to agree or object. For a few disclosures, such as listing a patient in a hospital's facility directory or sharing information with family members and friends involved in the patient's care or payment for care, the covered entity may disclose PHI if the patient is informed in advance and given the chance to agree or object. If the patient is incapacitated or it is an emergency, the provider may use professional judgment about what is in the patient's best interest.
- Incident to an otherwise permitted use and disclosure. A disclosure that happens as a by-product of a permitted one, such as another patient overhearing a name called in a waiting room, is not a violation as long as the covered entity applied reasonable safeguards and the minimum necessary standard.
- Limited data set for research, public health, or healthcare operations. A limited data set strips the direct identifiers (names, addresses, phone numbers, SSNs, and the like) but may keep dates and city, state, and ZIP code. Because it is still PHI, the recipient must sign a data use agreement before receiving it.
- Public interest and benefit activities, such as when required by law, when it’s needed for identification or donation for a deceased patient, or in the event of a serious threat to safety.
Stay Compliant with Terminal B
Compliance is not a luxury – it’s a necessity: Not only to protect yourself from the fees and penalties for noncompliance but also to protect consumer privacy. Randy suggests starting with online templates but points out that for most companies, that isn’t enough. To stay compliant, you need the help of dedicated IT professionals.
While there’s no easy button to staying compliant, Terminal B is here to help. By helping take the guesswork and stress out of HIPAA compliance, Terminal B can help you wherever you are on your IT journey.
HIPAA is complex and high-stakes, but with the right team of experienced professionals on your side, HIPAA doesn't have to be stressful. At Terminal B, our experience is your competitive advantage.
To learn how Terminal B can help you stay compliant and productive, contact us today.
Randy is the CEO and Co-Founder of Cyber Trust Alliance. A 30-year technology veteran, Steinle has led multi-million-dollar organizations in higher education, manufacturing, IT services, and healthcare. He is passionate about providing affordable and achievable solutions for underserved markets in the healthcare space. In his spare time, Steinle manages the global partnership between Microsoft and the International Association of Microsoft Channel Partners (IAMCP), serving over 5,000 partners globally. He's married to Beth, a Professor and Sr. Associate Dean at the University of Texas at Austin, and is the proud father of 4 grown children.