
HIPAA Compliance: What is it and Complete HIPAA Compliance Checklist

8 March 2022


Are you an individual or an organization that regularly deals with people’s health data? If yes, you or your organization need to ensure that you are compliant with the HIPAA regulations unless you want to pay a hefty fine.

All healthcare organizations need to protect the personal health data of their patients. The US government created HIPAA rules and regulations to safeguard the personal health information of each individual. Any person or entity found using Protected Health Information, or PHI, without HIPAA compliance is subject to heavy fines that range up to $50,000!


So, unless you want to shell out this kind of money, every organization that deals with PHI must become HIPAA compliant. A HIPAA checklist can help health care entities and their associates easily navigate the complex HIPAA compliance requirements.

This guide will help you holistically understand HIPAA compliance. Furthermore, we discuss every primary HIPAA rule you need to know before becoming HIPAA compliant. We will also provide you with a holistic HIPAA checklist to help you navigate through HIPAA requirements by the end of the article.

Keep reading to learn more about using patients’ Protected Health Information as per HIPAA requirements.

What is HIPAA Compliance?

HIPAA, or Health Insurance Portability and Accountability Act, is a regulatory act implemented in 1996 in the US. The purpose of HIPAA is to safeguard American citizens’ Protected Health Information (PHI). In other words, HIPAA is a law that outlines how a covered entity can lawfully use and disclose PHI.

Now, you might be wondering, “what is a covered entity?” We will talk more about it as we proceed further. For now, let’s just say that HIPAA prevents a person or organization from misusing the Protected Health Information of an individual.

A more pressing question at this point is, “what are the HIPAA compliance requirements?” However, the answer is not as simple as you might think because the HIPAA requirements are vague by design in some places. HIPAA compliance is designed like this because it is equally applicable to different covered entities that handle PHI.

What is the Primary Purpose of HIPAA Compliance?

In simple words, the primary purpose of HIPAA regulations is to ensure the integrity of Protected Health Information or PHI. However, understanding HIPAA compliance from a real-life perspective is much more complex.

There are mainly three critical aspects that the covered entities under HIPAA regulations need to concern themselves with, and they are:

HIPAA Privacy Rule

The HIPAA Privacy Rule sets the privacy standards that covered entities and Business Associates need to maintain when handling PHI data.

HIPAA Security Rule

The purpose of the security rule is to standardize the electronic handling of Protected Health Information or PHI of individuals (ePHI).

HIPAA Breach Notification Rule

According to the Breach Notification Rule, it is mandatory for covered entities and Business Associates to alert any affected parties whenever the PHI is compromised.

What Is a Covered Entity?

A covered entity under the HIPAA law includes the following:

  • Health care providers
  • Health plan providers
  • Health care clearinghouses
  • Business associates

The common denominator for all the entities listed above is that they handle PHI in one form or another. In other words, any entity that uses PHI in its everyday activities is classified as a covered entity under HIPAA.

However, there are a few exceptions. For example, most health care professionals working in a hospital are not considered a covered entity under HIPAA. In such cases, the covered entity is the hospital and not its employees.

Hybrid Entities

You might have noticed that employers also keep their employees’ Protected Health Information (PHI). Naturally, you may also assume that the employer is a covered entity, whether a person or an organization. However, that is not necessarily true in all cases.

An employer is treated as a covered entity only if it provides self-insured health cover or other similar benefits like an Employee Assistance Program (EAP). Such companies or employers are termed “hybrid entities.” Any unauthorized use or disclosure of PHI in such cases is effectively considered a HIPAA breach.

What is Protected Health Information or PHI?

Protected Health Information or PHI is any demographic information that can reveal a patient’s identity. Of course, the patient or client must be a covered entity to treat the demographic information as PHI.

PHI Examples

Some of the most common examples of PHI include

  • Names
  • Addresses
  • Phone numbers
  • Social security numbers
  • Medical records
  • Driver’s license information
  • Biometric Identifiers like finger and voiceprints
  • Account Numbers
  • Numbers of health plan beneficiaries
  • Vehicle identifiers, including license plate numbers
  • IP Addresses
  • Full face photographs

Electronically Stored Information and HIPAA Compliance

If you were wondering whether electronically stored information is also subject to HIPAA compliance, the answer is yes! Any PHI that you transmit, store, or access electronically is subject to HIPAA’s regulatory standards.

PHI that is stored, transmitted, or accessed electronically is called electronic Protected Health Information, or ePHI. Similar to regular PHI, ePHI is protected by the HIPAA Security Rule. These rules are the same as the standard HIPAA rules, with additions so that covered entities can account for changes in medical technology.

What is a Business Associate?

Sometimes HIPAA-compliant entities such as hospitals may be associated with a person or business with whom they may have to share their PHI. A Business Associate is any such person or business who has access to the PHI of a covered entity. 

Examples of Business Associates include the following:

  • Direct Mail Service Providers
  • Lawyers
  • IT Contractors
  • Accountants
  • Cloud Storage Services
  • Email Encryption Services and more.

Business Associate Agreement

Before a person or business can access PHI, they must sign a Business Associate Agreement with the covered entity. The agreement states how and when the prospective Business Associate can access the covered entity’s PHI.

Furthermore, the agreement also specifies how the prospective Business Associate can use the PHI. It states that the Business Associate has to return the PHI or destroy it once the required task is completed. 

Additionally, it is worth noting that when the Business Associate has the PHI, it is also obligated to keep HIPAA compliance. Hence, covered entities must ensure that their Business Associates are HIPAA compliant.

Understanding The Role of Business Associates

To help you better understand the role of a Business Associate, let’s consider the example of hospitals and direct mail service providers. It is the responsibility of health care organizations like hospitals, clinics, etc., to implement and enforce their compliance with HIPAA. Furthermore, health care organizations also need to ensure HIPAA compliance of any services they outsource, such as direct mail service.

Suppose a hospital wants to send many hospital/lab invoices. In that case, they need to outsource a HIPAA-compliant direct mail service. PostGrid is one of the ideal examples of a HIPAA-compliant direct mail service provider. You can send bulk mail, including invoices, patient statements, etc., using an automated direct mail software like PostGrid.

HIPAA Privacy Rule

The HIPAA Privacy Rule is an integral part of the HIPAA regulations. Covered entities and Business Associates must familiarize themselves with the HIPAA Privacy Rule for understanding HIPAA compliance accurately.

What is HIPAA Privacy Rule?

As we mentioned before, HIPAA was introduced in 1996. However, it has had some significant amendments over the years. The HIPAA Privacy Rule is one of the most crucial amendments made to HIPAA. It was first enacted in 2002 with its main goal set as protecting the confidentiality of patients.

Furthermore, the HIPAA Privacy Rule allows the flow of patient health care information only when necessary. You may have also heard of the HIPAA Privacy Rule by another lengthier name – Standards for Privacy of Individually Identifiable Health Information.

What the HIPAA Privacy Rule does is regulate access to PHI. It also defines the circumstances in which the PHI can be shared or used. Hence, any business, organization, or individual following HIPAA compliance must be well-aware of the HIPAA Privacy Rule.

Parties Involved Under HIPAA Privacy Rule

Many people and organizations assume that the HIPAA Privacy Rule only applies to healthcare organizations. In actuality, the HIPAA Privacy Rule applies to any entity (individual or organization) that can access the patient’s personal information.

Hence the covered entities that need to follow the HIPAA Privacy Rule include the following:

  • Health Insurers
  • Health Care Clearinghouses 
  • Employer-Sponsored Health Plans 
  • Third-Party Medical Service Providers

Risk of Disclosing PHI to Third Parties

The same HIPAA Privacy Rule applies to all concerned entities, including third-party service providers such as PostGrid. This is because there are a lot of risks involved when you share a patient’s health care data.

Some of the significant risks associated with sharing the patient’s health data include the following.

  • The third party could use the information to harm the patient’s finances.
  • Leaking the personal health information of individuals might affect their reputation.
  • The third-party service provider can use the PHI to commit health care fraud.

What is The Data Protected Through HIPAA Privacy Rule?

The HIPAA Privacy Rule covers an extensive range of “Individually Identifiable Health Information.” Hence, it is impractical to list each piece of data protected by the HIPAA Privacy Rule. Furthermore, insurance providers and clearinghouses often access PHI for billing information.

Individually Identifiable Health Information

When researching HIPAA compliance, you will come across the term “Individually Identifiable Health Information” at some point. Any information or data, including demographics, that relates to an individual or reveals their identity can be termed Individually Identifiable Health Information.

Here is a quick guide you can use to determine whether a piece of information you have is Individually Identifiable Health Information or not. The data or information you have is considered an “Individually Identifiable Health Information” if it relates to

  • A person’s past, present, or future health or condition (including physical and psychological health)
  • The health care provision to a person or individual
  • The payment for health provisions of an individual

As you can imagine, there are several standard identifiers in Individually Identifiable Health Information, such as

  • Name
  • Address
  • Birth Date
  • Social Security Number
  • Credit Card Information
  • Vehicle Registration Plate Numbers
  • Examples of a Patient’s Handwriting (Electronically-Stored)

Difference Between PHI And Individually Identifiable Health Information (IIHI)

At this point, you are probably wondering what makes Individually Identifiable Health Information different from PHI. Furthermore, some of you may also be concerned about processing your IIHI data without having a HIPAA process.

IIHI only becomes Protected Health Information in the hands of a covered entity or Business Associate. So, suppose you are not a covered entity or Business Associate that creates, stores, uses, or discloses IIHI. In that case, you don’t have to worry about using IIHI.

Note: Personally Identifiable Information or PII is another data or information type that you may be familiar with. However, PII is generally not considered Protected Health Information or PHI unless it contains the patient’s health care information. Hence, if the PII only contains a name and telephone number, it is not considered PHI.

HIPAA Privacy Rule For Videos And Images 

Many people or organizations think the HIPAA Privacy Rule only applies to PHI in written format. Moreover, covered entities often forget to consider that their IIHI data can be in a format other than writing.

It is also worth noting that you need to ensure HIPAA compliance for electronically stored information. The HIPAA Privacy Rule applies to any format that contains Individually Identifiable Health Information (IIHI).

Hence, videos and images are also protected by the HIPAA Privacy Rule as long as they contain any Individually Identifiable Health Information (IIHI). For example, let’s say you are a health care provider, and a patient walks in with an open wound seeking medical help.

Let’s also assume that you must take pictures of the wound. In this case, the image may reveal the patient’s identity, perhaps through a distinguishing feature captured in the image. Hence, the image is also protected under the HIPAA Privacy Rule.

Minimum Necessary Rule For PHI

We know that the HIPAA Privacy Rule establishes the essential constituents for PHI or Protected Health Information. However, that’s not all the HIPAA Privacy Rule does. It also helps you determine when and how to disclose Protected Health Information or PHI.

Generally, covered entities or Business Associates cannot disclose any PHI relating to a patient without authorization. Furthermore, the PHI must remain secure for the patient’s past, present, or future health care information. The security of PHI must remain intact for both the physical and mental health of the patient.

Hence, the concerned entities must get authorization from the patient or their legal representative to disclose PHI.

What is the Minimum Necessary Rule?

According to the Minimum Necessary Rule, covered entities must limit the disclosure of PHI to the bare minimum. It also states when the covered entities are authorized to disclose a patient’s PHI. Hence, covered entities must ensure that they disclose PHI only in these authorized situations.

However, there are exceptions to the Minimum Necessary Rule in a healthcare environment, because in real-life situations it is often necessary for a health care provider to access a patient’s medical records. Apart from these, any non-routine disclosure of PHI needs a case-by-case review.

Furthermore, the review process is necessary even for cases where the patient gives authorization for PHI disclosure. The patient can authorize a PHI disclosure for several reasons, including

  • Research
  • Marketing
  • Fundraising projects

When are PHI Disclosures Authorized?

The organizations that handle PHI may be required to share the patient’s private health information. Following are the situations when a covered entity would have to disclose a person’s PHI.

PHI Disclosure Required By Law:

Sometimes, covered entities may have to disclose a person’s PHI because the law requires it. For example, a law officer can use the PHI data to prove a person’s innocence in a court of law. The covered entity can share the patient’s PHI without compromising their HIPAA compliance in such situations.

In The Interest of The Patient/Public:

The covered entity is authorized to share the PHI for the patient’s benefit. It means that the patient can use their PHI to get a second opinion from health care experts or any other purpose.

Similarly, the concerned entity can reveal the PHI of individuals in cases where there is a risk to public health. For example, in the case of a potential epidemic or pandemic situation, the concerned authority can disclose a patient’s PHI.

Sharing PHI with HIPAA Covered Entity:

Health care organizations often have business relationships with other HIPAA-covered entities and Business Associates. For example, health care organizations, labs, and even insurance providers use HIPAA-compliant direct mail services like PostGrid. It allows covered entities like hospitals to conveniently and securely send patient billing statements, notices, and invoices.

Does The HIPAA Privacy Rule Affect You?

It is vital that individuals and organizations that process PHI determine whether the HIPAA Privacy Rule applies to them. Organizations need to assess operations or situations that require using a patient’s personal information.

Just keep in mind that the purpose of the HIPAA Privacy Rule is to protect individual PHI. It governs how all covered entities use or disclose the PHI. The covered entities range from doctors and nurses to health insurance providers.

As mentioned above, covered entities are people or organizations that can access and process PHI data. Covered entities must maintain HIPAA compliance, including conformance with the HIPAA Privacy Rule.

The following table highlights the essential individuals and organizations covered under the HIPAA Privacy Rule.

Health Care Providers
  • Doctors
  • Psychologists
  • Chiropractors
  • Clinics
  • Pharmacies
  • Nursing homes

Health Insurance Companies
  • Health Plan Providers
  • HMOs
  • Company Health Plans
  • Health Care Plans From The Government

Health Care Clearinghouses
  • Any entity that processes health care data into a standard format after receiving it from another covered entity.

HIPAA Security Rule

Administrative and clinical tasks are often complex and time-consuming. At one point, it became necessary to implement intelligent solutions to minimize the burden of these tasks. As a result, solutions like electronic health records (EHR) and computerized physician order entry (CPOE) systems were created.

The advantage of these new systems is that health care providers can conveniently access patient information. Furthermore, they do not require a centralized terminal, making it even easier to access the required information.

However, these new systems did not have the advanced security protocols to protect precious information. The HIPAA Security Rule standardizes the measures that covered entities and Business Associates need to take for accessing PHI data in electronic form (ePHI).

What is the HIPAA Security Rule?

The HIPAA Security Rule is another vital part of the HIPAA regulation. The purpose of the HIPAA Privacy Rule is to regulate the storing and transferring of PHI data. Furthermore, the HIPAA Privacy Rule also defines who can access PHI data.

However, the HIPAA regulation still lacked standardization measures on who can access the PHI data electronically. Hence, the HIPAA Security Rule was brought in to solve the problem. You could say that the HIPAA Security Rule is the medical workforce’s baseline per the federal mandate. 

It governs the HIPAA ePHI and gives you more details than the Privacy Rule for understanding HIPAA compliance. According to the HIPAA Security Rule, there are three security safeguards that organizations need to meet to become HIPAA compliant. The three safeguards are as follows:

  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards

What are the Administrative Safeguards Required for HIPAA Compliance?

The strictest regulations around the administrative aspects of HIPAA compliance are usually the result of the HIPAA Security Rule. More than fifty percent of the requirements for HIPAA-compliant entities are administrative safeguards.

As per the ruleset concerning the ePHI and its transmission, the administrative policies and actions must establish security measures around:

  • Selection Management
  • Security Maintenance
  • Implementation
  • Conduct Management

Hence, it is vital that you thoroughly investigate the standard administrative safeguards in their present state. It will help you evaluate the security controls you have in place and calculate the risk factors associated with them. Furthermore, these risks are unique for different covered entities, and this assessment is a necessary part of HIPAA compliance.

Security Management Process

Security Management Process is the first administrative standard covered entities need to meet. The Security Rule specifies the administrative procedures and processes for creating a security posture based on unique environments. There are four specifications that organizations need to consider for this standard, and they are as follows:

Risk Analysis

Here, covered entities have to assess the potential risks within their organization. Anything that can compromise the confidentiality and integrity of ePHI is a potential risk. Furthermore, the unavailability of ePHI is also considered a security risk in this aspect.

Risk Management

After the risk analysis, covered entities need to create a security system that includes multiple measures for reducing these risks. As mentioned before, these risks are unique for different organizations. The measures you put in place must reduce these risks to a reasonable level.

Sanction Policy

When creating sanction policies, the covered entities need to ensure a reasonable level of sanctions. In other words, the sanctions must effectively deter workforce members from failing to comply. Not being able to do so would show that your organization’s administrative standards are below par for HIPAA compliance.

Review Information System Activity 

The Information System Activity Review standard requires covered entities to learn about the inappropriate ePHI disclosures. In other words, the covered entities must review their activities regularly to weed out any inappropriate ePHI disclosure.

Assigned Security Responsibility

Assigned Security Responsibility is another vital administrative standard. Its purpose is to create a final liability point. Therefore, Assigned Security Responsibility holds an individual responsible for ensuring the administrative standard.

Workforce Security 

The third administrative standard covered entities need to consider is Workforce Security. It is put in place to ensure that the workforce members get reasonable access to ePHI. Hence, the ePHI access should be sufficient for the workforce to complete their work responsibilities.

The covered entities also need to specify who is responsible for setting the authorization levels. Furthermore, they need to set up a termination process for restricting access to ePHI once the work no longer requires the data.  

Information Access Management

The fourth administrative standard is related to the information access of covered entities. As we saw in the HIPAA Privacy Rule for regular PHI, a minimum necessary rule applies for ePHI. It ensures that the ePHI data remains protected unless it needs to be disclosed for whatever reason.

The minimum necessary ePHI rule helps covered entities minimize the risk of inappropriate or unauthorized ePHI disclosure. Furthermore, it also safeguards ePHI from alteration and protects its integrity, which ultimately helps you achieve HIPAA compliance.

Periodic Training And Security Awareness 

Many of the covered entities under HIPAA regulation update their policies and procedures regularly. Hence, proper and regular training is required to keep up with the tasks without compromising the ePHI.

Furthermore, covered entities must also account for newly implemented software and new amendments to the HIPAA Security Rule. Missing even one of these updates can be fatal to data security.

Security Incident Procedures

Security Incident Procedures are an administrative standard requiring the covered entities to address all their security issues. In other words, each security incident the covered entity encounters must never go ignored, and the entity has to address the same.

Even with the best security solutions, it is impossible to create a system that does not have a single security incident. However, that does not mean that the covered entity can ignore a security incident, hoping to have a safe margin of error. 

Even a minor error or security incident must be addressed without any delay. Examine the security incidents you encounter and try to find their root cause. Doing so will help you identify and resolve potential security risks.

Contingency Plan

The contingency plan is a standard that helps covered entities develop a retrieval strategy for the ePHI. It is an administrative standard vital for organizations to maintain their HIPAA compliance.

Without this standard, covered entities cannot form an effective strategy for retrieving ePHI. The covered entities must have a contingency plan for emergencies or severe operational disruptions.

Evaluation 

The Evaluation standard is an administrative safeguard for ensuring that the covered entities regularly review their safeguards. By continually reviewing safeguards, covered entities can maintain a desired level of safeguards. As a result, it helps companies stay HIPAA compliant.

Business Associate Contracts and Other Arrangements

Business Associate Contracts And Other Arrangements is the final administrative standard. A bulk of the HIPAA Security Rule comprises Business Associate contracts and similar arrangements. These contracts or agreements govern the relationship covered entities have with Business Associates.

It ensures that the persons or businesses that a covered entity forms ties with meet the definition of Business Associate. Furthermore, the contract guarantees that the Business Associate will safeguard the ePHI data from the covered entity.

Hence, covered entities must ensure that their Business Associates are HIPAA compliant before drawing up a contract. Always opt for HIPAA compliant Business Associates like PostGrid, which offers specialized HIPAA compliant services for healthcare organizations, insurance providers, and more.

What Are The Physical Safeguards Required For HIPAA Compliance? 

The HIPAA Security rule also comes with a physical safeguard component. As the name suggests, the physical safeguard component protects the ePHI with physical security. Like the other safeguards in the HIPAA Security Rule, the physical safeguard is also necessary for HIPAA compliance.

Hence, HIPAA Security Rule requires covered entities to conduct an in-depth analysis of their existing security posture, documentation, and potential risks. In other words, physical safeguards are any policies, procedures, and physical obstacles that protect a covered entity’s ePHI.

Following are the essential physical safeguards a covered entity needs to cover.

Facility Access Controls

Facility Access Control is the first standard in physical safeguards for the HIPAA Security Rule. The policies and procedures created under this safeguard ensure only authorized personnel can physically access ePHI data.

Furthermore, these policies should also address the procedures for identifying individual workforce members/Business Associates. This identification must be possible through their job function or title. The standard also dictates that the concerned entities establish protocols for physical ePHI Access.

Hence, the established protocols should specify who can physically access areas where the covered entities hold their ePHI. It should also specify the circumstances when this physical access is permissible.

Workstation Use

According to the Workstation Use standard, covered entities must establish security protocols and procedures for accessing workstations. Additionally, these established protocols and procedures also govern the workstation environment. 

Workstations are often weak points for storing and processing ePHI data. There is a significant threat of unauthorized ePHI disclosure at workstations. Individuals who access a network from a workstation risk virus attacks, data hijacking, and confidentiality breaches.

Additionally, this standard is not confined to a facility or on-premise workstations. Even the workforce members of covered entities and Business Associates that work remotely have to align with this standard.

Workstation Security

We saw that the Workstation Use standard ensures the appropriate implementation of policies and procedures. Workstation Security, on the other hand, is a standard that dictates how covered entities need to protect workstations from unauthorized physical access.

For example, workstations that hold ePHI can be placed in secured rooms behind locked doors. Such a setup, or similar workstation security for physical access to ePHI data, can help ensure HIPAA compliance for the entity.

Device and Media Controls

As you can guess from the name, “Device and Media” control is a standard that deals with the transfer of electronic and hardware media. Of course, the media is only relevant if it contains ePHI data. It governs the policies and procedures for handling such devices and media, including:

  • Tracking
  • Identifying
  • Disposing
  • Reusing

It applies to all hardware and electronic media, including hard drives, magnetic tapes, optical disks, digital memory cards, and more.

Covered entities must put physical measures and policies in place as safeguards against potential risks. In short, the physical safeguards should protect the ePHI from unauthorized access by individuals and from environmental hazards.

What Are The Technical Safeguards Required For HIPAA Compliance?

The technology used in day-to-day operations keeps on changing and evolving. Hence creating policies and procedures concerning technology is becoming more and more complex every day. The third part of the HIPAA Security Rule tries to make HIPAA compliance technology-neutral.

Advancement in technology makes it easier for the healthcare workforce to access and use ePHI conveniently. But on the other hand, it also raises the risk associated with accessing and sharing ePHI data. Hence, HIPAA compliant entities need to ensure that they put up technical safeguards to protect the ePHI data.

One of the best things about the HIPAA Security Rule is that it is designed to be flexible to accommodate a new technology implementation. Hence, the HIPAA Security Rule does not dictate the specific technologies covered entities need to use as safeguards. 

It is not practical to specify a particular technology as a safeguard because it may become obsolete soon. Therefore, the better option here is to ensure that the procedures and policies surrounding technical safeguards stick to certain core principles.

Access Control

Access Control is the first standard covered entities need to consider under Technical Safeguards. This first technical standard sets a precedent for the covered entities on what kind of access controls they should use.

However, a covered entity can use an extensive range of access control methods and technical controls. The HIPAA Security Rule does not specify which methods the covered entity needs to use. 

According to the Security Rule, it is only mandated that the covered entity implement the necessary policies and procedures. 

Audit Controls

Most of the data centers in the market today provide their users with a minimum level of audit control, such as audit reports. According to HIPAA compliance requirements, covered entities must keep records of information system activity. Individuals or organizations will then use these records to identify potential security violations.

As mentioned before, the HIPAA Security Rule tries to remain technology-neutral. Hence, it does not mandate the covered entities to review specific data or dictate the frequency of review. Furthermore, each covered entity has unique circumstances and data they handle. 

Hence, the covered entity needs only to maintain a reasonable level of auditing controls over their information system. And this is only applicable for the systems that hold ePHI.
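As an added example (not PostGrid’s code and not part of the original article), here is a small review of ePHI access audit records of the kind the Audit Controls standard and the earlier Information System Activity Review standard call for. It reads a constructed, embedded audit log and flags three things a reviewer would want surfaced: an action a role is not permitted to perform (the minimum necessary principle), access outside assumed business hours, and one user touching an unusually large number of patient records in a day. The log format, the role permission matrix, the business hours and the bulk threshold are all assumptions for illustration; a real entity sets them from its own policies.

```python
"""Constructed example (not PostGrid's code): review ePHI access audit
records and surface activity that warrants a closer look."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records: timestamp, user, role, patient id, action.
SAMPLE_LOG = """\
2022-03-01T09:12:04 nurse_a nurse P1001 view
2022-03-01T09:40:11 nurse_a nurse P1002 view
2022-03-01T10:05:30 billing_b billing P1001 view_billing
2022-03-01T10:07:02 billing_b billing P1001 view_clinical
2022-03-01T23:15:44 clerk_c clerk P1003 export
2022-03-01T13:00:00 nurse_d nurse P2001 view
2022-03-01T13:00:10 nurse_d nurse P2002 view
2022-03-01T13:00:20 nurse_d nurse P2003 view
2022-03-01T13:00:30 nurse_d nurse P2004 view
2022-03-01T13:00:40 nurse_d nurse P2005 view
2022-03-01T13:00:50 nurse_d nurse P2006 view
"""

# Hypothetical minimum-necessary matrix: the actions each role may perform.
ROLE_PERMISSIONS = {
    "nurse": {"view"},
    "billing": {"view_billing"},
    "clerk": {"view"},
}
BUSINESS_HOURS = range(7, 20)   # 07:00 to 19:59, an assumed policy
BULK_THRESHOLD = 5              # distinct patients per user per day, assumed


def parse_log(text):
    """Parse the whitespace-separated audit format used above into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "role": role, "patient": patient, "action": action,
        })
    return records


def review_activity(records):
    """Return a list of (finding_kind, user, subject, detail) tuples."""
    findings = []
    per_user_day = defaultdict(set)
    for r in records:
        allowed = ROLE_PERMISSIONS.get(r["role"], set())
        if r["action"] not in allowed:
            findings.append(("role_violation", r["user"], r["patient"], r["action"]))
        if r["ts"].hour not in BUSINESS_HOURS:
            findings.append(("after_hours", r["user"], r["patient"], r["action"]))
        per_user_day[(r["user"], r["ts"].date())].add(r["patient"])
    # Bulk access is judged per user per calendar day after the pass above.
    for (user, day), patients in per_user_day.items():
        if len(patients) >= BULK_THRESHOLD:
            findings.append(("bulk_access", user, str(day), f"{len(patients)} patients"))
    return findings


if __name__ == "__main__":
    for finding in review_activity(parse_log(SAMPLE_LOG)):
        print(*finding)
```

On the sample log this reports the billing user opening clinical data, the clerk exporting a record late at night (two findings: role and time), and nurse_d reading six patients in under a minute. None of these is proof of a violation; the point of the standard is that someone looks at them.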

Integrity 

The integrity standard is a technical safeguard that governs alteration of ePHI. As you can guess, any unauthorized alteration of ePHI, or even its destruction, can lead to security breaches. It can even degrade the quality of clinical care.

The integrity of ePHI is crucial, and any accidental alteration or destruction of it is a serious problem. Hence, the Integrity Standard requires covered entities to implement procedures and policies for ensuring the integrity of ePHI. These safeguards must protect ePHI from both human and electronic tampering.

Person or Entity Authentication

According to this technical standard, covered entities are responsible for verifying the identity of individuals accessing ePHI. The standard requires entities to ensure that an individual accessing ePHI is in fact the person authorized to access that sensitive data.

There are several ways to verify the identity of a person accessing ePHI. Some of the methods you can consider for authenticating proof of identity are as follows:

  • Ask for security information such as a password or PIN.
  • Assign a smart card, token, or key for accessing ePHI.
  • Implement biometric authentication (Fingerprint, iris pattern, etc.)
  • Implement two-factor authentication.

Transmission Security

Another important aspect of the technical safeguards under the HIPAA Security Rule is the Transmission Security standard. According to this standard, covered entities must review all their existing methods for transmitting ePHI.

After the review, the covered entities must ensure sufficient technical safeguards for their data delivery methods. It is the responsibility of the covered entities to ensure the safety of the data during transmission.

HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule is the third rule covered entities need to follow for HIPAA compliance. One of the first things the HIPAA Breach Notification Rule does is differentiate between a data breach and a HIPAA violation.

More importantly, the rule specifies the necessary actions a covered entity or Business Associate must take if they encounter a data breach. Furthermore, there are different types of breaches as far as the HIPAA Breach Notification Rule is concerned.

Following are the types of breaches associated with HIPAA compliance.

Minor Breach 

The HIPAA Breach Notification Rule considers a minor breach to be an event that affects no more than 500 individuals. Furthermore, all the individuals must be within the same jurisdiction.

As per the HIPAA Breach Notification Rule, organizations are mandated to document every breach that occurs during the year. The covered entity must report it to the Health and Human Services (HHS) Office for Civil Rights (OCR). Furthermore, the rule requires the covered entity to notify the individuals affected by the breach.

Individual Notice

Covered entities are mandated to send the breach notification to the affected individuals within 60 days of breach detection. HIPAA compliance is very stringent about these breaches and the timelines covered entities need to follow. Hence, it is best to report and notify breaches within the specified time.

Ultimately, the responsibility for serving the breach notification to the individuals lies with the covered entity. However, it can delegate this task to a Business Associate such as PostGrid. Using a direct mail solution like PostGrid helps covered entities send the breach notification to individuals accurately.

Notice To The Secretary

This notice is served to the Secretary for breaches of unsecured protected health information. Suppose all of an organization’s HIPAA breaches are minor ones (below 500 individuals). In that case, the covered entity need only submit an annual report.

However, the notification is due to the Secretary no more than 60 days after the end of the calendar year.

Meaningful Breach

According to the HIPAA Breach Notification Rule, a meaningful breach is a breach affecting more than 500 individuals. As with a minor breach, all individuals affected by the breach must be within the same jurisdiction.

As you can guess, this type of breach is much more severe than a minor breach. In the case of minor breaches, the covered entity reports all the breaches once a year. When it comes to meaningful breaches, the covered entity must report them within 60 days of breach detection.

Media Notice

In the event of a breach affecting more than 500 individuals, the covered entity is required to provide a media notice. Covered entities must inform the prominent news outlets in the state or jurisdiction about the breach. 

Usually, the notification for media outlets or news channels is served in a press release. Similar to the individual notice, the media notification must also happen within 60 days after the breach detection.

Notice To The Secretary

Covered entities must notify the Secretary of every breach of unsecured PHI or ePHI. The report or notification is mandatory regardless of how big or small the breach is.

While we saw that organizations can notify the Secretary of minor breaches annually, the same is not possible for more significant breaches. The notification must be sent to the Secretary within 60 days of detecting the breach.

Notification By Business Associates

It is also possible that the breach of PHI occurs while the data is in a Business Associate’s hands. In that case, the HIPAA-compliant Business Associate must notify the covered entity after detecting the breach.

Here, too, the Business Associate has 60 days to notify the covered entity of the breach. For example, let’s say a HIPAA-compliant Business Associate like PostGrid encounters a breach of PHI or ePHI. In this case, PostGrid has 60 days to notify its client, the covered entity.

Furthermore, a reliable Business Associate like PostGrid will also provide other details of the breach to its clients. Details such as the identity of each individual affected by the breach and other available information are passed to the covered entity.

PostGrid provides specialized HIPAA compliant direct mail service for the healthcare industry. Learn more about how PostGrid can help your healthcare business here.

HIPAA Final Omnibus Rule

The HIPAA Final Omnibus Rule is relatively new among the HIPAA compliance rules and regulations. It first came into effect back in 2013. The primary focus of the rule is on privacy regulations and their changes.

However, that is not all the HIPAA Final Omnibus Rule deals with. It also made significant changes to the following aspects:

  • Breach Notification Requirements
  • Business Associate Liabilities
  • Business Associate Agreements

According to the HIPAA Final Omnibus Rule, any inappropriate disclosure of PHI is a breach. Hence, such a situation automatically triggers the notification requirements for the covered entity. The only way covered entities can avoid sending such notifications is to conduct a risk assessment showing that a breach did not occur.

Additional Changes Made By Final Omnibus Rule

The HIPAA Final Omnibus Rule brought in more regulations for protecting patients’ personal information. As a result, the HHS OCR (Office for Civil Rights) has more power, such as enforcing compliance with HIPAA rules and levying fines.

Furthermore, the Omnibus Rule also changed the Genetic Information Nondiscrimination Act. As per the new rule, even genetic information is classified as PHI, or Protected Health Information. The rule also imposes certain restrictions, such as preventing health plans from accessing genetic information.

Following are the other significant changes made by the HIPAA Final Omnibus Rule.

  • It gives more power to the patients, such as the right to receive copies of their health care records in electronic format if available.
  • The Omnibus Rule broadens the definition of Business Associates to include all organizations that interact with PHI on behalf of covered entities.
  • It extended the Privacy and Security Rule compliance obligations to Business Associates and their subcontractors.
  • It brought new or additional limitations on how covered entities can use PHI for marketing and fundraising purposes.
  • The HIPAA Final Omnibus Rule prohibits selling patients’ PHI without their explicit consent.
  • Under the Omnibus Rule, the covered entities must modify and redistribute individual notices regarding privacy practices.

What Happens When You Violate HIPAA Regulations?

As per the Breach Notification Rule, healthcare providers have to report if PHI is compromised in any way. Whether it is stolen, altered, or compromised in any other way, the relevant parties must be notified.

Suppose the PHI of a large number of individuals is compromised. In that case, the covered entities have even more responsibility. Apart from notifying the individuals and the HHS Secretary, the covered entity must inform the media.

More importantly, all this must happen within the specified time frame prescribed for HIPAA compliance. But what happens when a covered entity or Business Associate violates the extensive list of HIPAA rules and regulations?

HIPAA Regulations and Fine Per Incident

According to the HIPAA Enforcement Rule, there are four levels of HIPAA violations. The minimum fine per incident varies for each level. The following list will help you better understand the severity of HIPAA violations and their cost.

  • Level 1 ($100 to $50,000 per incident): The entity is unaware of the violation until an external agency makes them aware of it.
  • Level 2 ($1,000 to $50,000 per incident): The entity was aware of the violation but had “reasonable cause,” meaning the violation was caused by an ordinary person’s unavoidable action or response.
  • Level 3 ($10,000 to $50,000 per incident): The entity willfully neglected the violation but rectified its intentional avoidance within 30 days.
  • Level 4 ($50,000 per incident): The entity willfully neglected the violation and did not mitigate the issue within 30 days.

How Can Individuals and Organizations Become HIPAA Compliant?

Regardless of how many advanced solutions they have, organizations that use PHI still need to pass HIPAA scrutiny. A HIPAA checklist is one of the best places for individuals and organizations to start their HIPAA compliance journey.

What is so great about these checklists is that they are available for public access, free of cost. You can either use the checklist from the HHS or opt for any other reliable one online. Although a checklist can make things a lot easier, it does not mean that there won’t be any challenges ahead.

As you may have noticed, covered entities and Business Associates have to satisfy numerous rules and regulations to become HIPAA compliant. We have already discussed all the major HIPAA rules and regulations above and their ramifications. 

Some of the significant aspects that an individual or organization needs to address for ensuring HIPAA compliance are listed below.

Self-Audits

According to the HIPAA regulations, both covered entities and Business Associates must undergo a yearly audit. The purpose of the audit is to assess an organization’s PHI policies and procedures. It checks whether these policies and procedures comply with the HIPAA Privacy and Security standards.

Remediation Plans

Covered entities can start thinking about remedial actions after the self-audits reveal HIPAA compliance issues. The remediation plan must correct any HIPAA violations within the organization. Furthermore, the remediation plan should be documented carefully and include milestone dates by which you expect to resolve the HIPAA violations.

Policies and Procedures

You will have read the term “policies and procedures” numerous times throughout this article. It is an essential item that covered entities and Business Associates need to address to ensure HIPAA compliance. Hence, all organizations need to ensure that their policies and procedures are aligned with the HIPAA regulatory standards.

Furthermore, entities must make sure that they regularly update their procedures and policies. Regular updates help organizations implement new technology and bring in further changes. An organization must also ensure that its staff is well informed of updates to company policies and procedures.

Documentation

To maintain their HIPAA compliance, covered entities and Business Associates must document their efforts to become HIPAA compliant. It will help you establish to the relevant authorities that your organization has made earnest efforts to ensure HIPAA compliance. Furthermore, the documentation can be beneficial in the event of an OCR audit.

Business Associate Management

Effectively managing the Business Associates is another prerequisite for HIPAA-compliant entities. Hence, organizations must keep well-maintained documentation of all Business Associate Agreements they make. 

In addition to this, organizations must also review the agreements annually. The review will help organizations align their Business Associates to the current operating environment of the organization.

Incident Management

Last but not least, covered entities and Business Associates must equip themselves with an established and documented protocol for breaches. It must outline the steps to follow after detecting a PHI leak and explain how to remediate the issue.

Furthermore, covered entities must ensure that the individuals whose PHI has been compromised are notified. One way to do this is by employing an automated direct mail solution like PostGrid. As PostGrid is already HIPAA-compliant, it can be the perfect Business Associate for communication with patients.

Want to learn how you can use automation in health care operations? Read our previous blog, “Automation in Healthcare Operations,” to find out!

How to Ensure Your Staff Is HIPAA Compliant

There are several practices that an organization can employ to ensure that its staff is HIPAA compliant. Some of the most effective practices are listed below.

Up-To-Date Training Programs

One of the best ways to ensure that an organization’s staff is HIPAA compliant is to provide them with up-to-date training programs. The training programs must teach the proper handling of PHI to employees whose duties include health plan administrative functions.

Never Share Sensitive PHI 

Ensure your employees know how sensitive PHI is and the repercussions of sharing it with unauthorized personnel. Covered entities must also ensure that their staff understands they cannot share PHI with any unauthorized person or entity. It doesn’t matter whether it is a coworker or a long-time friend; PHI must always remain confidential.

Minimize The Access to Patient Records

Covered entities need to ensure that patients’ records are only disclosed when necessary. Hence, covered entities must limit PHI disclosure to the entity’s work-related purposes or to cases where the patient has given written permission.

Secure All Paperwork Containing PHI    

Covered entities must ensure that any paperwork containing PHI data is securely stored when it is not in use. Furthermore, covered entities must make sure that they never leave PHI-related documents and records unattended.

Close Computer Programs Containing PHI 

Organizations must tell their staff to close any computer programs containing PHI or ePHI when they are not in use. The organization can also consider implementing Practice Management Systems that automatically log out users when idle.

HIPAA Checklist

Now that we have told you everything you need to know about HIPAA Compliance, we will provide you with a holistic HIPAA Checklist. The HIPAA compliance checklist will give you a quick overview of what you need to do to become HIPAA compliant.

Administrative Checklist

  • Detect potential gaps in administrative operation by conducting an ongoing risk assessment.
  • Ensure that you have an adequate PHI security set in place by conducting risk management.
  • Conduct staff training sessions to teach them ePHI access protocols and reduce the chances of cyber-intrusion.
  • Develop contingency plans so that your business operations are not compromised or delayed.
  • Regularly test the effectiveness of your contingency plans and optimize them.
  • Make sure to create and sign Business Associate Agreements with any vendors/Business Associates that can access your ePHI.
  • Ensure that you record every breach of PHI or ePHI data even if the attempt is unsuccessful.

Physical Checklist

  • Build a monitoring system and control access to areas where the PHI or ePHI data is stored.
  • Create a written policy that deals with the workstation habits for preventing accidental PHI disclosure.
  • Design policies for governing the storage and transfer of mobile devices that, at any point, contain ePHI data.

Technical Checklist

  • Ensure that you encrypt all transmitted ePHI to meet the NIST cryptographic standards.
  • Provide authorized personnel access to PIN codes, keycards, and passwords for securely accessing ePHI.
  • Regularly verify the authenticity of ePHI to protect its integrity.
  • Protect any device (remote or local) that has access to ePHI with encryption.
  • Continuously monitor the logs of ePHI access attempts to find any unauthorized attempts.
  • Implement auto-logoff systems to secure workstations as soon as authorized personnel leave them idle.

HIPAA Privacy Rule Checklist

  • Always ensure that you respond to patient access requests within 30 days. 
  • Ensure that your patients and subscribers are informed about your data sharing policies via the Notice of Privacy Practices (NPP) form.
  • Make sure you receive permission from patients before using their PHI for purposes such as marketing, research, and fundraising.
  • Conduct privacy training programs for the workforce to help them understand the HIPAA Privacy Rule.
  • Ensure your documentation accounts for situations such as ePHI disclosure to health plans. Furthermore, you should also ensure that the patient has the right to their electronic records.

HIPAA Breach Notification Rule Checklist

  • Ensure that you understand the distinction between a minor breach and a meaningful breach.
  • Learn the required measures a covered entity must take once a breach occurs, depending on whether it is a minor or meaningful one.
  • Ensure the breach notification includes all the necessary details, starting with a description of the ePHI involved.
  • Include the identity of the intruder. An intruder is any person or organization who accesses ePHI without authorization.
  • Include the degree of corruption of the ePHI.
  • Include information on the effectiveness of the safeguards in protecting ePHI.

HIPAA Final Omnibus Rule Checklist

  • Make sure to update your Business Associate Agreements to house the amendments made by the Omnibus Rule.
  • Ensure that you obtain the newly signed copies of BAAs that contain the Omnibus information.
  • The privacy policies of a covered entity must be modified or updated to include the Omnibus changes.
  • To address the changes to authorizations and the right to privacy, you must update your NPPs.

The checklist gives you a broad idea of the operations, procedures, and policies you need to implement for ensuring HIPAA compliance. However, it is impossible to cover all the finer details and exceptions in this HIPAA Checklist. Hence, covered entities should do their research to become HIPAA compliant.

Conclusion

HIPAA compliance is complex and often comes with many exceptions based on numerous factors. Covered entities and their Business Associates have to comply with all the HIPAA rules and regulations to become HIPAA compliant.

However, the three main rules for organizations to become HIPAA compliant are

  • HIPAA Privacy Rule
  • HIPAA Security Rule
  • HIPAA Breach Notification Rule

Additionally, covered entities must also familiarize themselves with the HIPAA Final Omnibus Rule. HIPAA has so many rules, regulations, and exceptions associated with it. Hence, it may become difficult to keep track of HIPAA regulations. A HIPAA checklist is an easy way to get a broad understanding of HIPAA compliance.

Additionally, covered entities also need to ensure that their Business Associates are also HIPAA compliant to ensure the safety of PHI or ePHI. Health care organizations, including hospitals, clinics, and more, can streamline their communications with a service provider like PostGrid.

PostGrid is a perfect example of what an ideal Business Associate should be. The HIPAA-compliant direct mail provider automates even complex and bulk printing and mailing of patient statements. As a HIPAA-compliant Business Associate, it ensures the safety of your PHI and ePHI.

Want to learn more about how you can use automated printing and mailing services for sending patient statements? Read our blog “Patient Statements: Automated Printing and Mailing Services.”

Furthermore, it uses an automated system for printing and mailing every PHI-related document. Hence, covered entities do not have to constantly worry about their HIPAA compliance when engaged with a Business Associate like PostGrid.
