Here, we address some of the most frequently asked questions about HIPAA compliance.
Who has to comply with HIPAA?
HIPAA defines covered entities (CEs) as the organisations that are required to comply with its laws. These include healthcare providers, health plans, and clearinghouses. Healthcare providers include doctors, hospitals, caregivers, dentists, and other associated organisations.
If a third-party provides a service to a CE which results in them coming into contact with PHI, they are called a ‘business associate’ (BA). Although these BAs may not create, receive, maintain or transmit PHI, they must comply with HIPAA’s Rules and ensure adequate safeguards are in place to protect patient data.
What is Protected Health Information (PHI)?
PHI is any information which could be used to identify a patient associated with a particular healthcare record. The eighteen so-called ‘personal identifiers’, which may be used to connect an individual to healthcare data, include:
- Names or part of names
- Geographical identifiers
- Phone numbers
- Email addresses
- Medical record numbers
- Account numbers
- Vehicle license plate numbers
- Web URLs
- Fingerprints, retinal and voice prints
- Full face or any comparable photographic images
- IP addresses
- Device identifiers and serial numbers
- Certificate or license numbers
- Health insurance beneficiary numbers
- Social Security numbers
- Fax numbers
- Dates directly related to an individual
- Any other unique identifying characteristic
What are the HIPAA Rules?
The Rules address specific security requirements, such as the safeguards that should be implemented or response frameworks that should be in place if a data breach were to occur.
Privacy Rule – defines PHI and informs CEs and BAs of their responsibilities to protect patient data. The Minimum Necessary Rule is also part of the Privacy Rule, and stipulates that should PHI be handed over to a third party, only the minimum amount of data necessary to complete the specific task should be handed over.
Security Rule – outlines the minimum physical, technical, and administrative safeguards needed to protect electronic PHI.
Breach Notification Rule – outlines procedures that must be followed in the aftermath of a breach to ensure that the risk of damage to patients is minimal. Employees must be informed of how and when to notify the OCR and the media.
Enforcement Rule – contains guidance on the fines and penalties that may be levied against a CE should a data breach occur. (OCR and Department of Health and Human Services can alter punishments at their discretion.)
Omnibus Rule – covers a wide range of privacy-related areas, from the length of time a patient’s records can be held to the encryption requirements of PHI.
Does HIPAA require data to be encrypted?
In general, HIPAA deliberately does not mention any specific technologies so that its legislation is flexible enough to encompass new technological advances. However, the Security Rule does mention data encryption as an addressable specification. HIPAA-covered entities must consider using encryption, but it is not mandatory for ePHI to be encrypted at rest or in transit. If an organisation chooses not to use encryption, it should document this decision and explain why an alternative safeguard was used instead.
What are the penalties for HIPAA non-compliance?
The US Department of Justice may levy a fine of up to $250,000 for violations, or up to 10 years of imprisonment, for knowing abuse or misuse of PHI. The Department of Health and Human Services’ Office for Civil Rights can issue civil monetary penalties of up to $50,000 per violation with an annual maximum of $1.5 million.
OCR considers a wide range of factors when determining the appropriate penalty, including the length of time over which the violation occurred, the number of people affected, the nature of the data exposed, the financial means of the organisation, and how much damage the breach had done. OCR also considers the organisation’s willingness to assist with the investigation.