Medical Billing

What Is HIPAA? Understanding Compliance, Rules, and Regulations

In order to run a successful healthcare practice, you need to ensure you meet the necessary HIPAA compliance standards. While HIPAA compliance may seem complicated, it’s essentially just keeping people’s sensitive healthcare data private through the proper protocols. Below outlines the importance of HIPAA compliance, how to confirm your healthcare practice meets HIPAA compliance standards and other valuable information on the topic of HIPAA compliance.

What is HIPAA?

In a nutshell, HIPAA is a federal law that sets standards in the United States healthcare industry to protect sensitive patient data. This is a national standard that protects sensitive patient data from being disclosed without the patient’s knowledge or consent.

What does HIPAA stand for?

doctor taking records according to HIPAA laws

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996 [1]. The act’s focus has shifted over time to the data privacy focus we know it as today. Originally, Congress passed this act for two reasons. First, to give employees health insurance coverage when they shifted jobs. And second, to create standards around how to digitize medical data records. Over time, in digitizing large amounts of health records, laws around data protections became a must.

HIPAA has several components, which we’ll examine below in this guide.

What is the primary purpose of HIPAA?

Today, the primary purpose of HIPAA is to determine and regulate the disclosure of protected health information. We mostly associate it with its Privacy Rule, but its regulations have many other functions. These include standardizing medical records, ensuring continuous coverage for employees, preventing health care fraud, and defining employee medical savings accounts.

Who enforces HIPAA?

The Office for Civil Rights (OCR) enforces HIPAA compliance by investigating violations. Meanwhile, the Department of Health and Human Services (HHS) regulates the law.

What information is protected under HIPAA law?

HIPAA law protects any demographic information that individuals could use to identify someone who is covered under it. For example, this protected health information (PHI) can include a patient’s:

  • Name
  • Phone number
  • Address
  • Social Security number
  • Medical records
  • Financial information
  • Facial photos

Why is HIPAA often misunderstood?

Many people have heard of HIPAA and have a general idea of what it is. Yet, the exact coverage of it is often misunderstood (as well as how to spell it: “HIPAA” not “HIPPA”). Namely, people assume the law extends protection to everyone in all settings about any and all health data. In reality, HIPAA has specific bounds that are important to understand.

The 5 Main Components of HIPAA

While there are many details to regulations [2], it has five main rules that are important to know.

  1. Privacy Rule. Firstly, the most well-known of the rules is the Privacy Rule. This rule protects patient PHI and medical records through limitations on disclosures. In addition, the rule grants patients the right to access their records.
  2. Security Rule. This rule regulates procedures related to ePHI protection. It includes three levels of safeguards: administrative, technical, and physical. Additionally, risk management protocols for this data fall under the Security Rule.
  3. Transactions Rule. This rule covers the CPT codes used in transactions. As a result, the proper use of these codes ensures the accuracy and safety of medical records.
  4. Identifiers Rule. This rule establishes three identifiers for entities who use HIPAA-regulated transactions. These identifies are: National Provider Identifier (NPI), National Health Plan Identifier (NHI), and the Standard Unique Employer Identifier.
  5. Enforcement Rule. Lastly, this rule provides standards for violations that happened on or after the HIPAA compliance date. This date is February 18th, 2015.

What is HIPAA Compliance?

Due to the number of regulations that affect each other, you can think of HIPAA compliance as more of a culture of practices that parties must put in place. These practices are key to protecting the privacy and integrity of patients’ data. Thus, an office culture of HIPAA compliance follows regulations by certain standards that influence your practice on a daily basis. Said office culture features HIPAA compliance within its entire healthcare payment processing system, including revenue cycle management and payment posting systems.

Why is HIPAA compliance important?

HIPAA compliance is important because it ensures patient data is adequately protected. It also prevents health care risk and fraud. Furthermore, HIPAA compliance helps preserve an organization’s integrity and reputation, as well as avoid serious fines and even criminal penalties.

What are the requirements for HIPAA compliance?

HIPAA compliance means following a body of federal standards. You can do so by implementing proactive processes and responding effectively to HIPAA compliance gaps. Let’s explore what you will need to implement to be HIPAA compliant.

  • Procedures, Policies, and Staff Training. All parties that fall under jurisdiction must develop policies and procedures to ensure HIPAA compliance. Naturally, parties must update these practices in response to changes in guidelines. Additionally, parties must hold annual staff trainings on the organization’s policies and procedures. These annual trainings must be documented.
  • Documentation. It’s critical to document all efforts taken to follow HIPAA. Why? In any investigation with HHS OCR, you will need to provide proof of documentation in order to pass the audit.
  • Incident Management. In the case of an incident like a data breach, beholden entitities must document the details. Importantly, you must also notify patients under the Breach Notification Rule.
  • Self-Audits. Under the law, organizations must complete annual audits of their organizations to assess areas of improvement. In these audits, you must assess gaps related to privacy and security in three categories: physical, technical, and administrative. A common misconception is that a provider can check this box with their annual Security Risk Assessment. However, this is only one required audit and not enough by itself to be HIPAA compliant.
  • Violation Remediation Plan. Finally, after you identify HIPAA compliance gaps in a self-audit, you must create a remediation plan. This plan must prevent and reverse any violations. Additionally, it requires that providers document the details of these plans. In this documentation, you must include dates by which changes will be completed.

Seven elements of an effective HIPAA Compliance Program

To summarize what you need to do to be HIPAA compliant, the HHS Office of Inspector General created a list of seven fundamental elements that characterize an effective compliance program [7]. The seven elements are as follows:

  1. Implementing written policies, procedures, and standards of conduct.
  2. Designating a HIPAA compliance officer and HIPAA compliance committee.
  3. Conducting effective training and education.
  4. Developing effective lines of communication.
  5. Conducting internal monitoring and auditing.
  6. Enforcing standards through well-publicized disciplinary guidelines.
  7. Responding promptly to detected offenses and undertaking corrective action.

Who needs to be HIPAA compliant?

There are two groups that must be HIPAA compliant under the current regulation.

  1. Covered Entities. These entities fall into three main categories: health care providers, health insurance companies, and health care clearinghouses that process medical data. Health care providers and insurers include these groups:
    • Healthcare providers
      • Doctors
      • Psychologists
      • Dentists
      • Chiropractors
      • Clinics
      • Nuring homes
      • Pharmacies
      • Health plan
    • Health insurance companies
      • Government health care plans
      • Company health plans
      • HMOs
  2. Business Associates. This category refers to any parties that work with covered entities. For example, business associates will include contractors who handle medical records in their work on behalf of the above entities.

By falling under the jurisdiction, covered entities and business associates must follow established protocols to secure PHI.

How to Become HIPAA Compliant

doctor showing patient test results according to HIPAA law

To ensure HIPAA compliance, you can take a number of concrete steps within your organization. First, providers can limit client communication to HIPAA-compliant portals. Secure channels like this can provide patients with access to their medical records as well. This can help you avoid a common source of complaints. Additionally, you can implement processes to verify your patient’s identity before discussing any health information. You can also enlist the help of an expert to look over your policies to ensure you’re HIPAA compliant.

HIPAA Rules and Regulations

Several different rules make up the overall regulation, which has changed over time. After HIPAA was enacted in 1996, these rules were passed and became law. The last major update was in 2013 [3] though another overhaul may be on the way.

Let’s dive into the specifics of some of the most important rules.

HIPAA privacy rule

Firstly, it’s important to understand the Privacy Rule and what it does. Simply put, the Privacy Rule sets U.S. standards for a patient’s rights to PHI.

So what are some of the standards this rule outlines?

  • A patient’s right to access PHI
  • A health care provider’s right to deny access to PHI
  • The contents of Use and Disclosure release forms and Notices of Privacy Practices

Does the HIPAA privacy rule affect me?

This rule only applies to covered entities, like healthcare providers, and not business associates. Thus, if you are an associate of a covered entity, you do not need to worry about this rule. If you are a covered entity, you will need to ensure you remain in HIPAA compliance. To do so, covered entities must document regulatory standards in their Policies and Procedures. Additionally, you must document proof of annual employee training on these policies and procedures.

HIPAA security rule

Next, there’s the Security Rule. This rule establishes national standards for electronic protected health information or ePHI. Subsequently, it covers the handling, transmission, and maintenance of ePHI. This includes administrative and physical safeguards.

To whom does the Security Rule apply? Since ePHI sharing affects both, this rule covers covered entities and business associates. Thus, all parties listed above will need to be aware of this rule.

To maintain HIPAA compliance, all healthcare organizations must document the details of the regulation in their Policies and Procedures. Like the Privacy Rule, you must also document proof of annual related employee training.

HIPAA omnibus rule

Lastly, the Omnibus Rule is a key rule to understand and follow. An addendum to regulation, it applies HIPAA to business associates as well as covered entities.

What does this Omnibus Rule do? In general, it has two main parts. First, it mandates HIPAA compliance from business associates. Second, it establishes the rules regarding Business Associate Agreements (BAA). BAAs are contracts between parties that must be completed before any information is shared. This includes both PHI and ePHI. These agreements must be established between any combination of a business associate and a covered entity. Thus, all parties must take care to heed this rule.

What are HIPAA Violations?

To prevent violations, it’s imperative to understand what they are and how they happen. By definition, violations refer to any HIPAA compliance breaches that compromise the integrity of ePHI or PHI. Most often, violations stem from internal actions rather than outside hacks.

Note that violations are not the same thing as data breaches. Data breaches only become violations when the breach occurs due to the failures of a HIPAA compliance program.

Common violations

Unfortunately, violations can be common. It’s all too easy to improperly reveal patient data by misplacing a paper file or making a social media post. These common violations often fall into these five categories:

  1. Access controls
  2. Use and disclosure
  3. Unsuitable security safeguards
  4. Notice of Privacy Practices
  5. The Minimum Necessary Rule

Here are some examples of common causes of violations and fines:

  • Stolen technnology (e.g. a laptop, phone, or USB device)
  • Office break-in
  • Ransomware attack
  • Malware incident
  • Business associate breach
  • Electronic health record (EHR) breach
  • Sending PHI to the wrong person
  • Discussing PHI outside of work
  • Social media

Depending on your business, you may be more at risk for some violations than others. Thus, it’s important to be in the know about the risks you may face.

Fines and penalties

Contrary to what much of the public may think, violations don’t result in a lawsuit between a patient and the alleged offender. Instead, HIPAA’s enforcing arm, the Office of Civil Rights, takes action using fines and criminal penalties.

Since 2016, auditors have levied over $40 million in HIPAA fines [4]. They assign these fines on a sliding scale, ranging from $100-$50,000. The level of fine depends on the level of negligence found by the auditors. Consequently, organizations that fail to meet a “good faith effort” to comply with the law may have to pay huge fines.

HIPAA violation tiers

Fines and penalties fall within a tiered model as follows:

  • Tier 1 Violation. The covered entity was found to be unaware of the violation. Thus, it could not have prevented it. The entity took reasonable care to safeguard the PHI. The minimum fine for this violation is $100. The maximum fine is $50,000.
  • Tier 2 Violation. The covered entity should have been aware of the violation. However, they could not have prevented it with reasonable care measures. The minimum fine for this violation is $1,000, with a max of $50,000.
  • Tier 3 Violation. Willful neglect of the law caused the violation. As a result, the covered entity must try to correct the issue. The minimum fine for this violation is $10,000, with a max of $50,000.
  • Tier 4 Violation. Since this is the most serious form of violation, it counts as willful neglect. The covered entity made no attempt to correct the violation. Consequently, the minimum fine for this kind of violation is $50,000.

Additionally, there’s another reason healthcare organizations will want to avoid violations: the HHS Breach Notification Portal, or “Wall of Shame.” With this searchable database, the HHS archives all violations that affect 500 or more people. The Wall of Shame can cause serious damage to the reputations of healthcare practices.

Stay up to Date on HIPAA Changes

Knowing the importance of HIPAA compliance, how can you ensure you stay updated on any changes to regulations?

First, you should beware that the entities in charge of HIPAA issue regular updates online. These updates respond to new trends, techniques, and conditions. For example, the global pandemic, recent data breaches, and increased healthcare needs have had an impact on the law.

Furthermore, you can keep your eyes open for updates being considered in 2022 [5]. Certainly, you can expect the below changes in the next year in response to public health updates.

  • Updated Violations Penalties. HIPAA may adopt a new violation penalty structure. These new fee levels will be adjusted for inflation.
  • Proposed Privacy Rule Changes. This new rule would change many aspects of privacy. It could allow patients to take photos of their PHI. It could also reduce the max time to provide access to PHI to 15 days, define when ePHI should be offered at no charge, and more. As a result, many changes to privacy practices may be needed in the next year.

How Does COVID-19 Affect HIPAA?

masked doctor following HIPAA while assessing a masked patient

All in all, the COVID-19 pandemic greatly shifted the healthcare landscape, and HIPAA was no exception. Unfortunately, swirling healthcare misinformation amidst the pandemic included fake news about HIPAA’s purpose and protections. Moreover, risks related to securing data have increased as well. Consequently, ensuring HIPAA compliance has grown even more difficult.

Some of the factors that have increased risk to PHI include:

  • Telehealth Visits. As the healthcare field adapted to patient needs during the pandemic, the number of virtual provider visits have soared. Virtual visits mean that patient data is communicated to a variety of locations and sometimes even on the go on a mobile device. As a result, data protection is even more difficult with telehealth visits. In fact, this risk was so great that the HHS CSC suspended HIPAA fines and penalties for a short time in response [6]. Awareness of this risk is key to taking proper precautions to ensure data safety, such as multi-factor device authentication and strategic staff training.
  • Multiple Care Providers. The COVID-19 pandemic caused patients to see more than one doctor for their testing and other needs. For primary care physicians, this means that greater coordination is needed between labs, hospitals, offices, and patients. As a result, increased amounts of data shuffling from one practice to another means greater risk for violation of the law.
  • Increased Patient Count. Many patients clamored for healthcare appointments. Not to mention, healthcare needs have increased in response to the pandemic. In such an environment, offices have been shortstaffed and out of capacity, with less time for training and new complications with physical distancing guidelines. Unfortunately, this is an ideal situation in which HIPAA compliance errors may occur.

HIPAA Resources

To stay in the know about the state of HIPAA, updates are located on the HHS CSC Newsroom or the HIPAA Journal. Here’s a list of other resources:

Final Thoughts

Failing to meet HIPAA compliance standards will cost your healthcare practice, not only monetarily through issued fines, but also in reputational damage. Thus, HIPAA compliance should be one of your top concerns when constructing your patient experience at your healthcare practice. Every step of care, from the registration process to your online invoice software, must meet HIPAA compliance security standards. The good news is that once you’ve cultivated an office culture of HIPAA compliance, it’s easy to sustain, as it’s simply how patient care is executed.

Sources:

  1. CDC. “Health Insurance Portability and Accountability Act of 1996 (HIPAA)“. Accessed Janaury 13, 2022
  2. HHS.Gov. “Health Information Privacy“. Accessed January 13, 2022.
  3. HIPAA Journal. “2013 HIPAA Guidelines“. Accessed Janaury 13, 2022.
  4. Compliancy Group. “HIPAA Fines Listed by Year“. Accessed January 13, 2022.
  5. HIPAA Journal. “Possible HIPAA Updates and HIPAA Changes in 2022“. Accessed Janauary 13, 2022.
  6. HHS.Gov. “Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency“. Accessed January 13, 2022.
  7. HHS. Healthcare Compliance Program Tips. Accessed January 13, 2022.

Amanda Lawson

Amanda is a copywriter, ghostwriter, and wordsmith based in NYC. With a background in policy from New York University, she originally began writing in activist spaces, honing the skill of creative storytelling and using narrative to motivate people to care about issues from criminal justice to housing justice. Now she loves to support all kinds of companies in finding the unique words to communicate their visions. Amanda has worked with several clients in the legal, fintech, medical, and crypto fields, telling extremely technical, SEO-optimized, top-notch stories that resonate with all audiences. When not writing, Amanda enjoys painting, dancing, and playing chess.