While some people may only know the Health Insurance Portability and Accountability Act (HIPAA) as the reason you have to sign all those forms at the doctor’s office, people in the healthcare industry understand that understanding and complying with HIPAA is critical to the success of any healthcare business.
HIPAA is a vast, wide-ranging, and complex set of regulations. One of the primary goals of HIPAA is to provide federal protections for personal health information while balancing the need to allow for disclosures of such information when it is needed for patient care and other related purposes. The Privacy Rule is the primary rule that governs protected health information (PHI), including health information that can identify or be linked back to an individual. To ensure compliance with PHI protections, HIPAA sets out a variety of guidelines in the HIPAA Privacy Rule. The HIPAA Privacy Rule governs how patient data is saved, accessed, and shared. To ensure privacy of electronically stored information, HIPAA also established the HIPAA Security Rule, which outlines safeguards for protecting both analog and electronic Protected Health Information (ePHI).
Increasingly, consumers and businesses in the healthcare market are asking an important question: why should I care about complying with HIPAA? The rules and the steep fines that can result from any violation apply not only to those individuals and organizations that provide healthcare services (known under HIPAA as “covered entities”), but also to a wide range of organizations and businesses that deal with PHI (known under HIPAA as “business associates”). A major challenge for organizations seeking to comply with these complex standards is that HIPAA does not define a clear or unambiguous standard for what privacy protections must be implemented. Rather, HIPAA directs that their safeguards be “reasonable and appropriate” in the context of each organization’s risks and capabilities. Consequently, each organization must be scrupulous in developing its policies and procedures for HIPAA compliance. Below, we have outlined tips that aim to assist both covered entities and other organizations that create, receive, or transmit PHI.
#1: Implement Business Associate Agreements
In the dynamic and fast-paced world of healthcare, no business works in a vacuum. Most businesses in the healthcare industry engage in a multitude of relationships with other businesses. HIPAA’s Privacy Rule provides for the possibility that PHI may be properly disclosed in the course of those relationships. If a covered entity needs to disclose PHI to a business associate, then it must enter a Business Associate Agreement (BAA) with the business associate. A BAA requires the business associate to make assurances about its PHI protections.
As a business entity or medical services provider, how do you know if you need a BAA? If your business is creating, receiving, maintaining, or transmitting PHI, or if you are working with a business that does so on your behalf, then you most likely need a BAA. According to the United States Code, a BAA is required under any circumstance in which a business performs any functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity. Some examples of business associate functions and services include data analysis, billing, and practice management. While each BAA will differ slightly, organizations should look to 45 CFR § 164.504(e) for a list of the required elements that each BAA must contain. An attorney can help craft a strong agreement that will protect both parties.
#2: Identify HIPAA Recommended Officers in your Organization
HIPAA names three officials who must be nominated within an organization in order to develop and implement the organization’s PHI-protection policies and procedures. First, the Security Officer, whose function is described in HIPAA’s administrative safeguards, is responsible for ensuring that the organization can “prevent, detect, contain, and correct security violations.” Both covered entities and business associates must designate a Security Officer. The Security Officer’s responsibilities include overseeing employee security training, conducting audits, assessing risk, enacting a contingency plan for an emergency event or data breach, and ensuring that all BAAs comply with HIPAA’s requirements. Like the other portions of HIPAA, the Security Rule is based on the standard of reasonableness: an organization “may use any security measures that allow [it] to reasonably and appropriately implement the standards.” 45 CFR § 164.308. Further, the Security Rule’s various implementation methods are categorized as either “required” or “addressable.” While the required implementations must be strictly adhered to, each organization can take reasonable efforts to implement the “addressable” standards, taking into account its capacities and any potential dangers to ePHI. 45 CFR § 164.306. The Security Officer plays a key roll in ensuring these requirements are met.
HIPAA also requires a second and third official for “covered entities.” The Privacy Officer is responsible for overseeing employee privacy training, writing, and distributing the organization’s Notice of Privacy Practices, and confirming that BAAs adhere to HIPAA’s privacy standards. Finally, a covered entity must nominate someone to manage and document privacy complaints and coordinate with the Health & Human Services Office of Civil Rights on those complaints.
#3: Cover your Bases and Enroll in a Certification Program
Unfortunately, there is no single government-issued checklist that an organization can follow in order to achieve the HIPAA compliance stamp of approval. However, many certification programs exist which can help to demonstrate an organization’s good-faith effort to comply with HIPAA regulations. Participating in one or more of these programs may assist your organization in defending itself against a potential complaint.
One program that can help your organization demonstrate it is complying with HIPAA is found at HealthIT.gov. Under this program, a covered entity or business associate can certify that its electronic health record (EHR) program fulfills certain functionality and security requirements. The EHR is a critical piece of PHI security because it represents a digital version of a patient’s paper chart and is available securely only to authorized users. Certified EHR software and systems may assure purchasers and other users that the system offers the necessary technological capability, functionality, and security to help meet criteria set out by the Centers for Medicare and Medicaid Services. Certification can also help providers and patients increase their confidence that the software in use can maintain data confidentiality.
Another recommended certification is offered through the Health Information Trust Alliance (HITRUST). The HITRUST Common Security Framework is a healthcare cybersecurity framework that includes federal and state regulations and builds on HIPAA’s general specifications to create a standard certification process. To achieve HITRUST certification, an organization invites a third-party auditor to visit the organization. The auditor validates the organization’s use of specific controls; the standard for sufficient protection may vary based on the organization’s size and complexity.
#4: Hope for the Best, but Put a Contingency Plan in Place
Both covered entities and business associates must develop and implement contingency plans for an emergency event or data breach. The plan development process includes two important steps: 1) a business impact analysis; and 2) a risk assessment. These measures are important because they demonstrate the sequence of system recovery and the risk associated with each. This initial stage is very important and can lead to penalties if not properly followed.
The contingency plan itself (outlined in 45 CFR § 164.308) should ensure that an emergency event will neither interrupt the organization’s critical business functions nor lead to any improper disclosure of ePHI. The plan must contain five elements: 1) data backup; 2) disaster recovery; 3) emergency mode operation; 4) testing and revisions procedures; and, 5) data criticality analysis. While testing and revision procedures and data criticality analysis are “addressable” rather than “required components,” these measures should not be neglected because they allow the organization to evaluate the strength of emergency procedures and data restoration protocols.
#5: Train, Train, and Train Again
With its breadth, range, and complexity, HIPAA can be challenging, even to those who are trained to interpret regulations. It can be particularly difficult for an organization to verify that its staff remains adequately informed and trained in HIPAA protocols. Since HIPAA fines can be devastating to a business, both covered entities and business associates must take care to train their entire staff to comply with HIPAA’s Privacy and Security Rules.
The majority of workforce training falls under the purview of the Security Officer and, in the case of a covered entity, the Privacy Officer. Since covered entities must nominate both officers, an organization may choose to hire two separate individuals or to combine these roles and allocate this responsibility to a single individual. In either case, both covered entities and business associates should ensure that their candidates possess significant HIPAA experience, are well trained and can manage staff to follow HIPAA compliance regulations.
The second key component of training is that the organization must have an effective internal communication network. Both the Security Officer and the Privacy Officer must keep abreast of updates to HIPAA and they must promptly communicate any changes to staff.
HIPAA compliance is a challenge for any business; however, compliance is not impossible to achieve. With the right procedures integrated into your business, covered entities and business associates can achieve a functional level of HIPAA compliance that will ensure success in this heavily regulated industry. If you have any comments, questions or inquiries about this insight, feel free to reach out to us.
The contents of this website are made available by The Uma Law Group for informational purposes only. The contents are not intended to convey any legal advice, nor convey the Firm’s legal position on behalf of any client. Any opinions expressed in the available content do not necessarily reflect the views of ULG, its partners, employees, or its clients. Accordingly, do not act upon the contents of this website without seeking counsel from a licensed attorney. Use of and access to this website and or any communications with ULG, through email, blog posts, or otherwise, does not create an attorney-client relationship between The Uma Law Group and the user or browser.