HIPAA Compliance and Health Information Data Privacy
The U.S. health care industry’s data protection standard was passed nearly three decades ago in 1996.
Originally passed to address health insurance portability, the Health Insurance Portability and Accountability Act (“HIPAA”) included important provisions around how to collect, use, share, and protect critical health information.
HIPAA’s rules have been updated several times to account for changes in how organizations and individuals use and share protected health information (“PHI”).
HIPAA provides three main rules: the Privacy Rule, the Security Rule, and the Breach Notification Rule.
The Privacy Rule aims to protect individuals’ health information privacy without interrupting the sharing of relevant data between health care providers.
This rule balances the data privacy needs of patients while controlling how health care providers collect, disclose, and access useful information about a person’s health needs to deliver high quality care.
This information is known as ‘protected health information’ and includes records of a person’s health status, treatments, medicines, and history.
Organizations Covered by HIPAA Audits and Enforcement
The Office for Civil Rights (“OCR”) within the U.S. Department of Health and Human Services is in charge of HIPAA compliance and enforcement. It regularly runs HIPAA audits of selected organizations and investigates allegations of wrongdoing.
A HIPAA audit is designed to find and fix any issues with data privacy, security, and breach notification processes related to protected health information.
OCR can issue fines to organizations that fail a HIPAA audit or otherwise violate HIPAA and fines are severe – from $100 to $50,000 per violation with a maximum penalty of $1.5 million per year for each violation.
Although HIPAA does not apply to all health care entities, it is important you get advice on whether it applies to your organization.
The organizations it does apply to include:
- Covered entities – health plans, health care clearinghouses, or health care providers, regardless of size, that electronically transmit health information for certain transactions such as referral authorizations, claims, or to check a person’s eligibility for benefits.
Note: Using email to exchange health information does not necessarily mean a health care provider is considered a covered entity under HIPAA if the emails are not connected to standard transactions. - Business associates – Vendors to covered entities that have access to protected health information as part of providing their service.
- Services covered by HIPAA include claims processing, billing and data analysis, and business associates that need to meet HIPAA compliance include lawyers, software providers, insurers, accountants, actuaries and financial services.
Note: Vendors are not considered business associates under HIPAA if they do not receive, use, disclose or maintain protected health information (PHI).
Protected Health Information Under HIPAA
HIPAA protects individually identifiable health information that is collected, stored or transmitted by a covered entity or any of its business associates.
Known as protected health information (PHI), HIPAA covers individually identifiable health information in all forms of data and media including electronic and paper records, as well as verbal communication.
Individually identifiable health information includes common information to identify a person such as their name, birth date, address, social security number or phone number connected with health care information such as:
- Information about a person’s past, present, or future physical or mental health condition;
- Information about health care services provided to a person; or
- Information about payments (past, present and future) for the provision of health care to a person.
Note: The Privacy Rule does not restrict the use or disclosure of de-identified health information, which is health information that does not include any common information used to identify individuals.
Common Challenges to Complying with HIPAA
In TrustArc’s many years’ experience helping organizations manage HIPAA compliance, we have found covered entities and business associates alike face some fairly common challenges including:
- Making new technology compliant to older laws – When HIPAA became law in 1996, most people were just starting to use the internet and there were no smartphones!
- Organizations now trying to build technology to meet older standards often face challenges when deciding when and where to encrypt PHI, whether they are involved in the collection, storage and/or transmission or this data
- Risk Assessments – Organizations must consider regular risk assessments as required by HIPAA as well as risk assessments related to new or changing processes/projects.
- Regular risk assessments can also help organizations be better prepared in case of a HIPAA audit or allegation of violation
- Vendor oversight – Covered entities must do proper due diligence throughout the lifecycle of the relationship with a vendor. They need the right agreements in place to make sure each vendor meets the security, privacy and breach notification requirements of HIPAA at all times
- Integration with other laws – HIPAA’s rules about individually identifiable health information are similar to other privacy laws that cover how Personal Information is collected, stored and shared. Organizations with activities that fall under another jurisdiction must examine where the laws overlap and where they might oppose each other.
- Examples include the EU or UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
How TrustArc Can Help with HIPAA Data Privacy Compliance
In addition to complying with the Privacy Rule and the Breach Notification Rule, organizations must implement the Security Rule’s administrative, physical and technical safeguards to achieve, maintain, and demonstrate compliance with HIPAA.
We help organizations through the lifecycle of HIPAA compliance, including:
- Determining if HIPAA applies to the organization and its activities
- Initial HIPAA compliance audit and employee training
- Privacy impact assessments and data inventory reviews, including with vendors who are considered business associates under HIPAA
- Regulatory oversight and corrective action plans, including meeting HIPAA’s breach notification requirements.
Three Recommended Steps for HIPAA Compliance
Assess your business
Determine if HIPAA applies to your organization and conduct a gap analysis against HIPAA requirements. Review cross-compliance overlaps and map processes to define the scope and reach of HIPAA to your business activities, data, systems, applications and vendors.
Implement HIPAA compliance
Develop or enhance policies to comply with HIPAA. Build a successful vendor management program; implement individual rights mechanisms; and develop a privacy impact assessment.
Maintain compliance
Perform a detailed annual risk assessment and maintain ongoing compliance activities such as policy updates, employee training and vendor compliance assessments.