
HIPAA FAQ


Your most common questions about the Healthcare Information Portability and Accountability Act, answered. 

By Tod Ferran, CISSP, QSA

As you may expect, we get a lot of basic questions about HIPAA compliance. I thought I'd post the most common ones as an easy go-to source for those with questions.


What is HIPAA compliance?

HIPAA (The Health Information Portability and Accountability Act) is a federal mandate that, among other things, requires organizations to keep patient data secure. Compliance requires a myriad of privacy and security actions outlined in the mandate’s specific rules, such as password policy creation, patient data protection, and employee training.


What is required to become HIPAA compliant?

Requirement implementation can vary from organization to organization, but as a general rule, entities are expected to complete a risk analysis, create and complete a risk management plan, conduct regular employee training, and implement updated policies and procedures.


Who is required to become HIPAA compliant?

Any covered entity (CE) or business associate (BA) that stores, processes, transmits, maintains, or touches protected health information (PHI) in any way must be compliant. Examples of covered entities include any healthcare service provider such as a hospital, pharmacy, or physician. Examples of BAs are persons or entities that provide services to a CE that involve the disclosure of PHI, such as a medical records vendor, prosthetic manufacturer, or outside medical consultant.  


Who is responsible for HIPAA?

Both the healthcare organization and the individual staff members who access PHI are responsible. The organization is responsible for putting all necessary safeguards in place for HIPAA compliance. Every individual (office manager, doctor, etc.) is held responsible for the health information they should, can, or do access. Individuals and companies can independently face criminal charges for mishandling PHI.


What’s the difference between the HIPAA Security and Privacy rules?

The Privacy Rule addresses appropriate PHI use and disclosure practices by healthcare organizations. The rules, regulations, and policies that govern privacy do not necessarily extend to the Security Rule, which revolves around safeguarding the systems that house or transmit PHI.



Who enforces HIPAA compliance?

The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) is the federal organization responsible for enforcing HIPAA compliance.


What is the Final Omnibus Rule?

The Omnibus Rule, enacted in January 2013, is an extension of the HITECH Act that expands patient rights, assigns liability to business associates, and increases penalties for security violations. The deadline to comply with the rule was September 2013.


What happens if I don't become HIPAA compliant?

If you are found in violation of HIPAA, you could face severe fines levied by both the HHS and state attorneys general. In fact, the HHS assesses fees of up to $50,000 per day per violation.

If noncompliance leads to a breach, you are required by law to notify the HHS, your patients, and, if more than 500 records are involved, the media. This could severely damage brand equity and publicly embarrass your organization. According to a recent survey, 76% of patients state they will stop dealing with an organization responsible for a privacy breach.



[Webinar] An introduction to the HIPAA Security Rule, including its purpose and components.


What is a HIPAA violation?

Each failure to appropriately implement one or more HIPAA standards, requirements, or implementation specifications is classified as a violation. For example, sharing passwords among nurses, not implementing an industry-standard firewall, and not encrypting emailed patient data are all separate violations.


What’s the difference between a required and addressable rule? 

Required rules are quite cut and dried: either you implement them, or you automatically fail to comply with the Security Rule. Addressable rules are often technical, and allow organizations of varying size the flexibility to implement different security controls that accomplish the requirement's objective.

SEE ALSO: Required vs. Addressable HIPAA Requirements


What does it mean to have a HIPAA audit?

The HHS expects healthcare providers to actively work on their HIPAA compliance and tests them through organizational audits. An entity could be chosen for a HIPAA compliance audit at random, or because of a breach reported by an employee or customer. Entities can best prepare for an audit by having an aggressive and fully functional HIPAA compliance program already in place. Performing a 'mock' audit, in which an experienced and knowledgeable third party follows the HHS audit protocol, can help identify areas of noncompliance.


What should I do if I think PHI has been compromised at my organization?

Contact the HHS immediately following the Breach Notification Rule protocols. They’ll tell you what to do next.


What do I need to know about business associates? 

Every covered entity with BAs (virtually all of them) is required to obtain assurances that its business associates treat patient data the way the HHS wants them to. You could choose to personally audit each BA, recognize a third-party certification, or require documented data security procedures.


Sample HIPAA compliance certificate

What is a HIPAA compliance certificate?

A HIPAA compliance certificate shows that you have completed all the requirements your individual HIPAA consultant requires. Although this document doesn't exempt you from random HHS audits, it does show your devotion to HIPAA compliance, the government, and your patients.


What is SecurityMetrics' role in HIPAA compliance?

SecurityMetrics assists healthcare entities in achieving true HIPAA compliance. We offer guided HIPAA Risk Analysis (the first and most important step toward compliance), HIPAA compliance, HIPAA audits, HIPAA policy templates, HIPAA training, and other security services.

If you have any further questions about HIPAA, contact our HIPAA gurus.

Did we miss a FAQ? Tell us on Facebook!

Tod Ferran (CISSP, QSA) is a Security Analyst for SecurityMetrics with 25 years of IT security experience. He provides security consulting, risk analysis assistance, risk management plan support, and performs HIPAA and PCI compliance audits.
