
Safeguarding sensitive patient health information is crucial for all organisations involved in arranging and providing healthcare services. A number of data protection regulations exist for this purpose; in the US, the relevant one is HIPAA. If you work within the medical industry, it’s likely you’ve heard of HIPAA.
Here is our comprehensive guide to what HIPAA is, who it applies to, and how organisations can ensure HIPAA compliance.
What Is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a set of laws outlining the lawful use and disclosure of Protected Health Information (PHI) in the US. It’s regulated by the Department of Health and Human Services and enforced by the Office for Civil Rights.
Healthcare organisations must adhere to these laws to protect the privacy, security, and integrity of PHI. Alongside ensuring sensitive patient data is protected and secure, HIPAA compliance is crucial for healthcare organisations to avoid legal consequences and financial penalties.
Elements of HIPAA
Patient privacy: Guaranteeing patient confidentiality is critical to maintaining trust between patients and healthcare providers. Unauthorised access to PHI can lead to embarrassment and/or stigma for individuals whose private information is leaked.
Data security: Healthcare organisations deal with significant amounts of patient data daily. This can be a compelling target for cybercriminals seeking financial gain through identity theft or fraud. Through HIPAA, patient information is safeguarded to prevent unauthorised personnel from accessing the data, as well as potential breaches.
Legal compliance: Failure to comply with HIPAA regulations can result in large penalties, such as fines of up to $1.5 million per violation category per year, reputational damage, and even criminal charges.
Does HIPAA apply in the UK?
HIPAA doesn’t apply to UK healthcare organisations. Instead, sensitive patient information is protected by the UK’s Data Protection Act (DPA). The NHS has security policies for England, Wales, and Scotland. While these aren’t mandated by law, the DPA enforces strict security over sensitive health-related information, as well as over any identifier that could be used to identify an individual.
That said, any private healthcare providers that also operate in the US may need to comply with HIPAA.
Why was HIPAA created?
Before HIPAA, a mix of state and federal US laws regulated the healthcare insurance industry. Most group health plans were regulated by state laws, while employer-based and individually purchased healthcare plans were subject to the Employee Retirement Income Security Act of 1974 and the Consolidated Omnibus Budget Reconciliation Act of 1985.
This original setup put employees at risk of losing their health insurance benefits if they changed their job, creating a scenario called “job lock” in which employees stayed in a role to ensure they didn’t lose their healthcare benefits. This not only affected employees but also employers, since it limited the talent they could attract.
Implemented in 1996, HIPAA modernised the healthcare industry and reduced fraudulent behaviour. As well as protecting the privacy of individuals, HIPAA ensures continuity of health coverage between jobs and guaranteed coverage for those with pre-existing conditions.
The rules and regulations of HIPAA ensured strict data protection of PHI, which matters all the more as health information is increasingly stored and managed electronically.
What is classed as Protected Health Information (PHI)?
Protected Health Information (PHI) refers to any individually identifiable health information held or transmitted by a Covered Entity (CE) or its Business Associate (BA). This includes data stored or managed in paper, electronic, or audio form.
PHI includes an individual’s:
- Medical records.
- Name, home address, and email address.
- Date of birth.
- Biometric data.
- Social security number.
- Physical and mental health conditions.
- Billing details.
- Treatment plans.
- Laboratory results.
- Insurance claims data.
HIPAA protects this information, whether it relates to an individual’s past, present, or future health.
Why Is HIPAA Important?
HIPAA compliance is important for protecting patient privacy, data security, and maintaining trust between patients and their healthcare providers. It enables healthcare facilities to manage patient information more efficiently. The law has also helped streamline administrative healthcare functions, improve overall efficiency, and ensure PHI is shared appropriately.
Healthcare related information can often be of a sensitive nature, which makes safeguarding patient data imperative.
Alongside protecting patient information, HIPAA outlines how PHI can be processed, managed and stored. It outlines how individuals who require access to this data (e.g. healthcare professionals) to carry out their job can do so securely, as and when they need to.
HIPAA also sets standards for recording health data and for electronic health-related transactions, reducing the complexity of how organisations process healthcare transactions. All HIPAA CEs use the same code sets and nationally recognised identifiers to maintain confidentiality when managing sensitive data or transferring electronic information between healthcare providers, health plans, and other entities.
Who Needs to be HIPAA Compliant?
HIPAA applies to many organisations operating within health and insurance. These are broken down into two categories: Covered Entities (CE) and Business Associates (BA).
Covered Entities (CE)
CEs refer to those directly involved in providing or administering healthcare, including:
- Medical practitioners: Physicians, dentists, pharmacists and nurses in any hospital, healthcare clinic, nursing home or other healthcare provider.
- Health plans: Organisations offering individual health insurance coverage, such as Health Maintenance Organisations (HMOs), Preferred Provider Organisations (PPOs), Medicare/Medicaid programs, and employer-sponsored health plans.
- Healthcare clearinghouses: Businesses that process non-standard PHI into a standard format for electronic transmission between CEs.
Business Associates (BA)
Business Associates (BAs) are third-party service providers who access PHI while performing services on behalf of CEs, including:
- Billing companies: Organisations responsible for processing claims or managing patient accounts.
- Electronic Health Record (EHR) vendors: Companies that develop, host, or manage EHR systems for healthcare providers.
- IT service providers: Firms offering technical support, data storage or cybersecurity services to CEs.
- Consultants and auditors: Those who access PHI while assessing a CE’s operations and compliance status.
BAs include IT contractors and cloud storage vendors.
The 5 HIPAA Rules
There are five rules for healthcare organisations to adhere to in order to be HIPAA compliant. These are:
HIPAA Privacy Rule
The Privacy Rule is one of two rules that came about after the establishment of HIPAA. It protects patient privacy by governing how PHI is handled in various situations.
The Privacy Rule sets the national standards for protecting an individual’s medical records and other sensitive personal health information. It applies to healthcare providers, health plans, healthcare clearinghouses, and BAs who transmit electronic PHI (ePHI). The rule came into effect in April 2003 for most organisations.
This rule requires CEs to implement the necessary safeguarding practices to protect patient data by preventing unauthorised access to PHI. CEs must also establish policies regarding the use and disclosure of PHI in specific situations, such as for treatment purposes or public interest matters like disease control.
HIPAA Security Rule
The Security Rule focuses on protecting PHI by setting guidelines for implementing technical safeguards within an organisation’s IT infrastructure. This rule aims to ensure ePHI confidentiality, while maintaining integrity and availability to authorised personnel. It came into effect in April 2005.
There are three main safeguard categories under this rule:
- Administrative safeguards: This refers to the policies, procedures, and actions which an organisation’s management team undertakes to protect ePHI, including risk assessments, workforce training, and incident response plans.
- Technical safeguards: The use of technology, such as encryption and firewall tools, to help prevent unauthorised access or disclosure of ePHI. This category also includes audit controls for monitoring system activity and ensuring data integrity.
- Physical safeguards: This refers to the measures implemented to secure physical access to facilities that store or process ePHI. It includes facility access controls, workstation security practices, and device disposal policies.
The Security Rule safeguards electronic PHI from potential threats using the above safeguarding categories.
HIPAA Breach Notification Rule
This rule requires organisations to notify the affected individuals and the Department of Health and Human Services (HHS) when any unsecured PHI is breached. To avoid HIPAA violations, organisations must notify affected individuals within 60 days of identifying a breach.
HIPAA Enforcement Rule
The Enforcement Rule defines how HIPAA complaints are investigated and how violations are determined. It also outlines how fines and penalties for violations are determined.
HIPAA Omnibus Rule
HIPAA aims to give patients greater control over who can access their medical records and when. The Omnibus Rule means that CEs must comply with a patient’s request to access or share their medical records.
Compliance with these rules is imperative for organisations dealing with sensitive health information to avoid penalties as a consequence of non-compliance.
How Organisations Can Ensure HIPAA Compliance
It’s critical for healthcare organisations to meet HIPAA compliance regulations or face substantial penalties.
For CEs to meet HIPAA compliance, they must develop and implement comprehensive policies and procedures that address the privacy and security of health information. This involves carrying out regular staff training on HIPAA regulations and best practices, as well as keeping documentation to demonstrate the organisation’s compliance efforts.
It’s best practice to appoint a privacy officer to oversee all HIPAA-related compliance activities, including investigating potential violations and implementing corrective action in the event of a data breach.
Organisations can ensure they meet HIPAA compliance by:
1. Developing policies
Organisations must develop and implement strong cybersecurity standards, policies, and procedures. This includes administrative systems. It’s also important to ensure policies are well-documented company-wide.
2. Implementing safeguarding practices
The purpose of HIPAA is to ensure the safeguarding of every patient’s sensitive information. Organisations must have robust PHI safeguarding practices in place for both physical and electronic health data.
3. Conducting risk assessments
Every CE must undergo an annual HIPAA risk assessment to identify where operations and practices may violate HIPAA compliance. Risk audits need to cover all the administrative, technical, and physical security measures carried out within your organisation.
4. Address violations
In the event of mistakes occurring and compliance potentially being violated, it’s crucial for organisations to have processes in place to identify the root cause and ensure issues don’t persist.
Ensuring HIPAA compliance
In addition to the above actions, here are a few more ways to ensure general HIPAA compliance.
1. Understand HIPAA privacy and security rules
The Security Rule applies to ePHI transmitted by or maintained in electronic media by CEs and BAs. The two rules are closely related: by following the HIPAA Security Rule and implementing the right security protocols, your organisation will also likely be adhering to the Privacy Rule.
2. Identify if the Privacy Rule applies to your organisation
To know whether your organisation has to meet HIPAA compliance, you will first need to identify if the Privacy Rule applies to your business, practice, or healthcare organisation. If you’re a CE or BA, it’s highly likely the Privacy Rule applies to your organisation and operations.
The section above on who needs to be HIPAA compliant sets out which organisations and personnel are covered. For example, HIPAA applies if your organisation provides healthcare services, or conducts billing services related to healthcare, in the US.
3. Ensure you protect the right data
We’ve already detailed the type of PHI organisations need to protect. To be HIPAA compliant, you need to know which types of patient data must be protected and then introduce the right security and privacy measures.
Any information you collect, store, or manage that features identifiable health information must be protected from unauthorised access or usage. This applies whether the information is held on paper, electronically, or as audio.
If you process any of the following information, you must implement HIPAA privacy measures:
- Names and birthdates.
- Dates relating to a patient’s birth, death, treatment plan, or illness and medical care.
- Contact information, such as phone numbers, addresses, and emails.
- Social security numbers.
- Photographs and digital images (e.g. X-rays).
- Fingerprints and voice recordings.
- Medical record numbers.
- Any other form of unique individual health identifier.
4. Prevent HIPAA compliance violations
To prevent violations, it’s imperative you understand what counts as a violation and how violations occur. The most common type of violation is internal, as it typically results from negligence or only partial compliance with the Privacy Rule. For example, a workstation left unlocked or a paper record missing.
You can prevent compliance violations by:
- Understanding possible data breaches.
- Recognising the most common types of violations.
- Anticipating minor breaches (e.g. a breach impacting fewer than 500 people).
- Preparing for significant breaches (e.g. a breach that affects over 500 people in a given jurisdiction).
5. Stay informed of HIPAA compliance changes
HIPAA requirements change regularly. Even after implementing cybersecurity measures and incident response processes, your organisation still needs to keep up to date with any changes.
6. Consider telehealth operations
Organisations handle PHI from all different locations and on different devices, and these elements must be considered in your compliance efforts. For example, where medical professionals work remotely, it’s crucial for your compliance team to review those ways of working and how PHI is managed and stored, and to build the right processes into your compliance plans.
7. Document everything
Ensuring you’re HIPAA compliant involves recording as much as you can in relation to the types of patient data you have access to, where it’s stored, and how it’s managed. Having records can help demonstrate your compliance.