This article explains HIPAA compliance regulations for healthcare providers, including the Privacy, Security, Breach Notification, and Enforcement Rules. Learn how to create a HIPAA compliance checklist and avoid costly penalties.
Protecting patient data for decades, HIPAA is a federal law that dictates how healthcare organizations should manage the sensitive information they hold.
Non-compliance with HIPAA regulations can mean facing huge financial penalties, and taking a hit to your reputation.
But secure your data in the right way, and you can make sure you’re looking out for your customers, as well as protecting your business.
HIPAA stands for the Health Insurance Portability and Accountability Act. It was brought into law in 1996 in the US, to protect patients’ PHI (Protected Health Information).
HIPAA ensures that any healthcare organizations are taking the right steps to protect data they hold, such as personal details, medical bills, and information on medication that patients may be taking.
The 18 PHI data elements that organisations must protect are:
If you’re dealing with healthcare data, and are based in the US, it’s likely you’ll need to comply with HIPAA. There are two main groups that need to comply. They are:
It's essential to determine your classification to ensure compliance and avoid penalties under HIPAA.
Read more: Covered Entities v Non-covered Entities
HIPAA consists of four rules: Privacy, Security, Breach Notifications and Enforcement. Let’s take a look at each of them in detail:
The HIPAA website states that:
‘A major goal of the Privacy Rule is to assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being.’
Covered entities under HIPAA, such as healthcare providers, health plans, and healthcare clearinghouses, must abide by the restrictions put in place by the Privacy Rule. For instance, they should keep records of when PHI is disclosed, and gain permission from the individual before it’s shared.
The Privacy Rule also grants individuals certain rights over their PHI, including the right to access, amend, and request restrictions on the use and disclosure of their information. Patients should also be notified about how their data is being used.
Non-covered entities, such as wearable tech or health apps, don’t fall under the Privacy Rule but may still have to comply with other aspects of HIPAA.
While HIPAA was put in place before digital data became widely available, the HIPAA Security Rule was brought in in 2003 to specifically focus on electronic PHI.
Covered entities need to make sure any PHI that’s being stored digitally is protected as well as physical data would be. That means that PHI will need to be protected while it’s being sent over networks, and devices that hold PHI must be secured. If you send PHI over a network, the data must be protected while in transit.
Healthcare organizations that conform to HIPAA need to run frequent data risk assessments, and ensure their employees are educated on procedures they need to follow.
If a healthcare company in the US is hit by a data breach, they’re required to notify everyone who has been affected. They’re also required to tell the US Department of Health and Human Services (HHS) and any other regulatory agencies within 60 days of the breach taking place.
A breach impacting more than 500 people will also require you to notify major media outlets in the area.
Finally, the Enforcement Rule lays out how the Office for Civil Rights can investigate businesses who are not complying with HIPAA.
That could include involving the accused business in an investigation if there have been complaints about them breaking HIPAA rules. The OCR can establish the facts around the incident, enforce penalties, and suggest further actions for the business to take, so they’ll remain compliant in the future.
The fines you’ll have to pay can vary depending on how severe the incident is, and how quickly you were able to fix it.
CEO of Metomic, Rich Vibert says:
“HIPAA isn’t something to take lightly. Get a clear understanding of your duties to your patients, so you know how to protect the data you have on record. You should make sure you have a solid plan in place to maintain a great reputation, and avoid hefty financial penalties.”
Putting a clear strategy together can help you ensure you’re complying with HIPAA at all times.
Tick these tasks off your HIPAA checklist:
If you’re found to have breached HIPAA rules, you’ll be fined based on the outcome of the investigation, and whether you deliberately neglected to comply. Here’s what you could end up shelling out:
You can help keep your SaaS apps HIPAA compliant by implementing a data security software, like Metomic that can automatically redact sensitive data once it’s shared, or after a set retention period. It enables your employees to get on with their jobs, while locking down your most sensitive data.
A tool like Metomic can also help you to educate your employees on your security policies whenever they share sensitive data, with real-time notifications to let them know where they’re going wrong.
Make sure you’re regularly monitoring your SaaS apps to ensure sensitive data is secure, and you’re still compliant with HIPAA. Finally, make sure your Slack environment is protected by multi-factor authentication and the correct access controls to stop bad actors getting into your systems.
For a Risk Audit on your Slack workspace, book a personalised demo with one of our cybersecurity experts.