News / Blog

What Are the Requirements for HIPAA Compliance?

Businesses operating in the healthcare industry are expected to follow the Healthcare Insurance Portability and Accountability Act or HIPAA. This act, regulated by the US Department of Health and Human Services (DHHS), sets standards for critical aspects of healthcare data management.

One of the most important frameworks of HIPAA is data protection. In a nutshell, HIPAA compliance is crucial because it aims to guarantee privacy and confidentiality, allows the patients to access their healthcare data, and reduces fraudulent activities, such as system and security breaches.

For an organization to be HIPAA compliant, they need to meet three requirements: administrative, physical, and technical. Ignorance of the HIPAA requirements can result in fines, regardless of whether these violations were a result of wilful neglect or inadvertence.

What Are the Administrative Requirements for HIPAA Compliance?

The administrative requirements for HIPAA compliance cover the practices, procedures, and policies that bring the Security Rule and Privacy Rule (both rules are discussed later in this article) together. These rules are pivotal elements of your HIPAA compliance checklist.

The administrative HIPAA requirements for compliance include:

• Designate or assign a privacy or security officer who will oversee the business’s HIPAA compliance and data security practices. They will ensure that all of the administrative requirements are set in place and practiced consistently in the workplace.
• Determine which employees have access to patient data and how much access will be given to them. If you’re running a hospital, should all of your nurses have access to all patient data? Or are the nurses handling patient X only allowed to access records of patient X and no one else’s? These questions should be answered as part of the administrative requirements for HIPAA compliance.
• Provide training to your employees to educate them on your business’s privacy policy and how it applies to their respective jobs. This is another important aspect of ensuring that everyone in the workplace understands HIPAA and its importance to their daily duties.
• Require outside parties to sign contracts before allowing them to access protected patient data. The contracts should state that they need to comply with the HIPAA security rules and what the fines are for violating HIPAA policies.
• Have an emergency plan for disasters to prevent information loss. This plan should include ensuring that data backups are in place and developing strategies to maintain communications once a disaster strikes.
• Regularly perform a data security assessment to determine which policies are working and which ones need improvement. Depending on the size of your business and the tools you plan to use, this assessment can be done monthly or annually.
• Create and implement a data breach response plan that addresses compromised IT systems and security breaches. This plan should also notify affected patients once someone attempts to steal or access their information.

What Are the Physical Requirements for HIPAA Compliance?

The physical requirements for HIPAA compliance focus more on the physical access of the electronic protected health information or ePHI. The physical HIPAA requirements also indicate whether ePHI should be stored in a remote data center, on servers, or in the cloud and how mobile devices and workstations should be secured against any unauthorized access.

The physical requirements for HIPAA compliance include:

• Limit access to computers and other services that have access to ePHI by keeping them behind counters, securing them to desks, and keeping them away from the general public. Outside parties will be encouraged to steal patient information if they know that they have access to it.
• Restrict access to secure areas of your business by requiring visitors to sign in and limiting the time they’re allowed to access your business premises. Building safety should also be monitored 24/7 with the use of CCTVs.
• When disposing or upgrading any hardware or software, extreme caution should be practiced. For example, hard drivers should be securely wiped before disposal.
• Provide regular training to all employees and contractors about physical safety best practices. This training should also cover the importance of securing their mobile devices and workstations.

What Are the Technical Requirements for HIPAA Compliance?

The technical requirements for HIPAA compliance are about the technology used in protecting ePHI and providing access to the data. One of the most important elements in the technical HIPAA requirements is to ensure that ePHI is encrypted to the National Institute of Standards and Technology or NIST requirements once it travels outside the business’s internal servers.

The encryption of ePHI is vital to ensure that any breach renders the data unusable, unreadable, and undecipherable. Businesses can select whichever mechanism they want in order to achieve that goal.

Other technical requirements for HIPAA compliance include:

• Any sensitive files that your business sends thru email should be encrypted, and when storing information online, choose a platform that offers encryption.
• Protect your network from hackers and other cyber thieves by using intrusion detection and prevention systems, along with firewalls. These tools provide protection to ePHI and prevent any remote access.
• Conduct regular training to help employees identify and avoid phishing activities. New employees shouldn’t be deployed to the workforce unless they have completed this training.
• All ePHI used and stored by your business should have a backup to ensure that your business continues to operate even if the data was accidentally deleted.
• Authentication, including a password or a callback, should be required when transferring ePHI or any sensitive data to third parties.
• Require your employees to regularly change their passwords and encourage them to use long passwords containing a combination of special characters, numbers, and letters. Ideally, their passwords should not contain any obvious personal information, such as their birthdays or pet names.
• Minimize data entry mistakes by requiring everyone in the workplace to use a checksum, double-keying, and other redundancy techniques. Investing in the timely update of automated systems and leveraging appropriate software tools should also be part of your process.
• Stay up-to-date with your business’s network and technology configurations to ensure your business continues to get the most out of the tools available to it.

What Is the HIPAA Security Rule?

The Security Rule is one of the most important elements of HIPAA. The HIPAA Security Rule was enacted in 2004 to establish national standards in protecting ePHI whenever it’s created, used, or received electronically by Covered Entities (these are defined as healthcare providers who regularly use and transmit patients’ personal health information).

The Security Rule was made and implemented because more and more Covered Entities are replacing paper processes with digital ones.

What Is the HIPAA Privacy Rule?

Simply put, the HIPAA Privacy Rule governs how ePHI should be disclosed and used. Since its implementation in 2003, every healthcare organization and provider of health plans (insurance companies) must adhere to the guidelines set in the Privacy Rule.

Aside from protecting the privacy of patients’ personal health information, the Privacy Rule also sets conditions and limits concerning the disclosure and use of that information without patient authorization. The Privacy Rule provides patients or their nominated representatives the rights to their health information.

Why Are the Security Rule and Privacy Rule Important?

Understanding the Security Rule and Privacy Rule is necessary for HIPAA compliance. These rules have one major goal: to protect the privacy of every patient’s health information while allowing covered entities to embrace new technology as a means to improve the efficiency and quality of patient care.

Educate yourself on how the Security Rule and Privacy Rule work so you’ll know what to do and not to do when protecting patients’ health information.

Are There Any Additional HIPAA Requirements?

Aside from the administrative, physical, and technical HIPAA requirements stated above, there are other requirements that are often overlooked. For example, the facilities access rules are stated under the physical requirements of the Security Rule. These requirements might be inadvertently discounted if your IT department doesn’t have any role in the physical security of its servers.

Never Try DIY

HIPAA was established in 1996 to keep patient and customer information private. Although the requirements set by the law can be overwhelming, being HIPAA compliant can help your business or healthcare organization take the necessary steps to guarantee the safety and security of private healthcare data.

Since being HIPAA compliant requires time and effort, you should work with an experienced and established HIPAA compliance partner, such as the Fenton Jurkowitz Law Group. Working with these professionals will ensure that all items on your HIPAA checklist are properly addressed.