What is HIPAA Compliance?

Although most individuals and organization in healthcare-related industries will be aware of HIPAA and the legal requirement to comply with its regulations, there may be some entities looking to enter a healthcare-related industry asking the question “What is HIPAA compliance?” This article intends to answer the question, explain its objectives, and why it is important to comply with its regulations.

This article will also look at some of the compliance requirements, the steps HIPAA-covered individuals and organizations must take in order to comply with the requirements, and the consequences of failing to comply with HIPAA. If you are still confused about “What is HIPAA compliance?” after reading this article, you should seek professional guidance about your specific compliance obligations.

What is HIPAA?

HIPAA is an acronym for the Healthcare Insurance Portability and Accountability Act. The original motive of the Act was to improve the portability and continuity of health insurance coverage; but, as the Act passed through Congress, amendments were added to (among other things) combat waste, fraud and abuse in health insurance and the delivery of healthcare.

One of the key objectives of the Act when it was enacted in 1996 was to increase the efficiency of the healthcare system by creating standards for the use and dissemination of healthcare information. To this end, the Department of Health and Human Services was tasked with developing Rules to protect patient privacy and the security of their healthcare information.

The result was the publication of the HIPAA Privacy Rule in 2000 and the HIPAA Security Rule in 2003. These rules have since been updated in part by the Health Information Technology for Economic and Clinical Health (HITECH) in 2009 and the Final Omnibus Rule in 2013, and enforced by the HIPAA Enforcement Rule and HIPAA Breach Notification Rule.

Why is it Important to Comply with HIPAA?

HIPAA-covered individuals and organizations have access to patient health and payment information – often referred to as individually identifiable health information or Protected Health Information (PHI). PHI, when disclosed to the wrong person, can be used to commit identity theft, insurance fraud and other crimes. Compliance with HIPAA mitigates the risk that PHI will be disclosed without authorization.

As well as protecting patients, compliance with HIPAA mitigates the risk of insider theft, network infiltration and malware infections such as ransomware. Compliance with HIPAA therefore also protects the individual or organization from theft, fraud and loss – not only financial loss and critical data loss, but also loss of reputation, from which it can take a lot longer to recover.

The third reason why it is important to comply with HIPAA is because it is the law. The Department of Health & Human Services´ Office for Civil Rights has the power to impose fines or pursue criminal convictions or failing to comply with HIPAA. State Attorneys General can also take legal action, as can patients whose PHI has been disclosed without authorization and used to commit fraud.

What are the HIPAA Compliance Requirements?

The HIPAA compliance requirements are contained with the HIPAA Privacy and Security Rules – not in the Act itself. The subsequent amendments in HITECH and the Final Omnibus Rule have been integrated into the original documents, but it is important if you are further researching “What is HIPAA Compliance?” you only review copies of the Rules published after January 2013.

The requirements will vary according to the nature of an individual´s or organization´s business. For example, it will not be necessary for a software development company to distribute a Notice of Privacy Practices to patients, although it will likely be necessary for the software development company to develop and implement policies relating to the physical and technical safeguards of the Security Rule.

One area of the Security Rule safeguards that has caused confusion is the distinction between “required” safeguards and “addressable” safeguards. Guidance given for HIPAA compliance is that both sets of safeguards are required, unless it can be shown that an addressable safeguard is either unnecessary, or that the objective of the safeguard is met by an appropriate alternate measure.

What Steps Must I Take to Comply with HIPAA?

The first step you have to take is to appoint a HIPAA Privacy Office and a HIPAA Security Officer. The role can be performed by the same person, who can either be an existing employee or an expert brought in from outside. The Privacy/Security Officer is responsible for conducting a risk assessment to identify threats and vulnerabilities in your existing security, and thereafter conducting a risk analysis.

The risk analysis will identify any weaknesses in your current procedures and security strategies that could result in the unauthorized disclosure of PHI. These weakness can include (but are not limited to):

  • Your current working practices.
  • The physical security of your premises.
  • The virtual security of software and networks.

Once identified, the Privacy/Security Officer must implement the appropriate measures to protect the confidentiality and integrity of PHI. This may involve changing the way you work with Business Associates, developing new policies and employee training. Each HIPAA-covered individual or organization will likely identify different vulnerabilities and must address them as necessary.

What are the Consequences of Failing to Comply with HIPAA?

The consequences of failing to comply with HIPAA can be significant – even if no breach of PHI has occurred. Whereas several years ago, the Office for Civil Rights would only investigate the cause of a breach once it had been reported to them, it now conducts regular audits of Covered Entities and Business Associates to ensure they are operating in compliance with HIPAA.

Individuals and organizations who fail the HIPAA audit are usually given time to correct their failings unless it is found they have “willfully neglected” to comply with HIPAA – in which case a substantial financial penalty can be issued. Ignorance of HIPAA – i.e. not knowing “What is HIPAA compliance?” – is not accepted as a justifiable argument for failing to comply with HIPAA.

The Office for Civil Rights has a tiered structure of penalties for failing to comply with HIPAA. These range from penalties for violations that could not have been avoided with reasonable care to penalties for failing to take corrective action after an unauthorized disclosure of PHI. The maximum penalty that can be imposed is $1.5 million per violation per year.

For these reasons, it is advisable to not only know “What is HIPAA compliance?” but – if you create, use, store or transmit PHI – to ensure you comply with the HIPAA regulations.