What makes HIPAA compliance so difficult?

The consequences of failing to deploy and maintain effective HIPAA compliance measures have been made very clear in the past few years. Semi-related is also the issue of hospitals and medical offices using outdated technology and solutions that make it difficult to comply with health care compliance as a whole.

Data breaches that expose patients’ health information en masse, and ransomware attacks that seriously jeopardize health care organizations’ ability to provide services, are two of the most recent examples of outdated technology causing issues. Putting aside the monetary damage that failure to comply brings to a health care organization, the impact that these events have on its reputation is even more concerning.

Don’t think that your organization needs to comply with HIPAA? Four types of health care businesses must be aware of and adhere to HIPAA regulation: health plans, health care clearinghouses, health care providers, and business associates. (Failure to realize that your business is noncompliant or that such regulation even exists can no longer be used as a reasonable defense should your business be fined.)

Any company that falls within those four types regularly collects, processes, and stores patient medical and financial data. Already overwhelmed with massive amounts of data, any one of those businesses can inadvertently compromise patient data or the health care network without the help of a HIPAA-specific compliance software or consulting agency.  

However, just because a health care organization or business has decided to take serious strides toward HIPAA compliance doesn’t mean it’s an easy process. And so, we have compiled a checklist that you can use to transform your organization into one that’s deliberately and resolutely compliant.  

HIPAA Compliance Checklist

There are four components of this checklist:

1. Conduct a comprehensive risk assessment of your organization — First things first, you must understand how HIPAA applies to your specific practice, facility or business. You do this by conducting a risk assessment to understand weaknesses, potential vulnerabilities and any gaps in existing measures. You can conduct regular self-audits or you can hire a consulting agency to audit your organization. The end goal is to identify which elements of HIPAA you are at risk of noncompliance.
2. Remediation — Once you have identified the gaps and risks in compliance, you must create plans to make sure those issues are addressed. Something of note: Remediation plans cannot be generic. The plans must be tailored to the different HIPAA rules that exist; policies and procedures vary whether you’re adhering to the HIPAA Privacy Rule, the HIPAA Security Rule or the HIPAA Breach Notification Rule. (We will discuss those different rules and safeguards further down below.)
3. Monitor, report and train — HIPAA compliance solutions offer automated compliance reporting, which is helpful for tasks like identifying, tracking, investigating and reporting incidents. The different HIPAA rules require either administrative, physical or technical safeguards, all of which are made much easier with tools that automate the monitoring and reporting responsibilities. Additionally, health care compliance of any kind is effective only if every single staff member and employee participates. Training is crucial and essential for ensuring that your hard-prepped compliance efforts are maintained.
4. Continuous management — Documentation is necessary to prove your organization is keeping up with compliance efforts. Organizations like the Centers for Medicare & Medicaid Services (CMS), the ONC (Office of the National Coordinator for Health Information Technology), and the HHS (U.S. Department of Health and Human Services) regularly audit health care providers and business associates to make sure they remain in compliance, year after year. In addition, continually managing and evaluating risk will help keep your safeguards in tip-top shape.

Rules to follow (always)

There are four rules of HIPAA that health care organizations follow, regardless of business type. The Privacy and Security Rules are to be complied with at all times. They come with three safeguards. The Enforcement and Breach Notification Rules establish frameworks post-incidents.

1. HIPAA Privacy Rule — The Privacy Rule protects all individually identifiable health information that is shared with or stored by organizations or businesses. The Privacy Rule safeguards protected health information (PHI), both electronically (ePHI) and paper-based, as well as gives patients rights over the access and sharing of their own personal health information. The types of organizations that take extra care of the Privacy Rule are: health care providers, health care insurance clearinghouses, and any business that leverages patient data.
2. HIPAA Security Rule — The Security Rule protects individuals’ ePHI; the rule specifically sets parameters around the creation, sharing and storage of such health information. Maintaining confidentiality while also regulating access to that data are crucial aspects that the Security Rule makes sure health care organizations have. The Security Rule helps organizations identify security gaps that can then be addressed via various safeguards tailored to the differing standards of the organizations.

Safeguards

Safeguards exist to prevent the unauthorized or illegal sharing of PHI, regardless of whether that sharing was done intentionally or unintentionally. Ultimately, these safeguards exist to protect patient information, but they are also meant to protect the health care organization from compromising their compliance efforts.

• Administrative safeguards — Administrative safeguards help establish internal policies and procedures via security management processes, security awareness training, and contingency planning. Medical staff and employees should be able to refer to those policies so they reduce any inadvertent violations of patient confidentiality. Documentation is key to implementing effective administrative safeguards; so is easy access of that documentation by employees.
• Technical safeguards — Technical safeguards help formulate the HIPAA Security Rule via access control, audit control and entity authentication. With technical safeguards, health care organizations can ensure the security and integrity of ePHIs. Additionally, technical safeguards monitor user access to ePHI storage systems.  
• Physical safeguards —  Physical safeguards like controls ordering facility access and device and media usage help guide the creation of the policies that protect the electronic systems that house ePHIs. With physical safeguards, both health care facility and employees can understand and prevent potential threats and unauthorized actions that will jeopardize the maintenance of patient confidentiality.  

Rules to follow post-incident 

1. HIPAA Enforcement Rule — The Enforcement Rule sets and enforces the procedures that must be followed once a possible HIPAA violation is determined. The Enforcement Rule provides the procedures that help health care organizations navigate the fines and penalties that may befall them should that violation require consequence post-investigation. The Enforcement Rule is only set in motion once the Health and Human Services department decides to investigate your organization.
2. HIPAA Breach Notification Rule — The Breach Notification Rule makes sure that health care organizations notify patients after PHIs are compromised. A PHI breach should only happen if your organization is in noncompliance of the HIPAA Privacy Rule, e.g., you have failed to secure your patients’ information.

Equipping your health care facility with the tools and resources to maintain HIPAA compliance is a difficult but necessary measure. Employing solutions like HIPAA-compliant messaging systems can protect the hospital or medical practice from accidentally opening themselves up to liability when all they’re doing is emailing their patient confirmation about an upcoming appointment. Organizations must consider the pros and cons of maintaining patient security and confidentiality versus keeping up with technology that empowers patients to have regular access to their own health care information. With mobile apps like Apple Health Records and diabetes managers or glucose trackers creating what is essentially new EHR and medical technology, the line between sharing and providing access to patient health data, versus adhering to medical release laws, has become blurred.

How to meet HIPAA compliance

So now that you know the different components that go into HIPAA compliance, how do you go about meeting it?

Here are four rules that will help you create and check-off a HIPAA compliance checklist:

1. Standardize clinical documentation and communication — Coding is crucial for medical professionals to document and transmit patient notes. Specific code sets exist to streamline charting, unify health care communication, and encode transmissions. Some common examples of medical codes include: NDC (National Drug Codes) for drug identification and distribution; ICD-10-CM (International Classification of Diseases, Tenth Revision, Clinical Modification) for symptoms diagnosing; and HCPCS (Healthcare Common Procedure Coding System/CPT (Current Procedural Terminology) for medical billing. Most EHRs automate encoding formatting. Make sure that your facility is up to speed in coding best practices.
2. NPI registration — NPI (National Provider Identifier) is a 10-digit number used by health plans, health care providers, and health care clearinghouses to verify and validate financial transactions. HIPAA mandates the usage of unique NPIs when transmitting health care data, so your practice must get and use NPIs to differentiate itself from other similarly named practitioners.  
3. Patient privacy best practices — Develop privacy procedures for your facility, and designate either a point person to keep an eye on their implementation or create an easily accessible database of those policies. Maintain a record of your facility’s PHI, particularly the authorized use and disclosure PHI scenarios, and make sure that your organization requires both continuous training on those privacy procedures and regular risk assessments on the integrity of your security safeguards.
4. Contingency planning — Your health care organization should be prepared to deal with any incidents or breaches that violate HIPAA. Regardless of whether your practice actually violates HIPAA, it’s best to establish procedures that align with the HIPAA Enforcement and Breach Notification Rules. The more prepared your organization is, the more equipped it will be when it comes to investigations.