HIPAA violations can result in penalties of up to $1.5 million per calendar year – and some can even result in jail time for the individuals responsible.
Needless to say, HIPAA compliance is important.
And if you’re interested in learning more about HIPAA IT compliance, you’ve come to the right place. On this page, we’ll dig into the legislation and answer the following common questions:
By the end, you should have a clearer understanding of what the act entails, what needs to be done to ensure your IT systems can be compliant, and how you can make it happen.
Ready? Let’s dive in.
HIPAA is an acronym that stands for the Health Insurance Portability and Accountability Act of 1996.
According to the CDC, the act “required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.”
In other words, the basic point of the act is to protect patient privacy. At a practical level, this has many implications for how healthcare organizations (and the organizations that work with them) collect and care for patient data.
You can read the combined administrative version of the regulation text here. It’s 115 pages of three-column text – so if you want to save time and get the high-level information, keep reading.
To start, let’s define some of the key terms used in HIPAA. There are many of them; the glossary in the full-text version of the law takes up 17 pages. From an IT compliance perspective, though, here are some of the most important terms to know:
A covered entity is the organization that is subject to HIPAA. If you’re processing protected health information, you’re likely a covered entity. If you’re not sure, the government has put together a question-and-answer tool to help you determine your status.
A business associate is any entity that performs a function involving the use of protected health information on behalf of a covered entity. This might include people who process data or a vendor who performs a certain function involving data that’s under the care of the covered entity.
Note that HIPAA now applies directly to business associates as well as to covered entities.
A contingency plan lays out a course of action for emergency response and recovery.
Protected Health Information (PHI)
Protected health information is any individual’s health information that might reasonably be used to identify an individual and relates to a person’s health or the provision of healthcare.
Electronic Protected Health Information (ePHI)
Electronic protected health information is the digital version of PHI.
The HIPAA Privacy Rule includes the regulations at 45 CFR 160 and 164 that detail the requirements for complying with the standards for privacy under HIPAA. This is the crucial piece of HIPAA for IT compliance.
While we won’t cover all of HIPAA’s stipulations (again, see the text of the act for full details), here are some of the key regulations that covered entities must abide by:
Training of the workforce.
HIPAA stipulates that personnel interacting with PHI must be trained on HIPAA compliance.
Self-reporting of HIPAA breaches.
If HIPAA is violated or a data breach occurs, the event must be reported.
Assignment of responsibility.
All covered entities must designate persons to serve as HIPAA privacy and security officers. These people will be responsible for ensuring HIPAA compliance.
Implementation and maintenance of written policies.
Basically, covered entities need a documented plan to maintain compliance.
Execution of business associate agreements.
While business associates are now liable under HIPAA, covered entities are still required to execute business agreements that stipulate proper handling of PHI.
Documentation of risk analysis.
Covered entities are required to conduct and document a risk analysis of all information systems. They are then required to implement any needed security measures to keep PHI secure.
For more on these stipulations, check out this helpful article from legal firm Holland & Hart.
Finally, to complete our review of HIPAA, let’s take a look at the five main HIPAA rules. Each rule deals with a specific topic, and together, these five rules make up the HIPAA act.
This rule is concerned with the rights of individuals. It protects PHI and medical records and ensures information can’t be disclosed without the right patient authorization.
This rule is concerned with the protection of ePHI. It regulates practices around ePHI storage, accessibility, and transmission. This rule is key in maintaining HIPAA IT compliance.
This rule deals with code sets used in HIPAA transactions.
This rule distinguishes different types of covered entities.
This rule deals with the penalties for HIPAA violations. For more on this topic, keep reading.
A HIPAA violation is any practice or action that does not comply with HIPAA regulations. As noted above, the Enforcement Rule in HIPAA outlines the penalties organizations will be subject to for HIPAA violations.
Unsurprisingly, for most businesses, the desire to understand and comply with HIPAA stems from a desire to avoid these penalties. You don’t want to get fined – or even charged with a crime – for violating this act.
So, what are some common HIPAA violations to avoid?
Unauthorized access of healthcare records.
The Privacy Rule of HIPAA dictates that health records can only be accessed by certain parties for certain purposes (i.e., for treatment, payment or other healthcare operations). If unauthorized access is allowed – or even if it happens unknowingly because data isn’t properly secured – it’s a violation.
Failure to conduct a risk analysis.
Organizations must regularly conduct risk analyses and act on their findings. Failing to assess risks on a regular basis is one of the most common HIPAA violations to incur financial penalties.
Failure to manage security risks.
This is the action part of the risk assessment. If organizations don’t act on security issues within a reasonable timeframe, they’ll be penalized.
No, an ePHI data breach is not necessarily a HIPAA violation. However, HIPAA compliance requires that risks are reduced according to guidelines. A breach that happens because reasonable precautions weren’t taken would be a HIPAA violation.
HIPAA violations are categorized into four tiers:
Tier 1 violations are issues that a covered entity was unaware of and which couldn’t have been realistically avoided. These incur a minimum fine of $100 per violation up to $50,000.
Tier 2 violations are issues that a covered entity was unaware of but couldn’t have been avoided with a reasonable amount of care. These incur a minimum fine of $1,000 per violation up to $50,000.
Tier 3 violations are issues that a covered entity suffered as a direct result of willful neglect of HIPAA rules in cases where an attempt has been made to correct the violation. These incur a minimum fine of $10,000 per violation up to $50,000.
Tier 4 violations are issues where a covered entity has willfully neglected HIPAA rules and made no attempt to correct the violation. These incur a minimum fine of $50,000 per violation with a maximum of $1.5M per calendar year.
Note that the costs of fines are subject to change per inflation.
And, yes, there can be criminal charges for HIPAA violations as well. The bottom line is that you should be vigilant in avoiding any kind of HIPAA violation.
All right, we’ve covered the basics of HIPAA – now, let’s dive into the specifics of how the act impacts information technology and support.
As mentioned above, the key part of the legislation from an IT perspective is the Security Rule. This rule outlines the measures that covered entities must take to remain in compliance when managing ePHI.
To summarize the IT considerations inherent in the Security Rule at a high level, let’s turn to HHS. Here’s how they explain the IT requirements:
“The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. Specifically, covered entities must:
Carrying out each of the actions noted in those four bullets is the core of HIPAA IT compliance.
Okay, let’s get even more tactical. Here’s a checklist for HIPAA IT compliance. Note that this is not exhaustive, as the exact measures needed to ensure compliance will vary from organization to organization – but it’s a good place to start.
This involves evaluating the likelihood and impact of potential risks to protected health information. HealthIT.gov offers a free security risk assessment tool to help with this. However, for full visibility into your risks, it’s often best to work with a third-party cybersecurity firm.
Risk analyses will identify areas of weakness. Where reasonable, any high-risk areas uncovered by the analysis should be addressed.
Administrative safeguards include:
Access management of PHI. The HIPAA Privacy Rule states that use of PHI should be done to the “minimum necessary.” Access control should limit PHI only to authorized parties for uses that are necessary.
Workforce training. Anyone who works with PHI must be trained in security procedures for safely handling the data.
Physical safeguards include:
Facility access control. Covered entities must have protection around their physical premises to prevent unauthorized access to data.
Device security. This includes the implementation of proper use policies and policies for the management of electronic media.
Technical safeguards include:
Audit controls. Covered entities must be able to see who has accessed ePHI.
Integrity controls. Covered entities must be able to confirm that ePHI isn’t altered or destroyed.
Transmission security. When ePHI is transmitted digitally, covered entities must be able to ensure that it isn’t accessed by unauthorized parties.
HIPAA requires that covered entities adopt “reasonable and appropriate” procedures to meet the Security Rule. This includes maintaining written security policies and plans of action for activities and assessments. Plans must be updated to account for any environmental or organizational changes.
To be HIPAA compliant, you will need to audit your organization and identify areas of risk. Then, you will need to upgrade your IT systems to meet “reasonable” standards. This involves technical hardening (firewalls, antivirus, threat detection), secure process development, and user training. Finally, you’ll need to regularly update your security as the environment and your organization shift.
We’ve discussed what you’ll need to do to ensure your organization is HIPAA compliant – now, a logical next question is: How much will it cost?
The answer (unsurprisingly) is that it depends.
As HHS notes, the Security Rule is “designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ e-PHI.”
In other words, the exact steps your organization will need to take to ensure HIPAA compliance will vary, and so will the cost. The larger your organization is, the more it will likely cost to be compliant. Similarly, the larger the risks your organization faces, the higher the cost.
At a baseline level, though, most small-to-medium-sized businesses are looking at a cost of around $4,000 to $12,000 depending on the remediation that’s needed after a risk assessment.
For most companies, it does make sense to work with an IT consultant to ensure HIPAA compliance.
The rationale is similar to the rationale for choosing managed IT services: it’s simply more cost-efficient to outsource HIPAA IT compliance than it is to hire an internal employee to ensure compliance, and an outsourced firm is likely better equipped to perform the required tasks.
HIPAA IT compliance requires both a thorough understanding of HIPAA requirements and extensive technical knowledge across all of the technology systems your organization uses.
Most mid-sized organizations (and many larger organizations, too) don’t have internal resources with expertise in all of this; IT providers, on the other hand, have a full staff of experts and a wealth of expertise in setting up systems for HIPAA compliance.
Considering the cost for a HIPAA violation can quickly range above $50,000 if not handled correctly, investing in compliance is a wise choice.
Hopefully, the information presented here has helped you to more clearly understand HIPAA and its impact on your IT systems. If you’re ready to take the next step and ensure your organization’s IT is compliant, let’s talk.
At Complete Network, we’ve helped businesses in Albany, New York, Charlotte, North Carolina, and Bluffton, South Carolina to create hardened infrastructure and solid policies that maintain compliance.
Schedule a free consultation with our friendly experts today, and let’s make sure that your organization is protected.