Everything You Need To Know About HIPAA Compliance
8/21/2020
For healthcare providers, whether you’re a hospital, doctor, nursing home, health insurance company, lab, IT company, or clearinghouse – if you handle patient data, maintaining HIPAA compliance is essential. Those that don’t toe the line risk huge fines and increase the likelihood of experiencing a serious data breach.
In July 2020 alone, over 1 million patients were affected by data breaches.
Here is everything you need to be aware of where sensitive patient data privacy is concerned, and what you can do to stay compliant with this data privacy regulation.
What is HIPAA?
Signed into law in 1996, the Health Insurance Portability and Accountability Act (HIPAA) outlines the rules and regulations for medical data protection. The act sets out the standards for data handling, security, insider access, and billing.
HIPAA can be separated into different sections:
The Privacy Rule
The HIPAA Privacy Rule dictates the standards for when and how protected health information (PHI) may be used, handled, accessed and disclosed.
The Security Rule
The HIPAA Security Rule specifies the safeguards that must be in place to protect the privacy of patient data.
These safeguards are defined as:
- Administrative: the policies and procedures in place to protect data
- Technical: refers to authentication methods, audit controls, record keeping, and access controls etc.
- Physical: refers to the physical facilities where patient data is kept and how it is accessed
The Breach Notification Rule
The HIPAA Breach Notification Rule describes how organizations should respond to data breaches and which parties need to be informed.
The Enforcement Rule
The HIPAA Enforcement Rule addresses how investigations into compliance should be handled.
The Omnibus Rule
The HIPAA Omnibus Rule expands liability to business associates of entities who control patient data.
What information is protected by HIPAA?
Information covered by HIPAA includes protected health information (PHI) and electronically protected health information (ePHI), or simply put, sensitive patient data.
PHI includes the following information:
- Medical history
- Health care information
- Payments and billing history
- Common patient identifiers such as name, address, date of birth, and social security number
- Medical records
- Communication with healthcare providers
- Medication history
- Health insurance details
Who manages HIPAA compliance?
HIPAA compliance is managed by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
OCR enforces HIPAA regulations by investigating complaints and conducting compliance reviews to determine if all requirements are being met. OCR has the power to refer criminal violations to the U.S. Department of Justice.
Incidents that warrant investigation include:
- Data breaches
- Hacking
- Malware attacks
- Insider data breach
- Theft or loss of patient data
- Unauthorized disclosure of patient data
How do I make sure my company is HIPAA compliant?
Becoming and maintaining HIPAA compliance requires a systematic approach and commitment to implementing organization-wide change. A risk assessment is a necessary first step to understand the flow of sensitive patient data and identify deficiencies that need to be addressed.
Following a risk framework, such as the approved system created by HITRUST, is the recommended method of achieving this outcome. Security training and enforcing a password policy are also important steps to ensure buy-in across the organization.
Every effort made towards achieving compliance is a step in the right direction, but sometimes relying on an expert or investing in the right tool makes the process a whole lot simpler. An effective solution for protecting sensitive patient data is the rollout of encryption or data masking, to prevent unauthorized access.
Why data masking is important for securing HIPAA compliance
HIPAA specifically mentions de-identification as a solid solution for safeguarding patient data.
In section 164.514(a) of the HIPAA Privacy Rule, the standard for de-identification is outlined as "health information is not individually identifiable if it does not identify an individual and if the covered entity has no reasonable basis to believe it can be used to identify an individual."
Data masking is a primary method for employing de-identification. It also complies with the "Safe Harbor" method of hiding statistical elements that could be used to identify someone, including names, telephone numbers, medical record numbers, email addresses, and IP addresses.
Data masking “masks” these elements with similar values of the same format and semantical meaning. This ensures the normal functioning of databases and programs, whilst keeping patient data 100% secure and anonymous.
More than 45% of data breaches are reported by the healthcare industry. Securing the privacy of patient data is the responsibility of everyone who handles it. Hush-Hush data protection products meet the standards of regulations such as HIPAA, HITECH and the GDPR, which all regulate the safeguarding of patient data.
