Stricter HIPAA: The 3 HIPAA Rules and 5 Compliance Pitfalls SMBs Need to Know
Struggling to stay on top of HIPAA compliance while enforcing it is at an all-time high? Find out the most common HIPAA compliance pitfalls and what you can do now to improve your administrative, technical, and physical safeguards.
Government enforcement of HIPAA (Health Insurance Portability and Accountability Act) compliance has steadily progressed over the past decade. It makes sense, considering the steady increase in reported breaches.
For example, in 2018 HIPAA-covered entities reported healthcare data breaches at an average rate of about 1 per day. By the close of 2020, that rate had nearly doubled.
From 2015 to 2018, fines and settlements increased considerably, too. When the Office for Civil Rights (OCR) charged US insurance giant Anthem, Inc. $16 million for a 78.8 million record data breach in 2015, it was the largest HIPAA violation penalty ever.
Just because you don't manage a million records, don't think for a second that you're not at risk of a HIPAA breach. A healthcare breach can happen to an organization of any size. In fact, the OCR announced a drive to review even the small-scale HIPAA breaches, covered entities and business associates everywhere got the chance to see how serious they were.
eTrepid's coverage of HIPAA enforcement expansion over the years
2018 - HIPAA fines for data breaches continue to grow (Anthem, Inc.)
What Are My HIPAA requirements?
If you are a HIPAA-covered organization, you must comply with HIPAA's national standards for protecting Protected Health Information (PHI.) According to HHS.gov, HIPAA Covered Entities and Business Associates are to:
- Manage, request, and disclose only the amount of PHI necessary
- Implement data security procedures, protocols, and policies to protect PHI
- Comply with set standards for electronic transactions
- Notify individuals when their PHI has been breached
The OCR enforces three HIPAA rules that you need to know to avoid the hefty fines, bad publicity and even criminal charges described above.
- The HIPAA Privacy Rule
- The HIPAA Security Rule
- The HIPAA Breach Notification Rule
The HIPAA Privacy Rule
The privacy rule restricts the usage of PHI, which could be used to identify a person unless permitted under the Privacy rule, or the individual has authorized it in writing.
The HIPAA Security Rule
The HIPAA security rule protects PHI in its electronic format (ePHI) and includes all healthcare providers and business associates who create, receive, maintain or transmit ePHI.
The HIPAA Breach Notification Rule
All PHI usage or disclosures not permitted under the Privacy Rule as a breach in the eyes of HIPAA. Upon discovery of a breach, this notification rule requires covered entities to send alerts within 60 days.
To learn more about the HIPAA-3 rules, visit the HHS website.
HIPAA Compliance Pitfalls
Here are some of the common HIPAA compliance pitfalls and how you can overcome them to stay HIPAA audit-ready:
Not Protecting Mobile Devices
Due to recent data breaches reigniting enforcement of HIPAA compliance, many covered entities and business associates allow staff to BYOD. The growing adoption of "bring your own device" in business presents many potential benefits for healthcare organizations and brings increased risk. Employees who use personal devices such as mobile phones, tablets, personal laptops, etc. to access protected e-PHI risk violating stringent privacy and security regulations.
Using the HIPAA Security Rule, be sure to have BYOD policies to direct and control using personal devices to store patient information. Among the policies you should consider:
- Personal device audits
- Multi-level authentication (2FA, MFA)
- Strict security login controls
- Inactivity device locks
- Staff HIPAA and cybersecurity training
Not Using Secure Messaging
As part of safeguarding PHI, locking down internal and external communications such as email and text are essential to maintaining HIPAA compliance. Email and text by themselves are not secure because they lack encryption and user access controls while potentially transmitting through unsecured servers. Legacy systems represent significant vulnerabilities so upgrading to more modern and safe solutions needs to be a top priority for HIPAA compliance.
Not Staying Informed / Training
A recent HIPAA Journal article points out that the top HIPAA and cybersecurity threats are not external hackers or nefarious organizations but employees. The article refers explicitly to a Threat Intelligence Report showing an unexpected statistic: 71% of healthcare industry data breaches are attributed to employee errors and actions.
These are breaches that occur due to ill-trained employees that can include when a staff member:
- Loses a portable device
- Sends ePHI to vendors unsecured
- Posts information online
- Discloses identifiable PHI in conversation
There's more to HIPAA compliance than good passwords and upgraded software. Staff who handle and manage PHI are required to be properly trained on HIPAA regulations to avoid a healthcare breach. The purpose of HIPAA training is for employees to understand what their legal obligations are.
Not Staying on Top of Business Associate Agreements
If your covered entity (CE) healthcare company does business with a third-party company that manages PHI on your behalf, they are known as business associates (BA). Under HIPAA, both CE and BA organizations must be compliant with the law and enter into a Business Associate Agreement (BAA) that ensures PHI remains secure and protected at all times.
For example, according to HHS.gov, the agreement must:
- Describe the permitted and required uses of protected health information by the business associate.
- Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law;
- Require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract. Where a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, to terminate the contract or arrangement. If termination of the contract or agreement is not feasible, a covered entity is required to report the problem to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
See the HHS.gov Sample Business Associate Contract
Not Safeguarding Physical Documents
While protection of ePHI is vital, a healthcare facility's physical records also need safeguarding per HIPAA mandates. Physical safeguards are physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards, and unauthorized intrusion. The standards under physical safeguards include facility access controls, workstation use, workstation security, and device and media controls. The Security Rule requires covered entities to implement physical safeguard standards for their electronic information systems whether such systems are housed on the covered entity's premises or at another location.
HIPAA 2021 and Beyond Safeguards
For healthcare providers and other HIPAA-covered entities, the 24/7 challenge of HIPAA compliance is a constant battle, often made worse by a lack of training and resources. CEs and BAs need to understand HIPAA compliance clearly and adhere to standards that ensure PHI security by completing annual self-audits and vetting their vendors.
To limit risks from a data breach, healthcare organizations and those who support them have an obligation to implement "reasonably appropriate" protections to secure a patient's PHI.
- Administrative: written policies and procedures that must be customized to apply to an organization's business processes. Company leadership should train all employees on an organization's policies and procedures.
- Technical: cybersecurity measures put in place to protect PHI on electronic devices such as encryption or firewalls. All devices containing PHI should have protections to ensure that the integrity of PHI is maintained.
- Physical: the security of an organization's physical site with measures such as installing video cameras, alarms, and keypad locks that allow organizations to issue unique access codes for each employee.
With HIPAA enforcement only increasing, staying on top of your HIPAA requirements can get complicated. The stakes are high, but armed with the right partner and the proper knowledge, you can do it.
Register for our HIPAA compliance webinar, where you'll find out...
Partner with a HIPAA-certified MSP for your compliance strategy...