What is HIPAA Compliance and How it Can Cost You
Although HIPAA regulations mandate safeguards, companies must determine what is appropriate for their organization. That's a lot to handle for most companies. Find out why an IT MSSP awarded the HIPAA Seal of Compliance can keep you away from stiff penalties and hefty fines.
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to ensure that sensitive patient information remains protected. Organizations must secure Protected Health Information (PHI) through administrative, physical, and technical safeguards.
HIPAA establishes an industry standard for healthcare organizations and vendors alike; anyone working in any capacity in healthcare must be HIPAA compliant or face significant penalties.
Who must be HIPAA compliant?
If your company does business within the healthcare industry, you must follow specific requirements to be HIPAA Compliant.
HIPAA determines how organizations can store, share, manage, and record PHI. If you are a company providing treatment, payment, or healthcare operations, you are considered a Covered Entity (CE).
If you are a company providing a third-party service and use PHI to do business with a CE, you are considered a Business Associate (BA). Under HIPAA, both CE and BA organizations must be compliant with the law.
The HIPAA Privacy Rule and Covered Entities (CE) as Business Associates (BA)
HIPAA implementation and enforcement remain a top priority, and the stakes are high. CEs and BAs need to understand HIPAA clearly and adhere to its standards to ensure PHI security by completing annual self-audits and vetting their vendors.
HIPAA 2020 Safeguards
In order to limit risks from a data breach, healthcare organizations and those who support them have an obligation to implement "reasonably appropriate" protections to secure a patient's PHI.
- Technical: cybersecurity measures put in place to protect PHI on electronic devices such as encryption or firewalls. All devices containing PHI should have protections to ensure that the integrity of PHI is maintained.
- Physical: the security of an organization's physical site with measures such as installing video cameras, alarms, and keypad locks that allow organizations to issue unique access codes for each employee.
- Administrative: written policies and procedures that must be customized to apply to an organization's business processes. All employees must be trained on an organization's policies and procedures.
HIPAA Privacy Rule
Since BAs don't work directly with PHI, the HIPAA Privacy Rule applies only to CEs. This rule requires organizations to maintain policies and procedures that are explicitly developed to reflect current business practices, ensuring that PHI is appropriately managed and administered. Internal staff must be trained on these policies and procedures as well as on HIPAA standards overall.
To demonstrate that all employees are properly trained, annual training must be documented and signed off with employee attestations: a binding legal acknowledgment that the employee has undergone HIPAA training and will follow the presented policies and procedures.
CEs must adhere to the "minimum necessary rule," which states that organizations and their staff should access only the PHI they need to perform their job functions.
HIPAA Security Rule
The HIPAA Security Rule applies to both CEs and BAs as the industry standard for handling, maintaining, and transmitting PHI.
To ensure the confidentiality, integrity, and availability of PHI, CE and BA organizations must implement administrative, physical, and technical safeguards.
- Administrative: written policies and procedures regarding the handling of PHI that are updated regularly to reflect current business operations. Policies and procedures must be tailor-made for each organization. Employees must be trained on the policies and procedures to ensure that they are correctly handling PHI.
- Physical: the security of an organization's physical site where they store or transmit PHI. Areas in which PHI is stored must be locked to prevent unauthorized individuals from accessing it. An alarm system is also recommended to secure an organization's physical site.
- Technical: the cybersecurity of an organization. Organizations must have adequate technical safeguards to prevent and mitigate the consequences of a breach. Technical safeguards may include encryption, firewalls, and data backup.
Common HIPAA Violations
A recent HIPAA Journal article reports some surprising discoveries regarding the top HIPAA threats, making the point that the top HIPAA and cybersecurity threats are not external hackers or nefarious organizations but in fact employees. The article specifically refers to a Threat Intelligence Report showing an unexpected statistic: 71% of healthcare industry data breaches are attributed to employee errors and actions.
HIPAA violations fall under three categories:
Lack of Encryption
The majority of data breaches occur in this category, due to stolen or lost data that was not appropriately encrypted. Encryption is the safeguard that comes into play if a device holding PHI is breached or hacked. Encryption is not a strict HIPAA requirement, but you can still receive penalties if PHI is compromised because data was unencrypted, so it is strongly recommended.
Loss or Theft of Technology
As the name suggests, this category covers losing a device that has PHI on it. No organization can eliminate the risk of theft, so encrypting the data and protecting the device with strong passcodes is a safeguard against unauthorized data access.
Lack of Employee Training
These are breaches caused by inadequately trained employees, including cases where a staff member:
- loses a portable device
- sends ePHI to vendors unsecured
- posts information online
- discloses identifiable PHI in conversation
Staff who handle and manage PHI are required to be properly trained on HIPAA regulations so that these breaches occur less often.
The Cost of Noncompliance
HIPAA compliance is challenging and comes at a cost. Whether you are a Covered Entity or a Business Associate, the Department of Health & Human Services (HHS) imposes stiff penalties for HIPAA violations.
CEs have a more complex compliance task because their HIPAA implementation depends not only on their own actions but also on their BA vendors.
What Do HIPAA Violations Cost?
The cost of noncompliance with HIPAA is based on the perceived level of negligence and ranges from $100 to $50,000 per individual violation, with a maximum penalty of $1.5 million per calendar year of infringements. Even worse, violations can result in jail time for the individuals responsible if the level of negligence warrants it.
HIPAA noncompliance penalties are categorized into four tiers:
- First Tier: The covered entity did not know and could not reasonably have known of the breach. Generally, penalties range from $100 to $50,000 per incident up to $1.5 million.
- Second Tier: The covered entity knew, or by exercising reasonable diligence would have known, of the violation, though it did not act with willful neglect. Fines for the second tier range from $1,000 to $50,000 per incident, up to $1.5 million.
- Third Tier: The covered entity "acted with willful neglect" but corrected the problems within 30 days of the breach. Penalties for the third tier range from $10,000 to $50,000 per incident, up to $1.5 million.
- Fourth Tier: The covered entity acted with willful neglect and failed to make a timely correction. Fines start at $50,000 per incident, up to $1.5 million.
If HHS decides that deliberate, malicious activity has occurred, the Department of Justice (DOJ) can and will get involved, and criminal penalties are possible.
How to Protect Your Company - The eTrepid Solution
eTrepid is a Compliancy Group HIPAA Verified IT MSSP focused on healthcare and defense agencies that need to safeguard patient information while completing their mission. We work with medical and DoD organizations, covered entities, and business associates that need to comply with HIPAA.
As a certified HIPAA Seal of Compliance holder, eTrepid verifies that your organization's policies and procedures are compliant based on the evidence collected and monitors your data to ensure it remains compliant.
We perform a gap analysis to identify where you are in your compliance journey and provide a roadmap to become compliant (POAM/mitigation plan). We have certified compliance methods that monitor and verify your processes so that we can immediately mitigate any issues that occur and reduce your threat exposure.
Coffee and Conversation with eTrepid Presents HIPAA Compliance in the Midst of a Pandemic
Find out what it truly takes to secure privacy in the midst of the COVID-19 pandemic as work environments change and healthcare workers are inundated with requests. Join Paul Redding, VP Partner Engagement & Cybersecurity from the Compliancy Group, on Tuesday, November 17th at 11:00 AM as he discusses:
- What does it take to be truly HIPAA compliant?
- How to assess and secure remote worker environments.
- What has changed about HIPAA because of COVID?
Grab your favorite coffee cup and meet us online for an informative mid-day pick-me-up during Coffee and Conversation with eTrepid. Limited seating is available, so RSVP today and claim your spot.
RSVP and Save Your Spot!
RSVP to this upcoming webinar and receive a $10 Starbucks gift card when you attend and remain on for the entire event.