Health Insurance Portability and Accountability Act (HIPAA) is a US law that provides privacy and security regulations to protect medical information. The law has become increasingly important in recent years as ransomware and cyber attacks on health insurers and providers have led to numerous health data breaches.
HIPAA has two primary purposes: to provide continued health coverage for workers who lose their job or change jobs and ultimately to reduce healthcare costs by standardizing the electronic transmission of administrative and financial transactions. Other goals include improving access to health insurance and long-term care services and addressing abuse, fraud, and waste in health insurance and healthcare.
What does HIPAA stand for?
The acronym HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. The original intent of HIPAA was to protect health coverage for workers who change or lose their jobs. Since 1996, the scope of HIPAA has changed and expanded, most notably through the Privacy and Security Rules and the HITECH Act of 2009.
HIPAA is enforced at the federal level by the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS). Enforcement is ongoing, and OCR has collected more than $100 million in settlements and civil money penalties from organizations found to be violating HIPAA.
HIPAA was established to govern how covered entities and their business associates store and share protected health information (PHI). HIPAA regulation is made up of several rules, including the Privacy Rule, the Security Rule, the Breach Notification Rule, the Enforcement Rule, and the Omnibus Rule that implemented the HITECH Act. All covered entities and business associates must comply with every rule that applies to them. HIPAA preempts state laws on the privacy and security of medical information unless the state law is more stringent, in which case the stricter state law applies.
Who must comply with HIPAA?
HIPAA protections for health information cover two different types of organizations, referred to as covered entities and business associates:
Covered entities are the organizations that HIPAA regulates directly: health plans, healthcare clearinghouses, and healthcare providers (dentists, therapists, doctors, hospitals, etc.) that transmit health information electronically in connection with standard transactions such as claims and eligibility checks.
These entities must comply with HIPAA whenever they create, store, or send patients' health information in any format. A patient's PHI may be sent to specialists for treatment or to insurance providers to settle payments, among many other uses, and each of those flows is regulated.
Business associates do not usually see or interact with patients directly, but they create, receive, maintain, or transmit PHI on behalf of a covered entity and must sign a business associate agreement (BAA) with it. Examples of business associates range from medical transcription companies to law firms. Other examples of business associates are:
Cloud storage businesses
Email hosting providers
Physical storage companies
Professional shredding companies
Faxing service companies
Medical billing firms
What does HIPAA mean to healthcare organizations?
Although HIPAA’s original goal was to reform the health insurance industry, healthcare organizations were the most affected. Almost all healthcare-related transactions are subject to data protection and security regulations. Patients now have more rights over their healthcare data as they can request access, a correction if the data is incorrect or incomplete, and keep track of who their information is shared with.
HIPAA also places a heavy administrative burden on healthcare organizations. Although HIPAA improves the efficiency of the healthcare system by facilitating the secure flow of information, entities covered by HIPAA need to have policies in place for all types of foreseeable events that could affect the confidentiality, integrity, and availability of electronic PHI.
Even employees who are unlikely to encounter PHI in their duties must be trained. All workforce members of a covered entity must participate in security awareness and training programs, meaning that even a hospital's environmental services team must complete relevant training. At the same time, access controls should be in place so that team members who do not need PHI for their job cannot log into systems containing it; training does not substitute for least privilege.
What does HIPAA mean to patients and healthcare workers?
For patients, HIPAA is about protecting their personal information. It is important to reassure patients that their personal data will be protected, as trust is the most critical part of the doctor-patient relationship. Patients tell their doctors and other healthcare professionals confidential details about themselves that they may not even share with partners and family.
When healthcare patients trust that their personal information is safe and share confidential details, it enables healthcare workers to provide more accurate and appropriate healthcare. Better healthcare leads to better patient outcomes, which improves morale and contributes to a more rewarding work experience. Therefore, compliance with HIPAA guidelines for healthcare organizations should not be considered an impediment to getting the job done.
What is a HIPAA violation?
HIPAA violations can occur through ignorance or negligence. In both cases, the resulting violations can lead to substantial fines running to millions of dollars. OCR sets the penalty amount according to the level of culpability, from violations the organization did not know about and could not reasonably have known about, up to willful neglect that was never corrected, and can impose a penalty for each occurrence up to an annual cap per type of violation. Alternatively, OCR may negotiate a single settlement covering a series of violations. A corrective action plan, typically with OCR monitoring for several years, often accompanies fines and settlements.
Several common types of HIPAA violations are uncovered during audits and breach investigations. For example, OCR may determine that an organization granted unauthorized access to a patient's health information, or that it never conducted an accurate and thorough enterprise-wide risk analysis of its electronic PHI. OCR also regularly finds that a covered entity shared PHI with vendors without first putting a compliant business associate agreement in place.
Healthcare providers have also faced OCR penalties after losing unencrypted laptops and mobile devices containing patient data. Finally, audits often reveal that organizations are not handling patient information properly, and many violations only come to light after a ransomware incident or other cyber attack forces a breach investigation.
What are the most common HIPAA breaches?
OCR evaluates each incident on whether PHI was actually exposed and on the organization's level of culpability, in particular whether the violation was unknowing, due to reasonable cause, or the result of willful neglect. An accidental disclosure is still a violation but carries a much lighter penalty, especially if it is corrected promptly. Willful neglect, above all willful neglect that is never corrected, is treated as very serious and attracts the highest penalty tier.
OCR will usually determine that a breach occurred in one of several common areas:
Lack of an adequate risk analysis
Risk analysis is an integral part of the HIPAA Security Rule. The analysis aims to identify the threats and vulnerabilities affecting every system that stores or handles electronic PHI, and it is the first step a healthcare provider should take toward compliance because every other safeguard is supposed to follow from it.
Sharing patient information
This is where healthcare providers may share information, knowingly or not. Under no circumstances should healthcare providers disclose patient information to unauthorized recipients. Unauthorized recipients may include colleagues, the media, or unauthorized family members of a patient.
Unauthorized viewing of patient information
Viewing patient information for treatment, payment, or healthcare operations is allowed. Viewing patient records for any other purpose violates HIPAA, even when the person doing so already has technical access. Snooping on a colleague's, a celebrity's, or a family member's record is a classic example, and it is exactly the behavior that access logging and regular log review are meant to catch.
Improper handling of patient data
HIPAA requires the secure handling of patient information throughout its lifecycle. Compliance includes the proper destruction of PHI on retired hard drives, backup media, and paper, as well as the ability to remotely wipe lost or stolen devices.
Lack of access controls
The Security Rule requires covered entities to control who can access electronic PHI and to authenticate every person or system that does so. Role-based access tied to job function is the baseline; adding multi-factor authentication for every account that can reach patient records is a good next step if you want assurance that only authorized personnel are logging in, and it also blunts the credential phishing that precedes most ransomware incidents.
Lack of encryption
Such breaches typically occur when healthcare providers fail to encrypt patient information in transit over a network or at rest on a device. TLS protects data in transit, VPNs protect traffic between sites, and full-disk or database encryption protects data at rest; strong passwords and MFA protect the keys and accounts but do not by themselves encrypt anything. Encryption is an "addressable" specification under the Security Rule, which means you may document an equivalent alternative, but in practice it is hard to justify skipping it: PHI that was properly encrypted when it was lost is considered unusable, unreadable, and indecipherable under HHS guidance and does not trigger breach notification. It is therefore also a good idea to encrypt patient information you never transmit.
Breach notification compliance
The Breach Notification Rule requires affected individuals to be notified without unreasonable delay and no later than 60 days after the breach is discovered, not after it occurred. Breaches affecting 500 or more people must also be reported to HHS within that same 60-day window and announced to prominent media outlets in the affected state; smaller breaches are reported to HHS within 60 days after the end of the calendar year in which they were discovered. Missing any of these deadlines is itself a violation.
Use of unapproved channels
Healthcare providers must share patient information through official, approved channels. Employees may not email PHI from personal accounts or send it over consumer messaging apps, and printed records should not leave the premises except under an approved process, since an uncontrolled copy on a personal device or a desk at home is outside every safeguard the organization has put in place.
Unauthorized disclosure of information
Your employees must never provide patient information to individuals who are not authorized to receive it. During the COVID-19 public health emergency OCR announced that it would exercise enforcement discretion for certain good-faith uses and disclosures, notably telehealth over everyday video applications; that discretion ended with the public health emergency in 2023, and the normal rules apply again.
Limited access logging
The Security Rule's audit control requirement means organizations must record who accessed which patient's information, when, and from where, and must also track changes and updates to that information. The logs have to be protected from alteration, retained, and actually reviewed; a log nobody reads does not detect the snooping described above.
You never know when your practice or organization may face an audit or a breach investigation. When that happens, OCR will want to see who accessed a given patient's information on a particular day. If you cannot produce that information, OCR will treat the missing audit trail as a violation in its own right, regardless of whether anything improper actually happened.
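To make the access-control and access-logging points above concrete, here is an added example (not code from the original article or from Itirra) of how a PHI record service can enforce purpose-bound access and keep an audit trail an auditor can actually use. Every read attempt, granted or denied, is appended to a log whose entries are HMAC-chained, so a deleted or altered entry is detectable, and the log can answer the question "who viewed this patient on this date". The sample records, the role-to-purpose table, the actor names and the logging key are all constructed for illustration.

```python
"""Purpose-bound PHI access with a tamper-evident audit trail (added example)."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample PHI store (patient id -> record). A real system would
# hold this encrypted at rest; the point here is access decisions and logging.
RECORDS = {
    "P-1001": {"name": "A. Example", "dx": "Type 2 diabetes"},
    "P-1002": {"name": "B. Example", "dx": "Hypertension"},
}

# Constructed role model: the access purposes each role may assert. Treatment,
# payment and healthcare operations are the permitted uses; anything else is denied.
ROLE_PURPOSES = {
    "physician": {"treatment"},
    "billing": {"payment"},
    "compliance": {"operations"},
    "environmental_services": set(),  # trained on HIPAA, but no PHI access
}

# Hypothetical HMAC key for the log chain; in production keep it in a secrets
# manager, separate from the database the log protects, and rotate it.
LOG_KEY = b"rotate-me-and-store-in-a-secret-manager"
GENESIS = "0" * 64


def _mac(body: dict) -> str:
    # Canonical JSON so the same entry always produces the same MAC.
    return hmac.new(LOG_KEY, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def append(self, actor, role, patient_id, purpose, granted, when):
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        body = {
            "ts": when.isoformat(), "actor": actor, "role": role,
            "patient": patient_id, "purpose": purpose, "granted": granted,
            "prev": prev,  # ties this entry to the one before it
        }
        body["mac"] = _mac(body)
        self.entries.append(body)

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered, removed or reordered."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "mac"}
            if body["prev"] != prev or not hmac.compare_digest(_mac(body), e["mac"]):
                return False
            prev = e["mac"]
        return True

    def who_accessed(self, patient_id, day: str):
        """The auditor's question: which actors viewed this patient's record on YYYY-MM-DD?"""
        return [e["actor"] for e in self.entries
                if e["patient"] == patient_id and e["granted"] and e["ts"].startswith(day)]


def read_record(log: AuditLog, actor, role, patient_id, purpose, when=None):
    """Return the record only if the caller's role permits the stated purpose.
    The attempt is logged whether or not it is granted, so snooping leaves a trace."""
    when = when or datetime.now(timezone.utc)
    allowed = purpose in ROLE_PURPOSES.get(role, set()) and patient_id in RECORDS
    log.append(actor, role, patient_id, purpose, allowed, when)
    return RECORDS[patient_id] if allowed else None


if __name__ == "__main__":
    log = AuditLog()
    t = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    read_record(log, "dr.lee", "physician", "P-1001", "treatment", t)
    read_record(log, "j.doe", "environmental_services", "P-1001", "treatment", t)
    print("accessed P-1001 on 2024-03-01:", log.who_accessed("P-1001", "2024-03-01"))
    print("log intact:", log.verify())
```

Denied attempts are logged deliberately: a pattern of denials against one patient's record is often the first sign of snooping or a compromised account. The chain only proves integrity relative to the key, so anyone who can read the database and the key can rewrite history; shipping the entries to a separate write-once log store closes that gap.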
HIPAA has far-reaching implications, changing the way many healthcare providers operate. By meeting HIPAA compliance requirements for software security, you can reduce internal and external threats and ensure that your health-sensitive data remains safe.
However, lack of encryption, insecure communication channels, and inconsistent access controls are common problems in medical software. There is no official HIPAA certification, so demonstrating compliance for mobile apps and remote patient monitoring software rests entirely on your own risk analysis, safeguards, and documentation, which makes these projects especially demanding. Even something as trivial as a push notification can constitute a HIPAA violation if it shows PHI on a lock screen. Developing secure and HIPAA-compliant software is always a challenge.
At Itirra, we know the ins and outs of HIPAA-compliant software development. Our team has extensive experience developing secure healthcare solutions such as EHR and EMR platforms, ERP and CRM software, and mobile healthcare applications. Contact us today to learn how to achieve and maintain HIPAA compliance while developing healthcare software for your business.