HIPAA Compliance Guide

This comprehensive HIPAA compliance guide provides information that can help organizations comply with the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act – i.e., the HIPAA Administrative Requirements, the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule.

The Guide breaks down the key parts of the Administrative Requirements and the Privacy, Security and Breach Notification Rules, describes how HIPAA is enforced, and explains why protecting the privacy of individually identifiable health information and ensuring the confidentiality, integrity, and availability of electronic Protected Health Information is important.

1. The HIPAA Compliance Guide: Introduction

This HIPAA Compliance Guide has been compiled for the benefit of any member of a Covered Entity´s workforce who has been assigned the role of HIPAA Privacy Office and/or HIPAA Security Officer. It should also be of value to Business Associates that have access to Protected Health Information (PHI) for the provision of services to – or on behalf of – a Covered Entity.

However, it is important to be aware that there is no one-size-fits-all solution for achieving HIPAA compliance. Many different types of organizations are required to comply with the Administrative Simplification provisions of HIPAA, and the language of the HIPAA Administrative Requirements, Privacy Rule, Security Rule, and Breach Notification Rule reflects this.

Our intention for this HIPAA Compliance Guide is to provide an extensive outline of what Privacy and Security Officers need to know before implementing measures to comply with HIPAA. Consequently, information provided in this Guide is not legal advice, but rather the foundation for more research depending on the nature of the organization´s operations.

2. Who Must Comply with HIPAA?

There are two categories of organizations that must comply with HIPAA – “Covered Entities” and “Business Associates”. HIPAA Covered Entities are health plans, health care clearinghouses, and healthcare providers that transmit health information in electronic form in connection with a transaction for which the Department of Health & Human Services (HHS) has developed standards.

HIPAA
Compliance
Checklist

Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

Business Associates are persons or organizations that create, receive, maintain, or transmit Protected Health Information (PHI) in the provision of a service for or on behalf of a Covered Entity. Subcontractors engaged by Business Associates are also required to comply with HIPAA if they create, receive, maintain, or transmit PHI, as they are Business Associates of Business Associates.

Employees, students, trainees, volunteers, and other persons “under the direct control” of a Covered Entity or Business Associate are not Business Associates but members of the organization´s workforce. Workforce members are required to comply with HIPAA via the policies and procedures implemented by the Covered Entity or Business Associate they work for.

HIPAA Covered Entities Explained in More Detail

It is important for health plans, health care clearing houses, and healthcare providers to read the definitions section of the General Provisions (§160.103) because there are exceptions to Covered Entities for each type of organization. For example, health plans that offer health care coverage as a supplement to automobile liability insurance are not Covered Entities.

With regards to healthcare providers, it is also advisable to review what transactions HHS has developed standards for (see Section 4 – Administrative Requirements) because some healthcare providers do not conduct these transactions electronically. (Note: non-recorded telephone calls and paper-to-paper non-digital fax communications are not electronic transactions).

However, if a health plan, health care clearinghouse, or healthcare provider who does not qualify as a Covered Entity provides a service for or on behalf of a Covered Entity as a Business Associate, the organization has to comply with any Privacy Rule standards stipulated in the Business Associate Agreement along with all Security Rule and Breach Notification Rule standards.

HIPAA Business Associates Explained in More Detail

Business Associates can be any type of person or organization that provides a service for or on behalf of a Covered Entity. The most commonly quoted examples of Business Associates are third party administrators, accountants whose services to a healthcare provider involve access to PHI, and independent medical transcriptionists that provide transcription services.

Since the growth of cloud computing, Cloud Service Providers (e.g., AWS, Azure, Google, etc.) and software vendors that maintain PHI in the cloud have increasingly been used as Business Associates. It is important to be aware that even if a service provider or software vendor cannot access stored ePHI because it is encrypted, it is still necessary to enter into a Business Associate Agreement.

It is also the case that Covered Entities can be Business Associates of other Covered Entities; although there are multiple exemptions to when such arrangements apply. For example, if PHI is disclosed to a Covered Entity for a “permissible use”, or if both Covered Entities are part of an Organized Health Care Arrangement, there is no need to enter into a Business Associate Agreement.

3. The Objectives and Evolution of HIPAA

As the title of the Act suggests, the original objective of HIPAA was to improve the portability of health insurance coverage so that group health plan members could keep their health benefits when they changed jobs. As President Clinton said at the signing of the Act, “No longer need you hesitate about taking a better job because you are afraid to lose your coverage”.

To avoid health plans passing on the cost of HIPAA´s portability provisions as higher premiums for employers and plan members, Title II of HIPAA introduced measures to reduce health insurance fraud and simplify the administration of transactions between group health plans and healthcare providers. These evolved into the Administrative Simplification provisions.

The first of the Administrative Simplification provisions to be published were the Administrative Requirements. These are explained in greater detail below, but they effectively standardized identifiers used by Covered Entities and code sets used for certain “covered” electronic transactions between group health plans, health care clearing houses, and healthcare providers.

The HIPAA Privacy and Security Rules Take Shape

When HIPAA was passed in 1996, Congress instructed the Secretary of Health and Human Services (HHS) to promulgate regulations for the privacy of health information if legislation was not passed by Congress within three years. Consequently, it was not until December 2000 that the Privacy Rule was published – only to be modified and republished with an effective date of April 2003.

The Privacy Rule generally focuses on permissible uses and disclosures of PHI, uses and disclosures of PHI requiring authorization, and individuals´ rights to obtain a copy of their health information, know with whom their health information had been shared, and object to certain uses and disclosures. The Privacy Rule also includes the requirements for workforce privacy training.

The Security Rule came into force two years later in April 2005. The Security Rule deals specifically with electronic PHI (ePHI) and stipulates three classes of safeguards – administrative, physical, and technical – which have the objective of ensuring the confidentiality, integrity, and availability of ePHI. These safeguards have the following primary goals:

  • Administrative– To conduct risk analyses and create policies that control access to ePHI and support business continuity plans.
  • Physical– To control access to facilities in which ePHI is maintained and manage the disposal of ePHI on devices and other media.
  • Technical– To implement audit controls, integrity controls, user verification controls, and measures such as automatic logoff.

Additionally, the Security Rule includes General Rules explaining the “flexibility of approach” concept and the difference between “required” implementation specifications and “addressable” implementation specifications. It also includes an Organizational Requirements section which deals with the assurances that need to be obtained before ePHI can be disclosed to a Business Associate.

The Introduction of the HIPAA Enforcement Rule

By early 2006, HHS had received almost 19,000 complaints from individuals relating to Privacy Rule violations. The Enforcement Rule of 2006 establishes how HHS´ Office for Civil Rights will conduct investigations and determine liability for Covered Entities found to have violated any of the Administrative Simplification provisions (this was subsequently extended to Business Associates).

The Enforcement Rule explains how financial civil penalties will be calculated for HIPAA violations. Initially these were set in the HIPAA Act as a maximum of $100 per violation up to a maximum of $25,000 per year. However, at the time, HHS´ Office for Civil Rights could only impose financial penalties if it could prove “willful neglect” of HIPAA. These provisions were later amended via the HITECH Act and the Omnibus Final Rule.

The HITECH Act of 2009 and the HIPAA Breach Notification Rule

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 had the primary goal of incentivizing healthcare providers to adopt Electronic Health Records (EHRs). HITECH also introduced changes to the Privacy and Security Rules, made Business Associates directly liable for HIPAA violations, and brought in a new tiered structure for civil financial penalties.

A new Breach Notification Rule was also introduced that required Covered Entities and Business Associates to notify individuals when unsecured PHI was accessed or disclosed without authorization or compromised in a data breach. The Rule also required breach notifications to HHS´ Office for Civil Rights and the media. In some states, the Office of the State Attorney General must also be notified.

The Omnibus Final Rule of 2013

The most recent major change to HIPAA was the publication of the Omnibus Final Rule in 2013. The rule codified many of the provisions of HITECH and amended several definitions to address previous misunderstandings – for example the definition of “Workforce” was changed to make it clear the term includes all persons under the direct control of the Covered Entity or Business Associate.

Also codified were the increased civil financial penalties for HIPAA violations – at the time increasing the maximum Enforcement Rule penalties from $25,000 to $1.5 million per year (the current penalty amounts can be found later in the HIPAA Compliance Guide). Importantly, HHS´ Office for Civil Rights no longer had to prove an organization´s “willful neglect” in order to impose a civil financial penalty.

The HIPAA Compliance Audit Program

In 2011, HHS´ Office for Civil Rights commenced a series of pilot compliance audits to assess how well healthcare providers were complying with the HIPAA Privacy, Security, and Breach Notification Rules. The first round of audits was completed in 2012 and highlighted a poor state of HIPAA compliance.

Audited organizations registered numerous violations of the HIPAA Breach Notification Rule, HIPAA Privacy Rule, and HIPAA Security Rule, with the latter resulting in the highest number of violations. HHS´ Office for Civil Rights provided technical guidance to organizations found to be in violation of HIPAA in order to help them achieve compliance.

A second round of compliance audits in 2016/7 focused on the most problematic areas of compliance for healthcare providers:

  • Impermissible uses and disclosures of PHI
  • Lack of safeguards of PHI due to failing to conduct a risk assessment
  • Failure to provide patient access to PHI
  • Lack of administrative safeguards for ePHI
  • Uses or disclosures of more than the minimum necessary PHI

As a consequence of the second round of compliance audits, HHS announced an enforcement initiative against healthcare organizations that failed to comply with the patients´ rights provisions of the Privacy Rule. Subsequently, dozens of healthcare organizations – from small private practices to large healthcare groups – have received civil financial penalties for failing to comply with HIPAA.

Recent and Proposed Privacy Rule Changes (updated for 2022)

Over recent years there have been minor changes to the Privacy Rule to account for issues such as patient access to test results under Clinical Laboratory Improvement Amendments (2014) and disclosing limited PHI to the National Instant Criminal Background Check System (2016). Additionally, throughout the COVID-19 pandemic, several temporary Notices of Enforcement Discretion were issued to allow some non-compliant activities during the public health emergency.

In 2021, HHS´ Office for Civil Rights released a Notice of Proposed Rulemaking which included sweeping changes to some areas of the Privacy Rules. The proposed changes include:

  • Allowing patients to inspect PHI in person and take notes or photographs.
  • Changing the maximum time to provide access to PHI from 30 days to 15 days.
  • Individuals will be permitted to request PHI is transferred to a personal health app.
  • A pathway created for individuals to direct the sharing of PHI maintained in an EHR among covered entities.
  • Healthcare providers and health plans will be required to respond to certain records requests from other covered health care providers and health plans.
  • The requirement for HIPAA-covered entities to obtain written confirmation that a Notice of Privacy Practices has been provided will be dropped.
  • Covered entities will be allowed to disclose PHI to avert a threat to health or safety when harm is “seriously and reasonably foreseeable.”
  • Covered entities will be permitted to make certain uses and disclosures of PHI based on their good faith belief that it is in the best interest of the individual.
  • The definition of healthcare operations will be broadened to cover care coordination and case management.

The comment period for the Notice of Proposed Rulemaking is currently still open, so it is not yet known whether all the proposed provisions will be enacted and when that might be.

Recent and Proposed Security Rule Changes (updated for 2022)

Although there have been no recent Security Rule changes, a 2021 amendment to the HITECH Act and a proposed implementation of a HITECH Act provision could have significant implications on how the Security Rule is enforced.

The 2021 amendment to the HITECH Act – also known as the Safe Harbor Bill – instructs HHS´ Office for Civil Rights to take into account the security measures a Covered Entity or Business Associate has implemented when considering enforcement action and calculating financial civil penalties. To qualify for enforcement discretion, the security measures must mirror a recognized security framework and must have been in place for the twelve months preceding a reported data breach.

In April 2022, HHS released a Request for Information (RFI) seeking comments on how best to take into account compliance with a recognized security framework. The RFI also solicited opinion on how best to implement an as yet unenacted provision of the HITECH Act (§13410(c)(3)) which calls of HHS´ Office for Civil Rights to develop a methodology for “settlement sharing”, in which victims of data breaches can claim a percentage of civil monetary penalties.

As RFIs can take years to develop into Notices of Proposed Rulemaking – and considering HHS´ Office for Civil Rights has unsuccessfully attempted to implement the settlement sharing provision before – it is not known when – or if – these provisions will be adopted. However, if HITECH §13410(c)(3) is adopted, it may increase the number of HIPAA violations resolved by civil monetary penalties – unless perpetrators can demonstrate compliance with a recognized security framework.

Summary: What Does HIPAA Protect?

HIPAA establishes national standards to protect individuals´ medical records and other individually identifiable information that could be used – if disclosed impermissibly – to commit identity theft and fraud. The protection offered by HIPAA benefits patients and plan members because they are better protected against identity theft, healthcare providers because they are better protected against providing healthcare they may not get paid for, and health plans because they are less likely to be sent claims for payment when treatment has been provided to fraudulent non-members.

HIPAA also protects patients´ rights to have more control over their health information. Explained in more detail below, patients have the rights to request a copy of their health records, request corrections when errors or omissions exist, and instruct a healthcare provider to send a copy of their health information to an alternative healthcare provider. If the proposed changes to the Privacy Rule are enacted, patients will also have the right to request the transfer of PHI to a personal health app.

4. The HIPAA Administrative Requirements

One of the main aims of Title II of HIPAA was to simplify the administration of healthcare-related transactions in order to reduce fraud and abuse, improve efficiency, and reduce costs. Prior to the passage of HIPAA, healthcare providers and health plans often used different code sets in administrative and financial transactions, creating unnecessary complexity and inefficiency.

Consequently, one of the priorities for HHS was to standardize unique identifiers for Covered Entities, adopt nationwide code sets, and stipulate which transactions they would apply to.

Unique identifiers

All Covered Entities are required to use unique identifiers in HIPAA covered transactions. The Administrative Regulations stipulate the source of each type of unique for health plans, healthcare providers, and employers:

  • Health Plan Identifier (HPID)
  • National Provider Identifier (NPI)
  • An Employer Identifier Number (EIN)

Code Sets

The code sets required for HIPAA compliance have changed since they were initially standardized due to the limitations of the ICD-9 disease classification system and Version 4010/4010A1 of the X12 standard. Since 2014, Covered Entities have been required to use the following code sets:

  • ICD-10-CM for diseases, injuries, impairments, other health problems, and the causes of diseases, injuries, impairments, and other health problems.
  • ICD-10-PCS for prevention, diagnoses, treatment, and management.
  • HCPCS for medical supplies, orthotic and prosthetic devices, and durable medical equipment.
  • HCPCS/CPT-4 for physician services, therapy services, radiologic procedures, lab tests, other medical diagnostic procedures, hearing and vision services, and transportation services including ambulance services.
  • National Drug Codes (NDCs) for drugs and biologics.
  • Code on Dental Procedures and Nomenclature for dental services

Applicable Electronic Covered Transactions

There are eight electronic covered transactions that determine whether a healthcare provider is a Covered Entity or not. It is important to be aware that if a Covered Entity conducts some transactions electronically and other by non-electronic channels, all transactions are covered by the HIPAA Administrative Requirements.

  • Health care claims and equivalent encounter information
  • Enrollment and disenrollment in a health plan
  • Health care payment and remittance advice
  • Health plan premium payments
  • Health care claim status requests and responses
  • Referral certification and authorization
  • Eligibility inquiry and response
  • Coordination of benefits

Additionally, all health plans, health care clearinghouses, and healthcare providers that qualify as HIPAA Covered Entities must comply with the Operating Rules required by the Patient Protection and Affordable Care Act.  The Operating Rules specify what information must be included in covered transactions to make the handling of administrative transactions more efficient.

Compliance and Enforcement of the HIPAA Administrative Regulations

While HHS´ Office for Civil Rights is responsible for issuing guidance and enforcing compliance with the Privacy, Security, and Breach Notification Rules, the administration and enforcement of the Administrative Regulations is the responsibility of the Centers for Medicare & Medicaid Services (CMS), irrespective of whether providers accept Medicare or Medicaid.

In 2019, CMS commenced an audit program to assess compliance with the Administrative Regulation. Audits are conducted on a range of healthcare providers to ensure they are adhering to the Administrative Regulation standards; and, if an organization is found not to be complying with the Administrative Regulation, CMS has the authority to impose a Corrective Action Plan.

Importantly, whereas Business Associates have direct liability for violations of the Privacy, Security, and Breach Notification Rules, guidance issued by CMS in March 2022 maintains that Covered Entities are responsible for Business Associate compliance with the Administrative Regulations and will be considered liable of any violations of this subpart.

5. The HIPAA Privacy Rule

5.1 What is the HIPAA Privacy Rule?

5.2 What is PHI?

5.3 When Can PHI be Disclosed?

5.4 HIPAA Authorizations

5.5 The Minimum Necessary Standard

5.6 De-identification of PHI

5.7 Marketing and Fundraising Protocols

5.8 Patient Access to Medical Records

5.9 Charging for Copies of PHI

5.10 Amendments to Healthcare Records

5.11 Accounting of Disclosures of PHI

5.12 Notices of Privacy Practices

5.1. What is the HIPAA Privacy Rule?

“The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, healthcare clearinghouses, and those healthcare providers that conduct certain healthcare transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records and to request corrections”

Definition provided by the US Department of Health and Human Services

The Privacy Rule has just two objectives – to protect the privacy of personal health information by stipulating what uses and disclosures of individually identifiable health information are allowed under HIPAA, and to set standards for individuals´ privacy rights so individuals understand – and can control – how their health information is used and who it is shared with.

It achieves its objectives by creating categories in which uses and disclosures of PHI are required, permissible, require authorization, or are subject to a healthcare professional´s “good faith” judgement. These categories integrate with individuals´ rights inasmuch as – under the Privacy Rule – individuals have the right to request an accounting of disclosures and object to certain disclosures.

However, to add to the complexity of the Privacy Rule, HIPAA pre-empts most other federal and state laws unless a law has more stringent privacy protections and/or gives individuals more privacy rights than HIPAA. Where more stringent protections and/or privacy rights exist, compliance with these laws (or parts thereof) takes precedence over the corresponding HIPAA standard.

Consequently, the designated Privacy Officer not only has to ensure the organization they represent complies with HIPAA´s “federal floor” of privacy protections and individuals´ rights but implements policies and procedures that account for more stringent federal and state laws. As these can vary according to the location of the Covered Entity and the nature of its operations, it is advisable to seek advice from a compliance professional if you are unsure about your compliance obligations.

5.2. What is PHI?

To fully understand what is PHI, you have to return to the definitions section of the General Provisions (§160.103) and work backwards. This is because the General Provisions define PHI as individually identifiable health information that is “transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium.”

There are exceptions inasmuch as the individually identifiable health information of students is considered part of their educational records by the Family Educational and Privacy Rights Act (FERPA) and – in a school setting – is not protected by HIPAA. Similarly, the health information of students in postsecondary education is not protected by HIPAA (see 20 U.S.C. 1232g(a)(4)(B)(iv)).

In addition, any individually identifiable health information maintained in an employment record by a Covered Entity is not protected by HIPAA, nor is any individually identifiable health information related to a person who has been deceased for fifty years or more. But what qualifies as individually identifiable health information and what is its connection with the eighteen PHI identifiers?

Individually identifiable health information is defined in the General Provisions as information – including demographic information – that is created or received by a Covered Entity that “relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment of health care to an individual.”

HIPAA
Compliance
Checklist

Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

In the context of explaining what is PHI, the key phrase in this definition is “demographic information” as this can relate to any information that could identify the subject of the health information or could be used with other information maintained in the same designated record set to identify the individual. Therefore, all information maintained in a designated record set should be regarded as PHI regardless of whether it relates to an individual´s health or payment for health care.

The Eighteen PHI Identifiers

The eighteen PHI identifiers are the eighteen personal identifiers most commonly included in designated record sets that could be used – either independently or with other demographic information – to identify an individual. The reason they are often (and incorrectly) used to explain what is PHI is because these eighteen PHI identifiers have to be removed from a designated record set before any health information remaining in the record set is considered to be de-identified.

The eighteen personal identifiers are:

  • Names
  • All geographical data smaller than a state
  • Dates (other than year) directly related to an individual
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health insurance plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers including license plates
  • Device identifiers and serial numbers
  • Web URLs
  • Internet protocol (IP) addresses
  • Biometric identifiers (i.e., retinal scan, fingerprints, Etc.)
  • Full face photos and comparable images
  • Any unique identifying number, characteristic, or code

This list should not be considered as exhaustive. Any information maintained in the same record set as an individual´s health or payment information has to be protected. Therefore, if a designated record set included information about a patient´s emotional support animal, and the information was sufficient to identify the patient, the information must be protected from unauthorized uses and disclosures in the same way as the patient´s name or any of the other identifiers.

What is a Designated Record Set?

A designated record set is defined in the HIPAA Privacy Rule – 45 CFR 164.501 – as a group of records maintained by or for a Covered Entity. A designated record set includes the following types of information:

  • Medical and billing records maintained by or for a healthcare provider
  • Enrollment, claims adjudication, payment, and case and/or medical management record systems maintained by or for a health plan
  • Records that are used, in whole or in part, by or for a Covered Entity to make decisions about individuals, even if that information has not actually been used to make a decision.

The term “Record” includes any items, collections, or groupings of information that includes PHI that is maintained, collected, used, or shared by or on behalf of a Covered Entity.

Individuals have the right to access information maintained in a designated record set for as long as it is held by a Covered Entity or Business Associate. This may include information stored onsite or offsite, in any form, including PHI that originated from another Covered Entity. Individuals´ rights of access and right to request corrections where errors exist are discussed later in this section.

Who Has the Responsibility to Protect PHI?

Although Privacy Officers have the responsibility to develop policies and procedures that comply with the federal floor of privacy protections and any other federal or state laws that apply, every member of a Covered Entity´s workforce has a responsibility to protect PHI – from the C-Suite down, even when members of the workforce have no direct access to PHI.

This is because any impermissible use or disclosure, or any failure to respond to an individual´s right of access in a timely manner, can result in a complaint to HHS´ Office for Civil Rights. Over the past few years, HHS´ Office for Civil Rights has stepped up enforcement action on violations of this type – which may not only be expensive for the Covered Entity but can also disrupt operations.

Consequently, it is important that all members of the workforce receive some degree of Privacy Rule training in addition to the security awareness training required by the Security Rule. Although this is beyond the Privacy Rule HIPAA training requirements – which require members of the workforce to be trained on HIPAA policies and procedures relevant to their roles – the benefits of HIPAA compliance significantly outweigh the costs of non-compliance.

5.3. When Can PHI be Disclosed?

The Privacy Rule limits how PHI can be used and disclosed in order to protect healthcare and payment information while attempting to avoid the creation of unnecessary barriers that could impact the delivery of healthcare. As mentioned previously, It achieves this objective by creating categories in which uses and disclosures of PHI are required, permissible, or require authorization.

There are only two scenarios in which the disclosure of PHI is required – when disclosing PHI to an individual or their appointed representative in response to an access request, and to inspectors from HHS´ Office for Civil Rights during a compliance investigation, an audit, or a review of enforcement action when the enforcement action includes a Corrective Action Plan.

There are multiple scenarios in which the use or disclosure of PHI is permitted – but not required. These include (but are not limited to):

  • Disclosures to the individual or the individual´s appointed representative other than when responding to an access request or accounting of disclosures.
  • For treatment, payment, and healthcare operations (TPOs) – health care operations including performance evaluations, medical reviews, and business management.
  • When a disclosure is incidental to a permitted disclosure, as long as the permitted disclosure and the incidental disclosure were limited to the minimum necessary.
  • When a use or disclosure is for public interest and benefit activities. There are twelve such public interest and benefit activities that can be found under 164.501 onward.
  • When PHI is used or disclosed in a Limited Data Set for the purposes of research, public health, or health care operations subject to a data use agreement being in place.
  • When a Covered Entity of Business Associate receives a subpoena for medical records in connection with a judicial or administrative proceeding.

There are exceptions to the above inasmuch as psychotherapy notes and substance abuse disorder records cannot be disclosed without an authorization from a patient, which – like all authorizations – a patient has the right to revoke. There are also scenarios in which a patient should be given the opportunity to agree or object to a disclosure (for example, to notify families of admission); but, if the patient is unable to agree or object, a healthcare professional can make a good faith judgement.

5.4. HIPAA Authorizations

Prior to any use or disclosure of an individual’s PHI that is not required or permitted by the HIPAA Privacy Rule, written authorization must be obtained from the individual. A HIPAA authorization is a detailed written document that authorizes a Covered Entity to use or disclose an individual’s PHI for the specific purposes outlined in the authorization form. There are several required elements for authorization forms. They must include:

  • Meaningful and specific information about the uses and disclosures the patient is authorizing
  • The name or details of the class of person authorized to use or disclose PHI and the name or class of person to whom the information will be disclosed.
  • The purpose of the use or disclosure
  • The time frame that the authorization covers, including an expiry date.
  • The individual’s signature and the date that the authorization was given

The individual must also be notified on the form that they have the right to revoke the authorization by submitting a request in writing together with either:

  • Exceptions to the right to revoke and details of how the right to revoke the authorization can be exercised; or
  • The extent to which that information is detailed in the organization’s Notice of Privacy Practices.

The authorization must also state the ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization.

What HIPAA Information Can be Shared?

To summarize what has been discussed under the Privacy Rule section thus far, all HIPAA information (PHI, policies, risk assessments, training records, patient authorizations, etc.) must be shared with inspectors from HHS´ Office for Civil Rights when requested during a compliance investigation, an audit, or a review of enforcement action. All PHI maintained in a designated record set must be shared with a patient when requested by the patient or the patient´s representative.

Thereafter, there are circumstances when HIPAA information (usually PHI) can be shared with other Covered Entities for treatment, payment, and healthcare operations, or with Business Associates who perform a service for or on behalf of the Covered Entity – provided an appropriate Business Associate Agreement is in place. Disclosures of this nature – and for other permissible use and disclosures of PHI – are subject to the Minimum Necessary Standard (explained below).

The only other circumstances in which HIPAA information can be shared require the written authorization of the patient or plan member. These disclosures are more specific in nature inasmuch as the patient or plan member must authorize what HIPAA is being shared, who it is being shared with, and for what purpose. With these time of disclosures, it is important to limit the time frame during which the HIPAA information is shared, and be aware of the right to revoke authorization.

5.5. The HIPAA Minimum Necessary Standard

In addition to the Privacy Rule stipulating the required and permissible uses and disclosures of PHI, there is also a restriction placed on how much PHI can be used or disclosed under the Minimum Necessary Standard. This standard limits uses, disclosures, and requests for PHI to the minimum amount necessary to achieve the desired purpose. The Minimum Necessary Standard applies to PHI in all forms, including physical records, electronic PHI, and verbal disclosures of PHI.

Covered Entities are required to develop policies and procedures that reasonably limit uses, disclosures, and requests for PHI. However, the Covered Entity has to determine how much PHI is required to achieve a particular purpose – including disclosures to other HIPAA Covered Entities, PHI accessed by workforce members, and disclosures of PHI to Business Associates.

Therefore, under this standard, it is necessary to develop role-based access policies and procedures that limit which members of its workforce may have access to PHI for treatment, payment and healthcare operations, and the amount of PHI that can be accessed. However, there are a limited number of exceptions in which the HIPAA Minimum Necessary Standard does not apply. These are:

  • Disclosures to a healthcare provider for the purpose of treating patients and requests from healthcare providers for PHI for treatment purposes.
  • Disclosures to an individual who is exercising the right to access or to obtain a copy of their healthcare information that is part of a designated record set.
  • Disclosures of PHI that have been compiled for civil, criminal, or administrative actions or proceedings.
  • A use of disclosure pursuant to a valid authorization.
  • Uses and disclosures required by law.
  • Disclosures to HHS during a compliance investigation, audit, or review.

5.6. De-identification of Protected Health Information

The HIPAA Privacy Rule places restrictions on uses and disclosures of identifiable protected health information, but if health information is stripped of all information that identifies an individual, secondary uses of that information are permitted, such as the provision of the information to organizations for research purposes.

The HIPAA Privacy Rule stipulates two methods that can be used to de-identify protected health information: Expert Determination and the Safe Harbor method.

Expert determination requires a person with appropriate experience and knowledge of generally accepted statistical and scientific principles, and techniques for removing individually identifiable information, to apply those principles and methods and determine that the risk of an individual being identified from the data is very small, either using the information alone or in combination with other information that is reasonably available. The methods used and the results of any analyses must be documented and must justify the determination.

The safe harbor method involves the removal of all 18 types of identifiers detailed in the “What is PHI” section of this guide.

When either of these approaches is used, PHI is no longer identifiable and is no longer protected by the HIPAA Privacy Rule.

5.7. Marketing and Fundraising Protocols

Restrictions on the use of PHI for Marketing

The Privacy Rule strictly limits uses and disclosures of PHI beyond those that are required or permitted. For example, the Privacy Rule expressly prohibits Covered Entities from selling PHI to third parties and using PHI for marketing activities without prior authorization from the individual.

The Privacy Rule states that, if a Covered Entity receives “financial remuneration” for disclosing PHI in order to advertise a third-party product or service, then prior authorization must be obtained from the individual. With some limited exceptions, business associates are prohibited from using PHI for marketing purposes.

Refill reminders or other communications about a currently prescribed drug for an individual, including self-administered drugs or biologics (such as insulin pumps) are excluded from this prohibition, but only if any received financial remuneration is reasonably related to the cost of making the communication.

Face to face marketing, including the handing out of written materials such as pamphlets and promotional gifts of nominal value, are also excluded from the authorization requirement so as not to intrude into the doctor-patient relationship, and also so that healthcare providers can leave general circulation materials in their offices for patients to pick up during their visits.

Additionally, communications for the following treatment and healthcare operations purposes, where no financial remuneration is received, are also excluded from these restrictions:

For the treatment of an individual by a healthcare provider or to direct or recommend alternative treatments, therapies, healthcare providers, or settings of care to the individual

To describe a health-related product or service (or payment for such product or service) that is provided by or is included in a plan – including communications about healthcare providers or health plan networks, enhancements to a health plan, and health-related products or services available only to health plan participants that add value to, but are not part of, an existing plan

For case management or care coordination, contacting individuals with information about treatment alternatives and related functions if these activities do not fall within the definition of treatment.

Financial remuneration is defined as “direct or indirect payment from or on behalf of a third party whose product or service is being described” other than payment for treatment of an individual. “Financial remuneration” does not include non-financial benefits, such as in-kind benefits provided in exchange for making a communication about a product or service. If a Covered Entity is currently sending marketing materials to its participants – or is allowing service providers or vendors to do so through its website – the marketing practices should be evaluated to ensure they are in compliance with the HIPAA Privacy Rule.

Disclosure and Sale of PHI for “Fundraising” Purposes

The Omnibus Final Rule of 2013 further clarified the HITECH Act’s prohibition of the sale of PHI. Under the Omnibus Rule, the sale of PHI generally means a disclosure of PHI if a Covered Entity receives direct or indirect remuneration from or on behalf of the recipient in exchange for the PHI. It is not necessary for a Covered Entity to transfer ownership of the PHI for the transaction to constitute a “sale.”

The Omnibus Final Rule expands the definition of PHI that may be used for fundraising purposes (with patient authorization) to include demographic information relating to the individual – including name, address, other contact information, age, gender and date of birth; dates that healthcare was provided to the individual; information about the general department of treatment (e.g., cardiology, oncology, pediatrics, etc.); the treating physician; outcome information, and health insurance status.

If a Covered Entity uses PHI for authorized fundraising purposes, it must still ensure only the minimum necessary amount of PHI is used or disclosed. A clear and explicit opt-out must be included with all fundraising communications; however, Covered Entities are free to decide what methods individuals can use to opt out of future fundraising communications – provided the method does not constitute an undue burden on an individual.

Please note that any use of PHI for marketing or fundraising must be consistent with a Covered Entity’s “Notice of Privacy Practices” – a subject addressed later in our HIPAA Compliance Guide – and may also be subject to state privacy laws with additional authorization requirements that pre-empt the HIPAA Privacy Rule.

5.8. Patient Access to Medical Records

The HIPAA Privacy Rule has always provided individuals with the right to access and obtain copies of health information maintained in provider or health plan record set. Under the existing provisions, when a patient makes such a request, the covered entity has up to 30 days to provide the requested access or a copy of the requested data; however, the provider or plan could take up to an additional 60 days if the information requested is stored off-site.

Patients can be charged a reasonable, cost-based fee for copies of their designated record sets to cover the cost of both labor and supplies. This right of access has been part of the Privacy Rule since it was first implemented; although many patients have faced obstacles when trying to obtain copies of their PHI.

The Privacy Rule covers identifiable health information in both paper and digital form, so this right of patient access has always applied to all forms of PHI. However, in the HITECH Act, Congress made it clear that, when a patient’s information is stored electronically, patients have the right to obtain an electronic copy and to have that copy sent, at their request, to another person or entity, such as a doctor, caregiver, their personal representative, or mobile health app.

New regulations enacted by the Omnibus Final Rule and proposed in the 2021 Notice of Proposed Rulemaking strengthen this mandate and also clarify how this right to digital data can be exercised. Patients have the right to an electronic copy “in the form or format they request” – but only if the provider or plan is capable of producing the copy in the requested format.

The new rules still allow healthcare providers and health plans to ask patients to submit written requests for copies of their health information, although this is not a requirement of the Privacy Rule. However, if the patient wants to have the electronic copy transmitted directly to a third party, the new rules require that this type of request must be in writing and be signed by the patient.

Per existing requirements of the Privacy and Security Rules, healthcare providers or health plans sending identifiable health information per a patient’s request, must take steps to verify the identity of the patient and recipient prior to sending the information. They must also conduct checks to ensure the correct records are sent and must implement safeguards to protect the integrity of ePHI in transit.

Although the Security Rule requires healthcare providers and health plans to implement safeguards for transmitting identifiable health information, patients also have the right to get their copies through unencrypted channels – such as email – if they so choose. Healthcare providers and health plans are required to advise patients of the risk of receiving information through insecure channels.

5.9. Charging for Copies of PHI

As previously mentioned, HIPAA Covered Entities are permitted to impose a fee for responding to requests from individuals who exercise their right to obtain a copy of their health information.

The fees charged must be reasonable and cost-based and can include the cost of creating a summary of health information or providing an explanation – if a summary or explanation has been requested by the individual – the cost of labor for copying information, the cost of supplies such as paper or electronic media if an electronic copy is requested, and postage costs if the individual has chosen to have the information mailed. HIPAA Covered Entities are not permitted to charge for the time it takes to locate, retrieve, and handle PHI.

There are three methods that can be used for calculating fees: Actual costs, average costs, or a flat fee. If the actual cost method is used, an individual should be told in advance approximately how much the fee will be. Average costs can be calculated, and a schedule of costs created for different types of requests. The cost of any media that is required to satisfy the request can be added to that charge. The flat fee method allows a charge up to a maximum of $6.50, inclusive of all labor, supplies, and postage costs for supplying copies of ePHI.

5.10. Amendments to Healthcare Records

One of main reasons why patients should be encouraged to obtain a copy of their health information is to check for errors and omissions. If an error or omission is found, a request to amend the records can be submitted in writing. It is acceptable for Covered Entities to require a reason for an amendment to be provided as long as the individual is notified in advance. It is also necessary for Covered Entities to document the persons or officers responsible for processing these requests.

If the request is accepted, the amendment must be made within 60 days of receiving the amendment request. It is possible to extend this time limit by 30 days provided that the individual is notified in writing and is provided with a valid reason why the delay is necessary. The individual must be notified if the amendment request has been accepted and the covered entity should obtain an agreement from the individual if the amendment needs to be shared with others. That information must then be shared within a reasonable time frame.

It is permitted to deny a request to amend health records if the PHI was not created by the Covered Entity, provided the originator is still able to act on an amendment request. A request can also be denied if the request requires changes to information that is not part of the designated record set, if the record would not be available for inspection, or is accurate and complete.

If the request is denied, the individual must be notified of the reason why the request was denied. They must also be informed that they have a right to submit a written statement disagreeing with the denial, be informed that they have the right to include the request and denial in any future disclosures of PHI, and the individual should be told how a complaint can be filed with the HHS. The contact information of an employee of the covered entity responsible for handling complaints should also be provided.

5.11. Accounting of Disclosures of PHI

HIPAA Covered Entities must create and implement policies and procedures for recording and maintaining a list of disclosures of PHI, both by the Covered Entity and their Business Associates. Disclosures do not need to be recorded if they:

  • Are required for treatment, payment, or health care operations
  • Information is disclosed to the patient or their nominated representative
  • Disclosures are made to individuals involved in an individual’s healthcare or payment for healthcare
  • If the disclosure is pursuant to an authorization
  • Involves the disclosure of a limited data set
  • Disclosures are made for national security or law enforcement purposes

Individuals have a right to an account of disclosures and must be provided, on request, with a list of the recorded disclosures for 6 years prior to the date that the request is made. They should be provided with the date and time of access, the name of the person/entity that accessed the information, a description of what the individual/entity did with the information (created, modified, accessed, or deleted information), and a description of the information accessed.

The request must be acted on within 60 days being received. It is not permissible to charge an individual for exercising their right to be provided with this information in the first instance in any 12 month period. A reasonable, cost-based fee can be charged for processing subsequent requests in the same 12 month period.

5.12. Notice of Privacy Practices

Any use or disclosure of PHI for treatment, payment, or healthcare operations must be consistent with the Covered Entity’s Notice of Privacy Practices (NPPs). A Covered Entity is required to provide patients or plan members with a notice of its privacy practices, including the uses or disclosures of the individual’s information together with the individual’s rights with respect to that information.

The Privacy Rule mandates individuals are informed of the privacy practices of health plans and most healthcare providers. Health plans and covered healthcare providers are required to develop and distribute a notice that provides a clear explanation of these practices and the rights of individuals to request copies of PHI, request corrects where errors exist, and access an accounting of disclosures.

The Notice of Privacy Practices must also explain how the Covered Entity may use and disclose PHI without the individual´s authorization, that – when authorization is required – the individual has the right to revoke the authorization, and how an individual can revoke an authorization. The HIPAA Privacy Rule does not require the following Covered Entities to issue NPPs:

  • Health care clearinghouses, if the only PHI created or received is in the capacity of a Business Associate (see §164.500(b)(1))
  • A correctional institution that is a Covered Entity (e.g., that has a covered healthcare provider component)
  • A group health plan that does not create or receive PHI other than a summary or enrollment/disenrollment information, if benefits are provided through one or more contracts of insurance HMOs/health insurance issuers.

Other than the above exceptions, Covered Entities are required to provide a Notice in plain language that describes:

  • How the Covered Entity may use and disclose an individual’s protected health information.
  • The individual’s rights with respect to PHI and how the individual may exercise those rights, including how the individual may lodge a complaint with the Covered Entity or OCR.
  • The Covered Entity’s legal duties with respect to the information held, including a statement that the Covered Entity is required by law to ensure the privacy of PHI.
  • The contact details for further information about the Covered Entity’s privacy policies
  • The date that the privacy practices are effective

Providing the Notice

A Covered Entity must make its Notice available to any person who asks for it and make it available on any website it maintains if that site provides information about its customer services or benefits. In this regard, it is important to make a distinction: A website privacy policy is not the same as a Notice of Privacy Practices (NPP).

Health Plans must also:

  • Provide the Notice to individuals already covered by a health plan and to new enrollees at the time of enrollment.
  • Provide a revised Notice to individuals covered by the plan within 60 days of a material revision.
  • Notify individuals covered by the plan of the availability of, and how to obtain, the Notice at least once every three years.

Covered Healthcare Providers must also:

Provide the Notice to the individual no later than the date of first service delivery and, except in an emergency treatment situation, make a good faith effort to obtain the individual’s written acknowledgment of receipt of the Notice. If an acknowledgment cannot be obtained, the provider must document his or her efforts to obtain the acknowledgment and the reason why it was not obtained.

HIPAA
Compliance
Checklist

Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

In an emergency treatment situation, healthcare providers are required to provide the Notice after the emergency situation has ended. In these situations, providers are not required to make a good faith effort to obtain a written acknowledgment from individuals.

Make the latest Notice (i.e., the one that reflects any changes in privacy policies) available at the provider’s office or facility (posted for viewing) for individuals to request and take away with them. A Covered Entity may email the Notice to an individual if the individual agrees to receive the Notice electronically.

Organizational Options

Any Covered Entity, including a hybrid entity or an affiliated Covered Entity, may choose to develop more than one Notice, such as when an entity performs different types of covered functions and there are variations in its privacy practices among these covered functions. Covered Entities are encouraged to provide individuals with the most relevant notice possible.

Covered Entities that participate in an Organized Health Care Arrangement may choose to produce a single joint notice if certain requirements are met. For example, the joint notice must describe the Covered Entities and the service delivery sites to which the Notice of Privacy Practices applies. If any one of the participating Covered Entities provides a joint notice to an individual, the Notice distribution requirement with respect to that individual is met for all Covered Entities in the Organized Health Care Arrangement.

6. The HIPAA Security Rule

6.1 What is the HIPAA Security Rule?

6.2 What is the Difference between PHI and ePHI?

6.3 Administrative Safeguards

6.4 Physical Safeguards

6.5 Technical Safeguards

6.1. What is the HIPAA Security Rule?

“The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic Protected Health Information”.

Definition provided by the US Department of Health and Human Services

Whereas the HIPAA Privacy Rule applies to PHI in general, the HIPAA Security Rule applies to the subset of PHI created, received, maintained, or transmitted electronically by Covered Entities and Business Associates.

The reason electronic PHI (ePHI) has its own subset is that ePHI can be acquired and used impermissibly in greater volumes than PHI maintained on paper. Unsecured ePHI can be worth more on the black market than most other data types because, with stolen medical records and personal identifiers, hackers can commit identity theft to obtain loans or credit in the victim´s name, get free medical treatment, or acquire drugs that can be resold.

It is not only individuals who suffer in data breaches. Insurance companies can be billed for treatment that has never taken place or for medical equipment that has never been delivered. Furthermore, medical identity theft is often not immediately identified by a patient or their provider – giving criminals years to milk stolen data. That makes medical data considerably more valuable than (say) credit cards, which tend to be quickly canceled by banks once fraud is detected.

6.2. What is the Difference Between PHI and ePHI?

As mentioned above, the acronym PHI relates to all individually identifiable health information and any personal identifiers stored in the same designated record set regardless of format. The acronym ePHI relates to individually identifiable health information and personal identifiers created, received, maintained, or transmitted electronically.

Because of the threat of ePHI being used impermissibly in greater volumes, the Security Rule consists of comprehensive Administrative, Physical, and Technical safeguards that address potential security gaps and vulnerabilities which could be exploited by hackers to gain access to ePHI. The technical safeguards in particular prevent the exposure of ePHI should a device be lost or stolen.

The requirements to protect ePHI apply irrespective of whether data is “at rest” or “in transit”. For clarity, the term “at rest” relates to ePHI saved on any electronic media (cloud server, computer hard drive, flash drive, personal mobile device, etc.) and the term “in transit” relates to any electronic communication of ePHI (text, IMS, email, pager, file transfer, etc.).

However, before implementing measures to comply with the Security Rule, it is necessary to understand the “flexibility of approach” concept that appears in the General Rules of the Security Rule (§164.306) and the difference between “required” implementation specifications and “addressable” implementation specifications.

The Flexibility of Approach Concept

The flexibility of approach concept gives Covered Entities and Business Associates flexibility in deciding which security measures are “reasonable and appropriate” to meet the implementation specifications in the Administrative, Physical, and Technical safeguards. When exercising the flexible approach, Covered Entities and Business Associates should consider the following:

  • The organization´s size, complexity, and personnel capabilities.
  • The organization´s existing technical infrastructure, hardware, and software security capabilities.
  • The cost of implementing measures to comply with the safeguards.
  • The probability and criticality of potential risks to ePHI.

As mentioned in the following Administrative safeguards, Covered Entities and Business Associates must assign the responsibility for Security Rule compliance to a HIPAA Security Officer. The Security Officer is responsible – among other tasks – for conducting risk analyses and determining which security measures are reasonable and appropriate in the context of the above considerations.

Required and Addressable Implementation Specifications

As the name suggests, “required” implementation specifications must be implemented. “Addressable” implementation specifications must be implemented unless they are unreasonable and/or inappropriate. In the latter case, the reason why the implementation specification if unreasonable and/or inappropriate must be documented, and an alternative measure with at least the equivalent protections used in its place.

6.3. Administrative Safeguards

The Security Rule states the Administrative safeguards are, “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”

The standards for the Administrative safeguards consist of:

  • The Security Management Process
  • Assigned Security Responsibility
  • Workforce Security
  • Information Access Management
  • Security Awareness and Training
  • Security Incident Procedures
  • Contingency Planning
  • Evaluation
  • Business Associate Contracts and Other Arrangements

The Security Management Process

The Security Management Process covers the implementation of policies and procedures to prevent, detect, contain, and correct security violations.

These are categorized into 4 implementation specifications:

Risk Analysis (Required)

A risk analysis is one of the most important elements of the HIPAA Security Rule, yet it is one of the most common areas of noncompliance, as was highlighted by both the pilot and second phase HIPAA audit programs. A risk analysis is a procedure by which the entire organization is assessed for potential security vulnerabilities and risks to the confidentiality, integrity, and availability of ePHI.

If a risk analysis is conducted that is not comprehensive – i.e., does not cover all aspects of data security for both physical PHI and ePHI – security vulnerabilities are likely to remain that could place the confidentiality of health records in jeopardy. Only by identifying ALL risks can an organization take action to effectively manage those risks.

A risk analysis is not a onetime action, but a continuous process of reevaluation and assessment that should take place at regular intervals – in particular after a material change in HIPAA legislation or as part of the process of implementing new software or computer systems that have potential to come into contact with ePHI.

An incomplete or non-compliant risk analysis is one of the most common HIPAA violations uncovered by OCR when investigating complaints and data breaches, and conducting compliance audits. Due to these failures and the importance of the risk assessment, OCR has released guidance on this vital implementation specification. The guidance can be downloaded on this link (PDF)

The risk analysis should not be confused with a gap analysis. A gap analysis is a partial assessment which provides a high-level overview of controls that have been put in place to secure ePHI and identify any areas where gaps may exist.

The gap analysis can be conducted to review compliance with certain implementation specifications of the HIPAA Security Rule and is defined by OCR as “a narrowed examination of a Covered Entity´s or Business Associate’s enterprise to assess whether certain controls or safeguards required by the Security Rule have been implemented.”

A gap analysis is not a substitute for a risk analysis, which is much more in depth and applies to all risks to all ePHI created, received, maintained, or transmitted by a HIPAA-Covered Entity or Business Associate.

Risk Management (Required)

Once a risk analysis has been conducted, and all potential security vulnerabilities identified, covered organizations must then implement security measures sufficient to reduce those risks and vulnerabilities to a reasonable and appropriate level.

Sanction Policy (Required)

A sanction policy must be put in place to allow Privacy and Security Officers to take action against workforce members who fail to comply with HIPAA policies and procedures. All members of the workforce should be made aware of the HIPAA Privacy and Security Rules and must agree to abide by them. The sanctions policy must stipulate the penalties for each type of violation (accidental, lack of care, knowing, etc.).

Information System Activity Review (Required)

It is essential all Covered Entities implement a system – preferably automated – that logs user activity; in particular any requests to access patient records or make amendments to ePHI. Audit logs must be created, and the system must be capable of generating security incident tracking reports.

Even the most robust security systems cannot prevent authorized users from accessing ePHI improperly, so it is essential all attempts to view or alter ePHI are logged, and that these logs are regularly checked for inappropriate access. Inappropriate access – such as employees snooping on patients´ medical records – is a leading cause of data breaches.

Assign Security Responsibility

A HIPAA Security Officer should be appointed and given responsibility for the development, implementation, and enforcement of HIPAA policies and procedures relating to data security.

Individuals can be assigned granular responsibilities such as network security, device management, or site security, provided they report to the Security Officer with overall responsibility for HIPAA compliance. In large organizations, it may be necessary to assign tasks to numerous individuals or a compliance team.

Workforce Security

Access to ePHI must be restricted and carefully controlled, yet healthcare professionals do require access to ePHI in order to do their jobs and provide healthcare services to patients. This means policies and procedures must be developed to ensure members of the workforce have appropriate access to ePHI, as required under the Information Access Management standard, while other members of the workforce must be prevented from viewing ePHI.

The workforce security standard comprises three implementation specifications:

Authorization and/or Supervision (Addressable)

Policies must be developed, and procedures implemented, which allow users to be granted authorization to access or amend ePHI commensurate with their position. In practice this means assessing job descriptions to determine what degree of role-based access is required.

Workforce Clearance Procedure (Addressable)

A clearance procedure must exist that assesses whether the level of access to ePHI an individual workforce member needs to perform his or her duties is appropriate. A clearance procedure must verify an individual has an appropriate level of access to perform their duties.

Termination Procedures (Addressable)

Just as procedures must be developed to grant users access to essential ePHI, procedures must also be in place to terminate those access rights when they are no longer required, such as following a change in the individual’s duties or after the termination of an employment contract.

Information Access Management

The fourth standard covers the management of access to ePHI by members of the workforce who need to view, amend, or update ePHI as part of their regular duties. Controlling access is an essential element of data security that limits the potential for accidental or deliberate disclosure of PHI to non-authorized individuals, while also limiting the possibility of erasure or alteration of ePHI.

The Information Access Management standard has three implementation specifications:

Isolating Healthcare Clearinghouse Functions (Required)

If a healthcare clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that isolate ePHI used or disclosed during HIPAA-covered functions and protects it from unauthorized access by the larger organization.

Access Authorization (Addressable)

This specification is similar to that stated in the Workforce Security standard, but instead of determining access rights, Access Authorization requires policies and procedures to be implemented for granting access to ePHI, such as through a particular workstation or for specific transactions, programs, processes, or other mechanisms.

Access Establishment and Modification (Addressable)

A Covered Entity must implement policies and procedures that, based upon the entity’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.

Security Awareness and Training

One of the most important elements of the Administrative safeguards is the provision of training on the HIPAA Security and Privacy Rules, not only for members of the workforce granted access to ePHI or who may otherwise come into contact with it, but for all members of the workforce, including management. Even the most robust security policies can be easily compromised due to poor or non-existent training.

In addition to providing relevant training on Privacy Rule policies, all members of the workforce must be provided with security and awareness training to teach best practices and alert them to the methods used by cybercriminals to gain access to ePHI – such as phishing, business email compromise, and social engineering.

The Security Awareness and Training standard includes four implementation specifications:

Security Reminders (Addressable)

The provision of training ensures the workforce is fully aware of the HIPAA Privacy and Security Rules; however, policies frequently need to be updated and these changes must be communicated to staff. It is also important to provide the workforce with reminders on the importance of data security policies and procedures.

All reminders must be documented and a record maintained, while the procedures must govern the issuing of reminders, such as via electronic bulletins, the posting of security reminders on notice boards, and the creation of agendas for periodic security meetings etc.

Protection from Malicious Software (Addressable)

Covered Entities must put procedures into place which guard against, detect, and report malicious software, including computer viruses such as Trojans, worms, keyloggers, malware, and ransomware. Viruses and malware can be used by external parties to gain access to data or to convince authorized personnel to divulge login credentials and security keys. Both ransomware and malware can also damage, delete, or otherwise alter data. See the Contingency Planning section for more information.

All members of the workforce must receive training to help them identify potentially dangerous software and staff should be aware of how, and to whom, they should report the potential installation of malicious software. This includes developing policies that restrict how the Internet is used and what can be downloaded.

Log-in Monitoring (Addressable)

Procedures must be developed for monitoring log-in attempts and reporting discrepancies. A system must be in place that can log access attempts, such as multiple attempts to gain access to ePHI using incorrect passwords or usernames. Systems can be configured to log these attempts and generate security reports or alerts, or even to block access for a particular user or device. One measure which can be employed is the blocking of a login after a set number of access attempts have failed – termed rate limiting.

Password Management (Addressable)

Procedures must be developed for creating, changing, and safeguarding passwords used to access ePHI. If passwords are not automatically assigned, training must be provided on creating secure passwords – i.e., not using dates of birth, children’s names, dictionary words, or any commonly used insecure password that can easily be guessed (password, 12345678, etc.).

Best practices for passwords often change. The effectiveness of forced password resets every 3 months has been questioned, as has the use of random strings of digits, letters, and symbols, as these often have to be written down in order to be remembered. Covered Entities should consult the guidance issued by NIST on passwords and best practices – See NIST Special Publication 800-63B for further information – and keep abreast of changes to access control recommendations.

Security Incident Procedures

Even the most security conscious healthcare organizations that have implemented multi-layered security defenses and are fully HIPAA-compliant may, at some point in time, experience a security incident. While it is possible to reduce and manage risk, it is not possible to eliminate it entirely. Covered Entities and Business Associates must therefore implement procedures that allow these incidents to be reported quickly to the appropriate persons(s).

There is only one implementation specification:

Response and Reporting (Required)

This specification states that all HIPAA-Covered Entities and Business Associates must be able to “identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are identified; and document security incidents and their outcomes.”

There are numerous types of security incident, and workforces must be aware how to “identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are identified; and document security incidents and their outcomes.”

Examples of security incidents include, but are not limited to:

  • Loss or theft of portable devices containing unencrypted ePHI
  • Stolen or divulged passwords
  • Potential phishing attacks and suspicious emails
  • Computer viruses and malware
  • Corrupted backups that do not allow ePHI to be restored
  • Break-ins resulting in the theft of devices containing ePHI
  • The use of old logins – such as those of terminated members of staff – to access ePHI
  • The accessing of ePHI by non-authorized members of the workforce

Procedures must be developed which allow a rapid and adequate response to each of these threats, and any others that may exist in a particular organization.

Contingency Planning

Access to ePHI must be maintained at all times, even during emergencies. Procedures must therefore be developed to ensure that this is the case. Consequently, Covered Entities and Business Associates are required to “Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain ePHI.”

The Contingency Planning standard consists of five implementation specifications:

Data Backup Plan (Required)

Organizations must establish and implement procedures to create and maintain retrievable exact copies of ePHI. All data, including health information, diagnostic images, medical records, accounting information, and other electronic documents must be frequently backed up; and any physical backup media, if used, must be stored off-site in a secure location protected by the Physical safeguards mentioned above.

Backups are one of the most important defenses against ransomware attacks that encrypt ePHI to prevent access. Without a backup, it may not be possible to recover data. Even payment of a ransom is no guarantee that valid keys will be supplied to unlock files encrypted by ransomware. Ransomware can also encrypt on-site backup copies of ePHI and delete Windows Shadow Copies. At least one copy of ePHI should therefore be stored on an air-gapped device – i.e., one which is not connected to the network or Internet.

Disaster Recovery Plan (Required)

Covered Entities and Business Associates must establish and implement procedures to restore any loss of data, and this plan must be reviewed, revised, and tested frequently.

Emergency Mode Operation Plan (Required)

Even during a power outage or other emergency situation such as a server malfunction, procedures must exist to ensure the continuation of critical business processes and the protection of ePHI while the organization is operating in emergency mode.

Testing and Revision Procedures (Addressable)

All Contingency Plan implementation specifications must be subjected to tests to ensure data can be restored. Emergency operational procedures must similarly be subjected to live tests to ensure they are effective. These tests should be conducted on a regular basis, and policies and procedures revised as appropriate.

Applications and Data Criticality Analysis (Addressable)

Organizations are required to “assess the relative criticality specific applications and data in support of other contingency plan components.” This means that all software and computer systems must be evaluated and given priority for backups – and restoration of data from backups and devices – based on their importance to the running of the organization and the provision of patient healthcare services.

Evaluation

This standard covers the monitoring and evaluation of all security measures to ensure they continue to offer the appropriate level of protection to keep ePHI secure.

Over time, systems and personnel will change, new technology will be introduced, and operational environments are also subject to change. Naturally, policies and procedures must be updated to take these new occurrences and changes into account.

There are no implementation specifications under this standard. Covered Entities and Business Associates are just required to “Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operations changes affecting the security of ePHI that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart [the Security Rule].”

Business Associate Agreements and Other Arrangements

The last standard under Administrative safeguards covers Business Associates – and their subcontractors. A Covered Entity is required to enter into a Business Associate Agreement with any third party that creates, receives, maintains, transmits, or otherwise comes into contact with ePHI in the provision of a service for or on behalf of the Covered Entity.

This is a required element, and “a covered entity, in accordance with § 164.306 [the Security Standards: General Rules], may permit a business associate to create, receive, maintain, or transmit ePHI on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a) [the Organizational Requirements] that the business associate will appropriately safeguard the information.”

There is a single implementation specification for this standard:

Written contracts (Required)

Covered entities must “Document the satisfactory assurances required by paragraph (b) (1) [the Business Associate Contracts and Other Arrangements] of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of §164.314(a) [the Organizational Requirements].”

With regards to this standard, it is also important that Covered Entities and Business Associates comply with the Organizational Requirements of the Security Rule (§164.314). The Organizational Requirements include the standards and implementation specifications for Business Associate Agreements and stipulate when it is necessary for a Business Associate to report any security incident to the Covered Entity it is providing a service to.

6.4. Physical Safeguards

The Physical safeguards are the standards that relate to physical access to ePHI and how ePHI is stored. There are four standards in the Physical safeguards:

  • Facility Access Controls
  • Workstation Use
  • Workstation Security
  • Devices and Media Controls

Facility Access Controls

The facility access controls outline the policies and procedures that Covered Entities and Business Associates must put in place to properly authenticate and authorize access to places where ePHI is maintained. In today’s world, this means putting proper procedures in place to ensure that only essential and authorized personnel have access to data centers, server cabinets, storerooms, and any other locations where ePHI is stored. This includes IT storerooms where old computer equipment is held. Many digital devices contain stored ePHI, including digital photocopiers, scanners and printers, and access to these devices must also be controlled.

Contingency Operations (Addressable)

The first implementation specification in the facility access controls standards is “Contingency Operations”. In short, Covered Entities and Business Associates must have a plan in place that ensures that, in an emergency, the right people have access to the facilities where ePHI is physically housed. Effectively, this means putting together a plan so that in an emergency – a data center outage for example – it is possible for ePHI to be accessed or a backup copy of ePHI to be recovered.

HIPAA
Compliance
Checklist

Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

It is also important to make sure there is a way to restore the data elsewhere if needed. The data restoration step is typically part of a disaster recovery plan. For example, if the data center housing a HIPAA compliant application loses power, it has to be possible to restore or bring up the application in a second data center (which is why cloud computing is a popular option due to its redundancy and failover capabilities).

The rationale for this implementation specification is pretty straightforward. It ensures that even in an emergency situation, access to ePHI is not interrupted. Just because a computer system is down, doctors still need access to patient records in a timely manner to ensure the provision of healthcare services is not interrupted.

Facility Security Plan (Addressable)

The second implementation specification is called the Facility Security Plan. As the name implies, Covered Entities and Business Associates need to implement policies and procedures to properly secure and protect the physical facility where ePHI data is housed. Covered Entities and Business Associates must develop and implement plans to reasonably and appropriately prevent unauthorized physical access, tampering, and theft of ePHI.

Whether organizations have an on-site server room, or they host applications in a shared data center or the cloud, it is their responsibility to ensure the facility is properly protected – either directly or via a Business Associate Agreement. The protection deployed will depend on many factors, such as the size and type of the organization, the volume of data stored, and the nature of the data held.

Protection measures could range from making sure a server room is always locked to adding a digital keypad to the section of the building where the server room is located. It may also be appropriate to employ a private security company to patrol the facility. What is important is that there is a plan in place, that it is documented and actioned when necessary, and that all appropriate personnel are aware of it. The plan must also be regularly tested and verified to be effective.

Control and Validation Procedures (Addressable)

This specification calls for Covered Entities and Business Associates to put procedures in place to ensure people accessing the facility where ePHI is housed are indeed who they say they are, and that their access to ePHI is in accordance with his or her role in the organization.

For example, if someone shows up at a location where ePHI is housed claiming to be a computer server technician dispatched to replace a faulty hard drive, the facility procedures must ensure that access to ePHI is not inadvertently provided to an unauthorized person.

Maintenance Controls (Addressable)

The fourth and final implementation specification in the facility access controls standards calls for Covered Entities and Business Associates to implement procedures to document any modifications to the facility where ePHI is housed that may affect the facility’s security.

The procedures put in place should document any additions, changes, removals, and repairs to the physical facility housing the ePHI data. Common items logged may include replacing a broken digital keypad, upgrading a video surveillance system, rekeying server room keys, and even the reissue of a security badge to authorized personnel.

Workstation Use

The Workstation Use standard states that Covered Entities and Business Associates must define what each workstation can be used for, how work on the workstation is performed, and how the environment surrounding workstations should be designed in order to prevent unauthorized disclosures when workstations are used to access ePHI.

A workstation, in the eyes of the Department of Health and Human Services, is any electronic device that can be used to access ePHI. Therefore, this definition includes desktop computers, laptops, mobile devices (including personal mobile phones that have access to ePHI), and tablets. The definition as it is written in the Security Rule is purposely broad to account for all future devices that have not yet come to market.

As well as documenting what workstations can be used for, it can also be a best practice to document what they cannot be used for – for example, checking personal emails. When policies are defined for this standard, it is possible to be workstation-specific (e.g., by workstation asset ID) or location-specific (e.g., workstations in building 3) or even by workstation type (e.g., every company issued tablet).

Next, the manner in which work is done on the workstations has to be defined. For example, the patient billing system cannot be used with other software, like a web browser, running in the background. Or each user password for the EHR system must be a minimum of eight alphanumeric characters in length, contain a combination of upper- and lower-case characters and cannot include words found in a dictionary.

Finally, the environment surrounding workstations has to be defined when workstations are used to access ePHI. Covered Entities and Business Associates can again be very specific and restrict ePHI access to only workstations on the third floor, for example.

Parameters can be set around how data is accessed, such as allowing laptops to be used to access ePHI while off company property as long as they are not connected to the internet via public Wi-Fi, and provided that the connection is through a secure VPN. Indeed, when policies relating to workstation use are being defined, keep in mind employees who work in satellite offices or from home. Policies and procedures have to be in place for them as well. Also do not neglect to consider personal mobile devices brought into the workplace or the use of personal devices at home that can potentially be used to access ePHI.

Workstation Security

Workstation Security is closely related to the workstation use standard, but there is an important distinction between the two. The workstation use standard addresses the policies and procedures for how workstations should be used, whereas the workstation security standard addresses how workstations are to be physically protected from unauthorized users.

Every organization is different, and the Security Rule calls for reasonable and appropriate measures to be put in place by each entity. In other words, risk assessments should be conducted to determine the level of physical security that is required around each workstation.

Some measures that are easy to implement include ensuring that workstations are positioned in such a way to prevent unauthorized individuals from viewing the screen – by using privacy filters for example – and measures to make it harder for the devices to be improperly accessed. It may also be appropriate for Covered Entities and Business Associates to place workstations with access to ePHI in locked rooms.

Only by conducting a full and thorough risk assessment is it possible to determine the risks that exist in a particular facility. The results of that assessment can then be used to develop the appropriate controls based on the organization´s physical set-up and requirements.

Device and Media Controls

The fourth and final standard in the Physical safeguards is Device and Media Controls. This standard calls for Covered Entities and Business Associates to “implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information, into and out of a facility, and the movement of these items within the facility.”

The definition is a bit long-winded, but this is because in the eyes of the Department of Health and Human Services, electronic media is any media that can be used to store or transfer ePHI, and this includes: Computer hard drives, removable flash drives, portable USB drives, and DVDs. Technically, an iPad or any other personal mobile device is also considered electronic media since it can be used to store ePHI either directly, when mapped as a portable hard drive, or indirectly using apps like Google Drive or Box.

Disposal (Required)

The first required implementation specification for this standard is Disposal. Organizations must put in place policies and procedures to “address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.” In other words, when each electronic media device reaches end of life, organizations must properly process the electronic media and be absolutely sure all ePHI stored on the digital media has been permanently erased.

Bear in mind that digital devices which are not specifically used to store ePHI may also come into contact with protected health information and maintain a record of that information. This includes digital printers, scanners, photocopiers, and fax machines. When files are sent to digital printers, they can be stored on internal memory chips and hard drives, and these will similarly need to be erased before recycling or returning to a leasing company.

There are several ways to accomplish this. One way is to degauss the electronic media. Degaussing is a process in which a strong magnetic field is applied to magnetic-based electronic media – such as some computer hard drives – which permanently erase the stored content. The degaussing process does not work on newer storage media such as solid-state drives and flash drives which are impervious to magnetic fields.

Many academic institutions have looked for ways to effectively erase content on non-magnetic drives and have concluded the only sure method is to completely destroy the media. Covered Entities and Business Associates need to carefully take inventory of the electronic media currently in use and come up with steps to properly erase content before disposal.

Media Re-Use (Required)

The next required implementation specification is titled Media Re-Use. If Covered Entities and Business Associates wish to re-use electronic media rather than dispose of them, they are required to put plans in place to ensure all ePHI stored on those devices is permanently destroyed or rendered unreadable before re-use. As pointed out previously, while clearing content on magnetic-based storage devices is a fairly easy process, clearing content on non-magnetic storage devices is much more difficult.

For example, deleting files from a desktop computer and emptying the recycle bin is not sufficient, as even deleted data can be restored or reconstructed. So once again, a careful review of the electronic media currently used should be conducted and procedures developed to ensure all data is permanently erased.

Accountability (Addressable)

Accountability is the next implementation specification. This implementation specification calls for Covered Entities and Business Associates to keep records of the movement of hardware and electronic media used to access or store ePHI, and to log the person accountable for the move.

Covered Entities and Business Associates have the flexibility to decide what is considered to be reasonable and appropriate record keeping. Ideally, if a server is removed from the server room for servicing, or if a faulty hard drive is replaced for example, procedures should be in place to log the specific device involved and the person who has authorized the change.

Data Backup and Storage (Addressable)

The last implementation specification is Data Backup and Storage. Before any hardware and electronic media are physically moved, a backup of the ePHI contained on each media device must be made. This ensures if anything were to happen to the hardware during a move – such as damage, loss, or theft – the contained ePHI is protected and data loss is prevented. Given the rise in the use of ransomware, backups are more important than ever. Multiple copies of ePHI should be made and at least one copy should be stored securely off site.

6.5. Technical Safeguards

The Security Rule Technical safeguards concern the technology and related policies and procedures that protect ePHI and control access to it, and they apply to all forms of ePHI. The HIPAA Security Rule requires Covered Entities and Business Associates to comply with the Technical safeguards; however, it does not go as far as to stipulate the exact methods to protect ePHI because of the “flexibility of approach” concept discussed earlier.

However, together with reasonable and appropriate Administrative and Physical safeguards, successful implementation of the Technical safeguards will help organizations best ensure the confidentiality, integrity, and availability of ePHI.

The Technical safeguards are:

Access Controls

These controls ensure ePHI can only be accessed by authorized users who have been granted access rights. Mechanisms should be implemented that identify and track user activity, automatically log the user out of the system after a period of inactivity, and allow access to ePHI during an emergency.

Unique User Identification (Required)

Each user must be assigned a unique name and/or number to identifying users and tracking user activity. It is important usernames and numbers are not shared between members of the workforce as this practice invalidates this implementation specification and may give users higher permissions than required.

Emergency Access Procedure (Required)

This implementation specification is similar to the procedures required by the Physical safeguards inasmuch as Covered Entities and Business Associates must establish procedures for accessing necessary ePHI during an outage or emergency.

Automatic Logoff (Addressable)

This implementation specification is necessary to prevent unauthorized access to ePHI when a device is left unattended. Most modern technologies have a capability to send a device to sleep after a period of inactivity, but this is not the same as logging a user out of a device and does not meet the requirement of this specification.

Encryption and Decryption (Addressable)

Although this is an addressable implementation specification, it is difficult to conceive of a measure as effective as encryption to render ePHI unreadable, undecipherable, and unusable in the event of a security incident. Organizations should ensure the system of encryption used meets the minimum NIST recommendations.

Audit Controls

This standard requires Covered Entities and Business Associates to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. There are no individual implementation specifications for this standard.

Integrity

This standard has just one addressable implementation specification – that mechanisms are implemented to corroborate that ePHI has not been altered or destroyed in an unauthorized manner. Ideally, this standard should be applied to both ePHI and physical PHI wherever possible and should cover ePHI both in transit and at rest.

Person or Entity Authentication

This safeguard exists to ensure that a person who wants access to ePHI is who they say they are. This is usually achieved by passwords or PINs being allocated by an administrator, who has the ability to PIN-lock a device if a risk assessment shows that there is the threat of an ePHI breach such as if a device is lost or stolen. This standard should also be applied to open-network apps.

Transmission Security

This standard requires Covered Entities and Business Associates to implement measures to guard against ePHI being accessed without authorization during transit. This standard has two implementation specifications:

Integrity Controls (Addressable)

This implementation specification requires organizations to put mechanisms in place to ensure ePHI is not modified or deleted during an electronic communication.

Encryption (Addressable)

This implementation specification stipulates that a method of encryption and decryption should be used “whenever deemed appropriate” to protect the integrity of ePHI in transit.

7. The Breach Notification Rule – What to do in the Event of a Breach

  1. 7.1 The HIPAA Breach Notification Rule
  2. 7.2 OCR Settlements and Civil Monetary Penalties

7.1. The HIPAA Breach Notification Rule

Even with all the safeguards in the world, healthcare and payment information can be compromised. Risks can be managed and mitigated as much as possible, but it is impossible to prevent members of the workforce snooping or prevent human error. Additionally, even with multi-layered defenses, cyberattacks can still be successful.

If Covered Entities and Business Associates apply the Administrative, Technical, and Physical Safeguards of the Security Rule – and ePHI is encrypted to a standard that would make it “unusable, indecipherable or unreadable” – it may not be necessary to report electronic data breaches. Data breaches only need to be reported when there is a breach of unsecured (non-encrypted) ePHI or a breach of physical PHI (for example, the incorrect disposal of paper prescriptions).

The definition of a breach provided by the US Department of Health and Human Services is as follows:

“A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the Protected Health Information.” An impermissible use or disclosure of unsecured PHI is presumed to be a breach unless the Covered Entity or Business Associate demonstrates that there is a low probability that PHI has been compromised based on a risk assessment that includes at least the following factors:

  • The nature and extent of PHI involved, including the types of identifiers and the likelihood of re-identification
  • The unauthorized person who used or accessed PHI or to whom any disclosure has been made
  • Whether PHI was actually acquired or viewed
  • The extent to which the risk to PHI has been mitigated

If, despite all precautions, a breach occurs which potentially could result in the unauthorized disclosure of healthcare and/or payment information, the affected individual(s) must be informed within 60 days of the discovery of the breach. The Secretary of the Department of Health and Human Services must also be notified, by submitting a breach summary through the Office for Civil Rights breach portal.

Informing an Individual of a Breach of ePHI

To inform an individual of a breach of PHI or ePHI, a notification must be sent by first class mail to the individual´s last known address, the next of kin if the individual is deceased, or the parent or guardian of a child under the age of eighteen whose healthcare information has been compromised.

If the breach requires urgent attention because of possible imminent misuse of PHI, the individual should also be contacted by telephone or by any other means of communication that is considered appropriate. The content of the notification should include:

  • A brief description of what happened, including the date of the breach and the date of discovery of the breach
  • A description of the types of information that were compromised in the breach (personal identifiers such as name, address, Social Security number, account numbers, etc.)
  • The measures individuals should take to protect themselves from potential harm
  • A brief description of what the Covered Entity is doing to investigate the breach, to mitigate harm, and prevent a repeat of the breach
  • Contact details for individuals to ask questions or request further information, which should include a toll-free number, an email address, website, or postal address

Informing the Department of Health and Human Services

Informing the Department of Health and Human Services (HHS) that a breach of PHI has occurred is done using the HHS´ Office for Civil Rights´ online portal. The procedures for reporting a breach of PHI differ depending on the number of records that have been compromised (or have potentially been compromised):

Data Breaches Affecting Fewer Than 500 Individuals

If a breach of unsecured PHI affects fewer than 500 individuals, a Covered Entity must notify HHS of the breach within 60 days of the end of the calendar year in which the breach was discovered.

This does not mean that a Covered Entity must wait until the end of the calendar year to report breaches affecting fewer than 500 individuals. As a “best practice” it is advisable to report the breach as soon as the details of the breach are known.

A Covered Entity may report all of its breaches affecting fewer than 500 individuals on one date, but a separate notice must be issued for each breach incident. Additionally, while HHS is prepared to wait to find out about these smaller breaches, the individuals affected by the breach must still be notified within 60 days of the discovery of the breach.

Data Breaches Affecting More Than 500 Individuals

If a breach of unsecured PHI affects 500 or more individuals, a Covered Entity must notify HHS of the breach without unreasonable delay, and in no case later than 60 calendar days from the discovery of the breach.

If the number of individuals affected by a breach is unknown, the Covered Entity should provide an estimate and amend the breach report at a later date when more information is available.

Breaches of 500 or more records also require a breach notice to be published on the Covered Entity´s website and linked to from the website´s Home Page. A notice about the data breach should also be submitted to a prominent media agency serving the area or region affected by the breach.

Data Breaches Caused by a Business Associate

A Business Associate must notify the Covered Entity they are providing a service for or on behalf of as soon as possible after the discovery of a data breach. The notification must identify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed as a result of the breach.

Changes introduced via the HITECH Act and Final Omnibus Rule mean that Business Associates can be held liable for data breaches. Furthermore, there is a burden of proof on Covered Entities and Business Associates to demonstrate that breach has not occurred if failing to report an impermissible use or disclosure to HHS.

Previously the onus was on the Office for Civil Rights to prove that a HIPAA breach had occurred before it was able to pursue enforcement action. Now, any potential exposure of unsecured PHI is considered to be a breach unless the Covered Entity can prove otherwise via a risk assessment – the criteria for which was previously discussed.

7.2. OCR Settlements and Civil Monetary Penalties

Later in our HIPAA Compliance Guide we discuss how HIPAA is enforced and what happens after the Department of Health and Human Services’ Office for Civil Rights has been notified of a breach. However, this is a suitable point to discuss the fines that can be issued by HHS´ Office for Civil Rights, and other penalties that can be applied following a violation of HIPAA – regardless of whether the violation is responsible for a breach of PHI or ePHI.

HIPAA Breach Financial Penalty Structure

In most cases, HHS´ Office for Civil Rights resolves investigations into patient complaints and breach notifications by providing technical assistance or imposing a Corrective Action Plan on a Covered Entity or Business Associate. When a violation is of a serious nature, or when HHS´ Office for Civil Rights is “sending a message”, the agency will issue a civil monetary penalty or reach a financial settlement with the non-compliant party.

As mentioned previously in the HIPAA compliance guide, when Congress passed HIPAA in 1996, it set the maximum penalty for violating HIPAA at $100 per violation with an annual cap of $25,000. These limits were applied from the publication of the Enforcement Rule in 2006 until the passage of HITECH in 2009 and the provisions of HITECH being implemented via the Final Omnibus Rule in 2013.

The HITECH Act mandated a four tier penalty structure for HIPAA violations and new minimum and maximum penalties for violating HIPAA. The four tiers were based on the level of culpability associated with the violation:

Tier 1 – Lack of Knowledge:  The person did not know (and, by exercising reasonable diligence, would not have known) that the event was a violation of HIPAA.

Tier 2 – Lack of Oversight: The violation was due to reasonable cause and not willful neglect to comply with the HIPAA regulations.

Tier 3 – Willful Neglect: The violation was due to the willful neglect of the Covered Entity or Business Associate but corrected within 30 days of discovery.

Tier 4 – Willful Neglect, Not Corrected: The violation was due to the willful neglect of the Covered Entity or Business Associate but not corrected within 30 days of discovery.

The Penalties for Violating HIPAA Change after Review

Originally, due to “inconsistent language” of the HITECH Act, HHS´ Office for Civil Rights interpreted HITECH´s minimum and maximum penalties per tier as follows:

Level of Culpability Minimum Penalty per Violation Maximum Penalty per Violation Annual Penalty Limit
Lack of Knowledge $100 $50,000 $1,500,000
Lack of Oversight $1,000 $50,000 $1,500,000
Willful Neglect $10,000 $50,000 $1,500,000
Willful Neglect not Corrected in 30 days $50,000 $50,000 $1,500,000

However, following a review of the penalty tiers by HHS´ Office of General Counsel, the annual caps were amended in 2019 to align with those mandated by HITECH:

Level of Culpability Minimum Penalty per Violation Maximum Penalty per Violation Annual Penalty Limit
Reasonable Efforts $100 $50,000 $25,000
Reasonable Cause $1,000 $50,000 $100,000
Willful Neglect – Corrected $10,000 $50,000 $250,000
Willful Neglect – Not Corrected in 30 days $50,000 $50,000 $1,500,000

This resulted in the annual limit for a Tier 1 violation being less than the maximum penalty for violating HIPAA in Tier 1 – an inconsistency that has continued as the penalties for violating HIPAA have been adjusted to account for inflation. Subsequent changes also saw the maximum penalty for violating HIPAA in Tier 4 being increased. The current (2022) penalties for violating HIPAA are:

Level of Culpability Minimum Penalty per Violation Maximum Penalty per Violation Annual Penalty Limit
Lack of Knowledge $127 $60,973 $30,133
Lack of Oversight $1,280 $60,973 $121,946
Willful Neglect $12,794 $60,973 $304,865
Willful Neglect not Corrected in 30 days $60,973 $1,919,173 $1,919,173

The Penalties for Violating HIPAA are per Violation Type

It is important for Covered Entities and Business Associates to note be aware that the penalties for violating HIPAA are per violation type. This mean that if a healthcare provider (for example) fails to conduct a risk assessment, fails to prevent a foreseeable breach, and fails to notify patients when a breach occurs, the healthcare provider could receive three maximum penalties for one breach.

It is also important to note that State Attorneys General have the authority to impose further civil monetary penalties in addition to those issued by HHS´ Office for Civil Rights. Consequently, penalties for violating HIPAA can be considerably more than the limits published in the Federal Register. In some circumstances, it may also be possible for affected individuals to bring a private right of action against the non-compliant party.

This is what happened in the case of Anthem Inc., who – following a data breach of 78.8 million records in 2015 – settled a HIPAA enforcement action for $16 million and was fined $48.2 million by State Attorney Generals, prior to a settling a class action for a further $115 million. Anthem also incurred further indirect costs complying with a Corrective Action Plan that was required as part of the settlement with HHS´ Office for Civil Rights.

As a final note in this section, although civil monetary penalties are calculated according to nature of the breach, the number of records exposed, and the actions taken after a breach to mitigate any damage caused; historically, Covered Entities and Business Associates have been treated more leniently when it can be shown they have made an effort to comply with HIPAA.

This historic leniency was reinforced in a 2021 amendment to the HITECH Act that instructed the Secretary of the Department of Health and Human Services to consider “recognized security practices” that have previously been adopted by the breached entity when considering HIPAA fines and other sanctions and remedies.

8. The HIPAA Enforcement Rule – How is HIPAA Compliance Enforced?

How OCR Regulates HIPAA Privacy, Security, & Breach Notification Rules

OCR is responsible for enforcing compliance with the HIPAA Privacy, Security, and Breach Notification Rules. One of the ways that OCR carries out this responsibility is to investigate complaints that have been made against organizations. OCR may also conduct compliance reviews to determine if Covered Entities have implemented the appropriate policies and procedures required by HIPAA.

OCR also issues guidance and performs education and outreach programs to foster compliance with all requirements of the HIPAA Rules. However, the agency has the discretion to choose which complaints it will investigate. See what OCR considers during intake and review of a complaint for a description of the types of cases in which it cannot take action or commence enforcement actions.

HIPAA
Compliance
Checklist

Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

If OCR accepts a complaint for investigation, it will notify the person who filed the complaint and the Covered Entity or Business Associate against whom the complaint is made. The complainant and the allegedly non-compliant organization are then asked to present information about the incident or problem described in the complaint. OCR may request specific information from each party to gain an understanding of the facts of each case. Covered Entities and Business Associates are required by law to cooperate fully with all complaint investigations.

If a complaint describes an action that could be a violation of the criminal provision of HIPAA (42 U.S.C. 1320d-6), OCR may refer the complaint to the Department of Justice for further investigation.

In addition to complaints, OCR investigates all breaches of 500 or more records that are reported through the breach portal to determine whether the breach was the result of noncompliance with HIPAA and whether, through HIPAA compliance, the breach could have been prevented. If some evidence of noncompliance is discovered, a more comprehensive compliance review may be initiated.

OCR reviews all information, or evidence, that it gathers in each case. In some cases, it may determine alleged non-compliant organization did not violate HIPAA requirements. If evidence indicates the Covered Entity or Business Associate was not in compliance with HIPAA, OCR will attempt to resolve the case through:

  • Technical assistance,
  • A Corrective Action Plan, and/or
  • A resolution agreement.

Most Privacy and Security Rule investigations are concluded via technical assistance or Corrective Action Plan. Once resolved, OCR notifies the person who filed the complaint and the Covered Entity or Business Associate in writing.

If the Covered Entity or Business Associate does not take action to resolve the matter in a way that is deemed to be satisfactory, OCR may decide to impose civil money penalties (CMPs). If CMPs are imposed, the organization may request a hearing in which an HHS administrative law judge decides if the penalties are appropriate and are supported by the evidence. At present, complainants do not receive a portion of CMPs collected by OCR. Instead, penalties are deposited with the U.S. Treasury.

9. The Benefits of HIPAA Compliance

  1. 9.1 Why is HIPAA so Important?
  2. 9.2 The Benefits of HIPAA Compliance

9.1 Why is HIPAA so Important?

To explain why HIPAA is so important, you have to back to the origins of the Act and its original objective of improving the portability of health insurance coverage. This provision, and other provisions included in Title I of HIPAA – such as prohibiting the denial of coverage for workers with pre-existing conditions – would have significantly increased health insurance premiums for employers and plan members.

To avoid this situation, Congress introduced measures in Title II of HIPAA to reduce the level of health insurance fraud and make the administration of health care claims more efficient – thus saving health plans money and reducing the rate at which health insurance premiums increased. Consequently, it is fair to say that HIPAA is important because it made health insurance more affordable for more people.

Thereafter, as HIPAA has evolved, further measures have been introduced to better protect the privacy of individually identifiable health information, better secure electronically maintained PHI, and better inform individuals when a data breach occurs that could impact their personal lives. This area of HIPAA helps protect individuals from identity theft and financial loss – or, at least, empower individuals to mitigate loss as much as possible.

From the perspective of healthcare organizations, HIPAA was the steppingstone to a federal “floor” of privacy protections which facilitated the digitalization of healthcare via the HITECH Act and Meaningful Use program. According to the FDA, digitalized healthcare helps providers reduce inefficiencies and costs, increase quality, streamline the provision of health care, and make medicine more personalized for patients.

9.2 The Benefits of HIPAA Compliance

Many sources discussing the benefits of HIPAA compliance tend to focus on the avoidance of enforcement action by OCR; and while this is a benefit of complying with HIPAA, it is not one of the most important. Indeed, the avoidance of enforcement action can pale into insignificance when compared to some of the primary benefits – especially for healthcare providers.

Research has shown that, when patients trust their personal health information is being protected, they are more willing to share intimate details about themselves with healthcare providers. Having more information available enables healthcare providers to make better informed decisions and more accurate diagnoses and determine the best course of treatment.

Studies have also shown that when patients trust their healthcare providers, they tend to engage with preventative services, participate in healthy activities (or reduce unhealthy activities), and are more likely to comply with medications and treatments. This helps reduce the severity of illness and accelerates recovery when patients present at a healthcare facility.

Being able to determine the best course treatment and have patients engage with preventative services most often results in positive patient outcomes. This raises morale in the workplace, increases patient safety in other areas of healthcare, and reflects in higher satisfaction scores from patients and their families – a commonly used indicator for measuring the quality of health care.

The benefit of raising morale in the workplace cannot be underestimated. A healthy and happy workforce is likely to be more productive and have a far lower rate of absenteeism. Employee retention rates improve; and, when a vacancy becomes available, it is easier for the healthcare provider to fill the vacancy because of a positive organizational reputation.

Consequently, there are benefits of HIPAA compliance for patients, for healthcare providers, and for healthcare providers´ workforces which are all attributable to trust. Compliance with the measures introduced following the passage of HIPAA help build this trust – and this is probably the principle reason why HIPAA, and compliance with HIPAA, is so important.

10. HIPAA Resources:

Useful Webpages

Office for Civil Rights http://www.hhs.gov/ocr/office/index.html

OCR Breach Reporting https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf

HIPAA Security Rule Guidance

HIPAA Security Rule

http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html

HIPAA Security Rule Guidance

http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html

Security Risk Assessments

http://www.healthit.gov/providers-professionals/security-risk-assessment

HHS – Final Guidance – Risk Analysis

https://www.hhs.gov/hipaa/for-professionals/security/guidance/final-guidance-risk-analysis/index.html

Security Standards – Final Rule

https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html

Security and Electronic Signature Standards

https://aspe.hhs.gov/report/nrpm-security-and-electronic-signature-standards/electronic-signature-standard

 

HIPAA Privacy Rule Guidance

HIPAA Privacy Rule

http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html

Notice of Privacy Practices

http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html

Health Information Privacy Rights

http://www.hhs.gov/ocr/privacy/index.html

De-identification of PHI

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/deidentificationworkshop2010.html

Breach Notification Rule Guidance

HIPAA Breach Notification Rule

http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html

HIPAA Enforcement Rule Guidance

HIPAA Enforcement

http://www.hhs.gov/ocr/privacy/hipaa/enforcement/index.html

HIPAA Resolution Agreements

http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html

HIPAA Enforcement – State Attorneys General

http://www.hhs.gov/ocr/privacy/hipaa/enforcement/sag/index.html

HIPAA Omnibus Rule Guidance

HIPAA Omnibus Rule

http://www.hhs.gov/news/press/2013pres/01/20130117b.html

HITECH Guidance

HIPAA and the HITECH Act

http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf

Business Associate Guidance

Business Associate Contracts

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html

Business Associate Guidance

http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/

HIPAA Compliance Audit Guidance

HIPAA Compliance Audits

http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html

Additional Information and References

HIPAA, FERPA and Student Health Records

https://www.hhs.gov/hipaa/for-professionals/faq/ferpa-and-hipaa/index.html

HIPAA and Secure Text Messaging

http://www.hipaajournal.com/does-your-organization-need-a-secure-text-messaging-service-324/

HIPAA Disclosures in Emergency Situations

https://www.hhs.gov/hipaa/for-professionals/faq/disclosures-in-emergency-situations/index.html

HIPAA and Workplace Wellness Programs

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/wellness/index.html

HIPAA Compliance Guide FAQs

If a service provider handles PHI on behalf of a Business Associate, do they also have to sign a BAA with the Covered Entity?

It depends on the circumstances. If, for example, the Business Associate processes data on behalf of a Covered Entity and uses a cloud service to process, store, or transmit the data, the BAA will be between the Business Associate and the Cloud Service Provider. However, if a third party provides a direct service to both the Covered Entity and the Business Associate, two BAAs will be necessary.

So, is the U.S. Postal Service a Business Associate if it handles PHI?

No. The U.S. Postal Service and private courier services are considered to be conduits for PHI by the Department of Health and Human Services. Provided the conduit does not access PHI other than as required by law, it is not considered a Business Associate and no BAA is necessary. Note however, that email service providers are considered to be Business Associates even though they could be considered to be providing a conduit service.

Is the HIPAA Privacy Rule suspended during national or public health emergencies?

Not automatically. If the President declares an emergency or disaster and the Secretary for Health and Human Services declares a public health emergency, the Secretary may waive sanctions and penalties against a covered hospital that does not comply with certain provisions of the HIPAA Privacy Rule. Which provisions may be waived will be determined by the nature of the public health emergency and the issues it raises.

Does HIPAA require Covered Entities to keep patients’ medical records for any period of time?

No, the HIPAA Privacy Rule does not include medical record retention requirements – state laws generally govern how long medical records are to be retained. However, while retention requirements generally range from five years to ten years after the last patient encounter (or until a child reaches the age of majority), there are exceptions. For example, the state of Massachusetts requires hospitals to retain patient medical records for thirty years from the date of discharge.

Does the HIPAA Privacy Rule limit what a doctor can do with a family medical history?

When a doctor collects a patient´s family medical history, this data becomes part of the patient´s PHI and is subject to the same protections as any other health information relating to the patient. Importantly, only the patient – and not the family members included in the medical history – can exercise access rights under the HIPAA Privacy Rule. Therefore, family members cannot access this data set or authorize its disclosure to others.