Introduction

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a U.S. federal law. It sets national standards that covered entities and their business associates must follow to protect the privacy and security of patients' protected health information (PHI), including PHI created, stored, or transmitted in electronic form (ePHI). If you collect, store, or process any kind of patient or medical data, you need to know whether HIPAA applies to you and how it affects your operations.

But what does it really mean to be HIPAA compliant? In this article, we offer a comprehensive checklist for HIPAA compliance, so you know you're on the right track.


What is Protected Health Information (PHI)?

It's important to clarify that HIPAA does not apply to all healthcare data, or all data handled by healthcare organizations—only to protected health information (PHI). So what is PHI exactly?

Protected health information is individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits: information about a person's past, present, or future physical or mental health, the care they received, or payment for that care, combined with anything that identifies the person or could reasonably be used to identify them. Health data becomes PHI when it is tied to identifiers such as the following (the Privacy Rule's de-identification "Safe Harbor" standard lists 18 of them):

  • First, middle, and last names
  • Date of birth and/or death
  • Contact information (home address, phone number, email address, etc.)
  • Social Security number, medical record number, health plan beneficiary number, account number, or other ID numbers
  • Full-face photographs and comparable images
  • Biometric data (e.g. fingerprints, iris recognition, facial recognition, etc.)
  • Information about health conditions, including dates of treatment
  • Healthcare payment information

HIPAA requires "covered entities" to safeguard PHI, including electronic health records (EHR). The three types of HIPAA covered entities are:

  1. Health care providers (doctors, dentists, psychologists, clinics, nursing homes, pharmacies, etc.)
  2. Health plans (health insurers, HMOs, company health plans, Medicare, Medicaid, etc.)
  3. Health care clearinghouses, i.e. third parties that convert nonstandard health information into standard transactions (and back) between health care providers and health plans

In addition to these covered entities, HIPAA also applies to their "business associates." A business associate is a third party that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Examples include billing and claims processors, consultants, cloud and hosting providers, data integration vendors, and subcontractors of other business associates. A covered entity must have a written business associate agreement (BAA) with each of them, and since the 2013 Omnibus Rule business associates are directly liable for complying with the Security Rule and the Privacy Rule provisions that apply to them.

What is HIPAA Compliance?

"HIPAA compliance" refers to the policies, processes, and technical controls that covered entities and business associates must put in place to meet the requirements of the HIPAA rules. The U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), enforces the Privacy, Security, and Breach Notification Rules; the Department of Justice handles criminal violations.

Anyone, whether a patient, an employee, or another whistleblower, can file a complaint with OCR. Civil penalties are tiered by culpability: from $100 per violation where the organization did not know and could not reasonably have known of the violation, up to $50,000 per violation for willful neglect that is not corrected, with an annual cap per violated provision (the figures are adjusted for inflation). Knowingly obtaining or disclosing PHI in violation of HIPAA is a separate criminal offense, punishable by fines and imprisonment of up to ten years when it is done for commercial advantage, personal gain, or malicious harm.

HIPAA Compliance Checklist

How can organizations in the healthcare industry ensure they comply with HIPAA? In this section, we go over some of the must-dos and must-haves for healthcare organizations handling PHI.


1. Understand the HIPAA Privacy Rule

The HIPAA Privacy Rule governs how covered entities and business associates may use and disclose "individually identifiable health information," in any form (paper, spoken, or electronic). The rule includes the definitions of PHI, covered entities, and business associates discussed above, requires that uses and disclosures be limited to the "minimum necessary" for the purpose, and gives individuals rights to access, copy, and request corrections to their records. It also lists the cases in which PHI may be used or disclosed without the individual's written authorization:

  • To the individual themselves
  • For treatment, payment, and health care operations
  • Where the individual has the opportunity to agree or object (e.g. facility directories, or family members involved in their care)
  • Incidental to an otherwise permitted use, provided the minimum-necessary standard and reasonable safeguards were applied
  • For activities in the public interest and benefit, such as disclosures required by law, to public health authorities, to law enforcement under specified conditions, to coroners and medical examiners, to protect victims of abuse or neglect, to avert a serious threat to health or safety, and for research under specified conditions
  • As a "limited data set" (PHI with direct identifiers such as names and addresses removed, but which is not fully de-identified) for research, public health, or health care operations, under a data use agreement

To comply with the HIPAA Privacy Rule, you need to understand whether and how it applies to you:

  • Are you considered a covered entity or business associate under HIPAA?
  • What kind of healthcare data do you handle?
  • How are you handling this data, and to whom are you disclosing it?

2. Understand the HIPAA Security Rule

The HIPAA Security Rule sets standards for protecting the confidentiality, integrity, and availability of ePHI. Its scope is broader than electronic health record (EHR) systems: it covers any ePHI a covered entity or business associate creates, receives, maintains, or transmits, including backups, exports, data pipelines, and analytics copies. It requires three categories of safeguards:

  • Administrative safeguards (e.g. a documented risk analysis and risk management process, a designated security officer, workforce training and sanctions, contingency and disaster recovery planning, periodic evaluation, and business associate agreements)
  • Physical safeguards (e.g. facility access controls, workstation use and security policies, and device and media controls covering disposal and reuse of drives that held ePHI)
  • Technical safeguards (e.g. access control with unique user IDs, emergency access procedures, automatic logoff, and encryption; audit controls that record activity on systems holding ePHI; integrity controls; person or entity authentication; and transmission security, including encryption in transit)

The Security Rule is technology-neutral: it does not prescribe particular products, algorithms, or configurations. Each standard is broken into implementation specifications that are either "required" or "addressable." Addressable does not mean optional: for each addressable specification (encryption of ePHI at rest is one), the organization must assess whether it is reasonable and appropriate in its environment and then either implement it or implement an equivalent alternative, documenting the decision either way. The risk analysis required by the administrative safeguards is what justifies those decisions, and a missing or outdated risk analysis is among the most common findings in OCR enforcement actions.

3. Understand the HIPAA Breach Notification Rule


The HIPAA Breach Notification Rule governs what organizations must do when unsecured PHI is breached, i.e. acquired, accessed, used, or disclosed in a way the Privacy Rule does not permit and that compromises its security or privacy. Common causes include physical break-ins, theft or loss of laptops and portable media, hacking, ransomware (OCR's guidance treats ransomware that encrypts ePHI as a presumptive breach), PHI sent to the wrong recipient, and staff discussing PHI in public or on social media.

Important details of the HIPAA Breach Notification Rule include:

  • Affected individuals must be notified without unreasonable delay and no later than 60 calendar days after the breach is discovered. A breach counts as discovered on the first day it is known, or reasonably should have been known, to anyone in the organization other than the person who committed it, so detection and escalation procedures matter as much as the notification itself. A business associate that discovers a breach must notify the covered entity within the same window.
  • Breaches affecting fewer than 500 individuals are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered. Breaches affecting 500 or more individuals must be reported to HHS at the same time as the individuals are notified, and prominent media outlets serving the affected state or jurisdiction must also be notified; these breaches are published on OCR's public breach portal.
  • Any impermissible use or disclosure of unsecured PHI is presumed to be a breach unless the organization documents a risk assessment showing a low probability that the PHI was compromised, considering at least four factors: the nature and extent of the PHI involved, the unauthorized person who received or used it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.
  • The rule applies only to "unsecured" PHI. PHI that has been encrypted in a manner consistent with HHS guidance (which points to the NIST standards for encryption at rest and in transit) or properly destroyed is "secured," so its loss or disclosure is not a reportable breach, provided the decryption key was not compromised along with the data. Key management is therefore what makes this safe harbor hold: keys must be generated, stored, and accessed separately from the data they protect, and a lost laptop with the key cached next to the database is still a breach.
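The encryption safe harbor above, and the encryption entry under the technical safeguards, both come down to one engineering requirement: ePHI stored or transmitted outside a trusted boundary must be unreadable and unmodifiable without a key that is kept somewhere else. The following is an added example written for this article (it is not Xplenty's code and not a HIPAA-mandated algorithm) showing what that looks like for a single record using AES-256-GCM, an authenticated cipher from the NIST-approved family. The patient record is a constructed sample, the key is generated in memory purely for the demonstration (in production it would be created and held by a KMS or HSM), and the `record:` associated-data label is an assumed convention for binding a ciphertext to its record ID.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Constructed sample record for the example. Not real patient data.
const samplePHI = `{"name":"Jane Doe","dob":"1980-04-12","mrn":"MRN-000123","dx":"E11.9"}`

// NewKey generates a random 256-bit AES key. In a real deployment the key is
// generated and held by a KMS or HSM and never written next to the ciphertext:
// the breach safe harbor is lost if the key is disclosed with the data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM (authenticated encryption) and
// returns nonce || ciphertext || tag. aad is authenticated but not encrypted;
// binding the record identifier this way stops a valid ciphertext from being
// silently moved to another patient's record.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record: nonce reuse under one GCM key is fatal.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. Any change to the ciphertext, the aad, or the key makes
// the authentication tag check fail and no plaintext is returned.
func Open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	aad := []byte("record:MRN-000123") // assumed convention: bind ciphertext to record ID
	sealed, err := Seal(key, []byte(samplePHI), aad)
	if err != nil {
		panic(err)
	}
	// This is all an attacker who exfiltrates the database (but not the KMS) sees.
	fmt.Println("stored blob:", base64.StdEncoding.EncodeToString(sealed))

	// Flipping one bit of the stored blob is detected rather than decrypted.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, tampered, aad)
	fmt.Println("tampered blob rejected:", err != nil)

	// Data without the key (a different key stands in for "no key") is rejected.
	otherKey, _ := NewKey()
	_, err = Open(otherKey, sealed, aad)
	fmt.Println("wrong key rejected:", err != nil)

	// A legitimate reader holding the key recovers the record.
	pt, err := Open(key, sealed, aad)
	fmt.Println("decrypted:", string(pt), "ok:", err == nil)
}
```

The design choice worth noting is that the blob carries its own nonce and authentication tag but never the key, so a copy of the storage layer (a stolen disk, a misconfigured bucket, an over-broad export) discloses nothing usable; what turns that copy into a reportable breach is the key being exposed with it, which is why key access should be separately controlled and logged. Applying the same primitive per field rather than per record is a common variant when only some columns are PHI.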

How Xplenty Can Help with HIPAA

HIPAA compliance is absolutely essential for any organization handling PHI. But how can you enact the technical safeguards required by HIPAA in practice?

One crucial piece of the puzzle is to use an ETL tool that keeps sensitive and confidential data protected throughout the entire data integration process, since every pipeline that copies, transforms, or loads ePHI is in scope for the Security Rule. Xplenty is a powerful, feature-rich ETL and data integration tool that makes information security our top priority. Our controls include TLS encryption of data in transit, physical security, network security, and system security. We are fully compliant with HIPAA's standards for business associates and will sign a BAA, making us a valuable partner for any healthcare organization.

Related Reading: Using ETL for HIPAA Compliance

Ready to learn how Xplenty makes it easier to process data while staying compliant with HIPAA? Get in touch with our team today for a chat about your business needs and objectives, or to start your 7-day pilot of the Xplenty platform.