In part 1 of this blog series, we looked at a few ways your business can stay in compliance with Health Insurance Portability and Accountability Act (HIPAA) regulations. Here we continue that overview with some additional steps you can take to protect patient data.
1. Thoroughly Understand HIPAA
Every business associated with healthcare is bound by the HIPAA regulations. These regulations dictate who may access PHI and when. All workers who handle PHI, including lawyers, administrators and healthcare operatives, are obliged to follow HIPAA regulations.
Thoroughly understanding HIPAA is important with so many different roles linked to it. HIPAA is designed in such a way as to ensure optimum data security. By defining access based on designation, data compliance becomes easier to maintain. Patient rights to PHI are also outlined by HIPAA, allowing them to retrieve records and request changes.
2. Assess Whether or Not HIPAA Impacts You
Once you have understood HIPAA, you need to check whether it impacts you. HIPAA exists to protect PHI by regulating the permissions and activities of covered entities, doctors, nurses, lawyers and insurance providers.
The following are considered covered entities:
- Healthcare Providers, such as:
  - Pharmacies
  - Nursing homes
  - Chiropractors
  - Dentists
  - Psychologists
  - Clinics
  - Doctors
- Health Plans, such as:
  - Health insurance providers
  - Government-provided healthcare plans
  - Business health plans
  - HMOs
- Healthcare Clearinghouses: entities that process healthcare information received from an individual into a standard form.
3. Avoid Any Would-be Breaches of HIPAA
Anticipating all potential breaches of HIPAA is the first step to avoiding them. Typical violations stem from internal causes rather than external hacking; in most cases they are caused by negligence or only partial HIPAA compliance. Avoiding them requires you to:
Comply with Transaction Standards
PHI data is often sent back and forth between covered entities. As such, HIPAA defines “transaction standards” that outline the correct procedure for these exchanges, which safeguards PHI in transit.
Some standard transactions comprise:
- Premium payment
- Referrals and authorizations
- Enrollment and disenrollment
- Claims and benefits
- Eligibility
- Claims status
- Payment and remittance advice
Take Steps to Avoid Fines and Penalties
You must avoid non-compliance, or your organization can face huge fines and damage to its reputation. Whatever measures you take, it is best to know what fines can be levied for which transgression. There are four tiers of violations:
- Tier 1 Violation: The covered entity did not know of the breach and could not have prevented it in any case; reasonable care was exercised in protecting PHI. Minimum fine of $100 per violation, up to $50,000.
- Tier 2 Violation: The covered entity should have known about the breach but could not have prevented it even with reasonable care. Minimum fine of $1,000 per violation, up to $50,000.
- Tier 3 Violation: A violation resulting from willful neglect of HIPAA, which the covered entity is responsible for correcting. Minimum fine of $10,000 per violation, up to $50,000.
- Tier 4 Violation: An egregious case of willful neglect of HIPAA, with no attempt by the covered entity to correct it. Minimum fine of $50,000 per violation.
Prepare for a Meaningful Breach
A meaningful breach impacts more than 500 people in a single jurisdiction. Such violations must be reported to the Department of Health and Human Services Office of Civil Rights (HHS OCR) within 60 days of the event. Affected individuals must also be notified immediately.
The breach should also be reported to law enforcement immediately. Contacting regional media outlets to coordinate notification of affected parties is crucial. These meaningful breaches are not frequent; however, planning for them can help you strengthen your HIPAA compliance measures.
Predicting a Minor Breach
According to the HIPAA Breach Notification Rule, impacted patients should be informed if their PHI may have been compromised. The kind of breach that takes place dictates how to respond, so if an event is classified as a minor breach under HIPAA, a specific process must be in place.
A minor breach impacts fewer than 500 people in a single jurisdiction. A document outlining all minor breaches that occurred over the course of the year must be reported to regulators 60 days before the end of the year. Impacted individuals must also be notified within 60 days of the breach.
Identifying Likely HIPAA Breaches
Some common reasons for a HIPAA violation:
- Sharing PHI on social media
- Divulging PHI in public
- Sending PHI to the wrong recipient
- Physical office break-in
- Ransomware, hacking or malware
- Stolen devices with PHI data
Staying in compliance with HIPAA regulations can be achieved with due diligence. A meticulous approach can ensure the safety of patient data.
If you’re interested in streamlining and enhancing data compliance efforts for your organization, ComplyD would be glad to help. Leverage our SAP-native data discovery and compliance enablement tool. Enjoy comprehensive visibility through a user-friendly, unified dashboard with analytics. You’ll be able to proactively take steps to meet compliance regulations for ANY industry or geography. Our scientific, robust DASH approach discovers vulnerabilities and secures and hardens your perimeter to meet compliance regulations and avoid violations. If you’d like a taste of compliance simplified for your entire enterprise, please request a demo.