What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that requires the creation of national standards in order to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. 

Why is HIPAA Important?

HIPAA was intended to improve the portability and continuity of health insurance coverage and gives patients more control over their health information. It provides data privacy and security in healthcare in order to protect patients’ medical information from cyber attacks.

This is especially important for healthcare providers or organizations that use electronic means such as electronic health records or EHR.

An EHR stores digital records of patient health information such as diagnoses, medications, radiology images, and billing data. It is commonly used in hospitals and other healthcare facilities and must adhere to the highest level of HIPAA standards.

In 2020, data breaches affected 26.4 million records in the U.S. alone which cost the healthcare industry over $13 billion.

When you think about the amount of personal information stolen at the hands of eager cybercriminal entrepreneurs, it makes HIPAA easy to understand as HIPAA safeguards against cyber attacks. 

The HIPAA Privacy Rule

The HIPAA Privacy Rule establishes national standards to protect PHI and applies to health plans, healthcare clearinghouses, and healthcare providers that conduct certain healthcare transactions electronically.

The purpose of the rule is to make sure that individuals’ health information is properly protected while at the same time allowing the proper flow of information necessary for high-quality healthcare. 

What are the HIPAA Security Rules?

The HIPAA Security Rule requires physicians to protect patients’ ePHI by using appropriate administrative, physical, and technical safeguards. It’s the operational side of the privacy rule and involves various technical and nontechnical solutions and safeguards that covered entities must implement to secure ePHI.

All covered entities must assess the risk and put in safeguards to protect patients’ health information. The job of these entities according to the US Department of Health & Human Services, under the HIPAA rule is to:

1. Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit
2. Identify and protect against reasonably anticipated threats to the security or integrity of the information
3. Protect against reasonably anticipated, impermissible uses or disclosures
4. Ensure compliance by their workforce.

HIPAA Cost

It’s important to allocate the necessary funds to properly store and secure patients’ sensitive information. A full cost of a gap analysis or HIPAA audit is around $20,000 according to some reports.

Here is how the costs breakdown for small businesses: 

• $2,000 for risk management and analysis planning
• Between $1,000 and $8,000 for remediation
• $3,000 or more for policy development and employee training

Your total compliance cost can range between $4,000 and $12,000 depending on your technology, resources, and number of employees.

Here is the cost breakdown for medium to larger businesses:

• $20,000-$40,000 for a full HIPAA audit
• $500-800 to scan for vulnerabilities
• $20,000 for risk management and analysis planning
• $5,000 for penetration testing
• $5,000 to $8,000 for policy development and training

The total cost for medium to large businesses can be anywhere between $40,000 and $50,000. 

The Breach Notification Rule

This rule requires covered entities to notify patients when their unsecured PHI is impermissibly used or breached in a way that compromises the privacy and security of the PHI.

Looking for a HIPAA Compliant Cybersecurity Solution ?

Who is Covered by HIPAA?

As defined by HIPAA rules, covered entities include healthcare providers, healthcare clearinghouses (public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements), and health plans, as a health plan is considered a covered entity (CE).

These entities are responsible for dealing with transactions that involve payment and or billing, and insurance.   

Other covered entities include:

• Physicians
• Nurses
• Hospitals
• Dentists 
• Chiropractors 
• Nursing Homes
• Pharmacies
• Insurance companies
• Other healthcare programs

Under the HIPAA Department of Health and Human Services (HHS), HIPAA requires that all covered entities designate a privacy official, as the job of a privacy official is to be responsible for developing and implementing privacy policies and procedures.

A privacy official is a contact person responsible for receiving complaints and providing individuals with information on the covered entity’s privacy practices.

Business Associates Must Comply with The HIPAA Privacy Standards

Business associates are defined as entities or persons that perform or assist in an activity involving PII such as claims processing, quality assurance reviews, data analysis, or any other function regulated by the HIPAA Administrative Simplification Rules, including the Privacy Rule.

Pharmaceutical suppliers are considered business associates and must follow strict HIPAA regulations in relevance to selling pharmaceuticals to physicians.

Other examples of business associates include:

• Accountants
• Consultants 
• Suppliers (medical devices)
• Legal 
• Data Aggregation
• Administrative/Management
• Financial Services

The HIPAA Omnibus Rule states who is required to protect ePHI and was finalized by the OCR (Office Civil Rights).

The Omnibus Rule relates to business associates under HHS OCR HIPAA compliance standards. The HIPAA Omnibus Rule requires healthcare providers to update their Business Associate Agreements and lasts 50 years after an individual’s death.  

A covered entity (CE) must have an established complaint process to meet the HHS privacy rule. That is the HIPAA privacy rule summary for covered entities.

Looking for a HIPAA Compliant Network Security Solution?

What Information is Protected by HIPAA?

Protected health information (PHI) as defined in the 2003 Privacy Rule encompasses all information that can be used to identify a patient. HIPAA Security Rule safeguard categories of PHI information, which include eighteen specific identifiers such as: 

• Name
• Address
• Telephone
• Social Security 
• Email 
• Medical Records
• Fax Numbers
• IP Addresses
• URLs
• Biometric identifiers such as fingerprints 
• Account Numbers 
• Photos
• Vehicle License Plates
• Customer Transactions

Only authorized individuals may process the information listed above as HIPAA security rule safeguards against unauthorized access.

What is ePHI?

ePHI is defined as any protected health information (PHI) that is created, stored, transmitted, or received in any electronic format or media. ePHI stands for Electronic Protected Health Information and is governed by the HIPAA Security Rule. 

ePHI HIPAA best practices and safeguards include:

• Strong passwords and the use of Multi-Factor Authentication (2FA)
• Unique accounts for each user
• Providing each user the minimum ePHI access required to work
• Record all changes to ePHI (change of patient address, telephone, email, etc.) 

How Does HIPAA Address Employees’ Access to ePHI?

Healthcare providers must have access to ePHI on a “need to know” limited basis. ePHI must be protected by providers regardless of where they are.

One method of protecting patient information is through end-to-end encryption which can only be deciphered with a decryption key, otherwise, the data appears scrambled and unreadable.

Medical records, for instance, must have this added layer of security to defend against malicious hackers.  

Other ePHI examples include: 

• Emailed lab results or blood test reports 
• E-prescriptions, stored X-rays, MRIs, or other digital photos of a patient
• Patient notes stored in a mobile device
• Appointments and procedures stored on an e-calendar
• Any kind of identifiable health information

HIPAA Procedures

PHI policies are the job of a privacy official under the HIPAA Act. Privacy officials are responsible for mitigating risks and handling business-related complaints.

PHI procedures place strict emphasis on access to confidential information and should be given only to authorized personnel.

HIPAA policies and procedures include: 

• The proper use and disclosure of a patient’s PHI
• A Notice of Privacy given to the patient to inform them how their health information could potentially be used
• Standard and guidelines that describe to the patient their rights over their PHI

HIPAA Compliance Requirements

HIPAA Compliance PHI refers to the protected health information of patients and is mandatory for the majority of healthcare facilities in the United States. The HIPAA Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

HIPAA does permit PHI email sending, however, all emails must be fully encrypted and have a high level of PHI security. The HIPAA Security Rule establishes national standards for protecting PHI.

HIPAA Medical

Healthcare data security standards protect patient confidentiality and must comply with HIPAA regulations.

It is also crucial to update HIPAA medical software routinely to avoid potential vulnerabilities which cybercriminals can easily expose.

The exploits open a door to malicious actors that can quickly steal patient information and sell it for as little as $5.40 on the black market. 

HIPAA compliant medical software protects against some of the most common risk factors:

• Outdated legacy systems
• Unsecured network security
• Malicious emails such as Phishing scams
• Weak passwords (ex: 12346, Qwerty, and even astonishingly the word “password” itself)
• Lack of training among employees and other third-party care providers

Healthcare professionals must abide by stringent medical HIPAA laws, in addition to an ethical code and moral obligations. All healthcare facilities are required to appoint a privacy officer to ensure that HIPAA rules and regulations are being enforced. 

Physicians should follow strict HIPAA regulations for medical records storage and remain in HIPAA ICD-10 compliance for all electronic transactions as covered by the Health Insurance Portability and Accountability Act of 1996.

HIPAA Compliance Checklist for a Medical Office  

1. Train Your Staff on HIPAA Policies and Procedures – Employees should be very well familiar with the HIPAA Policies & Procedures Desk Reference which can be purchased online via Amazon. Although there are regular updates, this book acts as a starting point and is highly recommended. 
2. Set Up a HIPAA Policy for The Medical Office – Develop a manual with written policies and step-by-step procedures for everyone to follow. Don’t be afraid to quiz staff every once in a while to make sure everyone is up to date.
3. Maintain Privacy – Never disclose any patient information or leave patient files unattended as not to disclose HIPAA compliance patient names. Always knock before entering any room and avoid noisy places when speaking with patients. 
4. Use HIPAA Compliance Software – This not only includes installing the latest security updates but also staying current with new HIPAA regulations on electronic medical records and HIPAA medical record storage requirements. 

If HIPAA compliance requirements are not met then the business can face legal action by government entities (which can be monetary penalties) and be forced to create a corrective action plan. 

What Are Patient Rights Under HIPAA?

1. Right to Obtain a Copy of Your Health Data – Every patient has the right to either view or obtain a copy of their health data. A copy of your medical records will be provided within 30 days. A small fee might be applied. 
2. Right to Find Out Who Has Received Your Health Data – Covered entities (such as health care providers) must provide information on a patient’s health data over the past six years.  
3. Right to Restrict Sharing of Your Health Data – Patients can choose who to share their PHI with. HIPAA covered entities are not permitted to sell health data or use it for marketing, advertising, research, or any kind of personal gain or commercial advantage without first obtaining written authorization.
4. Right to File a Complaint for a Privacy Violation – A patient may file a complaint if they feel that any PHI has been accessed by unauthorized individuals. 
5. Right to Correct Errors in Your Health Records – HIPAA provides patients with the right to make any needed changes to their health information to correct mistakes. Requests must be submitted in writing. 
6. Notification of Privacy Practices – All HIPAA covered entities are required by law to notify you about how your medical data will be used. 

One popular question physicians research is “are sign-in sheets required by law?” The answer is that, yes, covered entities may use sign-in sheets as long as the information disclosed is limited, according to the Department of Health and Human Services.

How do you Break HIPAA?

Examples of HIPAA Security Rule violations include: 

• Failure to implement sufficient safeguards to ensure the confidentiality, integrity, and availability of PHI
• Improper disposal of PHI
• Impermissible disclosures of PHI
• Failure to conduct risk analysis
• Failure to manage risks properly
• Unauthorized release of PHI to individuals that are not authorized to receive the information
• Sharing PHI online on social media without permission
• Failure to encrypt PHI 
• Failure to implement access controls to limit who can view PHI and failure to terminate access when no longer required
• Failure to train employees on security awareness and HIPAA compliance
• Failure to monitor PHI access logs
• Failure to provide patients with a log of disclosures upon request
• Willful neglect of security preaches by medical providers

A HIPAA violation is failing to comply with any HIPAA aspect or provision, which can result in criminal or civil money penalties. The penalties for these violations start from $25,000 per violation category issued by State Attorneys and upwards of $1.5 million from the Office of Civil Rights HIPAA violation. 

The possible reasons of why HIPAA violations occur can be divided into four possible scenarios:

• Medical Identity Theft is when another person steals and utilizes your personal information to obtain money through fraudulent claims or purchase prescription drugs. Even more shocking is that 30% of victims were unaware of when the identity theft occurred. One way to prevent identity theft is to thoroughly read your EOB (explanation of benefits) and get a copy of your medical records, just in case. 
• Malicious Attacks on Networks – One of the most common attacks on healthcare institutions is ransomware. A couple of years ago, in 2017, the infamous Ryuk Ransomware attack on Universal Health Services (UHS), which had over 400 locations, occurred. The attack disrupted over 80 medical facilities, costing approximately $67 million in lost revenue. Having a secure Business VPN can help alleviate this type of headache.  
• Downloading PHI Onto Unauthorized Devices – Employees must be trained properly when it comes to the handling and transmission of PHI. Specific permissions and least privilege access must be granted by IT to prevent any PHI from leaking out. 
• Employees Snooping on Medical Records – Snooping on healthcare records under false pretenses is one of the most common HIPAA violations committed by employees. Once again, proper training should be provided to all new employees, and an annual review for existing employees just to be on the safe side. 

HIPAA violations are mainly discovered by HIPAA-covered entities through internal audits. Employees involved in such violations can face severe penalties and even prison time if caught and convicted.

What is a Compliance Breach?

A compliance breach is a result of not complying with HIPAA breach notification rules, guidelines, and policies. Breaches can also occur due to human error, but proper investigations into the incident will help determine the cause and whether or not it is a HIPAA violation.

Breaches must be reported 60 days after discovery, known as “reasonable diligence” to a privacy or security officer. 

Failure to report the incident within 60 days may result in a massive penalty from the OCR or a lawsuit. This process should be part of an OCR HIPAA audit checklist. All breaches should be reported, regardless of scope.

Looking for a HIPAA Compliant Network Security Solution?

HIPAA Legal Requirements 

HIPAA laws are designed to protect the privacy and security of patients’ health information. The HHS law enforces federal civil rights laws that protect the rights of individuals and entities from unlawful discrimination on the basis of race, color, national origin, disability, age, or sex in health and human services.

The HIPAA law can be broken down into five titles. Each title or section provides different rules and provisions. 

• Title I – HIPAA Health Insurance Reform
• Title II – HIPAA Administrative Simplification 
• Title III – HIPAA Tax Related Health Provisions
• Title IV – Application and Enforcement of Group Health Plan Requirements
• Title V – Revenue Offsets

In HIPAA Title II, organizations must implement safe electronic access to PHI under the United States Department Of Health and Human Services (HHS).

HIPAA Law and COVID

The HIPAA privacy law states that covered entities may disclose the protected health information of an individual who has been infected with or exposed to, COVID-19, with law enforcement, paramedics, other first responders, and public health authorities without consent from the individual. 

The other exceptions of HIPAA laws and COVID include:

• When first responders may be at risk of infection
• When disclosure is needed to provide treatment
• When responding to a request for PHI by a correctional institution or law enforcement official having lawful custody of an inmate or other individual
• When the disclosure of PHI to first responders is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public
• When such notification is required by law

90/10 Rule HIPAA

The 90/10 Rule establishes good security standards which state that: 

• 10% of security safeguards are technical 
• 90% of security safeguards rely on the computer user to adhere to good computing practices

Is HIPAA a Federal Law?

HIPAA is a federal law which is enforced by the HHS’ Office for Civil Rights. The federal law began in 2003 and is stated in the HIPAA Privacy Rule which sets limits on who can view and receive your health information, and the Security Rule, which requires health information in electronic form.

EHR Laws and Regulations

EHR stands for Electronic Health Records and it is a digital version of a patient’s paper chart, containing medical history, diagnoses, lab and test results, treatment plans, and medications. The Security Rule was established to protect patients’ security of electronic health information under HIPAA. Healthcare practices should also implement an effective EHR Audit Checklist as required by HIPAA Federal laws and regulations.

WFH Guidelines and HIPAA-Compliant VPN

Many healthcare practitioners discuss how HIPAA requirements could affect working from home; thus, all covered entities must abide by HIPAA rules regardless of working from home or at the office. 

Although there are great advantages such as reduced costs and time saved traveling, there are drawbacks if proper security measures are not in place. 

One way to prevent this concern is through a HIPAA Compliant VPN, which protects against outside threats and malicious actors and encrypts all sensitive PHI data.  

HIPAA Compliance and The Cloud

• AWS HIPAA compliance allows their customers to build HIPAA compliant apps that process, transmit and store PHI. 
• Azure HIPAA compliance allows organizations to store, analyze and interact with regulated health data while maintaining security privacy and compliance all on the cloud. 
• Salesforce HIPAA compliance allows HIPAA compliant emails to be sent
• Google Workspace allows for HIPAA compliance on the Google Cloud platform. PHI is protected under HIPAA in accordance with HIPAA guidelines.

What Is a HIPAA Scan?

HIPAA scanning requirements are put in place as the HIPAA Security Rule requires that covered entities perform security risk analyses. Vulnerability scans may take place to find known vulnerabilities in apps, networks, as well as firewalls. Vulnerability scans identify weaknesses and flaws in IT systems. 

Some of the most common flaws revealed are:

Flaws in hardware: Outdated legacy hardware systems present major problems. Two such vulnerabilities are Meltdown and Spectre which can wreak havoc on your hardware systems and can create golden opportunities for anxious hackers. 

Flaws in software: These flaws can be found in the form of bugs that have not been addressed properly and Cross-site scripting (XSS), commonly found in applications.

Additional vulnerabilities exist on operating systems such as old versions of Windows or via browsers such as Google Chrome or Mozilla.

HIPAA Rules & Regulations

The first step towards Security Rule compliance is the assignment of a security responsibility or HIPAA Security Officer.

HIPAA rules and regulations give guidance for the correct uses and disclosures of PHI, how to secure PHI, and the measures that need to be taken should there be a PHI breach.

There are also HIPAA firewall rules, where outbound connections that are from networks containing PHI access have to be explicitly authorized. 

When it comes to the application of the HIPAA privacy rules to religious organizations, it’s important to know that many religious entities, such as ministries, are not subject to the HIPAA privacy rule. 

HIPAA documentation requirements are a lengthy process but absolutely essential, as a HIPAA document organizes all levels of security efforts taking place covering all HIPAA requirements and compliance rules.

The privacy and security rules require workforce training that every new member must undergo as part of their HIPAA training.

Looking for a HIPAA Compliant Network Security Solution

HIPAA Compliance Checklist

There are rules and procedures which all healthcare organizations must follow. Implementing a HIPAA compliance checklist for reference is crucial to thwarting cybercriminals from exposing sensitive information. 

The most common HIPAA guidelines include:

• Ensuring proper HIPAA training for all members of staff 
• Appointing a HIPAA compliance Privacy or Security officer 
• Reviewing all third-party BAA (Business Associate Agreements) to make sure they meet HIPAA compliance standards
• Regularly reviewing policies and procedures with staff to make sure everyone remains up-to-date

The HIPAA technology checklist consists of:

• Access Control – where centrally controlled individual credentials for every single user are implemented.
• Integrity Controls – where policies and procedures are put in place to ensure that ePHI stays unaltered and safe from harm. 
• Network Security – where all devices must be able to encrypt messages sent beyond internal firewalled servers and be able to decrypt them once received.
• Audit Controls – where ePHI must be recorded and examined in information systems.
• To expand your knowledge on the topic, read the following HIPAA books.

HIPAA Compliant Teleconferencing

There are certain HIPAA compliant web conferencing tools such as Zoom and GoToMeeting. These HIPAA compliant video tools are especially important during COVID-19, where most health meetings must take place online.

Sensitive information can easily leak into the wrong hands with a click of a button, causing a major breach and costing healthcare organizations a lot of money, over $13.2 billion in 2020 alone.

Is Zoom HIPAA Compliant?

Zoom, is in fact, HIPAA compliant. The Zoom business associate agreement protects personal health information (PHI) in accordance with HIPAA guidelines.

Zoom privacy features allow you to control session attendee admittance with either individuals or groups. Secure video conferencing HIPAA takes place with this platform that is trusted by millions of healthcare professionals worldwide.

Is GoToMeeting HIPAA Compliant?

Yes, GoToMeeting is HIPAA compliant. The GoToMeeting Business Associate Agreement (BAA) is a contract that is legal which mandates that GoToMeeting contains the essential safeguards that secure all PHI transmitted through their platform.

The BAA also mentions that every signing party has its own responsibility with regards to maintaining its own compliance.

HIPAA Certification

There are many great and reliable websites that can guide you on how to get HIPAA certified. A HIPAA certification on resume demonstrates that a covered entity or business associates such as a medical device company or pharma sales rep fully complies with all HIPAA rules and regulations.

A HIPAA compliant certification should be updated as often as possible in order to avoid hefty fines and provide your employees with proper training. 

HIPAA Compliant Website

If you are working with any sort of data related to a patient through your website, such as a PHI email, your organization must follow stringent HIPAA website laws.

There are no official rules that govern HIPAA cloud storage services with regards to PHI. Cloud service providers such as Dropbox, do not have any HIPAA or HITECH certifications.

That means that you are responsible for taking appropriate security measures with protected healthcare information. 

Regardless of your organization’s size, it is absolutely crucial to have a VPN for HIPAA compliance in place. A VPN will help encrypt all ePHI and minimize the chance of a breach by granting limited privilege access to employees and third-party providers. And that is HIPAA in a nutshell.

How Perimeter 81 Helps with HIPAA Compliance

Perimeter 81 offers the most secure HIPAA compliant VPN for healthcare professionals which meets the highest HIPAA encryption compliance requirements and HIPAA security software standards. 

Curious to see if your organization meets our HIPAA Compliance Checklist? Find out how Perimeter 81 secures healthcare organizations and maintains the highest levels of HIPAA compliance for remote employees with Zero Trust.

Highlighting The Importance of Perimeter 81 for HIPAA Compliance

Highlighting The Importance of Perimeter 81 for HIPAA Compliance

Encrypt Transmitted Data: Perimeter 81 helps encrypt all sensitive information such as Electronic protected health information or ePHI, making the data unreadable and indecipherable.

Secure Remote Access: Perimeter 81 leverages always-on encryption and 2FA of all traffic, as well as traffic firewalling, and device posture checks to ensure that stored and transmitted data remains private.

Centralized Cloud Platform: Grant employee and business associates limited access via least access privilege. Ensure that PHI remains confidential by establishing user roles, significantly minimizing the potential of a data breach.