What You Need to Know About HIPAA and What You Can Do To Prevent A Breach


What’s the worst thing that could happen to your company? What about your department? Maybe even you personally? A data breach. In recent years, we have seen an increasing number of data breaches and personal information being leaked or hacked into by nefarious individuals. The result of these data breaches has been a lot of scrutiny on companies that have been breached and a number of regulations concerning what types of personal information an organization must store securely and who is allowed access to it. Think you can’t be hacked? You might be surprised. Even if you think you don’t have any sensitive data to protect, you probably do – maybe in some unexpected place. For example, employee social security numbers are now considered non-sensitive information, but they still need to be protected because they can be used for identity theft and other malicious activities. Read on for important insights about HIPAA compliance that will help keep your business safe from cyber threats, potential breaches, and more.

What is HIPAA?

The Health Insurance Portability and Accountability Act, referred to as HIPAA, was passed in 1996 as a way to protect individuals’ identities and health information. HIPAA applies to a wide array of health care service providers, including physicians, healthcare clearinghouses, and any other health care providers that transmit health information electronically in any way. The goal of HIPAA was to ensure that patients’ identities and personal information stayed secure at all times, which would ultimately protect their health care coverage. As technology has advanced, so have the rules related to HIPAA compliance. HIPAA now covers all forms of electronic communications and storage of health information, including email, text messages, and cloud storage.

Why is HIPAA Compliance Important?

As mentioned above, HIPAA protects individuals’ identities and health information. It also prevents fraudulent claims and helps health care providers efficiently process patients’ claims. In the event of a breach, HIPAA imposes strict liability on breached entities to notify individuals whose information was compromised as well as the appropriate regulatory agencies. If you are a business that handles any kind of health care information, HIPAA compliance is important for several reasons. First, you don’t want to deal with the consequences of a breach. Second, you don’t want to deal with the expense of hiring a team to help you stay compliant.

The Basics of HIPAA Compliance

  • The Covered Entities – The covered entities are the businesses that handle health information as part of their daily operations. They include doctors’ offices, healthcare clearinghouses, insurance companies, and health plan administrators.
  • The Business Associates – Business associates are entities that perform certain functions for a covered entity but don’t have direct access to patients’ health information. These entities help covered entities perform administrative and logistical tasks related to their operations, including billing, transcription, and data analysis. The functions business associates perform must be necessary to perform the work of the covered entity.
  • Data Integrity – The covered entity has a responsibility to ensure the integrity of information at all times. This includes correcting inaccurate information and expunging information as appropriate.
  • Limiting Individuals’ Access to Information – All individuals who have access to health information should be trained in how to appropriately use and store health information.
  • Disposing of Health Information Properly – Health information must be disposed of properly at the end of its useful life.
  • Safeguards – Covered entities must maintain adequate safeguards to protect health information at all times, including during transmission.
  • Breach Notification – The covered entity is responsible for notifying the individuals whose information was compromised as well as the appropriate regulatory agencies if there is a breach.

Types of Protected Health Information

The Health Insurance Portability and Accountability Act protects all forms of health information, including electronic health records, demographic information, and financial information. The most common terms used when discussing health information are listed below.

  • Demographic information – This refers to information about an individual that doesn’t relate to their health, such as the individual’s name, address, and date of birth. Demographic information might be part of a patient’s electronic health record but it isn’t part of the health information protected under HIPAA.
  • Health care payment information – Health care payment information includes information about how much an individual paid or was supposed to pay for health care services. This type of information is also not protected health information under HIPAA.
  • Health care providers – Health care providers include providers of services and goods related to health care. Health care providers are another form of protected health information under HIPAA.
  • Health plan beneficiaries – Health plan beneficiaries include individuals who receive health care coverage under a group health plan.
  • Health care instructions – Health care instructions include instructions related to health care, such as end-of-life directives or powers of attorney.
  • Health information – Health information is any information that relates to the health or medical history of an individual. This includes demographics and health care information.

What Constitutes a Breach Under HIPAA?

If any protected health information is lost or stolen, it is considered a breach. The circumstances surrounding the breach can vary – the information might be exposed but not actually lost, or it might be lost but not actually seen by unauthorized individuals. No matter the circumstances, the breach needs to be reported to the individuals affected by the breach and to the appropriate regulatory agencies. Covered entities have a variety of options for mitigating potential risks of a breach, but no security system is ever 100% foolproof.

There are many things that can cause a breach, from human error to cybercrime. These breaches may be reported to the media and the government, so it’s important for covered entities to be aware of their potential for harm.

Safeguards to Prevent a Breach and Stay Compliant

  • Conduct a risk assessment – This is the first and most important step in being prepared for a breach. Conduct a thorough risk assessment to determine what information is most critical to protect.
  • Encrypt sensitive data – Sensitive data that is stored in an electronic form should be encrypted to prevent prying eyes from getting a hold of it. This applies both to data at rest and data in transit.
  • Use two-factor authentication – Using two-factor authentication, where possible, adds an extra layer of security and can help prevent a breach.
  • Keep track of what device is storing what data – It’s important to keep track of which device is storing which data so that if a breach occurs, you can identify what data was compromised.

A data breach can have dire consequences for a business, from regulatory fines to reputational damage, and even financial losses. It’s important for businesses that handle any type of health information to be aware of their potential for harm and to take steps to mitigate that risk. These steps include conducting a risk assessment, encrypting sensitive data, using two-factor authentication, and keeping track of what device is storing what data. It’s also important to maintain adequate safeguards to protect health information at all times, including during transmission.
