When it comes to keeping electronic health information and data secure and protected, healthcare compliance is crucial. Standards like HIPAA help to keep both providers and consumers protected. This blog will cover the following topics and questions associated with HIPAA Compliance:
- What is HIPAA?
- What does HIPAA stand for?
- HIPAA Covered Entities: Who must comply with HIPAA?
- HIPAA Requirements: Three Components to HIPAA
- Privacy Rule
- Security Rule
- Breach Notifications
- HIPAA Violation Examples
- HIPAA Violation Reporting
- HIPAA Fines and Penalties
What is HIPAA? What does HIPAA stand for?
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. HIPAA establishes national standards for electronic healthcare transactions and code sets, unique health identifiers, and security. Congress incorporated into HIPAA provisions that mandated the adoption of federal privacy protections for individually identifiable health information.
HIPAA Covered Entities: Who must comply with HIPAA?
Perhaps you’re wondering: who does HIPAA apply to? HIPAA applies to healthcare providers who electronically transmit any health information, healthcare clearinghouses, and health plans. Business associates that act on behalf of a covered entity must also comply (The HITECH Act of 2009) — this includes claims processing, data analysis, utilization review, billing, etc. Researchers are covered entities if they are also healthcare providers who electronically transmit health information in connection with any transaction for which Health and Human Services has adopted a standard.
HIPAA Requirements: Three Components to HIPAA
The three components of HIPAA are the Privacy Rule, the Security Rule, and Breach Notifications.
HIPAA Privacy Rule
The Privacy Rule ensures that the privacy of healthcare information is safeguarded. The Privacy Rule:
- Sets limits on what information can be disclosed based on outlined authorization.
- Gives patients rights over their healthcare information.
- Imposes further requirements, including breach notification, access, and reporting.
The Privacy Rule requires compliance with the Security Rule.
HIPAA Security Rule
The Security Rule concerns administrative, technical, and physical safeguards to protect the confidentiality of all information. There are three components to the Security Rule:
- Administrative Safeguards: Password management, anti-malware, anti-virus, workforce training, etc.
- Technical Safeguards: Authentication, encryption, transmission security etc.
- Physical Safeguards: Cameras, badges, facilities, data storage, etc.
Breach Notification
A breach occurs when the security and privacy of protected health information (PHI) is compromised. HIPAA outlines requirements to be followed by covered entities in the event of a security or privacy breach. The outlined requirements describe the manner of notification, the timeline for the notification to occur, etc. – these stipulations differ based on the organization type and size and other associated circumstances. If Breach Notification guidelines are not followed in response to a breach, fines and penalties will result; the amount of the fine also varies based on organization type and other associated circumstances.
HIPAA requirements include Business Associates, subcontractors, and service providers.
HIPAA requires that covered entities implement a monitoring program and assessment of their subcontractors, service providers, and/or business associates – this ensures that all healthcare data handled by covered entities, including anything outsourced to a service provider, is appropriately protected. Under HIPAA, entities are permitted to outsource business processes; however, liability for the associated risk cannot be outsourced along with the service. In other words, covered entities bear full responsibility for all risk, including any risk that may arise from outsourced processes.
HIPAA Violation Examples
HIPAA violations are easier to encounter than you may realize. Simple acts can be considered in violation of HIPAA, and violations can incur varying fines and penalties. Here are some examples of common HIPAA violations:
• Hacking
• Unauthorized access to information
• Unauthorized disclosure of PHI
• Stolen items and devices
• Inadequate employee training and resources
• Breach Notification guidelines not being followed in the event of a security or privacy breach
HIPAA Violation Reporting
Are you wondering how to report a HIPAA violation? Privacy and security complaints can be filed by anyone. Let’s go over the information about reporting a HIPAA violation from the U.S. Department of Health and Human Services website.
HIPAA Fines and Penalties
There are various well-defined fines and penalties that can occur from HIPAA violations. The penalties range in amount, depending on the severity of the violation, how quickly the violation was corrected, if willful neglect occurred, etc.
HIPAA Complaint Requirements:
• Be filed in writing (mail, fax, email, or through the OCR Complaint Portal)
• Name the entity or business
• Describe what may be in violation of the HIPAA Privacy, Security, or Breach Notification Rules
• Be filed within 5 months of the violation (unless reasonable cause for delay is provided)
Retaliation against those who file complaints is prohibited. The Office for Civil Rights (OCR) should immediately be notified of any retaliatory action.
A HIPAA violation can be reported via mail, fax, email, or through the online OCR Complaint Portal.
To report a HIPAA violation online through the OCR Complaint Portal, follow these steps:
- Go to the OCR Online Portal at ocrportal.hhs.gov.
- Read through the Complaint Portal Assistant text describing Federal Civil Rights Laws, Federal Conscience and Religious Freedom Laws, and the HIPAA Privacy Rule.
- Answer the first question at the bottom of the page: “What is the Nature of your complaint?”
- Answer any remaining questions. If your complaint is eligible for submission to the OCR, you will be directed to the “Complaint Portal” online complaint form.
- Click the “File…” link found under “Civil Rights, Conscience and Religious Freedom, or Health Information Privacy”.
- You will be taken to a page for you to provide the following information/paperwork:
  - Complainant (name, phone number, address, and email address)
  - Complaint Details (person/agency/organization, their address and phone number, dates of violation, a brief description of the incident, and any additional files)
  - Optional Additional Information (necessary accommodations, whether the complaint has been filed elsewhere, and their primary language)
  - Signature (privacy information)
  - Consent (Complainant Consent Form)
ControlCase Methodology
To learn more about HIPAA compliance and chat with a healthcare IT security specialist, contact us. ControlCase’s expertise in HIPAA compliance extends beyond healthcare providers to include service providers (business associates) that fall under newly implemented regulations as part of current healthcare reform.
At the completion of any ControlCase IT assessment, you will receive a detailed report combined with a comprehensive consultation going over:
• Your current compliance posture.
• Recommended steps for improving compliance.
• Additional considerations that may require attention in the future.