For those of you who are not familiar with the Health Insurance Portability and Accountability Act (HIPAA), it was passed in 1996 and has become the foundational data protection standard in the U.S. for the healthcare industry. If you are deciding if HIPAA applies to you, you might consider that while HIPAA does not apply to all healthcare entities, it does apply to:
- Covered entities – Health plans, health care clearinghouses (e.g., billing services) and any health care providers that engage in electronic payment for healthcare
- Business associates – Vendors to covered entities that have access to protected health information (PHI), such as law firms, software providers, etc.
Additionally, fines for violating HIPAA are severe – from $100 to $50,000 per violation with a maximum penalty of $1.5 million per year for each violation.
Challenges to Complying with HIPAA
Some of the challenges clients we work with face in complying with HIPAA include:
- Fitting new technology into older laws. HIPAA was adopted in 1996, over 20 years ago, before there were even smartphones! Companies trying to build technology to older standards often face challenges in identifying how to address PHI and what safeguards are needed (e.g., where and when to encrypt).
- Risk Assessments. Companies must consider both regular risk assessments as required by HIPAA and risk assessments related to new or changing processes/projects.
- Vendor Oversight. As a covered entity, a company needs to perform proper due diligence over the life of its relationship with a vendor. The right agreements must also be in place to ensure that critical elements of HIPAA are addressed by the vendor (e.g., security obligations, breach notifications).
- Integration with Other Laws. Other privacy laws or requirements address one or more of the same provisions as HIPAA. Companies with activities that fall under another jurisdiction need to examine where the laws intersect and where they provide provisions that oppose each other. Examples include the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
Recommendations for HIPAA Compliance
Achieving, maintaining and demonstrating compliance with HIPAA means companies must implement HIPAA’s administrative, physical and technical safeguards, exercise heightened diligence over vendors with whom they share PHI and meet the HIPAA breach notification requirements. As you consider the steps you will take to comply with HIPAA, TrustArc suggests the following:
- Assess your business – Determine if HIPAA applies to your business; conduct a gap analysis against HIPAA requirements; determine cross-compliance overlap; and map processes to determine the scope and reach of HIPAA to business activities, data, systems/applications and vendors.
- Implement HIPAA compliance – Develop or enhance policies to comply with HIPAA; build a successful vendor management program; implement individual rights mechanisms; and develop a privacy impact assessment.
- Maintain compliance – Perform a thorough annual risk assessment and maintain ongoing compliance activities (e.g., policy updates, employee training, vendor assessments, etc.).
TrustArc can help with all these key areas of HIPAA compliance. TrustArc has extensive experience working with companies in the healthcare field, including both covered entities and business associates. We assist companies throughout the lifecycle of HIPAA compliance, from immediate needs such as determining if HIPAA applies to a business, initial risk assessments and employee training, to long-term needs such as vendor management, data inventory and PIAs. We can also partner with companies on corrective action plans under regulatory oversight.