The Ultimate HIPAA Guide
Powered by Vanta & The Cadence Group
Organizations working in and with the healthcare industry must confront a certain amount of complexity to stay on top of the technology and practices necessary to achieve HIPAA compliance. Vanta and The Cadence Group are here to help you establish policies, procedures, and ongoing practices that will position you for a successful HIPAA compliance review and audit — and to showcase your comprehensive commitment to healthcare data security.
Our guide will walk you through the key points of HIPAA and critical additions since its introduction, discuss what it means to comply with HIPAA (and outline the risks of non-compliance), and help you take important next steps on your HIPAA compliance journey.
HIPAA basics and terminology you need to know
Let’s start with a HIPAA overview. What is HIPAA and what is its purpose? HIPAA, the Healthcare Insurance Portability and Accountability Act, was signed into law on August 21, 1996. HIPAA’s overarching goal is to keep patients’ protected health information (PHI) safe and secure, whether it exists in a physical or electronic form. HIPAA was created to improve the portability and accountability of health insurance coverage for employees moving between jobs. HIPAA was also created to deal with waste, fraud, and abuse in health insurance and delivery of healthcare, as well as to promote the use of medical savings accounts, provide coverage for employees with pre-existing medical conditions, and simplify the administration of health insurance.
To achieve this administrative simplification in particular, the healthcare industry was encouraged to computerize patients’ medical records — an effort that has both improved patient healthcare and communication, and introduced increased risk to patient data privacy through the possibility of identity theft and patient privacy violations.
There have been a number of additions to HIPAA since its initial passage that require the critical attention and compliance of covered entities and business associates, such as healthcare providers and plans, and vendors or subcontractors who have access to protected health information. These HIPAA additions include the HIPAA Privacy Rule, Security Rule, Enforcement Rule, the HITECH (Health Information Technology for Economic and Clinical Health) Act, the Breach Notification Rule, and the Final Omnibus Rule.
- The HIPAA Privacy Rule (2003) sets national standards to safeguard individuals’ medical records and other protected health information, and establishes when PHI may be used and disclosed.
- The HIPAA Security Rule (2005) specifies safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI), and articulates three types of security safeguards — administrative, physical, and technical — that must be adhered to in order to ensure HIPAA compliance.
- The HIPAA Enforcement Rule (2006) was introduced to give the U.S. Department of Health and Human Services the ability to investigate complaints against covered entities not operating in compliance with the Privacy and Security Rules, and to enact penalties.
- The Health Information Technology for Economic and Clinical Health Act (HITECH) was introduced in 2009; its primary goal was to urge healthcare authorities to implement the use of electronic health records (EHRs), as well as to incentivize healthcare organizations to maintain patient protected health information in electronic format as opposed to paper files. This led to the extension of the HIPAA Rules to business associates and third-party healthcare industry suppliers, so that any organizations interacting with protected health information were bound to comply with HIPAA.
- The HIPAA Breach Notification Rule (2009) was also introduced in conjunction with the HITECH Act’s changes, requiring that in the event of a breach of unsecured PHI, notification of the breach is communicated to affected individuals, the U.S. Department of Health and Human Services, and in some cases, the media.
- The Final Omnibus Rule (2013) clarified gray areas and fleshed out necessary details in existing HIPAA and HITECH regulations, while also establishing new penalties for HIPAA noncompliance.
The encouragement to use electronic health records and to maintain patient PHI in electronic form led to the wider development of technology and platforms for digital health data storage and distribution — which in turn increased the need for healthcare and related organizations to effectively manage and monitor access to sensitive healthcare information.
Organizations working in and with the healthcare industry must have a range of clear policies and procedures in place to ensure the safety of patient data, to ensure their compliance with the various rules and components of HIPAA, and to track and document their compliance for audit and verification purposes.
What does it mean to be HIPAA compliant — and how can my company get started?
Achieving HIPAA compliance isn’t a matter of proving your company’s adherence to a single static standard. HIPAA’s rules and requirements are intentionally broad and flexible to accommodate the range of types and sizes of covered entities and business associates that create, access, process, or store protected health information (PHI), and that must thus comply with HIPAA.
HIPAA compliance is an evolving process; your organization is responsible for proving in an ongoing way that you are abiding by all the rules of HIPAA. Your company’s compliance with HIPAA involves fulfilling the requirements of the initial act of 1996, its subsequent amendments and additions, and any related legislation. Covered entities and business associates with access to PHI are obligated to ensure that administrative, physical, and technical safeguards are in place to maintain the security of patient data; that they are in compliance with the HIPAA Privacy Rule; and that they have procedures in place to comply with the Breach Notification Rule should a data breach occur. An individual or a team within your organization must be identified as the responsible party for ensuring your organization’s HIPAA compliance. They should lead the charge in managing HIPAA compliance and assume the business risk to your company.
Your company will want to develop and implement a system for tracking policies, processes, procedures, documents, and related compliance materials. Your goal is to maintain compliance with HIPAA’s various component elements, to track any changes in ongoing HIPAA regulations, and to establish and maintain organizational processes for gathering compliance metrics, such that the status of your compliance with HIPAA is evident at any time.
HIPAA’s recommendations for how organizations can go about achieving compliance are technology-neutral, in that there are no expectations of use of certain prescribed systems or services; the expectation is that organizations and entities are advancing a serious approach to achieve compliance with HIPAA’s data protection regulations.
Understanding the costs of noncompliance with HIPAA
The creation of the HIPAA Enforcement Rule introduced the ability of the U.S. Department of Health and Human Services (HHS) to fine organizations for avoidable ePHI breaches. HHS’s Office for Civil Rights (OCR) is responsible for this enforcement, which it achieves through conducting compliance reviews, conducting outreach to encourage compliance, and investigating complaints.
The financial and other penalties incurred as a result of HIPAA violations and data breaches can be extraordinarily costly — from steep fines that vary by violation, to the organizational costs of issuing breach notifications and mitigating the damages following breaches, to the further possibility of criminal prosecution.
Fines may be levied against an organization whether a violation was unintentional or deliberate. Civil violations tend to involve situations where a covered entity fails to resolve a breach violation, and civil money penalties are subsequently levied to compensate for the violation. The Office for Civil Rights separates civil money penalties into four categories that range from a Tier 1 violation committed without an entity having reasonably known (incurring a possible fine of $100 – $50,000 per violation, with an annual maximum of $25,000 for repeat violations) to a Tier 4 violation in which a breach has occurred due to willful neglect and the cause of the violation has not been remedied (incurring a fine of $50,000 per violation, and capped at $1.5 million per year). A recently revised interpretation of the HITECH Act implemented restructured caps, with annual maximums increasing with the severity of the violation tier — a change intended to acknowledge an entity’s level of culpability in a breach and set maximum fines accordingly.
By managing and monitoring your organization’s compliance with the rules and regulations of HIPAA on an ongoing basis, you will be best positioned to identify any potential data security risks or threats and to mitigate those risks before they turn into larger and much costlier problems.
Interested in more?
Share your email so Vanta can send you new guides and helpful steps to improve security at your company.
How can your company begin its HIPAA compliance journey?
Vanta and The Cadence Group are here to help you achieve HIPAA compliance. Vanta has partnered with The Cadence Group, an AICPA registered firm, to streamline your HIPAA and SOC 2 audit prep and support you as you prepare for a smooth and thorough evaluation and reporting process. As there is no official HIPAA compliance reporting mechanism, leveraging the SOC 2+ HIPAA report allows you to demonstrate your compliance using an industry standard report structure in the SOC 2 audit and to save on both time and cost.
Vanta includes HIPAA compliance support, and we’re able to offer guidance and information on preparing for your HIPAA audit — helping you track how ePHI flows through your systems and access points, helping you develop a breach notification policy and template, building a statement of applicability that describes how your organization controls for each of the HIPAA safeguards, and more. As part of Vanta’s HIPAA support package, we include features for tracking resources on your inventory list that store or process ePHI, as well as tracking Business Associate Agreements for vendors with whom you share ePHI. Vanta also offers HIPAA addendum policy templates to help you get started with your HIPAA policy language. We can help you utilize Vanta’s feature set to help track a range of HIPAA tasks, such as employee training, and to further customize your HIPAA compliance approach. Vanta will additionally support your company in preparing for your HIPAA audit fieldwork.
Vanta provides a set of security and compliance tools that scan, verify, and secure a company’s IT systems and processes. Our cloud-based technology identifies security flaws and privacy gaps in a company’s security posture, providing a comprehensive view across cloud infrastructure, endpoints, corporate procedures, enterprise risk, and employee accounts. Vanta also offers a suite of tools streamlining the non-technical components of security tracking and audit preparation, so gathering and consolidating audit evidence is easier for both your company and your auditor. Vanta is “security in a box” for technology companies, trusted by hundreds for their SOC 2 preparation and more.
About The Cadence Group
The Cadence Group is a team of pragmatic, knowledgeable and seasoned audit and compliance professionals with years of experience across a multitude of industries. We offer significant experience with financial, business, and IT processes that can help any audit, risk management, and compliance initiative.
Interested in chatting more with Vanta and The Cadence Group about how to get HIPAA compliant?