The Complete HIPAA Guide

What is HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is comprehensive health care legislation passed by the United States government to ensure the privacy and safeguarding of all individuals’ medical data. It was signed into law by President Bill Clinton in August 1996. HIPAA consists of five main titles (sections):


Title I protects and maintains health insurance coverage for individuals who change or lose their jobs. It prohibits group plans from denying coverage to persons with preexisting conditions and diseases, and it bars them from setting lifetime coverage limits.

Title II affirms that the US Department of Health and Human Services must establish national standards for processing electronic healthcare transactions. This forces all healthcare organizations to implement strong security measures that safeguard access to health data, and those data protection techniques must comply with privacy laws.

Title III provides detailed guidelines for medical care and tax provisions.

Title IV defines health insurance reform in great detail and states provisions for individuals who seek continued coverage under the act, as well as rules regarding pre-existing conditions.

Title V describes provisions for individuals who give up their US citizenship and how their new citizenship affects their income tax. It also defines the rules for company-owned life insurance policies.

The Title II compliance requirements that affect anyone working in the healthcare information technology sector are also known as the Administrative Simplification provisions. The compliance requirements of Title II are:

  • Every healthcare entity (such as providers, employers, plans, and individuals) must have a unique 10-digit national provider identifier (NPI).
  • Organizations must submit and process health care service claims following the standardized electronic data interchange (EDI) protocol.
  • Privacy Rule (The Standards for Privacy of Individually Identifiable Health Information) establishes precise nationwide standards for protecting private medical information of patients.
  • Security Rule (The Security Standards for the Protection of Electronic Protected Health Information) establishes standards for data security of patient records.
  • Enforcement Rule establishes guidelines for investigating compliance violations of HIPAA.

In 2013, the HIPAA Omnibus Rule modified the original HIPAA law by defining the business associates of a covered entity. It also increased penalties for compliance violations to a maximum of $1.5 million per incident. This strong financial burden was introduced so that healthcare organizations face stiff penalties if any breach of patient record security happens. In addition to paying the fines, such organizations and businesses are obliged to notify all patients of the breach and bear the cost of those notifications, and they can be audited; providers could also face criminal prosecution for violating HIPAA regulations.

Health organizations and businesses can greatly reduce the risk of regulatory action by going through HIPAA compliance training. HIPAA does not offer official compliance certifications, but businesses may offer credentials in the form of compliance training scores. Such training programs are offered by many private groups, consultants, and even the US Office for Civil Rights (OCR).

HIPAA Compliance

One of the most important aims of regulations such as HIPAA is the promotion of transparency between the health provider, patients, and oversight agencies. Auditors can gain access to any regulated data system. Health care providers must be held accountable for following the policies and building organizational structures that guarantee the integrity of electronic protected health information (EPHI). Those policies are put in place so that health data is:

  • Fully monitored during access
  • Accessible only by those who have a verified need to use it
  • Fully encrypted while in storage or in transit over any unprotected network, and movable only to authorized locations

HIPAA has outlined four specific practices that licensed health care providers must follow. They cover many things in detail, with the most important rules being those covering data security, data loss protection, secure backup, processes and technical controls, network configurations, and practices regarding the human element that is necessary to make the entire system work as intended.

Building a HIPAA-compliant system can be a very difficult task, and many of the rules make the process very time- and resource-consuming. However, this amount of strict regulation is needed to achieve its goals, and compliance is achievable for any organization that is willing to properly safeguard the personal data of its patients and clients. Such organizations need to appoint persons in charge of implementing the technology systems, acquire the technology required for data protection, security, and access controls, train the appropriate personnel through compliance classes, and keep in mind that many smaller rules and policies will cause delays and rough patches. With enough effort, any willing organization can achieve HIPAA compliance.

The four primary practices needed to ensure HIPAA compliance are:

Identity Management and Access Controls – Access controls are very important to ensure a good flow of data within the available technology solutions. The primary custodians of EPHI (Electronic Protected Health Information) access controls are data custodians, supervisors, and owners. There is no specific technology standard that defines this practice, but adopting strong identity and access management tools can be very beneficial to any entity that wishes to achieve HIPAA compliance. This technology is needed to maintain control of access and to manage network requests, approvals and denials. For the most protection, the technology system can be made to rely on periodic recertification of account privileges.

System and Environment Configuration Controls – Healthcare data systems that store protected data must be built to follow very strict guidelines, which include knowing the state of critical systems at any given time within the regulated environment. Systems that employ simpler monitoring services are deemed too insecure to hold protected data of this size and importance.
To ensure better control, every individual system should be kept separate and configured solely to best perform its unique purpose. Each also needs its own monitoring that scans for vulnerabilities, ensures that all software packages are running the latest up-to-date versions, and ensures that only verified requests can access its data.

Monitoring – HIPAA requires that not only the integrity of the data is monitored, but also access to that data. Any application, technology, service or person that has access to patient health data must be authenticated, and their sessions must be logged, backed up and closely monitored.

Information Flow Control and Encryption – One of the big problems of modern data storage systems is that data that needs to be protected rarely sits in a single location for long. HIPAA requires the complete prevention of any data loss and of errors in the encryption process that safeguards that data. Data must be fully encrypted at all times, both in storage and in transit, and transfers can take place only between secure and previously approved locations.


HIPAA History

HIPAA, whose full name is the Health Insurance Portability and Accountability Act, was signed into law on August 21, 1996. The primary focus of the law was to enhance the accountability and manageability of medical insurance for people who are in the process of looking for another job. It also covered abuse, waste, and fraud inside the medical insurance field and healthcare industries. HIPAA also introduced various tax incentives, offered insurance coverage for workers with pre-existing health issues, and streamlined the administration of medical insurance, all of which was done to encourage medical savings.

The streamlining of medical insurance promoted by HIPAA was an important step that pushed the medical industry to convert its extensive medical record systems into modern electronic formats. This part of HIPAA was enhanced in 2009 by HITECH, the Health Information Technology for Economic and Clinical Health Act. HITECH, in turn, prompted what many believe is one of the most important advances in the field of healthcare law in several decades, the Meaningful Use program.


HIPAA Privacy and Security Rules

After HIPAA became law in 1996, the United States Department of Health and Human Services immediately started working on precisely defining its Privacy and Security Rules. This process lasted until April 14, 2003, when those rules became effective and started being enforced. The most important thing defined in them was Protected Health Information (PHI): any data in the possession of a covered entity that contains or relates to health status, the provision of medical care, or payment for it, and that may be connected to a specific patient. The rules also contained instructions on obtaining individuals’ permission for data access, on how information should be divulged when access is granted, and on how it may be shared for research, marketing or fundraising. Those two rules also gave patients the right to conceal their healthcare-related information from private insurance companies.

The final versions of HIPAA’s Security Rules became active on April 21, 2005, and they governed the use of PHI stored electronically. They specifically defined three layers of security that must be in place at all times:

  • Technical – Security of any storage media that contains PHI, especially when being electronically sent over open networks
  • Physical – Restriction of physical access to information storage areas and prevention of unauthorized use
  • Administrative – Procedures and policies that determine how entities must comply with various HIPAA requirements

2006 Enforcement Rule

After the creation of HIPAA and the release of the Privacy and Security Rules in 2003, the need for additional laws became apparent when many healthcare entities failed to fully comply with the HIPAA rules. This forced the Department of Health and Human Services to create the Enforcement Rule in 2006, giving it the authority to actively investigate and monitor violation claims against any covered entity that failed to adhere to the Privacy Rule. It also received the ability to fine these entities for preventable ePHI data breaches caused by failures of the Security Rule safeguards. This included full authority to press criminal charges against repeat offenders who failed to take corrective action within 30 days of the first notice. The law also stated that affected patients could bring civil suits against the same offenders in situations where their PHI leaked without their authorization and caused significant harm.


HITECH and the Breach Notification Rule

The Health Information Technology for Economic and Clinical Health Act (HITECH) was introduced in 2009 with a focus on providing additional rules that would urge medical authorities to adopt Electronic Health Records (EHR) and lead to the adoption of the Meaningful Use incentive program. The Meaningful Use incentive program, adopted in 2010, provided healthcare organizations and companies with incentives to move patients’ medical records from paper to electronic storage.

Since health organizations had to greatly increase their technical capabilities, HIPAA was expanded to also cover Business Associates and third-party medical industry suppliers that would facilitate the adoption of EHR. This expansion also introduced the Breach Notification Rule, which forces covered health entities to report any data breach affecting more than 500 patients directly to the Department of Health and Human Services’ Office for Civil Rights. This law was expanded further in March 2013 under the Final Omnibus Rule.


The Final Omnibus Rule

The latest version of HIPAA was brought about by the adoption of the Final Omnibus Rule, which introduced very little new legislation but addressed some flaws found in the original HIPAA and HITECH regulations. For example, it established standards for encryption that would make ePHI unreadable, unusable and non-decryptable in the event of a security breach.

Many other gray areas were ironed out, most notably changing the definition of “workers” into “trainees, volunteers, employees or any other individual whose conduct, while performing work under a Business Associate or covered entity, is under the Business Associate’s or entity’s direct control.”

The Privacy and Security Rules were also enhanced, enabling patients’ medical records to be held not for 50 years but in perpetuity. The Breach Notification Rule was also changed, adding additional penalties for covered entities that violated the Enforcement Rule.

The Final Omnibus Rule also took into consideration changes in work practices made possible by new technologies and devices, most notably smartphones. New rules defined administrative procedures and policies that address the newfound trend of medical professionals using mobile devices to access ePHI. Many other issues that were unforeseeable in 1996 were also addressed.


Impact of the Final Omnibus Rule

The biggest impact of the Final Omnibus Rule was a dramatic rise in HIPAA awareness among the many medical entities that had violated HIPAA rules for decades. This awareness was mostly brought about by the financial consequences faced by those who did not ensure the safety of ePHI.

The Final Omnibus Rule caused a dramatic increase in patient data security across the United States, with many new procedures and safeguards suddenly appearing in many health organizations: data encryption, access monitoring, secure messaging, personnel training, adoption of modern technologies, and much more.


Who must comply with HIPAA?

HIPAA covers health organizations, individuals and agencies, as they are considered covered entities, and it also covers some business associates that provide secondary services. Any business associate that enters into a business agreement with a HIPAA-covered entity must provide assurances, via written contract, that it will follow all HIPAA guidelines and rules. This extends HIPAA rules from the covered entities to the associates that work for them under temporary contracts, making them directly liable for any breach of the compliance requirements set by HIPAA and all its extensions.

HIPAA requires these entities to respect and uphold the rights of patients by safeguarding their private medical information.

Covered entities may be:

  • Doctors
  • Dentists
  • Chiropractors
  • Clinics
  • Psychologists
  • Nursing Homes
  • Pharmacies

Covered health plans may be:

  • Company Health Plans
  • Government Health Plans that Pay for Health Care
  • Health Insurance Companies
  • HMOs


Healthcare Clearinghouses (electronic or data format)

The Privacy Rule contains various federal protections for an individual’s health information held by a covered entity, and it gives patients specific rights to that information. This private information can be disclosed only for patient care needs or for other noted important reasons that require it to be disclosed. The Privacy Rule does not require patients to sign a consent every time information is shared; healthcare providers are left to decide at their discretion when they can share information for treatment purposes.

Modifications of the Privacy Rule in 2002 addressed incidental disclosures. Since eliminating all incidental disclosures is impossible, new rules were brought in to safeguard patient health information and limit the incidental distribution of this information. The Privacy Rule does not prevent patients from sharing their medical data with whomever they wish; if they give consent, providers may share their medical data. Information can also be disclosed in several other ways, all on a need-to-know basis and with the patient’s needs as the main interest.

Privacy Rule covers electronic transactions, communications via email, fax or phone. Child abuse is also covered by the Privacy Rule.

It is important to note that the Privacy Rule does not prevent the posting of basic information, or stop calls or visits to hospitals by family, friends or others, unless the patient objects.

Basic information includes the following:

  • Room Number
  • Phone Number
  • General Condition

And that basic information can be shared to:

  • Hospital Directory
  • Callers
  • Visitors
  • Clergy (with patient’s consent)


HIPAA Privacy Rules

HIPAA covers four major categories of entities – health care providers, health care clearinghouses (covered entities), their business associates and health plans.

HIPAA covered entities are required to be knowledgeable about the regulations, since even potentially harmless disclosures of patients’ personal medical data can lead to heavy fines and criminal and civil penalties targeting physicians, healthcare professionals, hospitals or health care providers. A HIPAA violation occurs when a health care provider, without permission, uses or discloses information that can compromise the privacy or security of Protected Health Information in either paper or electronic form (PHI or ePHI). Health care providers must carefully educate themselves about how to run their business and offer services without violating any HIPAA guidelines.

Basics of medical information uses and disclosures

The HIPAA Privacy Rule provides rules on how covered entities, or individuals with control over it, may manage protected health information, when it can be used for the patient’s benefit, and when it may be disclosed for other uses (for example marketing). Covered entities are almost completely forbidden from using their patients’ protected health information for marketing without specific permission under HIPAA or written authorization from the patients. The “almost” is there because covered entities can still take advantage of the several limitations, allowances, exceptions, nuances and prohibitions present in the current HIPAA regulations.

The most important distinction that covered entities have to understand before developing plans to make use of PHI is the difference between marketing communications and communications about treatment, goods and other health care services. “Marketing” is defined by HIPAA as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” If a covered entity engages in a marketing communication, it must obtain written authorization from the individuals whose personal data is used in that communication.


When is patient’s consent not needed?

Personal authorization from patients is not legally required if a covered entity is conducting face-to-face communications, even if that communication is considered a marketing communication. For example, an insurance agent can sell a health insurance policy in person, but cannot use data obtained from covered entities to phone potential health insurance recipients.

Authorization is also not needed if a covered entity wants to offer promotional gifts that accompany its services. An example is offering baby gifts to new parents who have their babies in select healthcare facilities. Covered entities may promote such offers, but they cannot share any personal data (including patients’ addresses) with the external companies (even authorized partners) responsible for delivering the baby items to the parents.

Refill reminders for patients’ prescriptions do not require authorization.

A covered entity can contact patients without authorization to recommend alternative treatments for their health issues. This can be done only if the communication is conducted without the involvement of an external marketing partner that has paid the covered entity to contact patients.

Authorization is also not needed for contacting patients about their therapy recommendations, care coordination, case management, the setting of care, describing a product or service that can benefit the patient’s treatment, and more.


When is patient’s consent needed?

Written authorization from the patient is needed when a health care provider or covered entity wants to use or disclose their protected health information. This protected health information may include, but is not limited to: names, birth date, age, social security number, email address, telephone or fax numbers, medical record numbers, biometric identifiers, geographic information, full-face photographic images (or any comparable images) and others. More broadly, PHI is any information that can allow an unauthorized third party to ascertain a patient’s identity, medical condition, or injury.

Written authorization is absolutely needed for the following specific situations:

  • For the use and disclosure of psychotherapy notes
  • For the use and disclosure of PHI for marketing
  • For any disclosure of PHI which is a sale

Covered entities operating services such as abuse treatment programs are also required to follow HIPAA guidelines regarding the protection of patients’ private information. Such treatment programs fall under HIPAA oversight if they manage things like patients’ health plans, coordinate benefits, or inquire about a patient’s eligibility, coverage, or benefits. Various state laws govern whether covered entities need to obtain written authorization to disclose patients’ identifiable information about HIV or other sexually transmitted diseases.

Written authorization from each patient needs to contain the following:

  • A description of the information that the covered entity wishes to disclose or use
  • Information about the person who is authorized to use or disclose the patient’s information
  • The person to whom the covered entity may disclose the patient’s information
  • A description of each purpose for which the information is requested for use or disclosure
  • An expiration date for using the requested information
  • The date and signature of the patient, or of a representative who has authority to act on behalf of the individual
  • A clear statement of the patient’s right to revoke the authorization
  • A clear statement that the health provider cannot condition treatment in any way on the patient signing an authorization
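The following is an added example, not code from the guide, showing how the access-control and monitoring practices described earlier and the written-authorization rules above can be enforced together: every request must be authenticated and limited to the requester's need to know, uses such as marketing, psychotherapy notes or a sale require a written authorization that carries every listed element and is neither expired nor revoked, and every decision is audit-logged. The roles, purpose names, element names and sample records are assumptions constructed for the example.

```python
"""PHI access broker (added example, not the guide's own code).

Combines three requirements from the guide: authenticated, need-to-know
access; a complete, unexpired, unrevoked written authorization for uses such
as marketing; and an audit log entry for every decision. Roles, purposes,
element names and sample data are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Uses the guide says need no written authorization vs. those that always do.
NO_AUTHORIZATION_NEEDED = {"treatment", "payment", "care_coordination", "refill_reminder"}
AUTHORIZATION_REQUIRED = {"marketing", "psychotherapy_notes", "sale"}

# Assumed role -> purposes mapping: each role may touch PHI only for what its job needs.
ROLE_NEED_TO_KNOW = {
    "physician": {"treatment", "care_coordination", "refill_reminder", "psychotherapy_notes"},
    "billing_clerk": {"payment"},
    "outreach_staff": {"marketing"},
}

# The elements the guide lists for a valid written authorization.
REQUIRED_AUTHORIZATION_ELEMENTS = (
    "description", "authorized_person", "recipient", "purpose", "expires",
    "signed_on", "signed_by", "revocation_statement", "no_conditioning_statement",
)

@dataclass
class Authorization:
    elements: Dict[str, object]
    revoked: bool = False

    def missing_elements(self) -> List[str]:
        """Required elements that are absent or empty."""
        return [e for e in REQUIRED_AUTHORIZATION_ELEMENTS if not self.elements.get(e)]

    def covers(self, purpose: str, today: date) -> bool:
        """True only if complete, not revoked, for this purpose and not yet expired."""
        if self.revoked or self.missing_elements():
            return False
        return self.elements["purpose"] == purpose and self.elements["expires"] >= today

@dataclass
class AccessRequest:
    user: str
    role: str
    authenticated: bool              # outcome of the session's authentication check
    patient_id: str
    purpose: str
    authorization: Optional[Authorization] = None

AUDIT_LOG: List[Dict[str, object]] = []   # in-memory stand-in for an append-only log

def decide(req: AccessRequest, today: Optional[date] = None) -> Tuple[bool, str]:
    """Allow or deny one PHI access request and record the decision."""
    today = today or date.today()
    auth = req.authorization
    if not req.authenticated:
        allowed, reason = False, "session not authenticated"
    elif req.purpose not in ROLE_NEED_TO_KNOW.get(req.role, set()):
        allowed, reason = False, f"role {req.role!r} has no need to know for {req.purpose!r}"
    elif req.purpose in NO_AUTHORIZATION_NEEDED:
        allowed, reason = True, "permitted use without written authorization"
    elif req.purpose not in AUTHORIZATION_REQUIRED:
        allowed, reason = False, f"purpose {req.purpose!r} not recognised"
    elif auth is None:
        allowed, reason = False, "written authorization required but none on file"
    elif auth.missing_elements():
        allowed, reason = False, "authorization incomplete: " + ", ".join(auth.missing_elements())
    elif not auth.covers(req.purpose, today):
        allowed, reason = False, "authorization revoked, expired or for another purpose"
    else:
        allowed, reason = True, "valid written authorization on file"
    # Every decision, allowed or denied, is logged so access can be audited later.
    AUDIT_LOG.append({"date": today.isoformat(), "user": req.user, "role": req.role,
                      "patient_id": req.patient_id, "purpose": req.purpose,
                      "allowed": allowed, "reason": reason})
    return allowed, reason

def audit_entries_for(patient_id: str) -> List[Dict[str, object]]:
    """All logged access decisions concerning one patient."""
    return [e for e in AUDIT_LOG if e["patient_id"] == patient_id]

if __name__ == "__main__":
    # Constructed sample data: a marketing request without and with a valid authorization.
    auth = Authorization({
        "description": "name and mailing address", "authorized_person": "Example Clinic",
        "recipient": "Example Clinic outreach", "purpose": "marketing",
        "expires": date(2025, 12, 31), "signed_on": date(2025, 1, 15), "signed_by": "patient",
        "revocation_statement": "You may revoke this authorization in writing at any time.",
        "no_conditioning_statement": "Treatment is not conditioned on signing this form.",
    })
    for req in (AccessRequest("dr_lee", "physician", True, "P-001", "treatment"),
                AccessRequest("outreach1", "outreach_staff", True, "P-001", "marketing"),
                AccessRequest("outreach1", "outreach_staff", True, "P-001", "marketing", auth)):
        print(req.user, req.purpose, decide(req, date(2025, 6, 1)))
```

In a real deployment the audit log would be written to append-only storage rather than a list, and the role mapping would come from the identity provider that the guide's identity and access management practice describes.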


Providing opportunity to consent

If a hospital or any other covered entity wants to publish a patient’s protected information in a directory, the Privacy Rule requires it to give those individuals an opportunity to consent.

The directory is a service that allows a patient’s family, relatives, friends and coworkers, item delivery workers, reporters and anyone else to find out whether the patient is currently in the hospital. The patient can refuse to give consent, in which case the hospital will be unable to tell anyone whether the patient is currently in the hospital. The data that can be held in a directory is the patient’s name, location, and optionally the patient’s condition and religion (the latter being accessible only to the patient’s clergy).

The patient can decide whether or not their information should become part of a hospital directory, and can specify what information can be shared there. The healthcare entity can obtain authorization from the patient verbally, but many hospitals recommend that patients who want to prohibit sharing of the information put that request in writing. If the patient is unable to exercise judgment (because of their health condition or other factors), healthcare workers are allowed to use their own judgment.

In addition to sharing basic information in the directory, hospital workers can share a patient’s personal health information with anyone the patient wishes, most commonly the patient’s family and friends. They can also use or disclose PHI to notify family members, personal representatives or people responsible for the patient’s care about the patient’s health condition, location, or death.

In the event of the patient’s death, a healthcare provider can disclose the patient’s PHI to the people who provided care to the patient or paid the patient’s hospital bills. In this case, HIPAA allows health care providers to disclose only information that is directly related to the patient’s health and not other information (home address, social security number, and similar data).

The U.S. Department of Health and Human Services (HHS) has provided examples that healthcare workers may follow in this situation:

  • A doctor can provide information about a patient’s mobility to a family member or friend who has come to the hospital to drive the patient home
  • A doctor or hospital staff can discuss the patient’s payment options with an adult friend or family member
  • A doctor can inform a patient’s family member or friend about the proper medicine dosages used in the patient’s treatment at home
  • A doctor can discuss the patient’s health status and treatment with the patient and anyone the patient asks to be present in the room


Using and disclosing PHI for fundraising purposes

Covered entities are allowed to use or disclose patient protected health information (PHI) to business associates (which provide specialized services to the covered entity, such as legal advice, debt collection, financial services and more) or to institutionally related foundations in order to raise funds for their own benefit. Anyone who receives PHI this way must fully follow the regulations established by HIPAA.

HIPAA allows covered entities to use only the following information:

  • General demographic information – name, address, other contact information, age, gender, and date of birth
  • Dates of health care provided to the individual
  • Department of service information
  • Names of treating physicians
  • Outcome information
  • Health insurance status

Individuals may elect to opt out of receiving fundraising communications, and covered entities are obliged under HIPAA to offer individuals a “clear and conspicuous” opportunity to opt out of any further communications. However, covered entities may choose to offer not only a full opt-out but also an opt-out from specific campaigns only, which can leave individuals receiving repeated communications from the health care provider or its business associates.


HIPAA Privacy Rule and Disclosure of Genetic Information

The Privacy Rule specifically prevents health insurers from using genetic information for any underwriting purposes, such as setting the cost of treatment or determining eligibility for treatments. This includes not only the patient’s genetic results but also genetic results from their family members, and any other documents or evidence of the manifestation of a disorder or disease in the patient’s family members. It also includes requests for or receipt of genetic services, and information from participation in clinical research that includes genetic research, for both the patient and their family members.

The Privacy Rule also covers this same issue for group health plans, health insurance issuers (PPOs and HMOs) and issuers of Medicare supplemental policies. But be aware that HIPAA does not enforce this rule for long-term care insurers.


HIPAA Security Rules

The transition from paper-based patient record systems to electronic ones almost always introduces some issues and oversights. The most common error in the early years of this transformation of record keeping was the inability to ensure properly controlled access to PHI data. In the event of a breach of the security of patients’ data, health providers must immediately contact the affected patients and inform them about the loss or theft of data.

The Health Insurance Portability and Accountability Act (HIPAA) was introduced, and later enhanced with several new laws, as an effort by the US government to put an end to such large breaches of security. One of the biggest goals of HIPAA was to hold responsible parties accountable for their misuse of private patient data.


Electronic Health Records

Electronic health record (EHR) is a term for any form of patients’ private medical data that is stored digitally by healthcare providers. The government actively encouraged medical providers to move from paper-based patient records to electronic ones, with the goal of improving the efficiency and quality of healthcare and enabling healthcare professionals to easily manage patients’ data. Still, with easier electronic data management come many forms of misuse that HIPAA aims to eliminate. Patient privacy is best maintained by strong security measures that allow only authorized persons to access that data.

An electronic health record primarily consists of data that is considered completely private, such as the patient’s health data and electronic communications. This includes the entire patient medical history, allergy lists, treatments received, lab tests, images and videos, medication lists, billing information, diagnoses, diagnosis theories, immunization theories, and notes written by medical professionals (both primary healthcare providers and consulting specialists).

EHRs are currently usually kept in separate storage solutions maintained by the various healthcare providers, but there is a movement that aims to provide a centralized database in the future, such as the Nationwide Health Information Network, which would be based on strong encryption and on sharing data between medical centers via encrypted internet communication. Issues that prevent easy implementation of a centralized EHR database are data format compatibility and the creation of standardized sharing and privacy policies for different types of health institutions.

The biggest advantage of implementing EHR is easy access to entire healthcare records, and the ability for that data to be securely shared between specialists, physicians, emergency rooms and other healthcare professionals. With minimal waiting time, all authorized healthcare professionals can access a patient’s full medical data and immediately start working on improving the patient’s health status, perform mandatory health reporting, or use the data for research (if the patient provides authorization).

The security risk of using EHR is, of course, present, and most often appears in the form of unauthorized access, or of patients wishing to erase certain parts of their medical records from existence. HIPAA aims to reduce the occurrence of security breaches by making health care providers directly accountable, which includes not only strong fines but also criminal and civil liability.


HIPAA Security Rule

The HIPAA Security Rule provides detailed guidelines that covered entities and their business associates must enforce in the management of the electronic protected health information and electronic health records of their patients and customers. This includes not only local security measures but also strict guidelines for sharing this data between medical professionals. Patients need to know that their data will not only be stored locally but can move and be shared nationally. Also, while it was easier in the paper-record era to remove certain parts of a medical history from existence, electronic records cannot be as easily lost, and thus patients must be aware that they cannot willfully alter this electronic data.

It is important to note that the HIPAA Security Rule applies only to electronic data; it does not fully cover the paper documents that medical professionals may still use. Rules for the management, storage and sharing of paper documents are provided by other parts of HIPAA. However, unauthorized access to, or improper disposal of, any personal medical information written on paper is still regarded as a serious security breach, and healthcare providers must notify all affected patients of it via a breach notification. In cases where more than 500 people are affected, HHS will also publicly post about the incident. Most such breaches happen because of improper access management or mismanagement of documents (forgetting to clear cabinets, or documents being stolen during transport). The United States Department of Health & Human Services is responsible for enforcing the Security Rule and can determine what action needs to be taken against offending health providers or individuals.

There are no specific laws that govern how healthcare providers must dispose of physical paper documents. The Security Rule only details the penalties that may follow from any type of security breach that occurs after improper destruction (of both papers and, for example, medication bottles with private prescription information attached).

To reduce the occurrence of security breaches, the Security Rule requires every business or organization to create a written security plan for the management of the patient electronic data it stores. These plans must contain the following safeguards:
Administrative safeguards – Training personnel and maintaining staff vigilance. This can be achieved by setting strict procedures for accessing files and devices in work areas, systems for identifying security risks, and more.
Physical safeguards – Physical barriers that prevent unauthorized personnel from accessing both paper and electronic patient information, work devices and work areas.
Technical safeguards – Technical (hardware or software) solutions that allow only authorized access to patient data. This includes computer passwords, blocks on copying data, and network controls that prevent easy sending of data to external networks.

Healthcare providers are not required to share their privacy practices (the specifics of how they protect PHI), but in the event of a security breach they must immediately contact all affected patients and issue a breach notification.

The vast majority of security breaches come from the loss of portable computing devices used by medical professionals, most commonly smartphones and laptops. Preventing this form of data loss is often the most effective way to drastically reduce the risk of security breaches.

In addition to the loss of patient data, which can lead to the public release of such information, security breaches can also lead to medical identity theft. Using stolen data to impersonate someone is a serious offense and can lead to further security risks. A patient’s medical or insurance records often include private information such as addresses, phone numbers and social security numbers that someone can use to impersonate them and commit fraud.


Breach Notification Rule

HIPAA requires healthcare providers to report any security breach of patients’ health information to both the United States Department of Health & Human Services (Office for Civil Rights) and the affected persons. Additionally, in some cases, the organizations and businesses responsible for securing that data may also contact local media.

According to HIPAA, a breach or compromise of data is defined as any form of unauthorized access, use or disclosure of health information that is deemed protected.

While all security breaches must be reported, not all data breach situations require notification to be sent to patients. If the breached data was protected with suitable encryption, the data is still deemed safe and uncompromised. Notifications also do not need to be sent in several other situations, such as when an unauthorized staff member accesses data without disclosing it to anybody else, or when patient data is discussed by persons who are fully authorized to access it. Children or infants who witness protected information that they cannot retain also do not cause a breach of HIPAA rules.

Originally, businesses and organizations in possession of PHI were not obliged to report a theft if they could not determine that the loss of data would cause physical, financial, or emotional harm to the patients. This rule was changed significantly in 2013 and made much stricter.

The severity of the loss of data is assessed by the businesses and organizations themselves. They assess the severity of the leak (a leak of a single name is much less severe than a database leak of full records for hundreds of people), the cause of the leak (access by an unauthorized person, policy error, accidental sharing of data, etc.) and what actions can be taken to prevent further breaches. This risk assessment decides whether or not the HIPAA rules for notifying patients need to be followed. In addition to the HIPAA Breach Notification Rule, each state also has its own set of guidelines.

Most notifications are sent via first-class postal mail or email. If the notifications fail to reach at least 10 compromised individuals, public posting of the information on the internet or notification by phone is acceptable. The notifications have to be sent within 60 days of the discovery of the security breach, except in situations where law enforcement is actively investigating the breach. A notification has to include a description of the breach, the date of the breach, how it was discovered, and contact information that compromised individuals can use to get more information (website, toll-free number, email address, business address).

If the breach affected more than 500 people, media outlets can be made aware so that they can more easily inform the public about the breach. The Department of Health & Human Services must receive the breach notification within a year of the breach discovery if fewer than 500 people were affected. If more were affected, the Department needs to be contacted immediately and a public notice has to be posted on the affected entity’s website. The Department of Health & Human Services can also publicly list some of the largest breaches. The Federal Trade Commission can also get involved with its own guidelines that cover the practices of breached web-based vendors specializing in personal health records. Those companies may or may not fall under HIPAA oversight (for example, health-tracking services and personal health record providers that most commonly operate on smartphones and tablets).
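The notification rules above are easy to misapply during an incident, so the following added example (written for this guide; not code from the page's author, HHS or any regulator) turns them into a small triage helper: a breach record goes in, and the required notifications and their clocks come out. Everything in it is this example's own construction: the field names, the `BreachRecord`/`NotificationPlan` types, the sample incident, and the interpretation of the guide's "more than 500", "within 60 days" and "within a year" wording as the constants at the top, which are kept as constants so an organization can align them with the current regulation text and its state law.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Clocks and thresholds as this guide states them (constants so they can be aligned
# with the current regulation text and state law).
INDIVIDUAL_NOTICE_DAYS = 60         # individuals: within 60 days of discovery
LARGE_BREACH_THRESHOLD = 500        # more than 500 affected: HHS immediately, media, website notice
SMALL_BREACH_HHS_DAYS = 365         # otherwise: HHS within a year of discovery (as stated above)
SUBSTITUTE_NOTICE_MIN_UNREACHED = 10

# Elements the guide says every notification letter has to contain.
REQUIRED_NOTICE_FIELDS = ("description", "breach_date", "how_discovered", "contact_information")


@dataclass
class BreachRecord:
    """Facts recorded by the incident responder (field names are this example's own)."""
    discovered_on: date
    individuals_affected: int
    data_encrypted: bool                    # suitably encrypted data is deemed uncompromised
    disclosed_beyond_accessor: bool = True  # False: a staff member viewed data but passed it to nobody
    law_enforcement_hold: bool = False      # an active investigation defers the individual notice

    @classmethod
    def from_iso(cls, discovered_on: str, individuals_affected: int,
                 data_encrypted: bool, **flags) -> "BreachRecord":
        """Build a record from an ISO date string (convenience for scripts and tests)."""
        return cls(date.fromisoformat(discovered_on), individuals_affected, data_encrypted, **flags)


@dataclass
class NotificationPlan:
    notify_individuals: bool = False
    individual_deadline: Optional[date] = None  # None while a law-enforcement hold applies
    notify_hhs: bool = False
    hhs_immediately: bool = False
    hhs_deadline: Optional[date] = None
    notify_media: bool = False
    post_website_notice: bool = False
    notes: List[str] = field(default_factory=list)


def triage_breach(rec: BreachRecord) -> NotificationPlan:
    """Decide which notifications the guide's rules require for one breach record."""
    plan = NotificationPlan()
    if rec.data_encrypted:
        plan.notes.append("data suitably encrypted: deemed uncompromised, no notification required")
        return plan
    if not rec.disclosed_beyond_accessor:
        plan.notes.append("accessed but not disclosed further: no notification required")
        return plan

    plan.notify_individuals = True
    if rec.law_enforcement_hold:
        plan.notes.append("law enforcement actively investigating: individual notice deferred")
    else:
        plan.individual_deadline = rec.discovered_on + timedelta(days=INDIVIDUAL_NOTICE_DAYS)

    plan.notify_hhs = True
    if rec.individuals_affected > LARGE_BREACH_THRESHOLD:
        plan.hhs_immediately = True
        plan.notify_media = True
        plan.post_website_notice = True
        plan.notes.append("more than 500 affected: notify HHS immediately, inform media, post website notice")
    else:
        plan.hhs_deadline = rec.discovered_on + timedelta(days=SMALL_BREACH_HHS_DAYS)
    return plan


def substitute_notice_allowed(unreached_individuals: int) -> bool:
    """Web posting or phone contact is acceptable once at least 10 individuals could not be reached."""
    return unreached_individuals >= SUBSTITUTE_NOTICE_MIN_UNREACHED


def missing_notice_fields(draft: dict) -> List[str]:
    """Return the required elements a draft notification letter still lacks."""
    return [name for name in REQUIRED_NOTICE_FIELDS if not draft.get(name)]


if __name__ == "__main__":
    # Constructed sample incident: an unencrypted laptop with 1,200 patient records lost in transit.
    laptop = BreachRecord.from_iso("2024-03-04", individuals_affected=1200, data_encrypted=False)
    print(triage_breach(laptop))
    print(missing_notice_fields({"description": "laptop lost in transit", "breach_date": "2024-03-01"}))
```

The encryption and "accessed but not disclosed" exits come first because they are the conditions under which the guide says no notice is owed; every other path sets both the individual clock and the HHS clock, so a responder cannot satisfy one and forget the other. `missing_notice_fields` is the check to run on the draft letter before it goes out.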

HIPAA, the US Government, the Department of Health & Human Services and the Federal Trade Commission all take breaches of private health information very seriously, and new laws and state regulations that aim to provide better security are constantly being introduced and reshaped.


HIPAA Compliance

The rise of the internet in the 1990s introduced new forms of communication and streamlined data storage to the entire world, including businesses that elected to move away from paper-based storage. The increase in workplace efficiency, streamlined sharing and ease of use led many people to depend fully on various digital services, but that also exposed businesses, organizations and individuals to security breaches and unsecured information sharing.

These technology developments created a need for strong digital security and control over patient medical record data. This prompted the introduction of the Health Insurance Portability and Accountability Act (HIPAA), which was enacted by Congress in 1996 and has become the legal standard for ensuring patient and business privacy in the 21st century. HIPAA received several expansions, most notably the 2003 Privacy Rule. This is a federal law that gives patients full authority over their private health information (in digital, written or oral form) and allows them to set limits on how this data can be used, shared or viewed. The Security Rule enhanced HIPAA with rules that set out specific ways in which covered entities must protect patients’ electronic health data from all forms of digital and physical security breaches.

Covered entities are all businesses, organizations and even individual health professionals who can obtain authorization to access patients’ personal health data, which covers everything from hospitals and pharmacies to doctors, mental health professionals and alternative medicine chiropractors. Health care clearinghouses are separate entities that can have authorized access to non-standard health information. Business associates (for example a hospital’s lawyers, accountants, etc.) that have access to PHI are also covered by HIPAA. Certain types of companies and groups of people are not under HIPAA coverage, including law enforcement agencies, schools, life insurers and others.

The best way to ensure that information is safe is for both patients and healthcare providers to understand what kind of information is being protected and what kind of harm can occur if that data is compromised. Protected information covers everything from a patient’s basic details (names, addresses, phone numbers, etc.) and important private information (social security numbers, life insurance information, billing data, etc.) to everything regarding their medical history (conditions, treatments, medications, lab tests, consultations with specialists, etc.).

Patients have the right to see what is part of their Private Health Information stored on a health provider’s computer systems, receive a paper copy of all medical records, request corrections, have full control over who can gain access to their information, receive reports of who has accessed their data, and file a complaint if they feel their rights have been violated.

The quality of healthcare was further enhanced with the adoption of the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009, which aims to integrate the various healthcare systems into a service that can easily be used by different healthcare providers and to promote improvements in healthcare efficiency, quality standards and safety. As one of its most meaningful legacies, this act successfully promoted the Meaningful Use of electronic health records (EHR).

Meaningful Use of EHR data brought the adoption of many practices and services that benefit patients, such as e-prescribing, maintenance of diagnoses, drug allergy checks, records of appropriate demographics, lists of medications used, reminders to patients about upcoming appointments, updates about treatment progress and many others. Many of these were introduced as a direct result of the investments and incentives that the government offered to health businesses and organizations, as well as penalties for doctors and organizations that did not elect to adopt the HITECH Act in their practices.

Since the HITECH Act promoted ever greater use of electronic information and networking technologies, the US government offered numerous incentives for the growth of the entire IT industry. HIPAA compliance checks by HHS also pushed many healthcare providers to quickly adopt newer data storage, communication and security techniques powered by the latest IT technologies. No matter how much focus is placed on security, all medical data in healthcare data systems has to remain easily accessible to those who are authorized to access it. User authorizations are managed by systems known as Identity and Access Management (IAM), which control who may access which data and keep a company’s access services secure against malicious attackers.

HIPAA expansion sets such as the Security Rule and the Privacy Rule pushed many companies to carefully assess their security risks and employee training measures, which again greatly improved the state of the entire healthcare industry. Even these risk analysis procedures have to be done in accordance with high professional standards, which check for the repeatability of testing methods, the volume of data being handled, detected threats, quality of data, security (both digital and physical), accessibility and the risk assessment of all possible threats. Companies are encouraged to perform these risk assessments as often as possible, since all breaches bring with them not only strong financial penalties (which can be as high as $1.5 million per affected person) but also grounds for criminal or civil charges.

These strong HIPAA requirements have quickly led to the adoption of high-quality and carefully tested software, applications, services and practices that have elevated the level of healthcare that patients receive. However, not all healthcare providers have the funds to invest in top-of-the-line networking, data center, communication and user-management systems. HIPAA allows such companies to create and manage smaller, streamlined digital systems that rely on sound practices: proper encryption of data, strong wireless network protection, internet monitoring, and contractual agreements with partners who must also abide by HIPAA and state rules and regulations.

Implementing all the requirements of the HIPAA and HITECH acts can be a time-consuming and costly endeavor, but the end results speak for themselves; furthermore, health organizations simply must adopt these measures or be liable for severe infractions of the law. They have to learn as much as they can about those acts, devise a way to fulfill all their requirements, perform risk assessments, plan security measures, and create a business plan that operates fully under a HIPAA compliance plan.

To become fully HIPAA compliant and to avoid being liable for security breaches, health companies need to implement the following steps:

Outline and Solidify Privacy Practices – Before attempting to implement any changes to your business, you first need to develop a deep understanding of the privacy practices and policies that your company will be responsible for. This is best achieved by creating extensive written documentation that includes your proposed ways to develop, adopt and implement HIPAA-required procedures. This step is crucial because it will help you avoid future misunderstandings and ambiguities.

Allocating a Position for Security and Privacy Officers – In smaller health provider offices, both roles can be held by a single person, but in larger businesses the amount of work will require that each role becomes the responsibility of a separate individual. These officers should have the authority to assess and implement your established HIPAA plan. Any organization that handles PHI or EHR data is required to have these two positions filled.

Risk Analysis/Assessment – Some details of this step were already covered above. The most important thing is to remain vigilant by constantly probing the security, integrity and accessibility of PHI everywhere your data is used – this includes not only your own premises but also your business partners (associates, legal teams, billing companies, document disposal companies and others). You should check not only for common physical and digital risk factors, but also plan for natural disasters, fire, flood, extended power outages, hackers and more.

Risk analysis can be performed either using internal resources or by hiring external contractors with experience in this field; the latter approach is recommended for larger businesses. Risk assessments need to be performed regularly, taking into consideration all the upgrades of hardware, software and business policies that happen over the course of each year.

E-mail and Mobile Phone Policies – HIPAA does not forbid the use of email and phones for sharing PHI, but each covered entity needs to create detailed documentation describing all security measures and work policies that govern this type of transmission. Emails are not required to be encrypted, but encryption is viewed as a highly recommended measure that can eliminate many potential security breaches (at the cost of convenience and ease of use when sharing data). The best approach when using these two transmission methods is to clearly inform patients of the advantages and disadvantages of sharing PHI over phones and email.

Covered Entities Associate Contracts – You will undoubtedly share a lot of your PHI with companies that help you run your business. Under HIPAA these companies are called “Business Associates”, and how they manage your PHI falls fully under your responsibility. They must enter into a contract that binds them to the same HIPAA requirements you must fulfill, making them liable for any breaches of patient information. If they become responsible for an information breach, your business will be held partly responsible alongside them, which may incur large fines (which can be counted for each affected patient!) as well as civil and criminal charges.

Employee Training – Security and Privacy Officers need to create comprehensive plans for training the personnel who will have access to PHI. In addition to training focused on the daily procedures for accessing and sharing data, all trainees need to be fully briefed on the importance of HIPAA compliance and on the plan your company has created to ensure HIPAA implementation.

Training is not a one-time thing. It must be repeated every year, with updates that reflect all changes in HIPAA requirements, state laws and the hardware/software environment in your company. Training should also include quizzes, signed agreements, and detailed documentation recording who has gone through which training and when. Newly hired personnel need to go through your training as soon as possible, which gives the Security and Privacy Officers an opportunity to regularly update the training regimen.

Patient Privacy Practice Notices – Each new patient who becomes your client needs to be presented with your Notice of Privacy Policies (via paperwork or email). The patient should then provide authorization via signature, either their own or a legal guardian’s. A public copy of the Notice of Privacy Policies should always be easily accessible on your website, and all electronic and physical copies must be updated as soon as your policies change.

Potential Breach Protocols – Immediate investigation is required for any security breach. You should create detailed documentation describing the protocols that will help you conduct those investigations more quickly and efficiently, create reports and choose appropriate actions. Risk assessments are the best tool for making sure many potential breaches are stopped before they occur. No company can be 100% safe over a long period of time, but having procedures to handle such events may prove crucial in reducing the risk of lawsuits and litigation.

In the event of a breach, you are responsible for notifying the authorities and documenting as much as you can about the security breach you have experienced. Guidelines for preventing and managing the fallout of potential breaches are laid out in great detail by HIPAA, the HITECH Act, the Security Rule and the Privacy Rule, and it is your responsibility to understand how those rules have to be implemented in your company. Becoming compliant with such rules will undoubtedly demand resources from your company, but this manpower and funding have to be invested to prevent costly security breaches of confidential patient health information. Putting time into understanding the rules, creating a HIPAA-compliant plan, properly training personnel, and regularly performing risk assessments and upgrading your procedures will surely save a lot of your vital resources in the long run.

HIPAA Enforcement

The HIPAA Privacy Rule protects the privacy of patients’ medical records and other sensitive health information held by health providers, their business partners (covered entities and their business associates), health plans, doctors, hospitals, healthcare providers and healthcare clearinghouses, all of whom are responsible for protecting this data. This includes a wide variety of data such as patients’ general information (names, addresses, phone numbers and more), sensitive information (bank accounts, billing info, social security numbers and more), and complete medical records that include full medical history, lists of diagnoses, treatments, medications, lab results and much more. HIPAA ensures that patients have full control over their data, including who can access it and how it can be distributed.

HIPAA covers not only electronic information but also paper records held by covered entities that contain confidential personal information of patients. The initial set of HIPAA rules took effect in 2003, but the act was enhanced several times over the following years. Since 2009, the Office for Civil Rights (OCR) has been actively monitoring the compliance of covered entities with all HIPAA regulations and responding to complaints. It acts under the HIPAA Enforcement Rule, codified at 45 CFR Part 160, Subparts C, D, and E, which sets out the enforcement process and investigation procedures for covered entities found not to be in compliance with the HIPAA Privacy Rule. The OCR enforcement process and its common outcomes are detailed below.

Enforcement Process
The Office for Civil Rights (OCR) is responsible for investigating any compliance issues your business may have, mostly by investigating complaints and undertaking random compliance reviews of covered entities. In addition to such oversight, OCR is also responsible for providing education, training, incentives and outreach opportunities that can greatly help covered entities fulfill their HIPAA obligations.

After accepting a complaint, OCR begins an investigation with a written statement of intent that is sent both to the entity involved in the complaint and to the party that filed it. During an investigation, OCR can demand additional information from the covered entity through direct communication. Once the investigation is done, if the covered entity is found to have violated HIPAA, OCR can recommend various forms of resolution, which may include encouraging compliance, requesting corrective action, and entering into a resolution agreement.

After the conclusion of the investigation, OCR will present its findings to all involved parties in writing.

Enforcement Statistics
While OCR performs regular checks of covered entities, the vast majority of its investigations are started after receiving complaints. Since the adoption of the HIPAA Privacy Rule, OCR has received over 125 thousand HIPAA complaints and has started over 850 of its own compliance reviews. Over 96% of the cases that OCR has engaged with have been brought to a final resolution. It is also important to note that not all covered entities were found to have violated HIPAA rules. Over 10 thousand of them were found to be compliant, which resulted in OCR not issuing any corrective actions. Also, not all complaints result in the start of an active investigation. In over 17 thousand cases, OCR responded to the sender of the complaint by offering clarifications and compliance advice.

Issuing legal or financial sanctions against an entity found to have violated the HIPAA Privacy Rule is not the first course of action OCR takes. It usually forms an active plan of action that can help affected entities quickly reform the business or operational practices that were found lacking. In over 24 thousand cases, OCR quickly resolved reported issues by providing the covered entity with a written description of corrective measures that can eliminate the violations found.

In over 73 thousand cases, OCR determined that investigation or legal action was not possible because it lacked jurisdiction to investigate, or because the reported privacy violation was simply not covered under HIPAA. For example, OCR does not have jurisdiction to investigate if a complaint was not filed in a timely manner, or if a complaint targeted the wrong covered entity.

Statistics released in 2014 showed that the vast majority of cases OCR investigates resulted in some form of technical assistance to the covered entity rather than a penalty or corrective action. In fact, only 7 percent of cases resulted in corrective action and just 4 percent resulted in a finding of no violation. According to that data, 2014 was the year with the smallest number of cases investigated by OCR and the smallest number of cases in which corrective action was issued under the HIPAA Privacy Rule. By 2014, the most common outcome of an OCR investigation was some form of corrective action, such as recommendations for changing practices regarding disclosures, safeguards, administrative issues, data access and technical safeguards.

When OCR suspects that criminal activity led to a violation of the HIPAA acts, the case is referred to the Department of Justice (DOJ) for further investigation. By 2014 this had happened in fewer than 570 cases.

Resolution Agreements
After completion of the investigation and a finding of noncompliance with the HIPAA regulations, OCR may elect to enter into a resolution agreement with the offending covered entity. To become valid, this agreement must be signed both by the covered entity in question and by the U.S. Department of Health and Human Services (HHS).

A resolution agreement most commonly consists of obligations of the covered entity and regular reporting requirements that the covered entity has to meet in order to avoid the penalties and legal actions recommended by OCR. Most commonly, the monitoring period during which the covered entity is closely watched by HHS is three years. It is important to note that a resolution agreement does not always mean that the covered entity pays no fines. Fines may be part of the resolution agreement, and they can be increased if the covered entity does not satisfy HHS monitoring. Civil monetary penalties are also possible.

HIPAA Violation Penalties and Fines
The U.S. Department of Health and Human Services is responsible for enforcing penalties and fines against all covered entities found to have violated HIPAA rules. This includes healthcare providers, healthcare clearinghouses, health plans, business associates of all types, and even specific individuals who work for those entities. The severity of the penalties was significantly retooled in the latest version of the Health Information Technology for Economic and Clinical Health Act (HITECH), making violations much more costly. These steep fines were implemented to keep all covered entities and their business associates more vigilant. The level of fines placed on offending parties varies on a case-by-case basis, taking into account details such as how recently the entity started working in the health field, whether it knew which rules it was responsible for following, and more.

HIPAA Penalty Structure
The Office for Civil Rights has developed a tiered penalty structure. This was done to make penalties as fair as possible. The tiered structure is based on the seriousness of the violation and many other factors (such as how much knowledge the entity had of its violation) and is separated into four categories of varying seriousness:

Category 1 is used for the least serious offenses, in which the offending covered entity was fully unaware of its violation(s) and could not have avoided them even with a reasonable amount of care and awareness.
Category 2 is more severe and is used for entities that were unaware but could have prevented the violations had they implemented a reasonable level of care.
Category 3 is used for covered entities that have shown willful neglect in implementing HIPAA rules.
Category 4 penalties are reserved for the most serious offenses, where covered entities willfully violated HIPAA rules and made no attempt to correct the situation.

Financial Penalties
Financial penalties are compiled and recommended by the Office for Civil Rights, whose discretion can be based on several factors, including:
Type of data that was compromised in the security breach
The number of people that were affected
Type of PHI data that was compromised
Willingness of the covered entity to cooperate with the investigation
Amount of time that passed between detection of the breach and notifying the authorities
Past history of the accused covered entity
Current financial condition of the covered entity
Level of harm caused by the violation

OCR takes all of these (and many other) factors into consideration before recommending the final fines. Fines are most often structured as follows:

Category 1 violations – $100 per violation, up to a maximum of $50,000
Category 2 violations – $1,000 per violation, up to a maximum of $50,000
Category 3 violations – $10,000 per violation, up to a maximum of $50,000
Category 4 and 5 violations – minimum of $50,000 per violation, with annual fine limit of $1.5 million

Special Circumstances
Not all fines are distributed in the same way, and the Office for Civil Rights has the right to decide how best to resolve the security breaches of each specific offender. OCR can decide how to rank the severity of chained events, such as one security breach leading to a new security breach. Sometimes it may decide not to punish minor violations, while other violators may receive new fines on a daily basis. Continuous fines are usually reserved for repeat offenders, such as companies whose database systems have prevented patients from accessing their records for a prolonged period of time. Such entities will be fined daily until they finally achieve HIPAA compliance.

Although this is very rare, the Office for Civil Rights also has the ability to levy a standalone $50,000 fine on any accused covered entity. It can do this at its discretion, regardless of the severity of the discovered violation.

The Role of Attorneys General
While the Office for Civil Rights can impose financial penalties, the office of a state Attorney General has full authority to penalize violators further if it deems it necessary. It can impose fines of at least $100 per discovered violation, as well as bring civil lawsuits in federal district courts.

Criminal Penalties
Monetary penalties are not the only penalty HIPAA violators can face. They can also be hit with a wide array of criminal charges for their actions, which vary in severity among different states. As with financial penalties, criminal penalties are also grouped into tiers, and judges decide into which category an offense falls. If the violation is deemed serious, violators who had no knowledge of the violation stand to get up to one year in jail, while offenders who accessed PHI under false pretenses may face up to 5 years in jail. But even those are not the harshest penalties, which are reserved for offenders who willfully obtained PHI to use it with malicious intent or for personal gain. Those serious violators could, in addition to other monetary fines, face up to 10 years in jail.

The introduction of the strong HIPAA and HITECH acts has enabled federal officials to crack down hard on violators and on incidents that endanger the private information of US citizens who have placed their trust in the healthcare system. The Office for Civil Rights, state Attorneys General, federal organizations and the government know very well that with each passing year the value of PHI on black markets increases, which makes them even more vigilant in helping health organizations prevent data breaches (via training recommendations, incentives and more) and in punishing those responsible for breaches of various severities.

All personnel who deal with PHI have to be properly trained to understand the seriousness of HIPAA violations. Such preventive measures give both providers and patients peace of mind, knowing that private medical data is handled with great care.

20 Examples of HIPAA Violation Cases
1 – Telephone message violation
An OCR investigation confirmed that a hospital employee did not follow proper procedure and revealed private medical information to a patient’s daughter. According to the hospital’s privacy procedures, all hospital workers were supposed to contact the patient’s wife at her work number. In response to this incident, the hospital had to create a new set of guidelines, provide proper employee training, and educate hospital workers on whom they may share private information with over the telephone and when leaving messages. These training sessions need to be repeated as often as possible, and at least once per year.

2 – Unauthorized Sharing of Full Private Health Information
An OCR investigation confirmed that a primary care provider facility erroneously sent a patient’s full medical history to a disability insurance company, violating its privacy guidelines and causing harm to the patient. The remedy for this mistake was the creation of much stricter guidelines, which require the patient’s written authorization for sharing medical data (in full or in part) with other health organizations or business associates. Written authorization is needed even when the patient has requested the sharing of their PHI.

3 – Failing to Give Written Notice of Privacy Policies
An OCR investigation confirmed that a man’s daughter did not receive written notice of privacy policies before she underwent her mental health evaluation. This error was fixed by creating a new, stricter set of guidelines for the way new patients are booked. The new procedure requires patients to provide their signature to confirm they have received a copy of the privacy disclosure statement.

4 – Manipulations of Reasonable and Cost-Based Fees
An OCR investigation confirmed that a covered entity billed a patient for administrative and record-keeping costs but then failed to give the patient access to their medical history. The Privacy Rule only permits charging for services that involve preparation, postage, and copying, none of which the patient had used. As a result, the covered entity had to refund the patient’s money.

5 – Disclosure of Patient’s Medical History to the Media
An OCR investigation confirmed that a hospital shared parts of a patient’s medical history (X-ray images, the diagnosis of their health condition and more) with the media without written consent from the patient. As a result, the patient’s private information, including their name, location, gender and other details, was shown to the public. Furthermore, OCR found that the hospital tried to excuse itself of any wrongdoing by claiming that it had only acted in the interest of public health and safety. Covered entities do not have the authority to handle PHI in this way. In addition to fines, OCR required the hospital to revise all of its privacy guidelines and retrain its entire staff.

6 – Sharing of PHI data in Waiting Rooms
An OCR investigation confirmed that a hospital staff member disclosed HIV testing procedures to a patient in the middle of a crowded waiting room by letting them look at the hospital’s computer monitor. This breached the patient’s privacy rights by making part of their PHI public. OCR required the hospital to revise its privacy guidelines and to physically prevent patients and visitors from seeing information shown on computer screens and other electronic devices, for example with screen-privacy technology.

7 – Disclosing PHI Data to Non-Authorized Business partner
An OCR investigation confirmed that a covered entity shared a patient’s PHI with a business associate that had not been vetted for HIPAA compliance. Sharing data this way is illegal. OCR required the two entities to formalize their relationship as business partners by signing a business associate agreement.

8 – Unauthorized Use of Patient Billing Information to Ask For Treatment Compensations
An OCR investigation confirmed that a covered entity contacted a patient’s employer in an attempt to make a compensation claim, even though the patient had never enrolled in the specific compensation plan or had workers’ compensation. Using billing information in this way is illegal and can lead to serious fines and punishments. OCR required the offending covered entity to change its privacy guidelines, imposed monetary fines on the company and the employees involved, required them to apologize to the patient, and mandated training for all staff.

9 – Displaying PHI data in public
An OCR investigation confirmed that a drugstore routinely kept log books of patients’ private health information in the counter area, in plain sight where anybody could access them. OCR required the drugstore to comply with a new set of privacy standards that fully protect the patient information in its logbooks. The severity of the penalties was increased after the pharmacy initially claimed it had done nothing wrong.

10 – Disclosing PHI data to Law Enforcement without Authorization
Municipal law enforcement pressured a small pharmacy chain into revealing a patient’s protected health information, which is a violation of HIPAA’s Privacy Rule. OCR resolved this issue by revising the national guidelines on the disclosure of PHI to law enforcement. A written request from law enforcement does not by itself require a covered entity to reveal patient data unless the request is also backed by a court order or state law. Every storefront in the chain across the United States was notified of the new guidelines and procedures for handling law enforcement requests.

11 – Medicaid Plan Shares PHI Data to Non-Business Associate
An OCR investigation confirmed that, while processing Medicaid applications, a social service agency wrongfully disclosed a client’s private health information to a partner that was not a business associate. OCR required the agency to stop disclosing such information to non-certified partners and to adopt a new set of guidelines that limit the sharing of private information. OCR also created a new set of rules for Medicaid and other health care program offices, which required retraining of all their workers and staff members.

12 – Disclosures Due to Computer System Errors
A health maintenance organization, due to a computer error, accidentally sent a patient’s medical history to a family member. An OCR investigation confirmed that the coding error in its software had compromised many other patients’ records and put them in danger of being disclosed. OCR pushed the company to analyze its computer systems, review the affected information and correct all errors within a fixed period of six months. This even included reviewing past legal transactions.

13 – Accidental disclosure of the patient’s PHI data to patient’s employer
Covered entities are not permitted to disclose, even accidentally, any data from their PHI databases to an unauthorized person, company or organization. In the event of such a breach, OCR first investigates whether the breach was accidental or intentional, and then strongly encourages the covered entity to change its privacy practices and promptly review past data use. Any change of business practices also requires complete retraining of all staff members and employees.

14 – Misplacing patient’s physical PHI data
An OCR investigation confirmed that a pharmacy employee broke HIPAA rules by accidentally placing a patient’s insurance card inside another patient’s medical bag. Even though the insurance company claimed this was not a breach of HIPAA, OCR proved it wrong and demanded changes in business practices and privacy guidelines, as well as retraining of all employees.

15 – Accidental Release of PHI Data Causes Additional Training
Even though the health insurance company had up-to-date, well-implemented practices for maintaining the security and privacy of patients’ PHI, one of its employees revealed a patient’s private medical information. This led to retraining of all employees, with additional sanctions and training sessions imposed on the offending employee.

16 – Proper Management of PHI Access Authorizations
One private health practice elected to read the letter of the law quite literally and did not allow a mother to access her son’s medical records. OCR sided with the mother and required the covered entity to release her son’s PHI to her. It also required the practice to revise its privacy guidelines.

17 – Access to Medical Data That Was Obtained by a Different Payment Source
An insurance company requested a detailed medical exam of a patient, but the patient then found that he could not access the data from this exam. OCR ruled that all of an individual’s medical records must be fully under their control, regardless of who ordered or paid for the examination. The company had to change its privacy guidelines and procedures, giving the patient the right to obtain a copy of all of his medical records.

18 – Managing a Health Data Subpoena in the Right Way
A hospital released a patient’s personal information under pressure from a subpoena that was later found to be an inadmissible way of obtaining access to PHI. The hospital had to change its operating guidelines and procedures for protecting confidential patient data against subpoenas that do not meet its privacy guidelines. It also had to retrain all of its employees.

19 – Privacy Breaches During Recruitment or Research
A surgical facility used private information in its research and recruitment practices without the patients’ authorization. The facility claimed that this practice was legal under current rules. OCR sided with the patient, requiring the surgical facility to change its privacy guidelines and retrain its staff.

20 – Disclosing Patient Information After Accessing Medical Records
An OCR investigation confirmed that a supervisor disclosed a patient’s private information after examining his medical records, without first obtaining written authorization from the patient. OCR requested immediate counseling of that employee on proper procedure and guidance. He also received a written reprimand.

HIPAA Certification Process
The defining purpose of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is to ensure proper protection of patients’ healthcare plans and private information, reduce paperwork and ensure electronic confidentiality. The act establishes that all covered entities and their business associates must:

  • Ensure that patients alone control who can access or share their personal medical records.
  • Ensure the strongest safeguards against patient data being accessed by unauthorized persons or automatically shared with unsafe destinations.
  • Establish procedures with service providers regarding all the functions or activities they may perform when accessing PHI.
  • Ensure that when PHI is accessed, only the minimum data required to complete a specific task is accessible.
  • Limit user access to PHI.

Is HIPAA Certification Required?
Even though all medical companies in the United States are required to follow HIPAA, its extensions and state medical laws, there is no standard specification that helps those companies or medical practitioners adopt those measures more easily and guarantees compliance or certification.

This means that no government body can guarantee that your medical business is compliant. There are no strict standards to follow, no company has ever been certified as HIPAA compliant, nor do the US government and its various organizations that oversee HIPAA recommend or endorse any such certification. In reality, all medical practitioners and their business associates (who have signed a contract that binds them to the same HIPAA rules) have to try as hard as they can to be compliant, and government organizations such as HHS or OCR will only act to punish those they identify as violating HIPAA guidelines.

This way, companies are forced to remain vigilant at all times, regularly update their privacy and security practices, retrain their employees and keep up with the latest developments in technology and state law.

Certification issues
Since there is no fixed standard of operation that you can emulate, the fastest way to bring your company or health practice up to speed with current HIPAA requirements is with the help of the various companies that offer certification assistance and employee training. These companies do not offer any form of official certification; instead, they inform you of best practices, help you organize your company’s privacy and security policies, and perform periodic evaluations.

HIPAA offers no concrete standard that somebody can be certified against because of the constant changes in business practices, technologies, laws and HIPAA guidelines. A person can be trained and certified, but organizations cannot, since they vary greatly in size, type of operation and the situations they can find themselves in. And situations do change, sometimes drastically over the course of a day. One day your company can be safe from OCR audits, and the next a firewall can be compromised through a software vulnerability that IT personnel did not patch in time, leading to a security breach. According to HIPAA, any breach of security is against the law, regardless of the reason.

The only sure way to remain HIPAA compliant is to perform regular internal audits, risk assessments, training exercises and employee education sessions, and to keep track of the ever-changing legal landscape in your state. Much of this activity can be performed not only by internal employees but also with the help of external partners.

The only thing you can be sure of is that you can never produce a standard of operation that will keep you fully compliant over the long term.

How to Become Certified
The first thing a HIPAA audit checks is your internal company policies regarding patient privacy and the security of patient data. It is recommended that you first make your internal policies fully compatible with HIPAA requirements before hiring any external partner to help you with other facets of HIPAA compliance.

HIPAA audits are performed semi-regularly, sometimes yearly and sometimes once every five years, but once you are identified as a violator, audits will become much more frequent and more comprehensive.

Before Certification
The HIPAA compliance process needs to start with the selection of a security officer from the current roster of your employees, a position that is required by HIPAA itself. This individual will be responsible for organizing and implementing security compliance procedures and guidelines. Additionally, the security officer will be responsible for interaction with third-party vendors. The best practice is to appoint someone to this position as early as possible so that they have as much time as possible to get acquainted with the requirements of this important role. It is also good to always have someone in charge of security, whether or not you feel you have reached HIPAA compliance.

Checking whether your company is compliant cannot begin until you have fully educated all your employees on the currently active procedures, regulations, and guidelines regarding the safety of patients’ private information. Healthcare practices can be very busy environments, where employees interact with many outside visitors, and these training and education sessions need to prepare them never to break the rules, even in the most stressful situations and during long shifts. During a single day, a patient and their private information can pass through the hands of a large number of hospital employees (for example when a patient is moved from the operating room into recovery). The security officer’s role is to audit this entire process and make sure that only employees with proper authorization can access patient data. Additional certification for access to certain parts of a patient’s PHI can be granted to employees involved in billing, transactions, security, electronic data management, medical coding and other functions.

HIPAA Certification Process
The HIPAA certification process is not offered by any government agency. You should contact one of the numerous HIPAA training companies that can perform an independent evaluation of your privacy and security measures. Even though the evaluation score and certification you get from these companies is not “official”, it will at least show that your company or practice is aware of the privacy and security requirements for PHI that HIPAA imposes.

Companies that offer HIPAA certification services vary in size and capability. Some operate their own facilities, requiring you to send your employees to remote training, educational sessions and seminars, while others have sufficient resources to travel to you and can even serve companies with thousands of employees.

Only when training is complete can you take the certification test itself. If your organization is small, or the training company offers only a basic service suite, you may not even need to go through certification: merely finishing the training sessions would deem you eligible for certification. However, more serious HIPAA compliance training companies may require you to pass a full certification test.

Keep in mind that certification only attests to your compliance at the moment the certification process was performed. HIPAA regulations and the legal landscape change regularly, so your company and your Security Officer need to remain continually vigilant. The best way to follow new developments that could cause your organization to become non-compliant is to monitor news on the Department of Health and Human Services website.

HIPAA Certification Companies
HIPAA certification services are offered by many companies. Even if you think that your privacy and security guidelines are rock solid and your staff is well trained, it is never a bad idea to test your readiness against audits that cover even the latest privacy guidelines and practices.

Some of the companies that offer HIPAA certification services can be found on the following websites:

After Certification
Performing well in an independent HIPAA certification does not mean that OCR or HHS will not identify violations in your privacy and security practices during their audits. You are required to remain vigilant, understand the latest regulations and be fully ready to support any changes in the compliance or legal landscape.

In the period after certification, you must stay compliant whether you are a small or a large company. You also have to maintain good relationships with your certified business associates and monitor their own privacy and security standards. This is necessary because OCR and HHS will place part of the blame on you even if a breach of patients’ medical data happens because of your partners’ mistakes.

The best way to remain compliant is to monitor changes in HIPAA regulations and state laws, perform regular security audits, and train your staff to stay up to date with all the latest updates to your privacy and security guidelines. This kind of relationship with HIPAA compliance will make you best prepared for the eventual official government audit (which can be either random or based on a tip from a dissatisfied patient).

HIPAA Telemedicine Guidelines
HIPAA telemedicine guidelines are as strict as those for in-person health procedures. They affect every aspect of medical and healthcare organizations that decide to augment their healthcare process with remote services that enhance patients’ ability to monitor and improve their health. These telemedicine guidelines cover not only information sharing between physicians and patients (the most popular form of telemedicine, and the telemedicine service with the potential for the biggest growth over the next few years) but also regulate the exchange of ePHI at a distance between medical professionals. The HIPAA Security Rule has introduced many rules and guidance that augment the regular rules for physicians when they elect to start using telemedicine services.

The most basic rule of the HIPAA Security Rule is that only authorized users can access electronic protected health information (ePHI). It also requires strong security measures for storing data, encryption that makes data unreadable even if it gets leaked, monitoring systems to prevent accidental or malicious data breaches caused by cyber criminals, proper training and education of health provider staff, education of patients who have to use telemedicine hardware and software correctly, and more.

HIPAA Security Rule guidelines recommend that healthcare providers do not engage in telemedicine using insecure public communication apps and services such as Skype, FaceTime, SMS, email and others. Those programs and services should be avoided as much as possible when physicians want to include ePHI in communication with patients at remote locations. According to the HIPAA Security Rule, all endpoints and communication channels used during telemedicine sessions must be protected with strong security measures that not only safeguard ePHI through user access monitoring but also include the ability to delete data during unauthorized sessions if needed.

What apps and services need to be avoided?
Skype, SMS, and email should be avoided at all costs because the data transmitted via these consumer-friendly services is stored at neutral third-party sites which may be unsecured, and that stored data could be moved to an unknown number of locations over time. If ePHI needs to be stored anywhere, the company that hosts it must be either a covered entity or an official business associate that has signed a contract extending HIPAA rules to it. The Business Associate Agreement covers all the methods and requirements that third-party companies need to meet to protect user data, and commits them to perform regular risk assessments and audits that test their ability to avoid security breaches.

Neutral third parties such as Google and Skype avoid signing Business Associate Agreements because they know that their security measures are not as strong as HIPAA requires and that they would be liable for every security breach in which an untold amount of ePHI ended up in the wild, violating the privacy of patients.

Solutions for Communicating ePHI
Almost all telemedicine services have switched to HIPAA-compliant software solutions that enable them to communicate safely. Secure messaging applications let patients send and receive the same types of data as with conventional apps, with the same convenience and speed, but in a much more secure way that is fully compliant with the strict Security Rule guidelines.

Physicians and medical workers who use telemedicine services during their workdays also use robust applications that can safely manage ePHI when working at a distance. All they need to do to access that data is log in with the username and password issued to them. This lets them contact people who are also securely signed in to the same private network.

Encryption is the key to protecting videos, images, and documents transmitted via telemedicine services from unauthorized access. This means that even if someone manages to accidentally or maliciously intercept your data while it travels over public internet infrastructure (for example, by intercepting transfers over public WiFi networks), the telemedicine service’s built-in encryption prevents cyber criminals from deciphering that data and gaining access to raw ePHI. All activity performed in telemedicine has to be monitored by cloud-based platforms that secure messages and confirm that they were received by the appropriate end users. Cloud-based systems used for storing ePHI must also be audited for HIPAA compliance, for other healthcare industry standards and for compliance with the various state laws.

Secure Messaging for Patient Communication
Telemedicine services that connect patients and medical professionals are usually based on secure applications that give patients temporary access to their functions (for example in a secure messaging app) or involve temporary access to a browser session that loads a secure web application. More and more companies are adopting such browser-based telemedicine systems because of their convenience, ease of use and streamlined way of administering software updates (they are all done on the cloud servers).

Even during an in-person meeting with medical professionals, patients and doctors (or nurses) can use telemedicine services for messaging and sending various kinds of ePHI. Patients can use their mobile phones to transmit various types of data, which is especially useful when they cannot openly talk about their medical issues because persons who are not authorized to hear that information are present.

Messaging telemedicine systems can be very useful in many situations, most notably for:
  • Sending and receiving various kinds of ePHI while on the move
  • Enhancing messages with images that can accelerate diagnosis or the creation of treatment plans (most often used in teledermatology, where patients can send images of their skin condition to the doctor)
  • Sometimes dramatically speeding up patient admission and emergency discharge, which lowers patient wait times and frees up resources in physical health care centers

Telemedicine messaging systems have many benefits in addition to secure sharing of data. They can increase productivity, improve workflow, increase patient engagement with their own health status, allow faster treatment, create better doctor-patient relationships, reduce costs, raise the standard of healthcare many patients receive, and much more.

It is important to note that proper security is one of the most crucial factors of telemedicine messaging. Massive data breaches can occur if the security of such systems is not kept up to par with the latest requirements. Covered entities or their business associates that are responsible for ePHI breaches may receive very heavy fines that can easily reach multi-million dollar levels, because HIPAA adds a fine (between $100 and $50,000) for each affected patient. For example, health provider Blue Cross was fined $18.5 million in 2009 for a data breach that led to the release of a large amount of ePHI into the hands of cyber criminals.

Even though many healthcare companies fear that implementing HIPAA-compliant telemedicine services would require a lot of money, this has proven to be inaccurate in many instances. If your company is already HIPAA compliant, it does not take much to invest in new hardware and software packages and revise your privacy and safety guidelines to create a modern telemedicine system that will benefit you and enable better healthcare for patients.

Texting and HIPAA Compliance
Text messaging services have become an integral part of the lives of many people, and their convenience, ease of use, and ability to enhance text chat with multimedia attachments have enabled them to carry an incredible diversity of data. However, under HIPAA, texting is very problematic because it does not come close to being as secure as is needed for sharing ePHI. But since text messaging is so important, HIPAA had to address this type of communication with a set of specific solutions that enable health providers and patients to communicate this way. For a start, HIPAA-compliant text messaging is possible only with purpose-built text messaging applications that retain the ease of use and convenience of traditional chat apps but are hardened with strong security features and allow telemedicine sessions only between registered and authorized users. Those compliant apps can be downloaded and used on all types of popular consumer computing devices, such as home PCs, laptops, tablets and of course smartphones.

Risks to ePHI While Texting
Originally, texting was defined as the exchange of written information via electronic messages between two or more parties, but in recent years texting applications have become capable of embedding documents, images, sound, and video. This makes them capable of sharing almost the entire content of full medical records, which can cause significant harm to the privacy of the patient if this data is intercepted or accessed by an unauthorized third party. Before the adoption of stronger HIPAA guidelines, sending a text message to a doctor gave no guarantee that the authorized doctor would actually be the one to read it. Because of that, modern HIPAA guidelines require full user authentication before any data can be accessed, which greatly reduces the possibility of placing protected health information at risk. The result of those guidelines is that the only text messaging applications allowed in the telemedicine industry are HIPAA Compliant Texting Applications.

HIPAA Compliant Texting Apps
HIPAA Compliant Texting Apps are purpose-built, multi-platform software solutions fully focused on protecting all data shared through them (which, in addition to text, can be embedded images, sounds, videos, and documents). All messages sent and received with these apps are fully encrypted and sent via authenticated communication channels that can be accessed only by users who authenticate themselves with a unique username and password. This not only prevents accidental access by unauthorized individuals but also prevents interception of communication and theft of data from third-party storage servers. Additionally, these apps have to implement a timeout feature that requires users to re-enter their login credentials if they leave their computer or mobile device unattended for too long, a remote wipe function that can remove all communication data from the device, PIN controls for locking the app, and other security features. Newer apps, for example, can rely on biometric sensor readings (fingerprint sensor, facial scan, iris scan) in addition to traditional passwords.

Texting Security Features
One of the most dangerous features of traditional texting apps is the practice of storing sent and received communication on user devices for the long term. HIPAA addresses this serious security issue by requiring that all HIPAA Compliant Texting Apps adopt measures that prevent messages from being stored on the device for too long, and of course prevent messages from being moved, copied or pasted to external storage such as computer hard drives. Messaging apps are allowed to remove messages from local devices after a predetermined amount of time. The same applies to emails, although since they are transmitted via public servers, their content also has to be fully protected with strong encryption. To handle this, both patients and health practitioners need to use special email clients.

A popular solution for secure texting is a cloud-based service whose client loads directly in the browser. This spares users from having to apply security updates and patches, since those updates are applied automatically by the IT personnel who oversee the secure cloud servers.

A properly built HIPAA compliant texting app will monitor its own usage and ensure that users are not at risk of an accidental or malicious ePHI data breach.

Productivity Increase with Texting
Healthcare facilities that have not adopted proper HIPAA-approved text messaging procedures have been found to suffer stress and workflow issues. For example, a study of the changes texting brought to the Salt Lake County Adult Detention Center showed that doctors who were forced to use only telephones often had to wait up to 15 minutes to get various administrative approvals to dispense treatment or medication to patients; documents for other procedures, such as x-rays and lab tests, had to be hand delivered; and nurses often had to spend a lot of time finishing tasks by telephone before they could focus on their regular daily activities. All these issues added up, causing delays and lowering the rate at which health care was dispensed in the facility.

The same study observed the changes when HIPAA Compliant Texting Apps on computers and mobile devices were adopted (in this case, the secure texting app “TigerText”). Secure texting greatly streamlined the daily workflow, reduced missed communications and the time doctors and nurses were “pinned” to their phones while waiting, improved productivity and quality of healthcare, and enabled health personnel to stay in contact with one another while on the move and far from landline phones. Instant communication allowed lab results and x-ray images to be reviewed immediately, enabling doctors to reach a diagnosis and contact nurses without delay. Nurses suddenly had more than an hour of additional productive time, which enabled them to process up to 15 percent more patients per shift.

Benefits of HIPAA Compliance in Texting
One of the biggest benefits of HIPAA Compliant Texting Apps is that they allow healthcare workers situated at off-site locations (such as first responders, community-based nurses and on-call physicians) to easily get in contact with well-staffed healthcare facilities and immediately gain access to better healthcare resources. By improving the speed and accuracy of communication, texting applications enable much better healthcare for patients. This includes reduced wait times, better flow of communication, much faster delivery of lab results, easier contact with external specialists, and better engagement of patients with their own treatment.

Choosing a HIPAA-Compliant Application
As time goes by, more and more texting apps are becoming HIPAA-compliant, but as expected, not all of them have the same feature set or the same effectiveness in specific use-case scenarios.

When picking the texting application that best suits your needs, in addition to the communication features you need, you also have to make sure that its security is up to the modern standard. This means that data must be protected with at least 256-bit encryption, data must remain encrypted even when the device is not in use, and messages should be erased by default within 24 hours. The app should also offer to archive messages if users want this feature, but all archived copies must also be encrypted in accordance with HIPAA requirements.
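As an added example (not code from this page or from any vendor's product), the following Go sketch shows what the retention and encryption requirements above, and the limited local lifespan described under Texting Security Features, look like in a message store: bodies are held only as AES-256-GCM ciphertext, a non-archived message stops being readable and is wiped 24 hours after it was stored, and a user-archived message is kept but stays encrypted at rest. The names MessageStore, Put and Get are hypothetical, and how the 32-byte key is derived and protected on the device is left out of scope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"time"
)

const defaultRetention = 24 * time.Hour // non-archived messages are erased within 24h

type storedMessage struct {
	ciphertext []byte    // nonce || AES-256-GCM ciphertext; plaintext is never stored
	expires    time.Time // ignored when archived
	archived   bool      // user chose to keep the message; the kept copy stays encrypted
}

type MessageStore struct {
	aead     cipher.AEAD
	messages map[string]*storedMessage
}

// NewMessageStore insists on a 32-byte key (AES-256); aes.NewCipher alone would also accept AES-128/192.
func NewMessageStore(key []byte) (*MessageStore, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // cannot fail for an AES block, but the error is still forwarded
	return &MessageStore{aead: aead, messages: map[string]*storedMessage{}}, err
}

// Put seals the body under a fresh random nonce and keeps only the ciphertext.
func (s *MessageStore) Put(id string, body []byte, now time.Time, archive bool) error {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := s.aead.Seal(nonce, nonce, body, []byte(id)) // the message id is bound as associated data
	s.messages[id] = &storedMessage{ciphertext: ct, expires: now.Add(defaultRetention), archived: archive}
	return nil
}

// Get decrypts a message; a non-archived one past its lifespan is erased instead of returned.
func (s *MessageStore) Get(id string, now time.Time) ([]byte, error) {
	m, ok := s.messages[id]
	if !ok {
		return nil, errors.New("no such message")
	}
	if !m.archived && !now.Before(m.expires) {
		delete(s.messages, id) // lifespan over: wipe it, never decrypt it
		return nil, errors.New("message expired and erased")
	}
	n := s.aead.NonceSize()
	return s.aead.Open(nil, m.ciphertext[:n], m.ciphertext[n:], []byte(id))
}
```

A real app would also run a periodic sweep over the store, since Get only wipes an expired message when someone asks for it.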

One of the latest security technologies that has greatly increased the protection of data sent through telemedicine texting apps is two-step authentication, which requires users to sign in to the app not only with their password but also with a random PIN that is generated by the cloud server and sent to them via SMS message or email.
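The server side of the two-step sign-in just described, as an added example rather than any product's code: the PIN is drawn with a cryptographic random generator, handed to a pluggable SMS or email delivery hook, compared in constant time, and discarded after a single use, after a fixed lifetime, or after a few wrong guesses. PINService, Issue and Verify, the five-minute lifetime and the three-attempt limit are hypothetical choices made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const pinLifetime = 5 * time.Minute // a code that arrives late by SMS or email must not stay valid
const maxAttempts = 3               // a six-digit space is small; do not let it be guessed

type pendingPIN struct {
	code     string
	expires  time.Time
	attempts int
}

// PINService is a hypothetical server-side second-step verifier (added example, not any vendor's code).
type PINService struct {
	pending map[string]*pendingPIN
	send    func(user, code string) // delivery hook: SMS or email gateway
}

func NewPINService(send func(user, code string)) *PINService {
	return &PINService{pending: map[string]*pendingPIN{}, send: send}
}

// Issue draws a uniformly random six-digit PIN with crypto/rand (never math/rand) and delivers it.
func (p *PINService) Issue(user string, now time.Time) error {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000)) // 0 <= n < 10^6, no modulo bias
	if err != nil {
		return err
	}
	code := fmt.Sprintf("%06d", n.Int64()) // zero-padded so every code has exactly six digits
	p.pending[user] = &pendingPIN{code: code, expires: now.Add(pinLifetime)}
	p.send(user, code)
	return nil
}

// Verify accepts the PIN once: it is consumed on success, on expiry and after maxAttempts failures.
func (p *PINService) Verify(user, submitted string, now time.Time) error {
	rec, ok := p.pending[user]
	if !ok || !now.Before(rec.expires) {
		delete(p.pending, user) // expired codes are discarded, not retried
		return errors.New("no valid PIN pending; request a new one")
	}
	if subtle.ConstantTimeCompare([]byte(rec.code), []byte(submitted)) == 1 {
		delete(p.pending, user) // single use
		return nil
	}
	rec.attempts++
	if rec.attempts >= maxAttempts {
		delete(p.pending, user) // challenge locked; the user must request a fresh PIN
		return errors.New("too many failed attempts")
	}
	return errors.New("wrong PIN")
}
```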

Electronic Medical Records (EMR) and HIPAA
With each passing year, the use of electronic medical records in the healthcare industry continues to evolve and become more widespread. 2010 marked the start of “Stage 1”, during which the US government actively encouraged all healthcare professionals to move to EMR. Two years later “Stage 2” started, a period in which many new guidelines and procedures were adopted, such as ironing out issues with user access, sharing, storing and updating EMR. During this period, health care practitioners were actively challenged to incorporate and follow a series of strict HIPAA regulations and requirements governing how patient data can be used, stored, accessed and shared.

Stage 1 Requirements
Stage 1 adoption of EMR focused on the basics of patient data storage and maintenance. The data in those records consisted of basic patient information, medical history, medication use (past and present), information about allergies, diagnoses, lab results and more.

Maintenance of the EMR data also covered cases where patients (both new and existing) moved from one health facility to another, with data collected at those facilities being added to their primary EMR data set. That data may include, but is not limited to, lab results, diagnoses, images and treatment plans.

Stage 1 of the Electronic Medical Records adoption gave health care practitioners a lot of experience in handling these digital services, which enabled the U.S. government to become much more ambitious with the requirements it introduced in Stage 2.

Stage 2 Changes and Meaningful Use
“Meaningful Use” is a term that describes the purpose of instituting an electronic records system that benefits all participants who use it, such as health care providers, partners, insurers, and patients. Meaningful Use, brought in with Stage 2, carried over all the requirements from the Stage 1 adoption of Electronic Medical Records and instituted a wide array of additional requirements:

  • An increase in the share of patients recorded, from 50 percent to 80 percent of patients. The gathered data also had to be expanded to include more demographic information.
  • The addition of new required criteria for practitioners who provide Medicare and Medicaid, and qualification for incentives to convert traditional paper records into the new electronic medical records formats. Qualification included compliance with nine specific security criteria covering the privacy and security of patient data.
  • Implementation of solid technical support for handling the new systems required to store and manage electronic medical records.
  • Handling of at least three Clinical Quality Measures in each patient file. Those measures are: patient safety, clinical processes and effectiveness, care coordination, population and public health, and efficient use of healthcare resources.
  • Providing access to EMR data within 36 hours to every patient who requests it.
  • Adoption of secure texting into the record keeping process.
  • Adoption of electronic health behavior monitoring services.
  • Storing images in the EMR data.
  • Stricter implementation of the systems responsible for user authorization and for preventing access to unauthorized prescription medication, using a hand-off system from practitioner to administrator to pharmacist to patient.

Secure Texting Compliance Additions
Electronic medical record keeping can be put to much better use if medical practitioners have access to secure texting applications that are directly connected to the central secure database containing the confidential patient data they require. The use of secure texting, reporting of Clinical Quality Measures and adoption of Stage 2 HIPAA compliance can produce the following:

  • Reduction of waiting times caused by telephone communication
  • Dramatic reduction of paperwork
  • Easier and faster storing of patient data
  • Easier and faster sharing of patient data, including augmenting those records with new medical images, lab work results, new diagnoses and treatments
  • Reduced time for patient check-ins and check-outs
  • Automated patient prescription fulfillment and pickup
  • Reduced wait time for medication access
  • Increased security when sharing, reviewing and discussing private health data
  • Increased speed of sharing medical data during emergencies
  • Enabling a team-based approach to handling a patient’s diagnosis and treatment
  • Enabling access to and sharing of private health data by healthcare workers who work in the field
  • Enhancing communication and keeping all team members notified of changes in a patient’s health status

What Makes Secure Texting More Secure
The Stage 2 rollout made secure texting much more resilient to data breaches because it stipulated the use of strong security controls covering things like message lifespans, app time-outs, read notifications, full encryption and more. It even requires advanced features, including the ability to remotely delete any text-based data sent to devices that were reported stolen, missing or lost. These additions made data much more secure, preventing data breaches in storage, in transit and on the recipient devices.

A study report from 2012 painted a clear picture: business workers regard text messaging as a much more convenient and better way to transmit and receive information, especially when the communication is urgent. Urgent communication was noted as one of the weak points of landline phones and email.

The Stage 2 rollout enables health practitioners to take full advantage of EMR adoption, letting them realize the same benefits from secure texting that other modern communication techniques allow. Stage 2 contains guidance that can make the adoption of secure texting easier, such as on the ways EMRs are updated, stored, accessed and shared.

HIPAA Audit Checklist
Ever since the enactment of HIPAA in 2013, every medical company that handles patient data has been aware that it must be prepared for sudden HIPAA audits. The process starts with the gathering of detailed documentation about the company’s procedures and guidelines regarding patient data privacy and security, reports on employee training status and more. In addition to those base records, auditors will also gather data about any security incidents, including exact timelines, reports from the company’s security and privacy officers, staff interviews, reports from affected patients and external security experts, how the company’s leadership handled the incidents, and how well employees adhered to the active security and safety guidelines.

Companies should prepare for audits and know the timelines and the resources they need to make available for those visits. The results of audits determine how consumers will be affected by changes in the operation of their health providers.

Providing Documentation
One of the key parts of an audit involves the company providing documentation of its security and privacy guidelines and efforts. This includes disclosing data on patient visits, telemedicine sessions and how ePHI data is accessed and shared. Additionally, companies also need to disclose their income, access lists, system configurations, training materials, all locations where they operate and any other factors that may affect the size of the company.

If the audit finds that some of those areas are lacking, the company needs to show what actions it plans to take to correct the security flaws.

Handling of Security Incidents
HIPAA audits will closely investigate whether the company has had any security incidents in its past and how it handled the fallout: how the breach was identified and remedied, and what protective measures the company has put in place to prevent a recurrence (new safety protocols, staff training and more).

Auditors will also take time to see how the company shares data with its business associates, and whether those partners handle this protected information in accordance with HIPAA requirements.

Proof of HIPAA Training
Companies are required to provide auditors with proof that their staff underwent adequate education and training. They also have to prove that they updated their training manuals whenever a security issue was identified. A “serious vulnerability” is defined by HIPAA as a security incident that has occurred five times without the company changing its training measures to address such mishaps.

HIPAA requires that training manuals include a clear description of what happens to anyone who violates the company’s privacy and security policies, including the penalties up to the fullest extent of the security policy. This is done so that employees are aware of the responsibilities of their position and the repercussions they would face if they did not adhere to the strict safety policies adopted to protect private patient information.

Adherence to Security Measures
Audited companies have to prove not only that their security guidelines comply with HIPAA regulations, but that their security actually works. Auditors will ask for proof of how employees handle access control to ePHI data, and the company will have to provide detailed answers to all such questions.

The company has to provide concrete proof not only that its current security measures are working, but also that it understands all security guidelines and can adapt to future changes. Auditors may elect to examine the company’s organizational structure, what kind of security equipment is used (custom-built or mass produced) and how the company handles potential risks.

Sharing Company Data
Auditors always closely examine how the company stores, accesses and shares electronic protected health information (ePHI). They must obtain proof that the company can handle ePHI databases of all sizes, and verify the presence of security measures such as full end-to-end encryption, up-to-date software, user access management and the procedures used when the company shares data with its partners or customers (SSL/TLS protocols, secure messaging solutions, purpose-built secure apps and more). The company’s security systems have to include services that can authenticate user identities, prevent ePHI from being copied or pasted to unauthenticated external storage, and restore destroyed data (a Business Continuity Plan and a Disaster Recovery Procedure).

Companies have to present the results of previously conducted risk assessments, including full documentation and diagrams.

Audit Timeline
Companies usually receive written notice from the Office for Civil Rights (OCR) 30 to 90 days before an audit. This notice details who will perform the audit, what processes will be used, and what documentation the company has to prepare.

An on-site audit lasts between three and 10 days, depending mostly on the complexity of the organization, the number of staff the auditors want to interview and the amount of written or electronic data that has to be reviewed.

After the audit is done, the auditor provides the company with a draft of the final report. The company then has 10 days to review that document and provide written comments. After 30 days, the final draft is forwarded to the OCR.

After Audit
OCR receives the final draft of the audit and examines the auditor’s findings. The audit enables OCR to understand the state of the company and its efforts to comply with the extensive HIPAA rules. If any issues are detected, OCR will recommend technical assistance that will enable the company to become compliant. For more serious issues, OCR will require corrective measures.

In the event of significant security findings, OCR will initiate a compliance review to deal with the problem.

What Effect Does Audit Have on Consumers?
Consumers benefit from audits because they determine whether companies are complying with the extensive HIPAA guidance and procedures that govern the privacy and security of private medical data. OCR provides tools and procedures that businesses (and their business associates) can use to better protect their customers’ identities and private health care information.
Consumers who have a complaint can contact either OCR directly or the companies, which are required to accept those complaints and forward them to OCR.