What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law adopted in 1996 that requires Covered Entities (doctors, hospitals, insurance companies, etc.) and Business Associates (covered entities’ vendors) to implement administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of Protected Health Information (PHI). The regulation also established breach notification requirements and penalties for non-compliance. 

HIPAA consists of a Security Rule and a Privacy Rule. The Privacy Rule establishes requirements around legal uses and disclosures of PHI, and the Security Rule outlines requirements for protecting PHI.

In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was adopted and further strengthened HIPAA by implementing steeper fines for non-compliance and stricter Breach Notification requirements. Also, Business Associates became directly responsible and accountable for complying with the regulation.

In 2013, the HIPAA Omnibus Final Rule was adopted. This regulation combined HIPAA and HITECH, provided further restrictions on the sale of PHI, and expanded patients’ rights to access their data.

Who needs to comply with HIPAA?

Virtually any business that stores, processes, transmits, or generates PHI must comply with HIPAA. This includes Covered Entities (hospitals, doctors’ offices, health plans, pharmacies, etc.), as well as Business Associates (businesses providing services to Covered Entities), such as data processing vendors, medical billing, telehealth, messaging, hosting, and cloud solutions providers.

Why comply with HIPAA?

There are many reasons why companies must comply with HIPAA aside from the fact that protecting PHI is a legal and moral obligation for all organizations. 

  • The Office of Civil Rights (OCR) conducts HIPAA audits of Covered Entities and Business Associates to ensure HIPAA compliance. When non-compliance is found, the company must pay significant fines, and this information becomes publicly available.
  • Most Covered Entities have a process in place to assess their vendors’ (Business Associates) compliance with HIPAA. If a vendor does not have sufficient policies, processes, and technologies implemented to protect PHI, the Covered Entity will not sign a contract with the vendor.
  • If a Covered Entity or Business Associate experiences a PHI data breach, they face significant consequences, including:
    • Legal penalties
    • Loss of customers’ and consumers’ trust
    • Lawsuits
    • Loss of existing and prospective contracts
    • Public image damage

For many small businesses, a breach may mean the end of the road, as they won’t be able to sustain the damage.

How to comply with HIPAA?

There is no one-size-fits-all approach to HIPAA compliance, as organizations have different people, processes, and technologies. However, there are general requirements that must be met by all organizations, including:

  • Development of data privacy and security policies and procedures
  • A formal role responsible for the implementation of the compliance requirements, for instance, Chief Information Security Officer (CISO) or Chief Privacy Officer (CPO)
  • Security Incident Response and Data Breach Notification plans
  • Workforce clearance procedures
  • Security awareness training programs
  • Access management processes
  • Data handling procedures
  • Information security risk management processes
  • Compliance evaluation processes
  • Workstation security standards
  • Monitoring of activities around PHI
  • Malware protection
  • Encryption of PHI data in transit and at rest
  • Business Continuity and Disaster Recovery Plans
  • Business Associate Agreements (BAA) with all downstream vendors

How can Planet 9 help?

Planet 9 employs seasoned professionals with years of experience working in the healthcare industry who can help with addressing all HIPAA requirements. A typical approach consists of the following process:

  • Conduct a discovery to understand the client’s organization, business processes, and technologies
  • Perform a HIPAA evaluation to identify safeguards in place and compliance gaps
  • Perform a risk analysis to identify risks to PHI
  • Develop a roadmap for addressing the identified compliance gaps and risks
  • Assist the client in executing the roadmap

Depending on the expertise and availability of the client’s internal resources, Planet 9 can implement the entire roadmap, position the client to execute the roadmap on their own, or supplement the client’s team.