What medical professionals get wrong about HIPAA compliance
Kapua Iao Dec 3, 2024 11:58:54 AM
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It is a law that protects the rights and privacy of patients by introducing healthcare standards. Compliance with HIPAA is required by organizations and individuals who handle protected health information (PHI).
Following HIPAA’s regulations ensures the confidentiality, integrity, and security of PHI, defending the information from unauthorized access and potential misuse. Adhering to HIPAA also helps healthcare organizations avoid substantial penalties and damaged reputations. Unfortunately, there are a few facts about the legislation and HIPAA compliance that medical professionals get wrong.
Related: HIPAA compliant email: the definitive guide
First, what is HIPAA?
HIPAA is a law enacted to reform the healthcare industry and reduce fraud related to health transactions. The law applies to covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates. It establishes national standards that protect PHI from being disclosed without a patient’s consent or knowledge.
Navigating HIPAA compliance requires a basic understanding of the Privacy and Security Rules. The Privacy Rule safeguards PHI, ensuring it is handled with confidentiality and integrity. The Security Rule governs the protection of electronic PHI (ePHI). Alongside these two rules is the Enforcement Rule, which sets the standards for enforcing HIPAA and penalizing noncompliant organizations.
The HITECH Act promotes the adoption and meaningful use of technology as it pertains to health information. With HITECH came two additional rules:
- Breach Notification Rule: requires organizations to provide notification following an unsecured PHI breach
- Final Omnibus Rule: incorporates HITECH by improving patient privacy protection
HIPAA mandates that organizations comply with its regulations by implementing technical, physical, and administrative safeguards. The rules, however, can be complex and confusing for medical professionals as they navigate their ins and outs.
Related: Understanding and implementing HIPAA rules
Myth #1: HIPAA is a new law
Some healthcare professionals still consider HIPAA a new law, which they assume gives them time to develop safeguards without penalty. In actuality, HIPAA in some form or other has been a law for more than 30 years. Part of the reason for the mistaken belief may be that the Enforcement Rule did not become law until 2006. Moreover, an increase in the enforcement of HIPAA wasn’t apparent to the public until 2013 (more than likely due to the Final Omnibus Rule).
The reality of the situation is different. Since 2003, the U.S. Office for Civil Rights (OCR) has received over 371,572 complaints and has initiated over 1,191 compliance reviews. Moreover, to date, OCR has settled or imposed monetary penalties resulting in $143,978,972.00 USD.
Myth #2: A breach won’t happen to my organization
Many covered entities believe that a breach won’t happen to them. Many think that they are too small or worth too little to interest hackers, or too big to be considered worthwhile. Reports, however, illustrate that hackers target small- and medium-sized businesses as much as (if not more than) larger institutions, especially with ransomware. A 2023 Ponemon Institute study adds that 88% of healthcare organizations have had at least one cyberattack within a year.
In other words, a breach could happen to anyone. Additionally, if a breach can happen, an OCR investigation, enforcement action, and fine can follow as well. At times, a breach and the subsequent OCR intervention may cost more than compliance would have.
More about: Ransomware is targeting vulnerable, smaller clinics
Myth #3: Compliance is expensive and time-consuming
Some healthcare professionals believe that HIPAA compliance is too expensive and too time-consuming. Costs can indeed add up with additional expenditures such as hiring compliance officers or IT personnel, purchasing security programs, and training staff continuously. Furthermore, the effort it takes to achieve compliance can feel overwhelming.
Rather than viewing compliance as a burden, OCR wants providers to invest in HIPAA compliance to avoid the costly and laborious expenses related to a breach. It also wants organizations to avoid penalties related to noncompliance that could result in the loss of business, negative publicity, and even the death of a patient.
Myth #4: PHI only includes health information
PHI is much more than a patient’s health information. It is their personally identifiable information (PII) along with their health information. PII is any data or information that identifies a specific person such as names, addresses, or any other unique identifying numbers or characteristics.
Health information encompasses information about past, present, or future healthcare treatment, diagnosis, or payment. Taken together, PHI covers a wide range of identifiers that can be used to identify an individual. If PHI is not recognized as such and is exposed, even accidentally, a breach could occur along with all the issues that follow, such as investigations, penalties, and fines.
See also: FAQs: Protected health information (PHI)
HIPAA knowledge and compliance keep PHI secure
By following the federal guidelines on HIPAA, medical professionals will find that they function more efficiently and avoid problems associated with data breaches. Compliance can minimize the risk of HIPAA violations and promote a culture of privacy and security within a healthcare organization. HIPAA knowledge and compliance can protect healthcare organizations and their patients while also ensuring the privacy of PHI.
Strong technical, physical, and administrative safeguards that should be enacted include:
- Comprehensive policies and procedures
- Risk assessments
- Employee training
- Incident response and disaster recovery plans
- Access controls
- Encryption for data in transit and at rest
- Document retention and disposal protocols
- Business associate agreements (BAAs) with all business associates
- Regular audits and monitoring systems
A HIPAA compliant organization addresses emerging threats and vulnerabilities, ensuring the ongoing protection of sensitive PHI. Maintaining HIPAA compliance is not only a legal obligation but also a step in safeguarding the trust and well-being of patients.
Get more information: Can organizations prove HIPAA compliance?
FAQs
Why is HIPAA compliance important?
HIPAA compliance is crucial to protecting patient privacy, securing sensitive health information, avoiding legal penalties, and maintaining trust with patients and stakeholders.
Related: What are the penalties for HIPAA violations?
How can an organization stay updated with HIPAA regulations?
Organizations can stay updated by regularly reviewing official HIPAA guidance, subscribing to updates from the Department of Health and Human Services (HHS), and participating in industry forums and training sessions.
What are the penalties for non-compliance with HIPAA?
Penalties for noncompliance can range from monetary fines to criminal charges, depending on the severity and circumstances of the violation. OCR can impose penalties ranging from $1,307 to $68,928 per violation, with a maximum annual penalty of $2,067,813.
Go deeper: What are the consequences of not complying with HIPAA?