The HIPAA rules and regulations are the standards and implementation specifications adopted by federal agencies to streamline healthcare transactions and protect the privacy and security of individually identifiable health information. This guide explains why the HIPAA rules and regulations exist, what they consist of, and who they apply to.

In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA) with the objective of reforming the health insurance industry. Due to concerns that the cost of the reforms would be passed onto plan members and employers, and that this would negatively impact tax revenues, Congress added a second Title to HIPAA – “Preventing Health Care Fraud and Abuse; Administrative Simplification”.

The measures in Title II were intended to neutralize the cost of the reforms. The measures introduced to prevent health care fraud and abuse gave HHS’ Office of Inspector General more resources to identify fraud and abuse in the healthcare industry, increased the civil and criminal penalties for violations of the Social Security Act, and widened the criteria for exclusion from federal health programs such as Medicare and Medicaid.

The Administrative Simplification measures instructed the Secretary for Health and Human Services to standardize the administration of healthcare transactions, adopt security standards for health information maintained or transmitted electronically, and “make recommendations with respect to the privacy of certain health information.” These instructions evolved into what many consider to be the HIPAA Rules and Regulations.

The HIPAA Administrative Simplification Regulations

The HIPAA Administrative Simplification Regulations occupy Parts 160, 162, and 164 in Title 45 of the Code of Federal Regulations (Public Welfare).

• Part 164 includes General Provisions (Subpart A), the Security Rule (Subpart C), the Breach Notification Rule (Subpart D), and the Privacy Rule (Subpart E).
• Part 162 includes further General Provisions (Subpart A), the Identifier Regulations (Subparts D to F), and the Transactions and Code Sets Rules (Subparts I to S).
• Part 160 also includes General Provisions (Subpart A), as well as the Enforcement Rule (Subparts C and E), and the process for determining HIPAA Civil Penalties (Subpart D).

The above HIPAA rules and regulations are mostly administered and enforced by HHS’ Office for Civil Rights (Parts 160 and 164) and HHS’ Centers for Medicare and Medicaid (Part 162). Other agencies involved in administrative activities include the Internal Revenue Service (who issue Employer ID Numbers), while the Federal Trade Commission has its own Health Breach Notification Rule for organizations not covered by the HIPAA rules and regulations.

In addition, State Attorneys General can take enforcement action against covered entities and business associates when a breach of unprotected health information harms a resident of the state, or when an organization violates a state privacy or security regulation that preempts HIPAA. Some states also have Breach Notification Rules with shorter notification periods than HIPAA and/or consumer data protection laws that allow for a private right of action.

The HIPAA Rules and Regulations in Part 164

General Provisions

All three Parts of the HIPAA Rules and Regulations commence with the General Provisions for that Part. General Provisions typically consist of an introduction to the Part, a list of definitions for terms that are only used in the Part, and any unique arrangements that apply to the Part. For example, the General Provisions of Part 164 include a definition of hybrid entities and standards for how the healthcare component(s) of a hybrid entity should operate.

The HIPAA Security Rule

The HIPAA Security Rule contains the standards and implementation specifications considered necessary to ensure the confidentiality, integrity, and security of electronic Protected health Information (ePHI). The Rule applies to all covered entities, business associates, and subcontractors with access to ePHI, who are responsible for ensuring all members of the workforce comply with this Subpart regardless of their access to ePHI.

The HIPAA Security Rule

HIPAA Risk Assessments

HIPAA Rules on Contingency Planning

HIPAA Medical Records Destruction Rules

How to Make Your Email HIPAA Compliant

The HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule exists to ensure covered entities alert patients and plan members to a data breach in a timely manner so the victims of a breach can take steps to protect themselves against fraud and identity theft. The Rule covers topics such as the burden of proof, non-notifiable disclosures, law enforcement delays, notifications to HHS’ Office for Civil Rights, and – when required – notifications to the media.

The HIPAA Breach Notification Rule

Breach Notification Requirements

Healthcare Data Breach Statistics

Healthcare Data Breaches due to Phishing

How to Respond to a Healthcare Data Breach

The HIPAA Privacy Rule

The HIPAA Privacy Rule has two objectives – the protect the privacy of individually identifiable health information and increase individuals’ rights over how their health information is used and who it is disclosed to. Individuals also have the right to request copies of their health information, review it for errors,  request amendments when errors exist, and transfer their health information to a different provider or health plan.

The HIPAA Privacy Rule

HIPAA Privacy Guidelines

Patient Rights under HIPAA

HIPAA Permitted Disclosures

The HIPAA Photography Rules

HIPAA and Social Media Guidelines

HIPAA Guidelines on Telemedicine

HIPAA Compliance for Home Health Care

HIPAA Rules on Disclosures to Family and Friends

How to Handle a HIPAA Privacy Complaint

The HIPAA Rules and Regulations in Part 162

General Provisions

The HIPAA rules and regulations in Part 162 apply to covered entities that conduct covered transactions in-house, health care clearinghouses, and business associates that conduct covered transactions on behalf of a covered entity. It is also necessary for healthcare providers who outsource covered transactions to monitor business associate compliance with the HIPAA rules and regulations in Part 162 for the reasons given below.

HIPAA Unique Health Identifier Regulations

Unique health identifiers are used to identify employers (EINs) when a plan member is enrolled or disenrolled from a health plan, and to identify healthcare providers (NPIs) in all HIPAA covered transactions. Healthcare providers need to ensure NPIs are used correctly in all covered transactions – regardless of whether they are conducted in–house or subcontracted – to prevent delayed eligibility checks, treatment authorizations, and payments.

HIPAA Unique Identifiers Explained

HIPAA Transactions and Code Sets Rules

The HIPAA transactions and code sets rules determine whether a healthcare provider qualifies as a covered entity or not. If a healthcare provider conducts any transactions electronically for which code sets exists, they qualify as a covered entity. If they do not conduct covered transactions electronically (i.e., only bill patients directly), they do not qualify as a covered entity and do not have to comply with the HIPAA rules and regulations.

HIPAA Transactions and Code Set Rules

The HIPAA Rules and Regulations in Part 160

General Provisions

The General Provisions in Subpart A of Part 160 and the section relating to the Preemption of State Law in Subpart B are very important in the context of understanding the HIPAA rules and regulations because they clarify when standards and implementation specifications apply to business associates, provide definitions of the most commonly used terms in HIPAA, and explain when a provision of state law preempts a provision of HIPAA.

What are Covered Entities?

What is PHI under HIPAA?

Limited Data Sets under HIPAA?

Complying with HIPAA California Law

When Does State Privacy Law Supersede HIPAA?

The HIPAA Enforcement Rule

The Enforcement Rule was originally one Subpart of Part 160 – “Procedures for Investigations, Imposition of Penalties, and Hearings”. As the number of standards increased and the penalty structure was amended by the HITECH Act, the Enforcement Rule was split into separate Subparts  “Investigations” (Subpart C) and “Hearings“ (Subpart E). The “Imposition of Penalties” now occupies Subpart D as HIPAA civil penalties are amended annually.

HIPAA Enforcement Rule

Can HIPAA be Waived?

HIPAA Enforcement Discretion

What Happens if You Violate HIPAA?

What Happens after a HIPAA Complaint is Filed?

HIPAA Civil Penalties

The HIPAA Civil Penalties are often a last resort for persistent offenders – HHS agencies preferring to “seek and promote voluntary compliance” with the HIPAA rules and regulations. However, although organizations might not be fined by HHS’ Office for Civil Rights, compliance with the HIPAA rules and regulations may be considered the “standard of care” in State Attorney General civil actions, private lawsuits, and class action lawsuits.

Penalties for HIPAA Violations

HIPAA Violation Fines

Enforcement Trends and Outlook

HIPAA Enforcement by State Attorneys General

MedData Settles Class Action Lawsuit for $7 Million

Who Do The HIPAA Rules and Regulations Apply To?

The HIPAA rules and regulations apply to health plans, health care clearinghouses, and healthcare providers who conduct covered transactions electronically – collectively “covered entities”. An individual or organization that provides a service for or on behalf of a covered entity – other than as a member of the covered entity’s workforce – is a business associate if the service involves the creation, receipt, storage, or transmission of Protected Health Information (PHI).

Business associates and subcontractors of business associates are required to comply with the Security and Breach Notification Rules, any other Administrative Simplification Regulations that apply to the service being provided, and any specific provisions included in the Business Associate Agreement between the parties. Compliance is required even when a business associate or subcontractor has “no view access” to Protected Health Information.

Workforce members are also required to comply with HIPAA. Workforce compliance is often assumed to be limited to workplace policies and procedures. However, §164.530(e)(1) requires covered entities to apply sanctions against workforce members” who fail to comply with the privacy policies and procedures of the covered entity or the requirements of this subpart [the Privacy Rule] or subpart D of this part [the Breach Notification Rule]”

Applicability, Exceptions, and the Flexibility of Approach

In the context of who do the HIPAA rules and regulations apply to, it is important to be aware that covered entities, business associates, and workforce members do not have to comply with every standard and implementation specification – only those that are applicable to their operations. Those that are applicable should be determined by conducting a HIPAA risk assessment to identify where PHI is created, received, stored, or transmitted.

In addition, there are also a number of HIPAA exceptions. These can apply in circumstances where – for example – a state law preempts HIPAA, a patient provides their authorization for an otherwise impermissible disclosure, or when a covered entity conducts a patient safety activity such as a fire drill. Some third party service providers may also not be required to comply with the HIPAA rules and regulations if they are exempted by the HIPAA Conduit Exception Rule.

The flexibility of approach provisions can also affect how a covered entity or business associate complies with HIPAA. The provisions in §164.306(b) allow covered entities and business associates to take into account factors such as complexity, capabilities, and costs when deciding how they will comply with the Security Rule. Any decisions made on the basis of these factors must be justified and documented in case of a subsequent compliance investigation.

Future Changes to the HIPAA Rules and Regulations

In addition to complying with the current HIPAA rules and regulations, it is necessary to be aware of future changes to the HIPAA rules and regulations. This is because, when a new or revised standard is published, there is a limited time between publication, the effective date, and the compliance date. Some organizations may find it difficult to make whatever changes are necessary and provide workforce training on the changes within the time allowed.

When large scale changes occur – such as happened in 2013 with the HIPAA Omnibus Rule – almost every covered entity and business associate is impacted by the changes. This makes it harder to seek appropriate guidance from HHS and raises the likelihood of standards being misinterpreted. Fortunately, the changes since 2013 have been limited in scale (i.e., the NIC amendment to the Privacy Rule) or regular in nature (i.e., HCPCS code updates).

However, there is a growing list of HIPAA updates and changes in the pipeline – ranging from new Part 162 standards for electronic signatures on healthcare transactions, to new Security Rule standards to comply with HHS’ Healthcare Sector Cybersecurity Strategy. Significantly, it has been hinted that a failure to comply with the new Security Standards might not only result in a civil monetary penalty, but also in expulsion from federal health programs such as Medicare.

HIPAA Omnibus Rule

HHS Part 2 Final Rule

Reproductive Health Care Privacy Rule

HIPAA Updates and HIPAA Changes

New HIPAA Regulations

HIPAA Compliance Needs to be Approached Holistically

Because of the wide range of applicable HIPAA rules and regulations, the wide range of covered entities and business associates they apply to, and the potential for exceptions, flexibilities, and changes, compliance with the HIPAA rules and regulations needs to be holistic, rather than piecemeal. Individuals and organizations subject to HIPAA compliance are advised to seek professional compliance advice if assistance is needed adopting a holistic approach to HIPAA compliance.

HIPAA Compliance Checklist

HIPAA Policies and Procedures

HIPAA Data Retention Requirements

HIPAA Business Associate Agreements

Latest HIPAA News

The post HIPAA Rules and Regulations appeared first on The HIPAA Journal.

The HIPAA transactions and code sets rules have the objective of replacing non-standard descriptions of healthcare activities with standard formats for each type of activity in order to streamline administrative processes, lower operating costs, and improve the quality of data.

During the 1970s and 1980s, an increasing number of organizations in the healthcare and health insurance industries adopted Electronic Data Interchanges (EDIs) to accelerate manual healthcare processes such as eligibility checks, treatment authorizations, and remittance advices. However, many organizations developed proprietary transaction and code set formats to describe specific healthcare activities based on the formats used for internal operations.

Consequently, prior to the passage of HIPAA, it was estimated there were up to 400 proprietary formats in use. Acknowledging this would be a barrier to the objectives of the Administrative Simplification Regulations, Congress instructed the Secretary of Health and Human Services (HHS) to adopt standard HIPAA transactions and code sets rules for health plans, health care clearinghouses, and healthcare providers that transmitted health information electronically.

HIPAA Transactions and Code Sets Rules Adopted Quickly

At the time, most federal agencies and larger private organizations had adopted formats based on the ICD-9-CM and ASC X12N classification systems for diseases and medical data elements (i.e., diagnoses, procedures, and drugs). Indeed, many of the classification systems that would eventually be adopted as the HIPAA transactions and code sets rules were already mandated for use in some federal and state healthcare programs – including Medicare and Medicaid.

Because the adoption of standard formats was at an advance stage, it did not take long for proposed HIPAA transactions and code sets rules to be published (May 1998), and for the rules to be finalized (August 2000). The rules omitted code sets for health claims attachments and first report of injury transactions (which are still “deferred”), but included code sets for coordination of benefits transactions. The list of HIPAA transactions for which code sets apply are:

Payment and Remittance Advice and Electronic Funds Transfer.

Health Care Claims Status.

Health Plan Eligibility Benefit Inquiry and Response.

Claim or Equivalent Encounter Information.

Health Plan Enrollment and Disenrollment.

Referral Certification and Authorization.

Health Plan Premium Payments.

Coordination of Benefits.

The Standards for Code Sets are Updated Frequently

While the only change to the list of transactions was the addition of code sets for Medicaid pharmacy subrogation transactions in January 2009, the standards for the code sets used in HIPAA transactions are updated frequently. For example, ICD-9-CM code sets were replaced by ICD-10-CM in October 2015, Healthcare Common Procedure Coding System (HCPCS) code sets are updated quarterly, and the National Drug Code Directory is updated daily.

In addition, since January 2014, health plans have had to comply with the HIPAA Operating Rules as required by §1104 of the Patient Protection and Affordable Care Act. The HIPAA Operating Rules place additional requirements on health plans to provide quicker, more complete responses to healthcare providers when healthcare providers make inquiries about individuals’ eligibility for benefits, claim statuses, fund transfers, and remittance advices.

How Compliance with the Rules is Enforced

Compliance with the HIPAA transactions and code sets rules is enforced by HHS’ Centers for Medicare and Medicaid Services (CMS). CMS has the authority to investigate complaints made by covered entities when another covered entity is using incorrect transaction codes or HIPAA identifiers, or not complying with the HIPAA Operating Rules. Covered entities can test compliance with the HIPAA transactions and code sets rules and file complaints via CMS’ ASETT portal.

If a complaint is investigated and found to be justified, CMS has the same enforcement powers as HHS’ Office for Civil Rights. This means CMS can impose corrective action plans or civil money penalties for compliance failures. In addition, via HHS’ Office of Inspector General, CMS can also exclude healthcare providers from federal healthcare programs if the failure to comply with the HIPAA transactions and code set rules is attributable to fraud, theft, abuse, neglect, or an unlawful activity.

The post HIPAA Transactions and Code Sets Rules appeared first on The HIPAA Journal.

The requirement to adopt HIPAA unique identifiers for individuals, employers, health plans, and healthcare providers was originally included in the text of HIPAA in order to improve the efficiency of healthcare transactions and to reduce administrative costs. However, no standards were ever adopted for individuals, and the standards for health plans were rescinded in 2019.

The requirement for the Secretary of Health and Human Services (HHS) to adopt HIPAA unique identifiers appears in §1173 of HIPAA (42 USC 1320d-2(b)). Referred to as “unique health identifiers” in the text of HIPAA, the standard instructs the Secretary to:

“Adopt standards providing for a standard unique health identifier for each individual, employer, health plan, and healthcare provider for use in the health care system. In carrying out the preceding sentence for each health plan and health care provider, the Secretary shall take into account multiple uses for identifiers and multiple locations and specialty classifications for health care providers”.

The instruction was part of a larger goal to achieve uniform national health data standards that would support the efficient electronic exchange of health information used in HIPAA-covered transactions (the “health care system” mentioned above). However, the instruction was only partly complied with due to the cost and complexity of standardizing HIPAA unique identifiers for individuals and health plans.

The Cost of Adopting Individual HIPAA Identifiers

In 1998, HHS published a white paper containing multiple options for adopting individual HIPAA unique identifiers. The white paper listed 30 criteria for evaluating the options, and discussed the pros and cons of each identifier type. It also discussed the practicalities of adopting specific identifiers and the cost of implementation. Due to the costs of implementation and for converting existing systems, no standards for individual HIPAA unique identifiers were ever adopted.

The Quick Fix for Employer HIPAA Unique Identifiers

Employer HIPAA unique identifiers are necessary when an employer enrolls or disenrolls an employee in a health plan, or when a health plan needs to keep track of premium payments or contributions from a certain employer for certain types of benefit. As all employers are required by 26 USC 6011(b) to have an IRS-issued Employer Identification Number (EIN), HHS published a Final Rule in May 2002 adopting EINs as employer HIPAA unique identifiers.

The Complexity of Using Four Health Plan Identifiers

Due to the different ways in which health plans function, multiple codes of different lengths and formats were in use by the time HHS published a Final Rule in 2012. Even then, rather than there being one unique identifier for health plans, there were four. Due to the complexity of using the identifiers and the manual processes still required to process HIPAA transactions, the standards were never enforced and the HIPAA identifiers for health plans were rescinded in 2019.

Healthcare Provider Identifiers Were Already in Use

Prior to the passage of HIPAA, the Health Care Finance Administration (now known as CMS) had been working on a National Provider Identifier (NPI) for use in Medicare and Medicaid programs. In 1998, HHS proposed the NPI should be extended to all health plans. The proposal was finalized in 2004, and a National Plan and Provider Enumeration System was set up to assign HIPAA unique identifiers to healthcare providers not yet issued an NPI.

Unique Identifiers Should Not be Confused with PHI Identifiers

Several sources discussing HIPAA identifiers confuse employer and provider identifiers with the PHI identifiers that must be removed from a designated recorded set before any health information remaining in the record set can be considered de-identified under the safe harbor method of de-identification. It is important to understand the difference between the two types of identifiers to avoid preventable HIPAA violations.

Employer and provider identifiers are identifiers that must be used in healthcare transactions between providers (or their business associates) and health plans. PHI identifiers are individually identifying information that can identify the subject of PHI. Covered entities and business associates who are uncertain about the difference between HIPAA unique identifiers and PHI identifiers are advised to seek HIPAA compliance advice.

The post HIPAA Unique Identifiers Explained appeared first on The HIPAA Journal.

The purpose of HIPAA compliance software is to provide a framework to guide a HIPAA-covered entity or business associate through the process of becoming HIPAA-compliant and ensuring continued compliance with HIPAA and HITECH Act Rules.

The HIPAA software helps compliance officers navigate the nuances of HIPAA and ensure all applicable provisions of the HIPAA Privacy, Security, and Breach Notification Rules are satisfied. The software also proves a company has made a good faith effort to comply with HIPAA by maintaining full documentation of compliance activities.

This ensures that if a company is audited by the HHS’ Office for Civil Rights (OCR) or is investigated by OCR or state attorneys general over a data breach, the organization can demonstrate no aspect of HIPAA has been missed, all policies and procedures are in order, members of the workforce have received training, and appropriate technical, physical, and administrative safeguards have been implemented and are being maintained.

It should be noted that the use of HIPAA compliance software will not absolve companies of liability in every circumstance (i.e., in the event of an employee violating HIPAA), but regulators do take a covered entity’s or business associate’s good faith efforts to comply with HIPAA into account when deciding whether a financial penalty or other sanction is appropriate.

If you are a vendor looking for information on how to make your software solution HIPAA compliant please click here.

Avoid Taking Shortcuts with HIPAA Compliance Software

Many compliance solutions only address specific elements of HIPAA compliance, such as the risk assessment. While HIPAA risk assessment software is a good place to start, it only covers one required provision of the HIPAA Security Rule.

Software that only covers specific aspects of HIPAA compliance will not help covered entities and business associates assess and demonstrate they are fully compliant. Even if covered entities and business associates are confident about their compliance programs, it is best to use a comprehensive software solution that covers all the required and addressable implementation specifications of HIPAA, the HITECH Act breach notification requirements, and even state laws.

A comprehensive compliance software solution may be more expensive in the short-term; but, by efficiently guiding covered entities and business associates though the full compliance process, costs can be reduced, all gaps can be identified and addressed, and the risk of regulatory fines for noncompliance can be reduced to a minimal level.

Best HIPAA Compliance Software

The best HIPAA compliance software is a comprehensive compliance solution that walks users through setting up, implementing, and maintaining HIPAA policies and procedures, tracks staff training, and ensures all appropriate safeguards are implemented to meet HIPAA Privacy and Security Rule requirements.

Many HIPAA compliance software solutions include templates for policies and HIPAA documents, such as business associate agreements. While these are certainly useful and can save compliance officers a great deal of time, HIPAA requires all policies and procedures to specific and relevant to each organization.

The best HIPAA compliance software solutions make it easy for policies, procedures, and HIPAA documentation to be customized to cover the specific ways that the organization creates, receives, uses, stores, and transmits protected health information.

The top HIPAA compliance solutions also help with the management of business associates. Business associates can be fined directly for HIPAA violations, but HIPAA covered entities also have a responsibility to ensure vendors are fully compliant. A HIPAA breach at a business associate will have many negative implications for a covered entity.

Some HIPAA compliance software solutions allow covered entities to send self-audits to business associates, monitor the results of the audits, and track and maintain business associate agreements.

You should also look for a software solution that lets you track employee HIPAA and security awareness training to ensure that every member of the workforce has received and – where required – has attested to receiving training.

Last but not least, even the best HIPAA compliance software solutions are not guaranteed to resolve all HIPAA compliance issues. If problems are experienced, support staff should be available to guide you through the compliance process and answer any questions you may have about HIPAA. Look for a software provider that offers regular sessions with compliance experts who will be able to answer any HIPAA questions and assess your compliance program and progress.

Assessing Suitable HIPAA Compliance Software Vendors

Finding a suitable vendor of HIPAA compliance software can be a challenge. We suggest the following tips for finding a suitable software vendor to ensure the service provided for you is comprehensive and does not leave any unidentified gaps in your compliance efforts:

• Avoid HIPAA training courses that promise compliance certification within a matter of minutes
• Select vendors that offer compliance solutions tailored to your specific needs
• Ensure somebody is available to answer any questions and guide you through the compliance process
• Check the vendor offers a solution that supports continued compliance rather than simply providing a one-off assessment
• Request verifiable testimonials from the vendor.

HIPAA Compliance Software Vs. HIPAA Compliant Software

The terms “HIPAA compliant software” and “HIPAA compliance software” are frequently used interchangeably by some software vendors, although the two terms mean something quite different.

“HIPAA compliance software” is more often than not an app or service that guides a business through its compliance efforts. This type of software can either help with specific elements of HIPAA compliance (i.e. Security Rule risk assessments) or provide a total solution for every element of HIPAA compliance.

HIPAA compliant software is usually an app or service for healthcare organizations that includes all the necessary privacy and security safeguards to meet the requirements of HIPAA – for instance, secure messaging solutions, hosting services, and secure cloud storage services. HIPAA compliant software does not guarantee compliance. It is the responsibility of users of the software solutions to ensure the software is used in a HIPAA-compliant manner.

If you are a vendor looking for information on how to make your software solution HIPAA compliant please click here.

HIPAA Risk Assessment Software

One of the most important elements of the HIPAA Security Rule is the risk analysis or risk assessment. The purpose of the risk assessment is to identify all risks to the confidentiality, integrity, and availability of protected health information (PHI). If the risk assessment is not performed, healthcare organizations cannot be sure that all risks have been identified, which means it will not be possible to reduce those risks to a reasonable and acceptable level through the HIPAA risk management process.

Even though the risk assessment is foundational element of HIPAA compliance, it is one of the provisions of HIPAA that causes healthcare organizations the most problems. The failure to conduct an organization-wide HIPAA-compliant risk assessment is the single most common HIPAA violation penalized by OCR in its enforcement actions.

The use of HIPAA risk assessment software helps to ensure that the risk assessment is completed to the standard demanded by HIPAA, by guiding organizations through the whole process and ensuring all identified risks are tracked along with the efforts made by the company to remediate those risks.

HIPAA Compliance Certification for Software

There is no officially recognized HIPAA compliance certification for software, as any certification only confirms a software solution has incorporated all of the required safeguards to meet the requirements of HIPAA Rules. HIPAA compliance certification for software only confirms a solution is compliant at the moment when the compliance certificate is issued.

That said, many training and software companies issue HIPAA compliance certification to companies that have demonstrated compliance through the use of the software. These HIPAA compliance certifications may not be officially recognized by OCR and state attorneys general, but they do serve an important purpose.

They provide assurances that policies and procedures have been introduced in line with HIPAA, demonstrate a company is fully aware of its responsibilities under HIPAA and has provided appropriate training to employees, and confirm that software meets or exceeds the minimum standards for privacy and security demanded by HIPAA.

Vendors looking to break into the healthcare market will need to demonstrate to prospective healthcare clients that they are aware of their responsibilities with respect to HIPAA and provide “reasonable assurances” to the covered entity that they are compliant. This is achieved through the signing of a business associate agreement, but the use of HIPAA compliance software and any accompanying HIPAA compliance certification will help. It can be used to differentiate a company’s products and services and stand out from the competition.

Summary

It can be time-consuming finding a suitable vendor with a product to match your specific needs. There is no “one-size-fits-all” solution to HIPAA compliance, but the effort you put into identifying and addressing HIPAA compliance shortfalls is likely to pay dividends in the long run. Ensuring all aspects of HIPAA are satisfied should improve your security posture and help you prevent costly data breaches.

The software will ensure that no provision of HIPAA is overlooked, thus helping the company avoid regulatory fines for noncompliance.

FAQs

Is HIPAA compliance software the same for covered entities and business associates?

HIPAA compliance software is not the same for covered entities and business associates. While both covered entities and business associates are required to comply with all “applicable” standards of the HIPAA Administrative Simplification Regulations, a covered entity would likely need more comprehensive guidance through the complexities of the HIPAA Privacy Rule. In addition, topics such as business associate management would most often be unique to covered entities.

What is the most important feature of HIPAA compliance software for covered entities?

The most important feature of HIPAA compliance software for covered entities depends on whether gaps exist in the covered entity´s compliance efforts and what they are. For some covered entities, the risk assessment and analysis software may be most important. For others it may be helpful with responding to an OCR audit or HIPAA breach.

What is the most important feature of HIPAA compliance software for business associates?

The most important feature of HIPAA compliance software for business associates will again depend on whether gaps exist in the business associate’s compliance efforts and what they are. However, one of the most important benefits of HIPAA compliance software for business associates is understanding business associate agreements. Too often, business associates sign unnecessary agreements, exposing themselves to liability if a covered entity is at fault for a data breach.

Is there any HIPAA software my organization should avoid?

With regards to HIPAA software your organization should avoid, be wary of any software vendor that offers compliance training or compliance certification “within an hour” or “for less than $20” – especially those who certify HIPAA compliance with a pass mark of less than 100%. While a certificate with a 75% compliance score may look good on your website, anyone familiar with HIPAA will know this means your organization is 25% non-compliant.

Where can I find out more about HIPAA compliance software?

You can find out more about HIPAA compliance software by taking advantage of our reader offer to see a demo of the Compliancy Group’s HIPAA compliance software in action. This will not only give you the opportunity to see what HIPAA software does, but also to ask questions about how the software can be customized to be suitable for your organization and the nature of its operations.

What is the purpose of HIPAA compliance software?

The purpose of HIPAA compliance software is to provide a framework to guide HIPAA-covered entities and business associates through the process of becoming HIPAA-compliant and ensuring continued compliance with HIPAA and HITECH Act Rules. The software helps compliance officers navigate the nuances of HIPAA and ensures all applicable provisions of the HIPAA Privacy, Security, and Breach Notification Rules are satisfied.

How can HIPAA compliance software help during an investigation or audit by OCR inspectors?

HIPAA compliance software can help during an investigation or audit by OCR inspectors by providing full documentation of compliance efforts. The documentation demonstrates that the organization has made a good faith effort to comply with HIPAA, that all applicable policies and procedures are in order, and that workforce members have received training.

Does HIPAA compliance software absolve organizations of liability in the event of a data breach?

HIPAA compliance software does not absolve organizations of liability in the event of a data breach because there are several types of events compliance software is not capable of preventing – for example, an employee stealing PHI for personal gain. However, the implementation and use of HIPAA compliance software can help demonstrate an organization’s good faith efforts to be compliant when regulators investigate a data breach.

What features should be included in the best software for HIPAA compliance?

The features that should be included in the best software for HIPAA compliance include features to help develop, implement, and maintain HIPAA policies and procedures, track staff training, ensure appropriate safeguards are implemented, and allow the customization of policies, procedures, and documentation. The best software for HIPAA compliance should also assist with the management of business associates and be supported by knowledgeable and available compliance experts.

Is there an officially recognized HIPAA compliance certification for software?

There is no officially recognized HIPAA compliance certification for software. However, some companies issue HIPAA compliance certifications to vendors who have demonstrated compliance with HIPAA by implementing measures to comply with the Security and Breach Notification Rules, and who have developed software with the capabilities to support HIPAA compliance by users.

The post Test Post With DIA & MIA appeared first on HIPAA Journal.

Standards relevant to HIPAA compliance for email appear throughout the HIPAA Administrative Simplification Regulations – from the applicability and preemption standards of Part 160 (the General Requirements) to the privacy, security, and breach notification standards of Part 164. Due to the potential complexities of HIPAA email compliance, this article discusses:

• Who do the HIPAA email rules apply to?
• Preemptions and exclusions to HIPAA email compliance
• HIPAA email policies and the Privacy Rule
• Security standards for HIPAA compliant email
• What are the HIPAA email encryption requirements?
• HIPAA compliance for email breach notifications

Who do the HIPAA Email Rules Apply to?

The HIPAA email rules apply to individuals and organizations that qualify as HIPAA covered entities or business associates. Most – but not all – health plans, health care clearinghouses, and healthcare providers qualify as HIPAA covered entities, while third party service providers to covered entities qualify as business associates when the service provided for or on behalf of a covered entity involves uses or disclosures of Protected Health Information (PHI).

However, the HIPAA email rules only apply to HIPAA covered entities and business associates when PHI is created, received, stored, or transmitted by email. If – for example – a covered entity sends an email that does not include PHI, the standards relevant to HIPAA compliance for email do not apply. Similarly, if a prospective patient submits a contact form by email that does not include PHI, the HIPAA email rules do not apply to the contact form or the email.

Preemptions and Exclusions to HIPAA Email Compliance

In all applications of HIPAA, the HIPAA Rules apply unless a provision of state law has more stringent requirements or provides more individual rights than the equivalent HIPAA standard. This is relevant to HIPAA email compliance because, in 2008, the Department for Health and Human Services (HHS) issued guidance stating “

“Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume […] that e-mail communications are acceptable to the individual.”

However, several subsequently passed state laws have adopted “affirmative opt-in” requirements. These requirements mean a covered entity or business associate must obtain an individual’s clear consent before communicating with them by email. States in which these requirements preempt HIPAA include Connecticut, Colorado, Texas, Tennessee, Virginia, Utah, Montana, Iowa (from January 2025), and Indiana (from January 2026).

In addition, under §164.522(b) of the Privacy Rule individuals have the right to request confidential communications by alternative means. If the requests are reasonable, covered entities are required to comply with them – even if this means covered entities cannot comply with the HIPAA email compliance requirements. In such circumstances, covered entities should warn individuals of the risks, request written consent, and document both the warning and the consent.

HIPAA Email Policies and the Privacy Rule

Many sources of information discussing HIPAA compliance for email tend to focus on the requirements of the Security Rule. However, it is important not to overlook Privacy Rule compliance requirements. The Privacy Rule is relevant because it defines what is considered PHI under HIPAA and lists the permissible uses and disclosures of PHI – important standards when developing HIPAA email policies for members of the workforce.

HIPAA email policies should be covered in general HIPAA training rather than in security awareness training because of the frequency with which members of the workforce may email patients, each other, or members of other covered entities’ workforces. The provision of training on HIPAA email policies will benefit general HIPAA compliance as members of the workforce will be more conscious of requirements such as the minimum necessary standard.

Other areas of the Privacy Rule which may influence HIPAA compliance for email include the requirements for Business Associate Agreements. The Privacy Rule requirements (in §164.502 and §164.504) stipulate what must be included in a Business Associate Agreement for the Agreement to be in compliance with HIPAA, whereas the standards relating to Business Associate Agreements in the Security Rule just require that an Agreement is in effect.

Security Standards for HIPAA Compliant Email

The security standards for HIPAA compliant email require covered entities and business associates to implement access controls, audit controls, integrity controls, ID authentication, and transmission security mechanisms. This is in order to restrict access to PHI, monitor how PHI is communicated via email, ensure the integrity of PHI at rest, ensure 100% message accountability, and protect PHI from unauthorized access during transit

In addition, if PHI is stored in emails, covered entities and business associates should adopt an email archiving and retention system that ensures they are able to respond to individuals’ access requests and Accounting of Disclosure requests within the timeframe specified under the Privacy Rule (currently 30 days). This may require the adoption of an external HIPAA compliant archiving and retention service in addition to a HIPAA compliant email provider.

As well as the implementation specifications mentioned above, some requirements – such as maintaining an audit trail and preventing the improper modification of PHI – can be complex to resolve. So, although emails systems can be compliant at a point in time, ongoing compliance may require significant IT resources and a continuing monitoring process to ensure authorized users are communicating PHI in adherence with HIPAA email policies.

What are the HIPAA Email Encryption Requirements?

The HIPAA email encryption requirements are that a mechanism must be implemented to encrypt and decrypt electronic PHI at rest, and technical security measures must be implemented to guard against unauthorized access to electronic PHI transmitted over a communications network. Although these are “addressable” implementation specifications, they must be implemented unless equally effective measures are implemented in their place.

Due to technological advances, the encryption mechanisms and security measures that existed when the Security Rule was first published are long out of date (i.e., the DES algorithm). Covered entities and business associates are advised to follow the latest guidelines on electronic mail security published by the National Institute of Standards and Technology (NIST) which, in the context of HIPAA compliance for email, can be found in  SP 800-45 Version 2.

While the NIST guidelines clarify the HIPAA email encryption requirements, they can raise challenges about which type(s) of encryption to adopt. For example, TLS encrypts the communication channel when emails are in transit, but not the content of the email itself, while S/MIME encrypts the content of email – making malware invisible to email filters. In many cases, it may be necessary to adopt more than one type of encryption mechanism or security measure.

HIPAA Compliance for Email Breach Notifications

Even when a covered entity or business associate has implemented all the required safeguards to support HIPAA compliance for email, it is still necessary to be aware of the breach notification requirements. §164.404(d) of the HIPAA Breach Notification Rule requires notifications to be sent to individuals by first class mail. It is only possible to notify individuals by email if they previously consented to receive “electronic notifications”.

The wording of the standard implies that, if an individual has affirmatively opted in to receive emails or requested communications by email, the document(s) used to obtain consent should note that the consent includes electronic notifications. If the consent document does not include the electronic notification requirement – or a notification email is sent to individuals who have not previously consented – this may be considered a HIPAA violation.

HIPAA compliance for email breach notifications is just one example of how covered entities and business associates can fall foul of the HIPAA email rules due to the potential complexities of HIPAA email compliance. If your organization is unsure of its HIPAA compliance for email, or requires assistance in adopting the necessary measures to comply with HIPAA, it is recommended you seek advice from a compliance professional.

HIPAA Compliance for Email FAQs

Why is it important to encrypt emails?

It is important to encrypt emails because unencrypted emails are sent from sender to recipient in plain text. During the communication process, they “rest” on various servers and could be read by any man-in-the-middle technology in the same way as email filters read emails to look for spam. Encrypting emails so they are unreadable by unauthorized persons is the best way to maintain the confidentiality of PHI.

Do I need to sign a BAA with my email service provider?

You do need to sign a BAA with your email service provider because email service providers have “persistent access” to ePHI, even when an email is encrypted. Please note that not all email services are willing to sign a BAA. For example, most free services will require you to subscribe to a business email service before entering into a BAA.

Is consent necessary to send PHI by email?

In most states, consent is not necessary to send PHI by email to patients, but it is recommended. HHS´ guidance states that if an individual provides a health care provider with an email address or initiates a communication by email, consent is implied. However, individuals should be warned of the risks of communicating PHI by email and the warning should be documented. In all other cases, consent should be sought before communicating PHI by email to patients.

What are the risks of communicating PHI by email?

There are several risks of communicating PHI by email other than the risks of unencrypted emails being intercepted. For example, emails sent to a patient may be viewed by family members if a patient leaves their mobile phone unattended, or by work colleagues if the email is sent to a work email address. Depending on the content of the email, this could be interpreted as a breach of individuals´ rights if consent has not been previously obtained.

What training do employees require regarding HIPAA compliance for email?

With regards to what training employees require regarding HIPAA compliance for email, as well as email basics – such as checking that the email address is correct before clicking the send button – employees should be reminded that, even when emails are encrypted, the content of the email has to comply with the Privacy Rule standards relating to permissible uses and disclosures and the Minimum Necessary Rule.

What are the HIPAA email rules for access and message accountability?

The HIPAA email rules for access and message accountability appear throughout the Administrative and Technical Safeguards of the Security Rule. These include (but are not limited to) unique user identifiers, login monitoring, access reports, automatic log-off, encryption, email backup/archiving, and the termination of credentials when a member of the workforce leaves.

Is email HIPAA compliant?

Email is HIPAA compliant provided all the necessary safeguards are in place to ensure the confidentiality, integrity, and availability of PHI, a Business Associate Agreement is signed with the email service provider, and members of the workforce are trained on email best practices to mitigate the risk of an email being misdirected. If communicating with a patient or plan member via email, it is also a best practice to obtain the recipient’s written consent before sending PHI by email.

What are the HIPAA email requirements?

The HIPAA email requirements (according to HHS guidance) are to apply reasonable safeguards when emailing PHI, comply with the minimum necessary standard, and ensure the transmission of electronic PHI is in compliance with the Security Rule. The guidance does not mention entering into a Business Associate Agreement with an email service provider, but this is one of the most important HIPAA email requirements whenever emails containing PHI are sent to any recipient.

What is HIPAA email compliance?

HIPAA email compliance means complying with the applicable standards of the HIPAA Administrative Simplification Regulations developed to protect the privacy of individually identifiable health information communicated in an email and to ensure the confidentiality, integrity, and availability of the email. Compliance with these standards does not guarantee the content of an email will remain secure, but it will mitigate the risk of impermissible disclosures and breaches of unsecured PHI.

Is it a HIPAA violation to email PHI?

It can be a HIPAA violation to email PHI if the necessary and appropriate safeguards have not been put in place to protect the privacy of PHI and comply with the Security Rule. Even if these safeguards are in place, HIPAA violations can still occur if an email contains more than the minimum necessary PHI to achieve the purpose of the email or if account credentials are misused to transmit PHI for an impermissible purpose.

Should all emails include a HIPAA compliance email disclaimer?

Emails can include a HIPAA compliance email disclaimer, but it won’t absolve the sender of a HIPAA violation if an email containing PHI is sent to the wrong recipient. Consequently, although a HIPAA email disclaimer may help reassure genuine recipients that an organization complies with the Privacy and Security Rules, it serves no other worthwhile purpose.

The post HIPAA Compliance for Email appeared first on HIPAA Journal.

What is required for HIPAA compliance is for covered entities and business associates to comply with all applicable standards and implementation specifications of the HIPAA Administrative Simplification Regulations in order to protect the privacy and security of individually identifiable health information.

Due to the complexity of the HIPAA Administrative Simplification Regulations, misunderstandings can sometimes exist about what HIPAA is, who it applies to, what is protected by HIPAA, and who is responsible for HIPAA compliance. These misunderstandings can make it difficult to determine what is required for HIPAA compliance.

What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act – an Act passed in 1996 with the purpose of reforming the health insurance industry. Due to the cost of the reforms, a second Title was added to the Act which aimed to counter the cost by reducing fraud in the healthcare industry and simplifying the administration of healthcare transactions.

The Administrative Simplification Regulations are what most people refer to when discussing what is required for HIPAA compliance. The Regulations include the General Provisions and the procedures for the enforcement of HIPAA (Part 160), the standards for electric healthcare transactions (Part 162), and the Privacy, Security, and Breach Notification Rules (Part 164).

Individuals and organizations to whom HIPAA applies have to comply with all applicable standards and implementation specifications of the Administrative Simplification Regulations. This means that, if – for example – a medical office outsources its healthcare transactions to a third party, the medical office does not have to comply with the standards in Part 162 of HIPAA.

Who does HIPAA Apply To?

§160.102 of the HIPAA Administrative Simplification Regulations states that the standards and implementation specifications apply to health plans, health care clearinghouses, and health care providers that conduct or outsource transactions for which a standard exists in Part 162. Individuals and organizations that fall into these categories are called “covered entities”.

HIPAA also applies to “business associates” – third party individuals and organizations that provide a service to or on behalf of a covered entity that involves the creation, receipt, storage, or transmission of Protected Health Information (PHI). Business associates can include outsourced billing companies, cloud service providers, and medical transcriptionists.

Examples of who HIPAA does not apply to include auto insurance companies that provide health benefits as a secondary service, healthcare providers that bill patients directly, publicly funded schools, and employers in their role as an employer. HIPAA also does not apply directly to members of a covered entity’s or business associate’s workforce for reasons explained later.

What does HIPAA Protect?

One of the most common misunderstandings about HIPAA – and one of the biggest barriers to determining what is required for HIPAA compliance – is what does HIPAA protect. The misunderstanding exists due to some sources confusing what is considered PHI under HIPAA with the requirements for de-identifying PHI using the safe harbor method in §164.514(a).

To summarize what does HIPAA protect, any information relating to a patient’s health condition, treatment for the condition, or payment for the treatment is protected by HIPAA. In addition, any information that could be used to identify the patient is protected by HIPAA when it is maintained in the same designated record set as health, treatment, or payment information.

This means – for example – that a patient’s name and cellphone number are protected by HIPAA when they are maintained in the same designated record set as the patient’s health, treatment, or payment information, but they are not protected when they are maintained in a separate database that does not contain health, treatment, or payment information (i.e., for marketing purposes).

Who is Responsible for HIPAA Compliance?

Covered entities are required by §164.530(a) to designate a privacy official who is responsible for the development and implementation of policies and procedures to meet the requirements of the Privacy and Breach Notification Rules. The privacy official does not have to be an existing member of the workforce. The position can be outsourced on a temporary or permanent basis.

In addition, §164.308(a) requires covered entities and business associates to identify a security official who is responsible for the development and implementation of policies and procedures to meet the requirements of the Security Rule. Again, this position can be outsourced, or it can be combined with the responsibilities of the privacy official in a single HIPAA compliance role.

In most cases, covered entities and business associates will already have an individual or team responsible for managing compliance with other federal, state, or voluntary regulations. In many cases, what is required for HIPAA compliance can overlap with what is required for complying with other regulations – for example, the conditions of participation in Medicare, OSHA, and SOC 2.

What is Required for HIPAA Compliance by Workforce Members?

It was mentioned earlier that HIPAA does not apply directly to members of a covered entity’s or business associate’s workforce. The reason for this is that covered entities are required to provide HIPAA training to members of the workforce on the policies that are relevant to their roles. It is not necessary for every member of the workforce to be trained on every HIPAA policy.

In addition, covered entities and business associates must provide security awareness training to all members of the workforce and “ensure compliance” with their policies and procedures by implementing and applying a sanctions policy. Rather than it being necessary for workforces to comply with the HIPAA Rules, workforces are required to comply with the organization’s rules.

There is one exception to this explanation of workforce compliance with HIPAA. When HIPAA was passed by Congress in 1996, it extended §1177 of the Social Security Act to members of the workforce. In the context of what is required for HIPAA compliance by workforce members, a violation of §1177 can result in a workforce member being convicted for the wrongful disclosure of PHI.

What is Required for HIPAA Compliance? Conclusion

It is not surprising some covered entities and business associates have difficulty determining what is required for HIPAA compliance. Misunderstandings about what HIPAA is, who it applies to, and what is protected by HIPAA can be compounded by assuming members of the workforce are required to comply with HIPAA when their compliance obligations are indirect.

Organizations that are unsure of what is required for HIPAA compliance should take advantage of our HIPAA compliance checklist to compare existing privacy and security measures against the standards that apply to their activities. Thereafter, it will be possible to conduct a gap analysis and develop a healthcare compliance program that incorporates the requirements of HIPAA.

Covered entities and business associates that encounter difficulties in conducting a gap analysis, developing a healthcare compliance program, or incorporating the requirements of HIPAA into existing compliance activities are advised to review the HHS Office for Civil Rights Help Pages or speak with an independent compliance professional.

The post What is Required for HIPAA Compliance? appeared first on HIPAA Journal.