Standards relevant to HIPAA compliance for email appear throughout the HIPAA Administrative Simplification Regulations – from the applicability and preemption standards of Part 160 (the General Requirements) to the privacy, security, and breach notification standards of Part 164. Due to the potential complexities of HIPAA email compliance, this article discusses:

• Who do the HIPAA email rules apply to?
• Preemptions and exclusions to HIPAA email compliance
• HIPAA email policies and the Privacy Rule
• Security standards for HIPAA compliant email
• What are the HIPAA email encryption requirements?
• HIPAA compliance for email breach notifications

Who do the HIPAA Email Rules Apply to?

The HIPAA email rules apply to individuals and organizations that qualify as HIPAA covered entities or business associates. Most – but not all – health plans, health care clearinghouses, and healthcare providers qualify as HIPAA covered entities, while third party service providers to covered entities qualify as business associates when the service provided for or on behalf of a covered entity involves uses or disclosures of Protected Health Information (PHI).

However, the HIPAA email rules only apply to HIPAA covered entities and business associates when PHI is created, received, stored, or transmitted by email. If – for example – a covered entity sends an email that does not include PHI, the standards relevant to HIPAA compliance for email do not apply. Similarly, if a prospective patient submits a contact form by email that does not include PHI, the HIPAA email rules do not apply to the contact form or the email.

Preemptions and Exclusions to HIPAA Email Compliance

In all applications of HIPAA, the HIPAA Rules apply unless a provision of state law has more stringent requirements or provides more individual rights than the equivalent HIPAA standard. This is relevant to HIPAA email compliance because, in 2008, the Department for Health and Human Services (HHS) issued guidance stating “

“Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume […] that e-mail communications are acceptable to the individual.”

However, several subsequently passed state laws have adopted “affirmative opt-in” requirements. These requirements mean a covered entity or business associate must obtain an individual’s clear consent before communicating with them by email. States in which these requirements preempt HIPAA include Connecticut, Colorado, Texas, Tennessee, Virginia, Utah, Montana, Iowa (from January 2025), and Indiana (from January 2026).

In addition, under §164.522(b) of the Privacy Rule individuals have the right to request confidential communications by alternative means. If the requests are reasonable, covered entities are required to comply with them – even if this means covered entities cannot comply with the HIPAA email compliance requirements. In such circumstances, covered entities should warn individuals of the risks, request written consent, and document both the warning and the consent.

HIPAA Email Policies and the Privacy Rule

Many sources of information discussing HIPAA compliance for email tend to focus on the requirements of the Security Rule. However, it is important not to overlook Privacy Rule compliance requirements. The Privacy Rule is relevant because it defines what is considered PHI under HIPAA and lists the permissible uses and disclosures of PHI – important standards when developing HIPAA email policies for members of the workforce.

HIPAA email policies should be covered in general HIPAA training rather than in security awareness training because of the frequency with which members of the workforce may email patients, each other, or members of other covered entities’ workforces. The provision of training on HIPAA email policies will benefit general HIPAA compliance as members of the workforce will be more conscious of requirements such as the minimum necessary standard.

Other areas of the Privacy Rule which may influence HIPAA compliance for email include the requirements for Business Associate Agreements. The Privacy Rule requirements (in §164.502 and §164.504) stipulate what must be included in a Business Associate Agreement for the Agreement to be in compliance with HIPAA, whereas the standards relating to Business Associate Agreements in the Security Rule just require that an Agreement is in effect.

Security Standards for HIPAA Compliant Email

The security standards for HIPAA compliant email require covered entities and business associates to implement access controls, audit controls, integrity controls, ID authentication, and transmission security mechanisms. This is in order to restrict access to PHI, monitor how PHI is communicated via email, ensure the integrity of PHI at rest, ensure 100% message accountability, and protect PHI from unauthorized access during transit

In addition, if PHI is stored in emails, covered entities and business associates should adopt an email archiving and retention system that ensures they are able to respond to individuals’ access requests and Accounting of Disclosure requests within the timeframe specified under the Privacy Rule (currently 30 days). This may require the adoption of an external HIPAA compliant archiving and retention service in addition to a HIPAA compliant email provider.

As well as the implementation specifications mentioned above, some requirements – such as maintaining an audit trail and preventing the improper modification of PHI – can be complex to resolve. So, although emails systems can be compliant at a point in time, ongoing compliance may require significant IT resources and a continuing monitoring process to ensure authorized users are communicating PHI in adherence with HIPAA email policies.

What are the HIPAA Email Encryption Requirements?

The HIPAA email encryption requirements are that a mechanism must be implemented to encrypt and decrypt electronic PHI at rest, and technical security measures must be implemented to guard against unauthorized access to electronic PHI transmitted over a communications network. Although these are “addressable” implementation specifications, they must be implemented unless equally effective measures are implemented in their place.

Due to technological advances, the encryption mechanisms and security measures that existed when the Security Rule was first published are long out of date (i.e., the DES algorithm). Covered entities and business associates are advised to follow the latest guidelines on electronic mail security published by the National Institute of Standards and Technology (NIST) which, in the context of HIPAA compliance for email, can be found in  SP 800-45 Version 2.

While the NIST guidelines clarify the HIPAA email encryption requirements, they can raise challenges about which type(s) of encryption to adopt. For example, TLS encrypts the communication channel when emails are in transit, but not the content of the email itself, while S/MIME encrypts the content of email – making malware invisible to email filters. In many cases, it may be necessary to adopt more than one type of encryption mechanism or security measure.

HIPAA Compliance for Email Breach Notifications

Even when a covered entity or business associate has implemented all the required safeguards to support HIPAA compliance for email, it is still necessary to be aware of the breach notification requirements. §164.404(d) of the HIPAA Breach Notification Rule requires notifications to be sent to individuals by first class mail. It is only possible to notify individuals by email if they previously consented to receive “electronic notifications”.

The wording of the standard implies that, if an individual has affirmatively opted in to receive emails or requested communications by email, the document(s) used to obtain consent should note that the consent includes electronic notifications. If the consent document does not include the electronic notification requirement – or a notification email is sent to individuals who have not previously consented – this may be considered a HIPAA violation.

HIPAA compliance for email breach notifications is just one example of how covered entities and business associates can fall foul of the HIPAA email rules due to the potential complexities of HIPAA email compliance. If your organization is unsure of its HIPAA compliance for email, or requires assistance in adopting the necessary measures to comply with HIPAA, it is recommended you seek advice from a compliance professional.

HIPAA Compliance for Email FAQs

Why is it important to encrypt emails?

It is important to encrypt emails because unencrypted emails are sent from sender to recipient in plain text. During the communication process, they “rest” on various servers and could be read by any man-in-the-middle technology in the same way as email filters read emails to look for spam. Encrypting emails so they are unreadable by unauthorized persons is the best way to maintain the confidentiality of PHI.

Do I need to sign a BAA with my email service provider?

You do need to sign a BAA with your email service provider because email service providers have “persistent access” to ePHI, even when an email is encrypted. Please note that not all email services are willing to sign a BAA. For example, most free services will require you to subscribe to a business email service before entering into a BAA.

Is consent necessary to send PHI by email?

In most states, consent is not necessary to send PHI by email to patients, but it is recommended. HHS´ guidance states that if an individual provides a health care provider with an email address or initiates a communication by email, consent is implied. However, individuals should be warned of the risks of communicating PHI by email and the warning should be documented. In all other cases, consent should be sought before communicating PHI by email to patients.

What are the risks of communicating PHI by email?

There are several risks of communicating PHI by email other than the risks of unencrypted emails being intercepted. For example, emails sent to a patient may be viewed by family members if a patient leaves their mobile phone unattended, or by work colleagues if the email is sent to a work email address. Depending on the content of the email, this could be interpreted as a breach of individuals´ rights if consent has not been previously obtained.

What training do employees require regarding HIPAA compliance for email?

With regards to what training employees require regarding HIPAA compliance for email, as well as email basics – such as checking that the email address is correct before clicking the send button – employees should be reminded that, even when emails are encrypted, the content of the email has to comply with the Privacy Rule standards relating to permissible uses and disclosures and the Minimum Necessary Rule.

What are the HIPAA email rules for access and message accountability?

The HIPAA email rules for access and message accountability appear throughout the Administrative and Technical Safeguards of the Security Rule. These include (but are not limited to) unique user identifiers, login monitoring, access reports, automatic log-off, encryption, email backup/archiving, and the termination of credentials when a member of the workforce leaves.

Is email HIPAA compliant?

Email is HIPAA compliant provided all the necessary safeguards are in place to ensure the confidentiality, integrity, and availability of PHI, a Business Associate Agreement is signed with the email service provider, and members of the workforce are trained on email best practices to mitigate the risk of an email being misdirected. If communicating with a patient or plan member via email, it is also a best practice to obtain the recipient’s written consent before sending PHI by email.

What are the HIPAA email requirements?

The HIPAA email requirements (according to HHS guidance) are to apply reasonable safeguards when emailing PHI, comply with the minimum necessary standard, and ensure the transmission of electronic PHI is in compliance with the Security Rule. The guidance does not mention entering into a Business Associate Agreement with an email service provider, but this is one of the most important HIPAA email requirements whenever emails containing PHI are sent to any recipient.

What is HIPAA email compliance?

HIPAA email compliance means complying with the applicable standards of the HIPAA Administrative Simplification Regulations developed to protect the privacy of individually identifiable health information communicated in an email and to ensure the confidentiality, integrity, and availability of the email. Compliance with these standards does not guarantee the content of an email will remain secure, but it will mitigate the risk of impermissible disclosures and breaches of unsecured PHI.

Is it a HIPAA violation to email PHI?

It can be a HIPAA violation to email PHI if the necessary and appropriate safeguards have not been put in place to protect the privacy of PHI and comply with the Security Rule. Even if these safeguards are in place, HIPAA violations can still occur if an email contains more than the minimum necessary PHI to achieve the purpose of the email or if account credentials are misused to transmit PHI for an impermissible purpose.

Should all emails include a HIPAA compliance email disclaimer?

Emails can include a HIPAA compliance email disclaimer, but it won’t absolve the sender of a HIPAA violation if an email containing PHI is sent to the wrong recipient. Consequently, although a HIPAA email disclaimer may help reassure genuine recipients that an organization complies with the Privacy and Security Rules, it serves no other worthwhile purpose.

The post HIPAA Compliance for Email appeared first on HIPAA Journal.

What is required for HIPAA compliance is for covered entities and business associates to comply with all applicable standards and implementation specifications of the HIPAA Administrative Simplification Regulations in order to protect the privacy and security of individually identifiable health information.

Due to the complexity of the HIPAA Administrative Simplification Regulations, misunderstandings can sometimes exist about what HIPAA is, who it applies to, what is protected by HIPAA, and who is responsible for HIPAA compliance. These misunderstandings can make it difficult to determine what is required for HIPAA compliance.

What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act – an Act passed in 1996 with the purpose of reforming the health insurance industry. Due to the cost of the reforms, a second Title was added to the Act which aimed to counter the cost by reducing fraud in the healthcare industry and simplifying the administration of healthcare transactions.

The Administrative Simplification Regulations are what most people refer to when discussing what is required for HIPAA compliance. The Regulations include the General Provisions and the procedures for the enforcement of HIPAA (Part 160), the standards for electric healthcare transactions (Part 162), and the Privacy, Security, and Breach Notification Rules (Part 164).

Individuals and organizations to whom HIPAA applies have to comply with all applicable standards and implementation specifications of the Administrative Simplification Regulations. This means that, if – for example – a medical office outsources its healthcare transactions to a third party, the medical office does not have to comply with the standards in Part 162 of HIPAA.

Who does HIPAA Apply To?

§160.102 of the HIPAA Administrative Simplification Regulations states that the standards and implementation specifications apply to health plans, health care clearinghouses, and health care providers that conduct or outsource transactions for which a standard exists in Part 162. Individuals and organizations that fall into these categories are called “covered entities”.

HIPAA also applies to “business associates” – third party individuals and organizations that provide a service to or on behalf of a covered entity that involves the creation, receipt, storage, or transmission of Protected Health Information (PHI). Business associates can include outsourced billing companies, cloud service providers, and medical transcriptionists.

Examples of who HIPAA does not apply to include auto insurance companies that provide health benefits as a secondary service, healthcare providers that bill patients directly, publicly funded schools, and employers in their role as an employer. HIPAA also does not apply directly to members of a covered entity’s or business associate’s workforce for reasons explained later.

What does HIPAA Protect?

One of the most common misunderstandings about HIPAA – and one of the biggest barriers to determining what is required for HIPAA compliance – is what does HIPAA protect. The misunderstanding exists due to some sources confusing what is considered PHI under HIPAA with the requirements for de-identifying PHI using the safe harbor method in §164.514(a).

To summarize what does HIPAA protect, any information relating to a patient’s health condition, treatment for the condition, or payment for the treatment is protected by HIPAA. In addition, any information that could be used to identify the patient is protected by HIPAA when it is maintained in the same designated record set as health, treatment, or payment information.

This means – for example – that a patient’s name and cellphone number are protected by HIPAA when they are maintained in the same designated record set as the patient’s health, treatment, or payment information, but they are not protected when they are maintained in a separate database that does not contain health, treatment, or payment information (i.e., for marketing purposes).

Who is Responsible for HIPAA Compliance?

Covered entities are required by §164.530(a) to designate a privacy official who is responsible for the development and implementation of policies and procedures to meet the requirements of the Privacy and Breach Notification Rules. The privacy official does not have to be an existing member of the workforce. The position can be outsourced on a temporary or permanent basis.

In addition, §164.308(a) requires covered entities and business associates to identify a security official who is responsible for the development and implementation of policies and procedures to meet the requirements of the Security Rule. Again, this position can be outsourced, or it can be combined with the responsibilities of the privacy official in a single HIPAA compliance role.

In most cases, covered entities and business associates will already have an individual or team responsible for managing compliance with other federal, state, or voluntary regulations. In many cases, what is required for HIPAA compliance can overlap with what is required for complying with other regulations – for example, the conditions of participation in Medicare, OSHA, and SOC 2.

What is Required for HIPAA Compliance by Workforce Members?

It was mentioned earlier that HIPAA does not apply directly to members of a covered entity’s or business associate’s workforce. The reason for this is that covered entities are required to provide HIPAA training to members of the workforce on the policies that are relevant to their roles. It is not necessary for every member of the workforce to be trained on every HIPAA policy.

In addition, covered entities and business associates must provide security awareness training to all members of the workforce and “ensure compliance” with their policies and procedures by implementing and applying a sanctions policy. Rather than it being necessary for workforces to comply with the HIPAA Rules, workforces are required to comply with the organization’s rules.

There is one exception to this explanation of workforce compliance with HIPAA. When HIPAA was passed by Congress in 1996, it extended §1177 of the Social Security Act to members of the workforce. In the context of what is required for HIPAA compliance by workforce members, a violation of §1177 can result in a workforce member being convicted for the wrongful disclosure of PHI.

What is Required for HIPAA Compliance? Conclusion

It is not surprising some covered entities and business associates have difficulty determining what is required for HIPAA compliance. Misunderstandings about what HIPAA is, who it applies to, and what is protected by HIPAA can be compounded by assuming members of the workforce are required to comply with HIPAA when their compliance obligations are indirect.

Organizations that are unsure of what is required for HIPAA compliance should take advantage of our HIPAA compliance checklist to compare existing privacy and security measures against the standards that apply to their activities. Thereafter, it will be possible to conduct a gap analysis and develop a healthcare compliance program that incorporates the requirements of HIPAA.

Covered entities and business associates that encounter difficulties in conducting a gap analysis, developing a healthcare compliance program, or incorporating the requirements of HIPAA into existing compliance activities are advised to review the HHS Office for Civil Rights Help Pages or speak with an independent compliance professional.

The post What is Required for HIPAA Compliance? appeared first on HIPAA Journal.

Covered entities and business associates are responsible for HIPAA compliance, the compliance of their workforces, and the compliance of any third party service providers to whom Protected Health Information (PHI) is disclosed. To manage the responsibilities, covered entities and business associates are required to designate a Privacy Officer and/or a Security Officer.

Although HHS’ Office for Civil Rights is responsible for enforcing Parts 160 and 164 of the Administrative Simplification Regulations (which include the Privacy, Security, and Breach Notification Rules), there are a number of standards within these Parts which place the responsibility for HIPAA compliance on covered entities and business associates. These standards include, but are not limited to:

§160.304 – The Principles for Achieving Compliance

The standard has two parts. The first part states that the Secretary of Health and Human Services (HHS) will seek the cooperation of covered entities and business associates in obtaining HIPAA compliance, while the second part states the Secretary may provide technical assistance to support voluntary HIPAA compliance.

§160.402 – Basis for a Civil Monetary Penalty

Section (c) of this standard makes covered entities (or business associates) liable for a HIPAA violation attributable to an “agent” of the covered entity (or business associate) acting within the scope of the agency. Agents include members of the workforce and business associates (or subcontractors of business associates).

§164.105 – Organizational Requirements

Section (a)(2)(iii) of this standard lists the responsibilities of a covered entity that is the covered element of a hybrid entity. In the context of answering the question who is responsible for HIPAA compliance, it is reasonable to assume these responsibilities apply to all types of covered entities. The listed responsibilities include:

• Complying with subpart C of Part 160 (“Compliance and Investigations”)
• Implementing policies and procedures to comply with the Privacy and Breach Notification Rules.
• Implementing “reasonable and appropriate” Security Rule policies and procedures.
• Conducting due diligence and entering into compliant Business Associate Agreements when PHI is disclosed to third party service providers.

§164.308 – Administrative Safeguards

The Administrative Safeguards require covered entities and business associates to identify a security official who is responsible for the development and implementation of Security Rule policies and procedures, and to apply appropriate sanctions against members of the workforce who fail to comply with the policies and procedures.

§164.530 – Administrative Requirements

Similarly, the Administrative Requirements of the Privacy Rule require covered entities (and business associates where necessary) to designate a privacy official who is responsible for the development and implementation of Privacy Rule and Breach Notification Rule policies and procedures, workforce training, and applying sanctions.

Is HIPAA Compliance Voluntary or Mandatory?

The Administrative Simplification Regulations include references to “voluntary compliance”, the “flexibility of approach”, and “addressable implementation specifications”. However, compliance with HIPAA is mandatory for individuals and organizations that qualify as covered entities or business associates. This is clear from the “Applicability” sections of the Security Rule (§164.302) and the Privacy Rule (§164.500).

In addition, covered entities and business associates are not only responsible for the compliance of the organization, but also responsible for workforce compliance and compliance of third party service providers that create, receive, store, or transmit PHI for or on behalf of the covered entity or business associate. The secondary responsibilities apply to “agents working within the scope of their agency”.

The “scope” condition means there can be several outcomes to violations by workforce members or business associates. For example:

• If a workforce member violates HIPAA due to not having received HIPAA training or due to the lack of required safeguards, the violation has occurred within the scope of the workforce member’s agency. In this case, HHS’ Office for Civil Rights can conduct a HIPAA investigation and sanction the covered entity or business associate.
• However, if a workforce member is responsible for a violation of 1177 of the Social Security Act having received HIPAA training and when the required safeguards are in place, the workforce member has acted out of the scope of their agency. In this case, the covered entity or business associate is not liable for the violation.

A similar “out of scope” scenario could exist if a covered entity shares PHI with a business associate without conducting due diligence or entering into a Business Associate Agreement. If a data breach subsequently occurs due to the non-compliance of a business associate, the covered entity – rather than the business associate – will be considered liable for the breach by HHS’ Office for Civil Rights.

Designating Who is Responsible for HIPAA Compliance

Designating who is responsible for HIPAA compliance is not just a question of selecting a random member of the workforce and assigning them the role of Privacy Officer and/or Security Officer. Covered entities and business associates have to comply with multiple federal, state, and local laws, and it may be necessary to combine HIPAA compliance with other compliance standards such as those required as a condition of participation in Medicare.

In some cases, the responsibility for HIPAA compliance can be assigned to an existing multi-disciplinary compliance team consisting of representatives from nursing, administration, legal, finance and IT. In other cases, it may be necessary to delegate the responsibility for HIPAA compliance to individual team leaders, with one team leader given the title of Privacy Officer and/or Security Officer to comply with the personnel designation requirement of §164.530.

If existing team leaders do not have the knowledge, capacity, or resources to take responsibility for HIPAA compliance, it may be necessary to employ a new member of the workforce who is responsible for HIPAA compliance, or outsource the responsibility to a third party organization. Covered entities and business associates unsure about who should be responsible for HIPAA compliance in their organizations are advised to speak with a HIPAA compliance professional.

The post Who is Responsible for HIPAA Compliance? appeared first on HIPAA Journal.

Estimates of how much does HIPAA compliance cost have risen sharply since HHS  forecast costs of between $458 and $3,602 for health plans – and of between $1,269 and $10,211 for hospitals – for complying with the Privacy Rule in 1999. A quarter of a century later, mid-range estimates of how much does HIPAA compliance cost fall into the range of between $80,000 and $120,000.

The Health Insurance Portability and Accountability Act was passed in 1996 in an attempt to reform the health insurance industry. To neutralize the costs of the reforms to the industry and protect tax revenues, Congress added measures to reduce fraud and abuse in the healthcare industry and simplify the administration of healthcare transactions such as eligibility checks, authorizations for treatment, and claims for reimbursement.

The measures to simplify the administration of healthcare transactions led to the publication of the Administrative Simplification Regulations (Subchapter C of Subtitle A of the Public Welfare Code). The Regulations include the HIPAA General Provisions, the Transaction Rules and Code Sets, and the HIPAA Privacy, Security, and Breach Notification Rules. Since their publication, the Administrative Simplification Regulations have been updated multiple times.

What Does it Mean to be HIPAA Compliant?

What it means to be HIPAA compliant is that an individual or organization that qualifies as a covered entity or business associate (see “Who Needs to be HIPAA Compliant?” below) complies with all the applicable standards, and implementation specifications of the Administrative Simplification Regulations. For some individuals and organizations, this can mean complying with far fewer standards and implementation specifications than for others.

For example, whereas a large health system that conducts healthcare transactions in-house will have to comply with most of the Administrative Simplification Regulations, a cloud service provider that provides “no view” data storage services as a business associate will only have to comply with the applicable standards and implementation specifications of the Security and Breach Notification Rules – reducing how much it can cost to become HIPAA compliant.

Who Needs to be HIPAA Compliant?

An individual or organization needs to be HIPAA compliant if they qualify as a HIPAA covered entity – i.e., a health plan, a health care clearinghouse or a healthcare provider that conducts electronic transactions for which the Department of Health and Human Services (HHS) has published standards in 45 CFR Part 162. It is important to be aware that not all providers of insured health benefits or all healthcare providers qualify as HIPAA covered entities.

In addition, a third party service provider that provides a service to or on behalf of a HIPAA covered entity also needs to be HIPAA compliant if the service involves the creation, receipt, storage, or transmission of Protected Health Information (PHI). Service providers that provide such services are referred to as “business associates”, and not only must business associates comply with all applicable standards of HIPAA, but their subcontractors must do as well.

How Much Does HIPAA Compliance Cost According to HHS

HHS has only produced partial estimates of how much does HIPAA compliance cost because the different types of organizations covered by HIPAA and because – at the time the proposed Security Rule was published – it was assumed that covered entities who conducted electronic healthcare transaction would already have most of the required security measures in place, and would only need to implement minimal additional measures to become HIPAA compliant.

However, in the Notice of Proposed Rulemaking for the Privacy Rule, HHS estimated the average cost of implementing the provisions of the Privacy Rule as between $337 and $732 depending on the size of an organization and the nature of its activities. This estimation of how much HIPAA compliance cost in 1999 failed to take into account that many covered entities were already required to comply with state laws relating to the privacy of healthcare data.

Similarly, when HHS estimated the average cost of compliance with the Omnibus Final Rule in 2013 at $1,040 per organization, the estimate failed to take into account that many states already had breach notification laws. As 75% of the 2013 Omnibus Final Rule estimate was based on the cost of breach notifications – and the number of future breaches that would incur costs was unknown – it is probably best to ignore this estimated cost of HIPAA compliance.

How Much Does HIPAA Compliance Cost in 2024

Taking inflation into account, the cost of HIPAA compliance in 2024 should be double what it cost in 1999, but that is unlikely to be the case. Although there is no consensus of opinion among compliance professionals, the mid-range estimate seems to be between $80,000 and $120,000 depending on whether compliance efforts are mostly in-house (potentially with help from software or consultants) or completely outsourced.

In reality, how much does HIPAA compliance cost in 2024 depends on the size, nature, and distribution of an organization, the degree of compliance with other healthcare regulations, and the resources available to the organization to become HIPAA compliant. Due to these variables, it may cost less for a larger, multi-specialty, multi-location health system to become HIPAA compliant than for a smaller, single-location dental practice.

Does Size, Nature, and Distribution Matter?

The size, nature, and distribution of an organization is not such a big factor in determining how much does HIPAA compliance cost compared to some other variables. For example, it might be assumed that a large health system providing a variety of medical services to patients in multiple physical service delivery sites and in the community is going to have a larger workforce to train, more standards to comply with, and more compliance challenges to overcome.

However, the HIPAA regulations protecting the privacy of individually identifiable health information are the same regardless of the medical service provided, the additional standards protecting sensitive psychiatry, SUD, and reproductive healthcare information are similar (and only apply to a subset of the workforce), and the implementation specifications for securing PHI apply whether colleagues are communicating PHI from adjoining offices or from miles apart.

Compliance with Other Healthcare Regulations

How much does HIPAA compliance cost is more likely to be affected by the degree of compliance with other healthcare regulations than by an organization’s size, nature, and distribution. For example, a health system that complies with the conditions for participation in Medicare is going to be much closer to HIPAA compliance than a dental practice that only bills health plans and has not implemented any measures to protect the privacy or security of PHI.

Compliance with federal non-health regulations and voluntary standards can also make a difference to how much does HIPAA compliance cost. If a health system complies with OSHA and voluntary standards such as SOC 2, ISO/IEC 27001, or NIST SP 800-66r2, the health system will most likely already have the measures in place to comply with HIPAA’s Disaster Recovery, Contingency Operations Planning, and Emergency Access requirements.

The Resources Available to Become HIPAA Compliant

Similarly, the resources available to become HIPAA compliant are also going to affect how much does HIPAA compliance cost. A large health system will already likely be paying for legal, compliance, and IT services – either directly (i.e., via employed members of the workforce) or indirectly (i.e., outsourced contractors). The health system may only need to redirect the resources it is already paying for in order to fund becoming HIPAA compliant.

A smaller, single-location dental practice might also be paying directly or indirectly for legal, compliance, and IT services. However, the existing paid-for resources are less likely to have the capacity to scale up in order to support HIPAA compliance (depending on the existing degree of HIPAA compliance), and it is more likely that the smaller, single-location dental practice will have to engage third party consultants or outsource certain compliance activities.

How Much Does HIPAA Non-Compliance Cost?

There is no one-size-fits-all scale for how much does HIPAA non-compliance cost because penalties for HIPAA compliance failures are assessed according to multiple factors. These factors include (but are not limited to):

• Whether the covered entity/business associate knew or should have known the compliance failure was a violation of HIPAA.
• The nature and extent of the violation(s), the number of individuals affected, and how long the violation(s) continued.
• Whether the violation(s) resulted in physical, financial, and/or reputational harm, or prevented/hindered access to health care.
• The history of prior compliance and whether violations of a similar nature have previously been reported or notified to HHS.
• How the covered entity/business associate has responded to previous compliance failures or technical assistance provided by HHS.

Even when the penalties for HIPAA violations are not financial, they can still incur indirect costs. HHS Office for Civil Rights initiates hundreds of compliance reviews each year; and, when non-compliance with HIPAA is identified, organizations are required to adopt corrective actions. The corrective actions can include the implementation of further safeguards, revisions to policies and procedures, and workforce retraining – all of which can be disruptive and costly.

Calculating How Much Does HIPAA Compliance Cost

To calculate how much does HIPAA compliance cost, a covered entity or business associate needs to review their current degree of healthcare regulatory compliance against a HIPAA compliance checklist and then conduct a gap analysis to identify what measures need to be implemented to raise HIPAA compliance to the required level. The measures can then be costed to calculate how much achieving a state of HIPAA compliance will cost.

However, HIPAA compliance is an ongoing requirement. Achieving “point-in-time” HIPAA compliance is not sufficient to excuse a covered entity or business associate from a penalty for a violation of HIPAA, and organizations not only need to calculate how much does HIPAA compliance cost, but also how much maintaining a healthcare compliance program will cost. Organizations requiring help with these calculations should seek professional compliance advice.

The post How Much Does HIPAA Compliance Cost? appeared first on HIPAA Journal.

Gmail is HIPAA compliant, and can be used to receive, store, or send Protected Health Information (PHI) when Google’s email service is used as part of an Enterprise Workspace Plan supported by a Business Associate Addendum to the Workspace Terms of Service. To ensure Gmail is used compliantly, it is necessary to configure Workspace controls correctly, apply user policies, and train members of the workforce on how to use Gmail in compliance with HIPAA.

Gmail is the most popular personal email service in the world; and, because most employees are accustomed to how Gmail works, Google’s email service is widely used in business behind customized domain names (i.e., DrJoe@AAAhealth.com, rather than DrJoe@gmail.com). Although several methods exist to operate a Gmail account behind a customized domain name, the simplest method for larger businesses is to subscribe to a Google Workspace account.

There are several levels of Workspace subscription ranging from the “Business Starter” package – which includes Gmail for Business, Drive Storage, Meet Videoconferencing, and Shared Calendars – to the feature-rich Enterprise package. Businesses can often pick the most suitable subscription level based on the number of users, types of services, and features required. This is not the case for all businesses in, or providing services to, the healthcare industry.

Using Email Services in the Healthcare Industry

Because most healthcare providers are required to comply with the HIPAA Administrative Simplification Requirements (which include the Privacy, Security, and Breach Notification Rules), there are two ways to use email services in the healthcare industry. You can either prohibit uses and disclosures of PHI in emails (except when patients exercise their right to request confidential communications by email), or ensure the email service is HIPAA compliant.

Prohibiting uses and disclosures of PHI in emails is impractical unless email is replaced with an equally compliant communication system that integrates with other productivity and collaboration services in the same way as Gmail integrates with other Workspace services. Even then, although an alternative communication system might be suitable for inhouse operations, it could create HIPAA compliance challenges for payers and business associates who do not have a compatible communication system.

Realistically, the only viable option for businesses covered by HIPAA and their business associates is to implement a HIPAA complaint email service. In order for an email service to be  HIPAA compliant, it has to support compliance with the Administrative, Physical, and Technical Safeguards of the Security Rule via series of controls and monitoring capabilities. The vendor of the service also has to be willing to enter into a Business Associate Agreement. So, is Gmail HIPAA compliant?

Is Gmail HIPAA Compliant? It Depends!

Gmail’s compliance with HIPAA depends on the type of Workspace subscription and what other security mechanisms a business already has in place. For example, if a business already has account access and monitoring software from another vendor, it may be possible to get away with subscribing to a Business Starter, Standard, or Plus Plan depending on the size of the workforce and the amount of storage space required by each user or pooled group.

If, however, no other security mechanisms are in place, it will be necessary to subscribe to a Workspace Enterprise Plan in order for Gmail to be HIPAA compliant. However, in addition to having the necessary access controls and monitoring capabilities, the Enterprise Plan includes a Vault feature for securely archiving and retrieving emails, endpoint management for emails sent and received remotely, and DLP capabilities to prevent data breaches by internal bad actors.

In the context of email security, possibly the most useful tool in the Workspace Enterprise Plan is the Security Center. The unified security dashboard can be configured to alert system administrators and security teams to email borne malware attacks, phishing, and spam. It can also help identify, triage, and take action on privacy and security issues, and examine file sharing activities to prevent data exfiltration from both internal and external bad actors.

The Google BAA and Workspace Terms of Service

Before any emails containing PHI are sent or received via Gmail, it is necessary for a Business Associate Agreement to be in place between Google and the covered entity or business associate. Google has a standard one-size-fits-all Business Associate Agreement (BAA) for core services with “covered functionality”; which, rather than being a separate BAA is a Business Associate Addendum to the Workspace Terms of Service.

For businesses familiar with BAAs, the Google Business Associate Agreement holds no surprises and complies with the BAA requirements of the Privacy Rule (45 CFR §164.504(e)) and the Security Rule (45 CFR §164.314(a)). However, before digitally signing the Business Associate Addendum, system administrators are advised to review the Workspace Terms of Service – particularly clause #3 relating to Customer Obligations.

This clause requires businesses to assume responsibility for user behavior when using Workspace services, requires businesses to prevent and terminate unauthorized access to accounts, and stipulates businesses must notify Google when passwords have been compromised or when Workspace services  are used or accessed without authorization. The failure to comply with the Terms of Service can result in a loss of service and the removal of content – including PHI.

Making Gmail HIPAA Compliant

To help businesses make Gmail HIPAA compliant, Google has produced a HIPAA Implementation Guide for all Workspace services with covered functionality. The Guide explains the controls available to ensure (for example) messages are only opened by their intended recipients and that messages containing PHI are not forwarded to third party recipients (which will be useful if the proposed HIPAA changes relating to Attestation are finalized).

In addition to configuring the controls to make Gmail HIPAA compliant, it is also necessary to train members of the workforce on how to use Gmail in compliance with HIPAA. As mentioned previously, most employees are accustomed to how Gmail works; but they are unlikely to be as conscious of privacy and security when emailing friends and family members. HIPAA training on how to use Gmail in compliance with HIPAA will help prevent bad habits being carried over into the workplace.

Finally, if you are unsure about whether Gmail is a suitable email solution for your business, or have concerns about the technical knowledge you will need to make Gmail HIPAA compliant, Google offers all businesses a 14 day free trial of Workspace for up to ten users. The free trial should give your business an opportunity to test Gmail for Business in your own environment with on-call support from Google’s technical team should you require it.

The post Is Gmail HIPAA Compliant? appeared first on HIPAA Journal.

A HIPAA Security Rule checklist helps covered entities, business associates, and other organizations subject to HIPAA compliance to fulfil the requirements of the Security Standards for the Protection of Electronic Protected Health Information (better known as the HIPAA Security Rule). Complying with the Security Rule Standards can reduce the likelihood of HIPAA violations and data breaches attributable to human error and bad actors.

Introduction to the HIPAA Security Rule

The HIPAA Security Rule in Part 164 Subpart C of the HIPAA Administrative Simplification Requirements consists of regulations, standards, and implementation specifications that have the objective of ensuring the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI) created, collected, maintained, or transmitted by covered entities, business associates, and other organizations subject to HIPAA compliance.

All organizations subject to HIPAA must comply with the “applicable” Security Rule  regulations, standards, and implementation specifications. However, because the Security Rule is technology neutral, organizations are allowed a “flexibility of approach” with regards to what security measures are implemented. The flexibility of approach also extends to how organizations fulfil the requirements of “addressable” implementation specifications.

What is a HIPAA Security Rule Checklist?

A HIPAA Security Rule checklist is a summary of the main regulations, standards, and implementation specifications likely to be applicable to most organizations. The reason for the checklist being a summary is that, due to the different types of organizations required to comply with the Security Rule and the flexibility of approach allowed by the Security Rule, there is no one-size-fits all HIPAA Security Rule checklist that will match every organization’s requirements.

Organizations should use this HIPAA Security Rule checklist as the foundation of their own checklists – paying careful attention when developing a checklist to the General Requirement (§164.306(a)) that organizations not only have to protect against any reasonably anticipated threats to the security and integrity of ePHI, but also protect against any reasonably anticipated uses or disclosures of ePHI not permitted or required by the Privacy Rule.

Who This HIPAA Security Rule Checklist Is For

This HIPAA Security Rule checklist is for any member of the workforce with a responsibility for HIPAA compliance. This could be the HIPAA Security Officer or a member of the Compliance Team depending on the size of the organization, or – if elements of compliance are delegated to other teams – this HIPAA Security Rule Checklist could be a valuable guide for a member of an IT, HR, Legal, or Security Team.

With regards to the types of organization this HIPAA Security Rule checklist should help, it has been designed not only to be relevant to HIPAA covered entities and business associates, but also to subcontractors of business associates, vendors of personal health devices, and organizations that do not qualify as covered entities under HIPAA, but may do so under a state law – for example, the Texas Medical Records Privacy Act.

10 Important Elements of Security Rule Compliance

While it is important to review and understand every Security Rule regulation, standard, and implementation specification, there are ten important elements of Security Rule compliance that will apply to most organizations.

1.     Read the Security Standard General Rules

The Security Standard General Rules include the conditions that apply when exercising the flexibility of approach and determining when an addressable implementation specification is not reasonable or appropriate. It is important not to bypass this section because the standards and implementation specifications within it are relevant to the remainder of the checklist.

2.     Conduct a Thorough Risk Assessment

In order to ensure the confidentiality, integrity, and availability of ePHI, it is necessary to know how and where ePHI is created, collected, maintained, and transmitted. For this reason, it is important to identify any unsanctioned software and apps used by members of the workforce (“Shadow IT”) and any systems or devices they connect to.

3.     Control and Monitor All Access to ePHI

Depending on the outcome of the risk assessment, you will be in a better place to determine what access controls are required to ensure only authorized members of the workforce have access to ePHI. However, it will still be necessary to monitor access in order to identify when passwords are shared impermissibly or when login credentials are compromised.

4.     Develop Training Program and Sanctions Policy

The Security Rule requires all organizations to implement a security awareness training program for all members of the workforce regardless of their access to ePHI. Organizations are also required to develop and enforce a sanctions policy for any violation of a security policy or procedure, regardless of whether the violation results in a data breach.

5.     Implement Procedures for Reporting Security Incidents

The Security Rule requires organizations to implement policies and procedures to manage security incidents; but, in order for this standard to be effective, it is important organizations are made aware of security incidents as quickly as possible. For this reason, it is advisable to implement procedures for reporting security incidents as quickly as possible.

6.     Disaster Recovery and Emergency Mode Operation

Most healthcare providers have to implement measures for disaster recovery and emergency mode operation as a condition of participating in Medicare. However, as downstream disasters can affect healthcare providers’ operations, it is essential that all organizations develop, test, and revise disaster recovery and emergency mode operation plans.

7.     Business Associate and Subcontractor Agreements

The reason for including business associate and subcontractor agreements in this HIPAA Security Rule checklist is to remind organizations to refer to §164.504(e) of the Privacy Rule, which includes important information about conducting due diligence on business associates and subcontractors before releasing ePHI to a third party.

8.     Configure Software to Comply with the Security Rule

Most modern software solutions include the capabilities such as (for example) data integrity controls, encryption, and automatic logoff. However, the software is not always configured by default to comply with the Security Rule. The settings of all software used to create, collect, maintain, or transmit ePHI should be reviewed to ensure it is used compliantly.

9.     Address Threats to Facility, Device, and Media Security

It is a best practice to maintain an inventory of devices and media used to create, collect, maintain, and transmit ePHI; and, in addition to ensuring that the devices and media are protected from unauthorized access, the facilities in which they are located should also be protected from unauthorized access to prevent tampering and theft.

10.   Schedule a Review of the HIPAA Security Rule Checklist

The final implementation standard in the Security Rule requires organizations to maintain documentation, review it periodically, and update it as required in response to environmental or operational changes. Due to the changes expected in 2024, organizations are advised to schedule a review of the HIPAA Security Rule checklist for within twelve months.

Expected Changes to Security Rule Standards in 2024

In December 2023,  the Department of Health and Human Services published a Healthcare Sector Cybersecurity Strategy – a concept paper that proposes measures to secure the healthcare industry from cyber threats in line with President Biden’s National Cybersecurity Strategy.  One of the measures proposed in the concept paper is to update the Security Rule to include new cybersecurity requirements.

Due to the length of time it takes for proposed Rules and changes to existing Rules to evolve into Final Rules, it is unlikely the new cybersecurity requirements will take effect in 2024. However, there are several other Rule changes in the pipeline that are likely to impact Security Rule compliance in 2024. These include (but are not limited to):

• The publication of “recognized security practices” that will be considered when determining the amount of a civil monetary penalty for violating HIPAA.
• The requirement to include disclosures of ePHI for treatment, payment, and healthcare operations in an accounting of disclosures (see 42 USC §17935(c)).
• The application of HIPAA violation penalties to impermissible disclosures of Substance Use Disorder Patient Records currently protected by 42 CFR Part 2.
• A new category of “attested” uses and disclosures to prevent reproductive health care data being used or disclosed for a “non-health” purpose.

Organizations that encounter challenges in preparing for these expected changes – or that have difficulty developing a HIPAA Security Rule checklist – are advised to seek professional compliance advice.

The post HIPAA Security Rule Checklist appeared first on HIPAA Journal.

Google Workspace is HIPAA compliant for services that have “covered functionality”, provided HIPAA-covered organizations subscribe to a Workspace Plan that supports HIPAA compliance and configure the services to comply with the HIPAA Security Rule. To make Google Workspace HIPAA compliant, it is also necessary to agree to Google’s Business Associate Addendum (BAA)  to the Workspace Terms of Service Agreement.

Google Workspace – formally known as G Suite –  is a collection of productivity and communication services that can be integrated with each other to streamline workflows and enhance collaboration. It is a popular choice for organizations in the healthcare industry because most users already have experience of services such as Gmail and Drive, while most other Workspace services have familiar controls and are intuitive to use.

However, most organizations in the healthcare industry are required to comply with HIPAA – a federal law which led to the development of privacy and security standards for “Protected Health Information” (PHI). The standards govern how PHI can be used and disclosed, and what measures must be put in place to protect the confidentiality, integrity, and availability of PHI created, collected, maintained, or transmitted electronically.

In the context of the question is Google Workspace HIPAA compliant, it is important that – when PHI is created, collected, maintained, or transmitted by Workspace services – the services have controls in place to support HIPAA compliance with the security standards, the controls are configured to comply with the applicable implementation specifications, and that members of the workforce are trained on how to use the services compliantly.

Which Workspace Plan Supports Compliance?

Excluding the personal (free) and “solopreneur” editions of Workspace, there are four subscription plans for business. Although the first three plans – “Starter”, “Standard”, and “Business Plus” – include basic administrative controls, they lack important features such as shared Drives, retention Vaults, and Data Loss Prevention. If any of these plans are used, it may be necessary to integrate third party solutions to ensure HIPAA compliance.

The Enterprise Workspace Plan supports HIPAA compliance without additional integrations. The Enterprise Plan does not limit the number of users, has S/MIME email encryption, and includes enterprise endpoint management to support the compliant use of personal devices on site or in the community. The Enterprise Plan also include a unified Security Center which provides data on external file sharing, malware attacks, and other security threats.

However, although the Enterprise Workspace Plan supports compliance, it is important to be aware that not every Google service included in or connected to the Plan can be used in compliance with HIPAA. Google recommends restricting user access to core services without “covered functionality” (i.e., Google Contacts) and all non-core services not covered by the Workspace Service Agreement (i.e., Google Photos, Blogger, YouTube, etc.).

With regards to restricting user access to Google Contacts, the recommendation will affect the functionality of other HIPAA compliant Workspace services. Therefore, we suggest ignoring Google’s recommendation. Instead, administrators should implement a policy prohibiting PHI being stored in Google Contacts and monitoring compliance with the policy via the Security Center. (Note: Names and contact details are NOT PHI when maintained separately from health information – see “What is Considered PHI under HIPAA?” for a full explanation).

Which Services have Covered Functionality?

The Workspace services that can be configured to be used in compliance with HIPAA and that are covered by the Google Workspace HIPAA compliant BAA are currently:

To configure these services in compliance with HIPAA, it is advisable to follow the guidance in Google’s HIPAA Implementation Guide. The guidance will not be suitable for every covered entity and business associate because it may be necessary to (for example) integrate a third party app with a Google service. If the default guidance is not to allow access by third party apps, this element of guidance will have to be circumnavigated.

Covered entities and business associates that encounter issues with configuring covered Workspace services should be able to take advantage of Google’s customer support channels depending on the subscription (The Admin Help pages are very good for resolving technical issues). However, for HIPAA-related issues, it is probably more beneficial to seek accurate and timely advice from an external HIPAA compliance expert.

The Google Workspace HIPAA Compliant BAA

Before any Workspace service is used to create, collect, store, or transmit PHI, it is necessary to agree to Google’s Business Associate Addendum (BAA) to the Workspace Terms of Service Agreement. The Google Workspace HIPAA compliant BAA is relatively straightforward and there are no contentious clauses that may cause further issues. In most cases it is possible for Super Administrators to digitally sign the Addendum via the Admin console.

However, before digitally signing the Google Workspace HIPAA compliant BAA, it is important Super Administrators review the Terms of Service Agreement. While the entire agreement should be reviewed, Super Administrators are advised to pay careful attention to the Customer Obligations in Clause #3, which:

• Prohibit the storage and transmission of PHI without a signed BAA,
• Makes customers responsible for end user compliance with the Agreement,
• Requires customers to prevent and terminate unauthorized use of Workspace, and
• Requires customers to notify Google of any unauthorized use of, or access to, a Workspace account (including compromised passwords).

A failure to comply with the Terms of Service Agreement could result in suspension of the account and the removal of content – regardless of compliance with the Google Workspace HIPAA compliant BAA. If this happened to a Workspace account in which PHI was stored, it would not only result in an operational disruption, but also in a HIPAA violation for failing to ensure the availability of the removed PHI.

Why Provide Training on How to Use Gmail?

Google is not unique in having compliance clauses in both its Terms of Service Agreement AND in its Business Associate Agreement. Most software providers do the same. However, many workplace members will already have personal Google accounts which they use with little consideration for the privacy and security of the information they receive, store, and share. (You can check this theory by asking how many users have 2FA enabled on their personal accounts).

Using Gmail and other Workspace services in compliance with HIPAA is a lot different from using the same services for personal use. To ensure the privacy and security of PHI, workforce members should be trained on permissible disclosures, the minimum necessary standard, and verifying the identity of unknown correspondents who request PHI. It is essential they are also trained on detecting malware, phishing emails, and other threats to the security of PHI.

With regards to what has previously been discussed, it is important that members of the workforce are told not to save PHI with contact information, not to import files from non-covered services (i.e., Google Photos), and not to export files to non-covered services (i.e., Blogger). Even if these access to these services have been disabled, inventive workforce members can often find ways to circumnavigate controls to “get the job done”.

Is Google Workspace HIPAA Compliant? Conclusion

It may appear as if there are a lot of hurdles to overcome in order to make Google Workspace HIPAA compliant, but they are not insurmountable – and the benefits are more than worthwhile. Not only can covered entities and business associates in the healthcare sector share PHI compliantly to streamline workflows and enhance collaboration, but they can also better communicate with patients via a range of chat, phone, and video communication tools.

If you would like to find out more about using Google Workspace in your healthcare environment, Google offers a free 14 day trial for up to ten users. This should be long enough for Administrators to configure covered services in compliance with the Security Rule’s implementation specifications and to identify any user issues that may materialize as a result. If, during the free trial, you encounter HIPAA-related issues, you will also have time to speak with a HIPAA compliance expert before committing to a Workspace subscription.

The post Is Google Workspace HIPAA Compliant? appeared first on HIPAA Journal.

Apple Pay is not HIPAA compliant – but, but due the way the payment service works, Apple Pay does not need to be HIPAA compliant before the service can be used by healthcare providers to collect payments from patients, or by health plans to collect payments from plan members. In addition, the payment service is exempted from HIPAA under §1179 of the HIPAA Act.

What is Apple Pay?

Apple Pay is a mobile payment service available on iPhones, iPads, Apple Watches, and other Mac devices that facilitates online, app, and contactless payments. The service works by allowing users to enter the details of their payment cards into an Apple Wallet app. The app then sends the user’s Apple account and device information to the card issuer and creates a unique Device Account Number for each card.

When a user wants to use Apple App to pay for goods or services, they either click on an Apple Pay button for online and in-app purchases, or run their device over a Near Field Communications (NFC) reader for in-store purchases. Apple Pay sends the payment request and the Device Account Number to the card issuer, where the payment is processed. Apple does none of the processing. It only facilitates the payment.

Because of the way the payment service works, the organization in receipt of the payment never has access to the user’s debit or credit card number – or, in the context of is Apple Pay HIPAA compliant – any information that could be used to identify the user. Even Apple does not know what a user buys, where they bought it from, or how much they paid for it. Due to this high level of privacy, any information sent through the service would not qualify as Protected Health Information  (PHI).

HIPAA Exempts Payment Services Anyway

Even without this high level of privacy, it would not be necessary to make Apple Pay HIPAA compliant and sign a Business Associate Agreement with Apple as §1179 of the HIPAA Act exempts “entities engaged in authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for a financial institution. The exemption was confirmed by HHS’ Office for Civil Rights in the preamble to the HIPAA Final Omnibus Rule in 2013.

However, this exemption only applies to the payment facilitation element of Apple Pay. If a covered entity or business associate uses Apple Pay for B2B transactions, there is no exemption for PHI stored in an Apple Wallet app to support transactions or reconcile payments. As Apple will not sign a Business Associate Agreement for the Apple Wallet app, it is a violation of HIPAA to store any individually identifying health information in the Apple Wallet app.

It may also be important for covered entities and business associates to identify – and conduct risk assessments on – any third party integration with Apple Pay. If Apple Pay is used (for example) to reconcile payments, the reconciliation software must be HIPAA compliant and Business Associate Agreements must be entered into with the software vendors. Members of the workforce may also need security awareness training on using Apple Pay in compliance with HIPAA.

Is Apple Pay HIPAA Compliant? Conclusion

For the reasons discussed above, Apple Pay does not have to be HIPAA compliant in order for covered entities and business associates to use the service to collect payments from patients and plan members. When used for B2B transactions, covered entities and business associates may have to implement Apple Pay HIPAA compliant integrations and conduct risk assessments if the integrations will create, collect, maintain, or transmit PHI. Covered entities and business associates with questions relating to is Apple Pay HIPAA compliant should seek professional compliance advice.

The post Is Apple Pay HIPAA Compliant? appeared first on HIPAA Journal.

HIPAA training is good for one year because HIPAA training is required to be completed annually to ensure best practice compliance with evolving regulations and organizational policies, though the frequency can vary depending on specific job roles, updates in HIPAA laws, or organizational requirements. New employees who will have access to Protected Health Information (PHI) are mandated by law to receive HIPAA training to ensure compliance with privacy and security regulations. The HIPAA Privacy Rule and HIPAA Security Rule each have HIPAA training requirements for entities handling PHI.

Under the HIPAA Privacy Rule, training is mandated for all workforce members of covered entities and business associates who handle or have access to PHI, ensuring they understand how to maintain the confidentiality and security of this sensitive information. This includes education on the proper use and disclosure of PHI, the rights of individuals under HIPAA, and the entity’s privacy policies and procedures. The HIPAA Privacy Rule states that “A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information”. The frequency of training is specified “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity”, which is generally interpreted as being at least annual refresher training for all staff.

The HIPAA Security Rule specifically focuses on training regarding electronic PHI (ePHI), emphasizing the importance of securing electronic health records and other digital forms of PHI. It requires that relevant staff are trained on the entity’s security policies and procedures, the handling of ePHI, and awareness of potential security threats.  The HIPAA Security Rule states “Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).”

Both the HIPAA Privacy Rule and the HIPAA Security Rule require that HIPAA training be provided to new employees within a reasonable time frame after hiring and thereafter as needed, typically annually, to ensure staff are up-to-date with the latest regulations, technologies, and threats to PHI privacy and security. The aim is to create a knowledgeable workforce that contributes to the prevention of unauthorized PHI disclosures and enhances the overall protection of patient privacy and data security. It is general best practice that new employees receive HIPAA training as soon as possible.

Documenting HIPAA training helps in proving compliance with federal requirements, reducing the risk of legal issues or fines during audits. Training records are useful for confirming that new hires and staff with access to PHI are properly trained. Training records also allow organizations to track and manage their employees’ training, identifying areas that need further education and ensuring everyone is up to date with current HIPAA rules.

The post How long is HIPAA training good for? appeared first on HIPAA Journal.