What is Required for HIPAA Compliance?

Posted by Steve Alder

What is required for HIPAA compliance is for covered entities and business associates to comply with all applicable standards and implementation specifications of the HIPAA Administrative Simplification Regulations in order to protect the privacy and security of individually identifiable health information.

Due to the complexity of the HIPAA Administrative Simplification Regulations, misunderstandings can sometimes exist about what HIPAA is, who it applies to, what is protected by HIPAA, and who is responsible for HIPAA compliance. These misunderstandings can make it difficult to determine what is required for HIPAA compliance.

What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act – an Act passed in 1996 with the purpose of reforming the health insurance industry. Due to the cost of the reforms, a second Title was added to the Act which aimed to counter the cost by reducing fraud in the healthcare industry and simplifying the administration of healthcare transactions.

The Administrative Simplification Regulations are what most people refer to when discussing what is required for HIPAA compliance. The Regulations include the General Provisions and the procedures for the enforcement of HIPAA (Part 160), the standards for electric healthcare transactions (Part 162), and the Privacy, Security, and Breach Notification Rules (Part 164).

Individuals and organizations to whom HIPAA applies have to comply with all applicable standards and implementation specifications of the Administrative Simplification Regulations. This means that, if – for example – a medical office outsources its healthcare transactions to a third party, the medical office does not have to comply with the standards in Part 162 of HIPAA.

Who does HIPAA Apply To?

§160.102 of the HIPAA Administrative Simplification Regulations states that the standards and implementation specifications apply to health plans, health care clearinghouses, and health care providers that conduct or outsource transactions for which a standard exists in Part 162. Individuals and organizations that fall into these categories are called “covered entities”.

HIPAA also applies to “business associates” – third party individuals and organizations that provide a service to or on behalf of a covered entity that involves the creation, receipt, storage, or transmission of Protected Health Information (PHI). Business associates can include outsourced billing companies, cloud service providers, and medical transcriptionists.

Examples of who HIPAA does not apply to include auto insurance companies that provide health benefits as a secondary service, healthcare providers that bill patients directly, publicly funded schools, and employers in their role as an employer. HIPAA also does not apply directly to members of a covered entity’s or business associate’s workforce for reasons explained later.

What does HIPAA Protect?

One of the most common misunderstandings about HIPAA – and one of the biggest barriers to determining what is required for HIPAA compliance – is what does HIPAA protect. The misunderstanding exists due to some sources confusing what is considered PHI under HIPAA with the requirements for de-identifying PHI using the safe harbor method in §164.514(a).

To summarize what does HIPAA protect, any information relating to a patient’s health condition, treatment for the condition, or payment for the treatment is protected by HIPAA. In addition, any information that could be used to identify the patient is protected by HIPAA when it is maintained in the same designated record set as health, treatment, or payment information.

This means – for example – that a patient’s name and cellphone number are protected by HIPAA when they are maintained in the same designated record set as the patient’s health, treatment, or payment information, but they are not protected when they are maintained in a separate database that does not contain health, treatment, or payment information (i.e., for marketing purposes).

Who is Responsible for HIPAA Compliance?

Covered entities are required by §164.530(a) to designate a privacy official who is responsible for the development and implementation of policies and procedures to meet the requirements of the Privacy and Breach Notification Rules. The privacy official does not have to be an existing member of the workforce. The position can be outsourced on a temporary or permanent basis.

In addition, §164.308(a) requires covered entities and business associates to identify a security official who is responsible for the development and implementation of policies and procedures to meet the requirements of the Security Rule. Again, this position can be outsourced, or it can be combined with the responsibilities of the privacy official in a single HIPAA compliance role.

In most cases, covered entities and business associates will already have an individual or team responsible for managing compliance with other federal, state, or voluntary regulations. In many cases, what is required for HIPAA compliance can overlap with what is required for complying with other regulations – for example, the conditions of participation in Medicare, OSHA, and SOC 2.

What is Required for HIPAA Compliance by Workforce Members?

It was mentioned earlier that HIPAA does not apply directly to members of a covered entity’s or business associate’s workforce. The reason for this is that covered entities are required to provide HIPAA training to members of the workforce on the policies that are relevant to their roles. It is not necessary for every member of the workforce to be trained on every HIPAA policy.

In addition, covered entities and business associates must provide security awareness training to all members of the workforce and “ensure compliance” with their policies and procedures by implementing and applying a sanctions policy. Rather than it being necessary for workforces to comply with the HIPAA Rules, workforces are required to comply with the organization’s rules.

There is one exception to this explanation of workforce compliance with HIPAA. When HIPAA was passed by Congress in 1996, it extended §1177 of the Social Security Act to members of the workforce. In the context of what is required for HIPAA compliance by workforce members, a violation of §1177 can result in a workforce member being convicted for the wrongful disclosure of PHI.

What is Required for HIPAA Compliance? Conclusion

It is not surprising some covered entities and business associates have difficulty determining what is required for HIPAA compliance. Misunderstandings about what HIPAA is, who it applies to, and what is protected by HIPAA can be compounded by assuming members of the workforce are required to comply with HIPAA when their compliance obligations are indirect.

Organizations that are unsure of what is required for HIPAA compliance should take advantage of our HIPAA compliance checklist to compare existing privacy and security measures against the standards that apply to their activities. Thereafter, it will be possible to conduct a gap analysis and develop a healthcare compliance program that incorporates the requirements of HIPAA.

Covered entities and business associates that encounter difficulties in conducting a gap analysis, developing a healthcare compliance program, or incorporating the requirements of HIPAA into existing compliance activities are advised to review the HHS Office for Civil Rights Help Pages or speak with an independent compliance professional.

The post What is Required for HIPAA Compliance? appeared first on HIPAA Journal.

LockBit Affiliate Sentenced to 4 Years in Jail and Ordered to Pay $860,000 in Restitution

Posted by Steve Alder

An affiliate of the notorious LockBit ransomware group has been sentenced in Canada to almost four years in jail and has been ordered to pay more than $860,000 in restitution. Mikhail Vasiliev, 34, is a Russian-Canadian national who was born in Moscow and moved to Canada more than 20 years ago. During the COVID-19 pandemic, Vasiliev became an affiliate of the LockBit ransomware operation, one of the most prolific ransomware-as-a-service groups over the past few years. Around 18 months ago, Vasiliev was arrested following a raid of his home in Bradford, Ontario. The search of his property uncovered a list of prospective and historical victims, instructions on how to deploy LockBit ransomware, the source code of the ransomware, the control panel used to deliver the ransomware, and screenshots of conversations with a core member of the LockBit Group – LockBitSupp – on the Tox messaging platform.

Vasiliev admitted to being an affiliate of the LockBit group between 2021 and 2022 and having conducted attacks on businesses in Saskatchewan, Montreal, and Newfoundland, from whom he stole data, encrypted files, and demanded ransom payments. Vasiliev pleaded guilty to eight counts, including cyber extortion, mischief, and weapons charges. Vasiliev has also been under investigation by law enforcement in the United States for around two years, and last month, the U.S. Department of Justice charged Vasiliev with conspiracy to intentionally damage protected computers and to transmit ransom demands. Vasiliev has consented to extradition to the United States and his extradition is pending. If convicted in the United States, Vasiliev faces a maximum sentence of five years in jail. The DOJ also announced charges against four other individuals suspected of working with the LockBit group.

The LockBit group is alleged to have conducted over 2,000 ransomware attacks in the United States alone and generated more than $144 million in ransom payments in its four years of operation. Several healthcare organizations have fallen victim to LockBit ransomware attacks including Capital Health in New Jersey, Saint Anthony Hospital in Chicago, and Varian Medical Systems in California. In February 2024, the group’s infrastructure was seized as part of an international law enforcement operation, and three individuals suspected of involvement with the operation were arrested in Poland and Ukraine. A few days later, the U.S. State Department announced rewards of up to $15 million for information about the leaders of the group and any information that could lead to the arrest of any individual who participated in the LockBit operation. The LockBit group restored its data leak site within a week of the takedown, set up new infrastructure, and started listing new victims on its data leak site.

The post LockBit Affiliate Sentenced to 4 Years in Jail and Ordered to Pay $860,000 in Restitution appeared first on HIPAA Journal.

HHS-OIG: Pennsylvania Improperly Claimed $551 Million in Medicaid Funds

Posted by Steve Alder

Audits conducted by the Department of Health and Human Services Office of Inspector General (HHS-OIG) of states that claim Medicaid school-based costs with the assistance of contractors have revealed some states have claimed unallowable federal funds due to their contractors improperly conducting random moment time studies (RMTSs). Pennsylvania is the latest state to be audited by HHS-OIG, which found that approximately $590 million was claimed in federal Medicaid payments for school-based services between July 1, 2015, and June 30, 2019, $551.4 million of which was improperly claimed.

For the audit, HHS-OIG reviewed a stratified random sample of 310 random moments, each of which was coded as a health service or administrative activity. HHS-OIG also looked at the methods Pennsylvania used to allocate health services costs to Medicaid.

Based on the sample, HHS-OIG estimated that Pennsylvania claimed $182.5 million in unallowable Federal funds because it did not support that all moments used in RMTSs and coded as Medicaid-eligible were actually for Medicaid-eligible health services or Medicaid administrative activities. Pennsylvania also improperly claimed $368.9 million when it used unsupported ratios to allocate costs to Medicaid. The RMTSs conducted by contractors for Pennsylvania did not cover all days worked by staff members because they were not conducted for the first month of the school year.

HHS-OIG said that the improper claims were due to complex cost allocation methods that were developed by the state and its contractor which were difficult or impractical to support with documentation, or that CMS guidance was not followed. HHS-OIG recommended that the state refund the $182.5 million as these funds were used for unsupported Medicaid-eligible health services and Medicaid administrative activities. HHS-OIG also recommended that the state either support or refund the $368.9 million, as these funds were claimed using an unsupported cost allocation method. HHS-OIG also provided guidance to the state to help with the preparation of accurate and supportable claims.

Pennsylvania agreed with the guidance but disagreed with the monetary and procedural recommendations, specifically disagreeing with the HHS-OIG finding that the moments were not supported as Medicaid-eligible. Pennsylvania claimed that it was not required to provide documentation other than what RMTS participants provided and that it was not responsible for ensuring that all service providers were appropriately licensed. Pennsylvania also claimed that the ratios it used for allocating costs to Medicaid are accurate.

The post HHS-OIG: Pennsylvania Improperly Claimed $551 Million in Medicaid Funds appeared first on HIPAA Journal.