With more and more data breaches hitting the headlines, the Health Insurance Portability and Accountability Act (HIPAA) has garnered more than its fair share of attention in recent years, but what exactly is it? More importantly, how does this US privacy law impact your business? Read on to find out…
In today’s digitally driven society, there’s nary a single day-to-day task remaining that can’t be made simpler in exchange for the handing over of our personal information.
Whether it’s ordering groceries online or getting a ride from an Uber, watching a movie or managing personal finances, the wealth of technological innovations we’ve seen over the past few decades has certainly made life easier for most people, but only on the proviso that those people hand over all manner of data.
As any number of recent, high-profile security breaches can attest to, that data can prove incredibly valuable to criminals should it fall into the wrong hands, not to mention causing some serious problems for organisations who are the victims of such breaches.
All of this, of course, makes data protection a serious concern for any organisation, though none more so than those in the healthcare industry where, beyond the usual categories of personal data that many businesses collect, all manner of sensitive information may be gathered, stored, and processed. So, it’s no surprise that, in the US at least, rules to safeguard that data have been in place for some time. Together, those rules form a single piece of legislation.
The Health Insurance Portability and Accountability Act (HIPAA)
Signed into law on August 21st, 1996 by then-president Bill Clinton, HIPAA introduced several new measures designed to streamline, simplify and standardise healthcare processes in the United States.
Among other things, these measures included some important privacy rules which not only affect healthcare organisations in the United States, but indeed any organisation which handles or processes the protected health information (PHI) of US citizens, regardless as to where in the world that organisation might be based.
But what exactly are these rules? What does your business need to know about them? More importantly, what, if anything, do you need to do about them?
At Relentless Privacy & Compliance, we work with businesses across the globe to help them enjoy frictionless compliance with international privacy laws, and to optimise data protection processes and procedures in a way which generates long-term added value for both the businesses themselves and their customers.
Today, we draw on our wealth of experience in supporting businesses with achieving HIPAA compliance to answer these key questions, and to outline what you really need to know about the health information privacy rules affecting your business.
The HIPAA Privacy Rule Explained
When President Clinton signed HIPAA into law, he effectively ushered in a number of new rules governing healthcare transactions in the United States.
One of these rules was the Standards for Privacy of Individually Identifiable Health Information, better known simply as the HIPAA Privacy Rule. In essence, this rule aims to protect patient privacy by limiting how PHI is used or disclosed. It makes healthcare professionals responsible for providing individuals with an account of each instance in which they disclose PHI for administrative and billing purposes, who that PHI is disclosed to, and why. Much as with data subject requests under the General Data Protection Regulation (GDPR), the rule also gives individuals the right to request and receive a copy of their own PHI, though unlike GDPR, HIPAA does give healthcare organisations the option to charge administrative fees to cover the cost of copying and mailing those records.
Other requirements of the HIPAA Privacy Rule
As with other privacy regulations, the HIPAA Privacy Rule doesn’t concern itself merely with data access. It also provides organisations with several administrative obligations, including:
- Appointing a privacy official (often called a Chief Privacy Officer or CPO for short) who is responsible for developing, implementing and overseeing privacy policies and procedures.
- Ensuring that all staff, as well as volunteers and trainees, are fully trained on all privacy policies and procedures.
- Implementing a process that allows people to make a complaint about privacy policies and procedures should they need to.
- Ensuring that any harmful effects of a data breach are mitigated as much as possible.
- Ensuring that appropriate administrative, technical, and physical safeguards are in place to minimise the risk of a potential breach.
On the subject of safeguarding, much of this is covered by the Security Standards for the Protection of Electronic Protected Health Information, or the HIPAA Security Rule as it’s more frequently known. This rule requires health care providers to identify the threats to information systems which contain PHI and put in place the appropriate physical and electronic measures needed to minimise and counter those threats.
Who Has to Comply With HIPAA?
Both the HIPAA Privacy Rule and HIPAA Security Rule apply to a wide range of what the law calls “covered entities.”
These covered entities include:
- Health plans, such as HMOs, Medicare, Medicaid, and health maintenance companies.
- Health care providers, such as doctors, dentists, surgeons, pharmacies, nursing homes and podiatrists.
- Health care clearinghouses, such as billing services or other organisations who collect data from one organisation, process it, and deliver it to another organisation.
It doesn’t end there, either.
HIPAA Business Associates
In 2017, the HIPAA Omnibus Rule was introduced. Along with modifying existing HIPAA rules to better reflect the advancements in modern technology made since 1996, the Omnibus Rule also decreed that business associates (and their subcontractors) would now be held to the same standards for protecting PHI as the companies they work for. In this case, HIPAA defines a business associate as any individual or organisation who works with or provides services to a covered entity who uses PHI.
In 2016, the HHS Office for Civil Rights (OCR) further clarified that this extends to include cloud service providers such as data storage services and even smartphone apps.
How Does this Affect Non-US Businesses?
While most actual covered entities are likely to be based in the United States, the increasing cost benefits of outsourcing certain data processing and storage tasks to offshore firms means there are many more non-US businesses who find themselves falling under the category of HIPAA business associate. If you store, collect or process the PHI of US citizens on behalf of a HIPAA covered entity, this means that you are equally as accountable for ensuring that you are HIPAA compliant as the businesses you work with or for.
But what exactly does HIPAA compliance actually look like, and how do you go about achieving it?
HIPAA Compliance for Covered Entities and Business Associates
Before you do much of anything, it’s worth checking whether your existing compliance measures for other privacy regulations can be used to help you with HIPAA compliance. It may be, for example, that many of the systems and processes you have in place to ensure frictionless compliance with GDPR can be used to help you adhere to HIPAA rules. Conversely, if your business is already compliant with HIPAA but you’re currently in the process of risk assessing for GDPR compliance, you may find that there is little, if any, need to duplicate your efforts.
Take data subject access requests. It may be that the system you have in place for responding to those requests under GDPR will work just as effectively for HIPAA, and vice versa.
Likewise, both regulations require that you have strict physical, technological and administrative data protection measures in place, and both require at least some level of express consent or authorisation from a user in order to process their data.
Depending on the nature of your business, you may also find that some of the requirements of the HIPAA-mandated Chief Privacy Officer and those of a Data Protection Officer as required by GDPR are similar, if not the same. Potentially, this could mean combining both roles into one position.
Setting Agreements With Business Associates
Of course, getting your own house in order is only half the battle.
If you use third parties to process data, then no matter where in the world those third parties are based, you’re going to have to ensure that you have a sufficient HIPAA Business Associate Agreement (BAA) in place with them.
This is a binding contract between your business and your business associate that contains vital information including:
- A description of how the business associate is required and permitted to use PHI.
- An agreement that the business associate will not use or disclose PHI in any way other than as specified in the contract or required by law.
- An agreement that the business associate will use specific and appropriate PHI protection safeguards.
- A requirement for the covered entity to take reasonable action to cure a data breach by the business associate if and when it becomes known. If it cannot do this, the covered entity will be required to terminate the BAA contract.
- A requirement that any data breach is reported to the OCR if the contract can’t be terminated.
What You Need to Know as a Business Associate
Having signed the BAA with the covered entity you provide services to, it’s important to be aware that, under the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, you could be subjected to audits by the OCR and liable to pay penalties for non-compliance. Though the penalties may be severe, this doesn’t have to be as scary as it sounds.
Whether you’re a covered entity or a business associate, no matter where you are in the world, Relentless Privacy & Compliance are on hand to help you optimise your processes, policies and workplace culture in order to enjoy frictionless compliance with HIPAA, GDPR, and other international privacy legislation.
We can do this by providing training and consultation, by offering you an affordable alternative to hiring a Chief Privacy Officer in-house, or by giving you hands-on support to help you design and develop your data protection systems.
Book your free, initial consultation online today, or call us now on +44 07732841440.