If your company creates, receives, maintains, or transmits electronic protected health information (e-PHI), you probably already know that you are subject to HIPAA, the U.S. federal law that sets the legal standard for protecting patient health data.
So, if you’re working on compliance or inheriting an already-working compliance program, what do you need to know about HIPAA? What is it exactly? How can you make sure your business stays compliant? And is there overlap with other popular compliance frameworks like SOC 2?
Read on for answers.
What is HIPAA?
HIPAA (the Health Insurance Portability and Accountability Act) is the U.S. federal law that sets the legal standard for patient health data protection. It was enacted in 1996, and its rules apply to covered entities (health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically) and to the business associates that handle protected health information on their behalf. Every such organization must have a compliance program in place.
The goal of HIPAA is to set and enforce privacy and security standards for protected health information (PHI): individually identifiable health information that relates to a patient's past, present, or future physical or mental health, the provision of healthcare to the patient, or payment for that care.
Noncompliance can lead to stiff civil penalties (tiered from $100 to $50,000 per violation, subject to annual caps and inflation adjustments), criminal penalties in cases of knowing misuse, and, perhaps worse, loss of patient trust.
The more healthcare digitizes (patient databases, online collaboration between doctors, consultations over video chat or online portals), the larger the attack surface for breaches becomes, and the more important robust security and compliance programs are for protecting patient health information and preserving that trust.
The HIPAA security rule
HIPAA is implemented through a series of rules. The one security teams deal with most is the security rule.
The security rule applies specifically to e-PHI and requires administrative, physical, and technical safeguards. Its implementation specifications are either "required" (you must implement them) or "addressable" (you must implement them, or document why a particular specification is not reasonable and appropriate for your environment and what you do instead; "addressable" does not mean optional). Exactly which safeguards are reasonable for your company will vary with its size and complexity, its technical infrastructure, and its risk factors. The rule itself requires a formal, documented risk analysis, and that analysis is the best way to understand how your company can and should address compliance.
The HIPAA privacy rule
The second important HIPAA rule is the privacy rule. It governs how protected health information in any form, electronic, paper, or oral, can be used and shared.
Can you share health information between doctors? What about across hospitals? What safeguards and policies should be in place around that sharing? These are the kinds of questions the privacy rule asks us to consider.
The privacy rule gives patients explicit rights to obtain and examine copies of their own health records, to request corrections, and to receive an accounting of certain disclosures. Companies must respond to access requests within 30 days (one 30-day extension is allowed). Uses and disclosures outside treatment, payment, and healthcare operations, such as most marketing and research, generally require the patient's written authorization.
The HIPAA enforcement rule
The HIPAA enforcement rule covers how HHS investigates complaints and conducts compliance reviews, how liability is determined, and how civil money penalties are calculated if you fall out of compliance.
The HIPAA breach notification rule
Finally, there's the breach notification rule. It specifies that you must notify affected patients without unreasonable delay and no later than 60 days after discovering a breach of unsecured PHI; notify the Department of Health and Human Services (HHS) at the same time, and prominent media outlets in the affected area, if the breach involves 500 or more individuals; and log smaller breaches (fewer than 500 individuals) for an annual report to HHS. A business associate that discovers a breach must notify the covered entity it serves.
What Types of Organizations are Subject to the HIPAA Rules?
HIPAA rules apply to two main groups: covered entities and business associates. According to the U.S. Department of Health & Human Services (HHS), a covered entity is a health plan, healthcare clearinghouse, or healthcare provider, while a business associate is "a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity." Because most healthcare providers and health plans don't perform every healthcare function themselves, it's common to engage a business associate for a specific task, and that relationship must be governed by a business associate agreement (BAA). Cloud service providers (CSPs) are business associates when a covered entity, or a business associate's subcontractor arrangement, uses them to create, receive, maintain, or transmit e-PHI. Per HHS guidance, this holds even if the CSP stores only encrypted e-PHI and never holds the decryption key.
It's important to note that, per HHS guidance, a CSP is not a business associate "if it receives and maintains only information de-identified following the processes required by the Privacy Rule." The privacy rule does not restrict the use or disclosure of properly de-identified information, and the security rule does not require safeguards on it, because it is not "protected health information." The caveat in practice: de-identification must follow one of the privacy rule's two methods (the safe harbor removal of specified identifiers, or a documented expert determination); merely stripping names is not enough.
Becoming HIPAA compliant
Much like SOC 2, HIPAA has no official certification; HHS does not certify or endorse any compliance program, and a third-party audit is not itself a HIPAA requirement. What organizations do to demonstrate compliance to customers and partners is engage an audit firm to assess their controls against the HIPAA rules and issue an attestation. This is often bundled with a SOC 2 report and called SOC 2+.
The good news is that if you are already working on SOC 2 compliance, you're likely well on your way to HIPAA compliance as well. There is substantial overlap in the security and privacy requirements of the two frameworks, though HIPAA adds obligations (BAAs, patient rights handling, breach notification timelines) that SOC 2 does not cover.
While there is no hard-and-fast list of requirements (because, again, your business size, complexity, etc. will be taken into account), some of the things you will likely need to put in place to become compliant include:
- Data encrypted in transit and at rest using NIST-approved algorithms and configurations (encryption is an "addressable" specification, but e-PHI encrypted to this standard is considered "secured" and its loss is not a reportable breach)
- Access control
- Activity logs and audit controls
- Automatic log-offs
- Facility access controls
- Workstation use/location policies
- Mobile device policies
- Hardware inventory
- Risk management policies
- Risk assessments
- Employee training
- Emergency planning (and testing of emergency plans)
- Restricted third-party access, with BAAs in place for every vendor that touches e-PHI
- Security incident procedures and incident reporting
One significant way to jump forward in your HIPAA compliance journey is through automation—of security, processes, monitoring, and record collection.
When these processes are manual, there's more room for human error: files are misplaced, processes are forgotten or skipped, evidence is collected inconsistently. Done well, automation makes the process repeatable and hard to skip, keeps evidence where you expect it, and removes much of the opportunity for human error (it does not remove the need to review what the automation reports). It also frees up your teams to focus on patient care instead of tedious admin work.
Automation with a platform like Drata helps you not only get compliant, but also stay compliant by surfacing control failures before they become breaches, making sure processes are followed the same way every time, and documenting compliance through continuous monitoring and record-keeping.
HIPAA vs. SOC 2 and other security frameworks
HIPAA and SOC 2 are not twins, but if you’re familiar with SOC 2, you probably noticed the overlap above. If you’ve already used Drata for SOC 2 or ISO 27001, adding HIPAA only requires an additional set of controls and monitoring. Data encryption, access controls, workstation use policies, mobile device policies—these are things you’re already working on if you are standing up and maintaining your SOC 2 program.
This means that if you are working on SOC 2, you’re probably also working on HIPAA—even if you didn’t know it.
Need help planning, automating, and tracking your HIPAA compliance program? We partner with best-in-class firms to support you on your compliance journey. Schedule a demo to see how we can help.