HIPAA Compliance: What Your Company Needs To Know

The basics you should know before the audit

In the days of the web, data is a valuable thing. When it comes to companies that handle health insurance, personal health information (PHI) is something that should be handled with care, which is why the Health Insurance Portability and Accountability (HIPAA) Act was passed. Keeping patient data protected is of high importance, and HIPAA compliance ensures extra steps are taken to protect data. Additionally, you can avoid fines and violations with compliance, which is why all companies should take steps toward becoming HIPAA compliant. 

 

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is an act that was passed by congress in 1996 and was put in place to help protect patients’ privacy. It’s a federal law created to put standards and procedures in place to keep patient information safe. A patient’s information may not be disclosed under any circumstance unless the patient gives permission, and failing to do so can lead to fines and penalties. 

 

The Basics of PHI

Protected health information (PHI) is handled by a number of entities. During handling, it’s up to the entity to keep all information safe. HIPAA rules line out PHI and claim that all companies that come into contact with it must take measures to protect it. PHI does not only include past and present information involving patients but also future information. Some common examples of PHI include: 

  • Names
  • Telephone numbers
  • Email Addresses
  • Medical record numbers
  • Social security numbers (SSN)
  • Health plan beneficiary numbers
  • Biometric identifiers
  • License plates or any other vehicle identification number 

HIPAA deals with all of the information mentioned above and much more. HIPAA was put in place to protect this data and limit the disclosure of this data between entities. Because this type of data is passed between entities daily, those handling it must be HIPAA certified to know how to handle it and avoid violations and fines. 

 

The HIPAA Privacy Rule

All companies that handle protected health information (PHI) are subject to the Privacy Rule. These entities are in constant contact with sensitive information, which is why they are required to keep up with a certain list of safety precautions. Some of these covered entities include: 

 

Healthcare providers

Healthcare providers deal with a lot of patient information. They may process things like claims, eligibility inquiries, and even referral authorization requests. Because of their involvement with patient information, they have to abide by a set of rules. 

 

Health plans

Health plans provide an individual with medical, dental, and prescription drug insurance, among other things. Many employers have health plans for their workers, which keep a large amount of patient information on file. Not all health plans are HIPAA compliant, however, as those with fewer than 50 total participants are not so additional measures are needed. 

 

Healthcare Clearinghouses

Sometimes, entities that process health information pass information to another entity. They must have HIPAA compliance when they do so, as they may process services to a health plan or provider. 

 

Business associates

Some business associates that work with companies handle patient information. They may partake in data analysis, utilization review, and billing, all of which could have highly sensitive information along with it. 

 

What is HIPAA Compliance?

HIPAA compliance is an outline that sets standards for the lawful disclosure of patient information. These regulations are put in place to ensure that things are handled safely and securely, keeping the integrity of the patient as the top priority. While there are many businesses that should take steps to manage sensitive information properly, there are two types of organizations that must be HIPAA compliant: covered entities and business associates.

 

Covered entities

Covered entities are defined as companies that collect, create, or transmit PHI electronically. Because of the dangers that can come in the processing or transferring of patient data, all companies that come into contact with it must have HIPAA compliance and must take steps to ensure that it’s implemented and understood by all employees. Some of these entities include health care providers, health insurance providers, and even healthcare clearinghouses. 

 

Business Associates

Business Associates are organizations that come into contact with patient data in any way. If they have to come into contact with patient data as part of their service, they must have HIPAA compliance. Because this could include a large number of businesses in all kinds of industries, companies must maintain HIPAA compliance or implement it as soon as possible. Some common Business Associates that need HIPAA compliance include billing companies, third-party consultants, and even EHR platforms. 

 

A Breakdown of HIPAA Compliance Titles

There are five titles in total, and each section is there to protect a specific area of patients’ health. 

 

Title I

Title I was put in place to protect health insurance coverage for those who have lost their jobs. It also helps to prevent insurance companies from denying health care coverage for those who have pre-existing conditions. Insurance companies cannot set limits for lifetime coverage. Under HIPAA law, companies and entities that handle healthcare cannot deny those with a pre-existing condition the right to healthcare and cannot use information from their healthcare providers to avoid covering individuals. 

 

Title II

Title II was put in place to keep insurance companies in check regarding electronic processing. It was put in place to regulate safe electronic access across the board to allow healthcare services to access data easily and electronically. A lot of information is passed between entities in large quantities using different systems and processors. Those dealing with the electronic sharing of data must use a certified HIPAA compliant service and must also ensure that they take steps to keep themselves HIPAA compliant through self-audits and employee training. 

 

Title III

This title protects the insured from everything tax-related when it comes to medical care. It sets guidelines for pre-tax medical accounts and ensures the safe and fair processing of them all to protect all parties involved. 

 

Title IV

In this title, insurance companies have regulations on who they can or cannot deny coverage. Those with pre-existing conditions cannot be dropped and cannot be denied coverage based on their current condition. 

 

Title V

For companies that provide insurance for their employees, this title is there to ensure that all parties act and are treated fairly. This title is also there for those who have lost their citizenship for income tax reasons, allowing them to keep their coverage or apply for new if they need it. 

 

What Does It Mean to Be in Compliance with HIPAA?

HIPAA compliance is regulated by the Department of Health and Human Services (HHS). It’s put in place to ensure that all companies provide their employees with proper insurance and keep everything fair and within the regulations laid out in HIPAA rules. There are a few things that companies must do to be HIPAA compliant, explained by the checklist below.

 

HIPAA Compliance Checklist (what you need for HIPAA compliance)

HIPAA compliance is a huge deal, one that all companies must strive to reach. Keeping compliant takes a few essential elements, all of which we will point out below. When trying to get your business in the correct position, this is what you should look for:

  • Writing out policies and standards of conduct
  • Providing open opportunities for communication about employee support
  • Monitoring and auditing from within
  • Enforcing all of the standards set out in HIPAA rules
  • Taking action when needed when there is an issue with employees.

 

What are the key elements of HIPAA compliance?

Companies can develop an effective HIPAA compliance program, one that makes sure to keep things in fair and working order for both company and employee. When companies put together a HIPAA compliance program, they are taking steps to protect themselves from HIPAA breaches and fines. A few ways that they can do that include: 

 

Self-Audits

While a security risk assessment is one that companies typically take care of, it’s not enough to keep them HIPAA compliant. Instead, companies should take steps to conduct annual audits on their own. These audits will help keep things organized and will help companies find holes in their compliance. Doing an annual audit keeps things running smoothly and will show where companies are vulnerable. 

 

Remediation Plans

Audits are put in place to show weaknesses in a system. When those weaknesses are found, companies need to know what they can do to take care of them and get things back up and running smoothly. This could keep companies away from having to pay for violations. 

 

Employee Training and Policies

Companies are the ones who have to take the initiative when it comes to HIPAA compliance. That’s why they will do well to develop policies and procedures that keep things in check. On top of that, they need to provide employees with training, helping them take on some of the workloads. Usually, companies try and have annual training to keep all employees up to date on all policies and procedures. 

 

Documentation

Keeping a record of all the things you do as a company to stay HIPAA compliant is a great way to avoid violations. Not only does it show organization and initiative, but it also works as a way to remind companies of all they have done. 

 

Business Associates

Companies must also do what they can to extend their HIPAA compliance to vendors that work with them and share PHI. To keep things running smoothly, companies can initiate Business Associate Agreements, keeping all parts of the business negotiations running smoothly. 

 

Incident Management

Incidents happen, and they can be a big part of the learning process. It’s recommended to have an incident response place in plan and to keep an incident report showing when incidents occurred, why they happened, and how they can be avoided next time. If data is compromised, companies need to file an incident report, keeping things on track so that they are better prepared if it happens again.

 

FAQs for G Suite Security

Is G Suite HIPAA Compliant?

When asked about HIPAA compliance, G Suite says that they are compliant and compatible with the framework for protected health information (PHI).

A few requirements must be met to claim HIPAA compliance, including using a paid G Suite version, signing a Business Associate Agreement (BAA), and having G Suite configured correctly to support HIPAA compliance.

 

Can Gmail be HIPAA compliant?

Gmail does not come automatically HIPAA compliant, as email can in no way account for securely processing and handling sensitive data. However, Gmail can be made HIPAA compliant as long as companies implement security measures to keep sensitive data safely secured.

 

What is a HIPAA-compliant email?

HIPAA compliant emails are out there, though there are a few things they have to have to be so. A HIPAA compliant email ensures that an email with PHI is delivered safely and securely to the recipient’s mailbox. Currently, no email provider comes with automatic HIPAA compliance, as it’s something that must be implemented after setup.

 

Is Google Calendar HIPAA compliant?

Yes, Google Calendar is considered HIPAA compliant. That doesn’t mean that companies shouldn’t take extra steps to ensure that it’s safer, implementing better practices and ensuring that it’s used properly. To ensure that both businesses and their employees are using Google Calendars correctly and safely, companies should take steps to train employees and make sure everyone knows the importance of using the system properly.

 

Are Google Sheets HIPAA compliant?

Google signs the Business Associate Agreement (BAA), which means that Google Sheets is HIPAA compliant. Though it’s considered compliant, companies should still take extra measures to increase security, including adding encryptions, access controls, and ensuring they get on a good auditing schedule to keep things running smoothly.

 

Free E-Book: A Closer Look at HIPAA

Download this free IT Compliance: HIPAA E-Book to learn more about HIPAA covered entities, violation penalties, and more. Feel free to share this with people in your industry as well!

 

Download Free HIPAA Compliance E-Book

Are you concerned whether your online data is HIPAA compliant? To find out how your company is performing and isolate weaknesses in your cyber defenses, schedule a call with us or take our free, self-guided IT Security Risk Assessment