HIPAA compliance is essential for minimizing the risk of fines, civil lawsuits, and even criminal charges.
If your business handles patient information, you likely need to comply with the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
Failing to do so puts you at risk of large financial penalties and civil lawsuits.
In this guide, we step you through this key federal law—including who it applies to and its main rules—and offer practical tips for ensuring your business is HIPAA compliant.
Key Takeaways
- Healthcare providers, health plans, and healthcare clearinghouses must comply with the Health Insurance Portability and Accountability Act (HIPAA). Businesses that provide services to these organizations and handle protected health information must also comply.
- HIPAA protects patients’ sensitive health information by setting standards for handling, storing, and sharing protected health information.
- Understanding your HIPAA obligations is essential, as violations can attract hefty fines, civil lawsuits, and even criminal charges.
- HIPAA-compliant software like Connecteam supports compliance with HIPAA and reduces the risk of violations.
What Is a HIPAA-Compliant Business?
To be HIPAA compliant, your business must follow the rules and requirements of HIPAA. These include ensuring the confidentiality and integrity of protected health information (PHI), following standards for storing and sharing PHI, conducting risk assessments, training employees, and introducing measures to protect against data breaches.
Let’s look at HIPAA more closely:
What is HIPAA?
HIPAA is a federal law that sets strict rules for how individuals and businesses in the US healthcare and health insurance industries handle patients’ protected health information.
Protected health information (PHI) is any “individually identifiable health information” (i.e., information that could be used to identify someone) stored or sent by an organization covered by HIPAA. It includes paper, electronic, and oral information.
Examples of PHI include medical records or test results that contain identifying information such as:
- Names
- Dates of birth
- Phone numbers
- Emails
- Social security numbers
- Fingerprints
- IP addresses
- Driver’s licenses
- License plate numbers
- Insurance policy numbers
- Insurance claims history
HIPAA requires covered individuals and businesses to protect patients’ PHI through administrative, physical, and technical safeguards.
The law tries to balance protecting individuals’ privacy and the need to easily share their medical information in certain circumstances to provide effective healthcare services.
The Department of Health and Human Services (HHS) administers HIPAA, while HHS’s Office for Civil Rights (OCR) enforces HIPAA’s Privacy and Security Rules.
Why Is HIPAA Compliance Important?
Ensuring compliance with HIPAA is essential to protecting patient privacy and confidentiality. Personal health information can be highly sensitive, and patients have a right to keep it private.
HIPAA ensures the security of patients’ medical information. HIPAA-compliant businesses reassure patients of their commitment to privacy and confidentiality, building patient trust.
Ensuring your business is HIPAA compliant also helps protect your business from data security breaches. Healthcare businesses are often targeted by criminals wanting access to patient information for fraudulent reasons. Not only is this bad for the individuals whose details are compromised, but it can also harm your business’s reputation.
Most significantly, non-compliance puts businesses at risk of HIPAA violations. Businesses that do not follow HIPAA regulations can face civil fines and even criminal charges in the most severe cases.
The OCR is responsible for issuing civil HIPAA penalties. The amount of these varies depending on the level of negligence that led to the violation. Minimum and maximum penalties are set out in the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and adjusted yearly based on inflation.
The current minimum and maximum fines for HIPAA violations are:
- Tier 1 (reasonable efforts): $137-$68,928
- Tier 2 (lack of oversight): $1,379-$68,928
- Tier 3 (neglect – addressed within 30 days): $13,785-$68,928
- Tier 4 (neglect – not addressed within 30 days): $68,928
The OCR can impose multiple fines, up to an annual limit of $2,067,813 per category.
In the most serious cases, criminal charges can lead to fines and jail time. HIPAA violations may also result in civil lawsuits and large compensation payouts, making them a costly exercise for your business.
📚 This Might Interest You:
HIPAA compliance is one of the most important considerations when setting up a healthcare business—but it is not the only one. We put together a list of the best HIPAA compliance software of 2024 to help your business remain compliant.
Which Businesses Does HIPAA Apply To?
HIPAA applies to two types of businesses: covered entities and business associates.
Covered entities
Covered entities are:
- Healthcare providers (such as doctors, dentists, and pharmacists) who electronically send health information for specific purposes, including claims and benefit eligibility inquiries.
- Health plans, including health insurers, Medicare insurers, and employer-sponsored health plans with 50 or more participants.
- Healthcare clearinghouses, which are businesses that standardize information, such as billing and medical claims, and transfer it between healthcare providers and health insurers.
Business associates
According to the CDC, a business associate is “a person or organization (other than a member of a covered entity’s workforce) using or disclosing individually identifiable health information to perform or provide functions, activities, or services for a covered entity.”
Business associates are third parties who handle PHI while delivering services to covered entities. Examples include companies that provide medical billing, IT, or transcription services to a covered entity.
Business associates can also include subcontractors who work with business associates and access PHI.
Key HIPAA rules
Here are several key rules published by the HHS under HIPAA.
HIPAA Privacy Rule
The Privacy Rule is a set of standards governing how covered entities can use and share PHI. It imposes certain obligations on businesses, including:
- Informing patients of their rights.
- Designing and implementing plans and procedures to protect patients’ information.
- Providing employee training on patient privacy rights and procedures.
- Appointing someone in the organization to oversee privacy procedures.
The Privacy Rule also sets out:
- The necessary steps covered entities must take to protect PHI.
- Who can access PHI, and when and how it can be shared.
- The limited circumstances in which covered entities can share PHI without patient consent.
- Patients’ rights to access and make corrections to their PHI.
- The requirement for covered entities to include specific protections in their contracts with business associates.
The Privacy Rule mainly applies to covered entities. However, where a covered party contracts with a business associate and PHI is involved, the Privacy Rule also places obligations on the business associate.
HIPAA Security Rule
While the Privacy Rule applies to PHI generally, the Security Rule applies to electronic protected health information (e-PHI)—any individually identifiable health information created, sent, stored, or received electronically.
Covered entities and business associates must abide by the Security Rule. The rule requires they take necessary steps to protect e-PHI by introducing security measures, including administrative, technical, and physical safeguards.
The Security Rule is designed to address the unique risks associated with electronic information and records. For example, it addresses:
- What covered entities and business associates must do if there’s a potential breach of e-PHI.
- Conducting risk analyses of potential risks to the security of e-PHI.
- Conducting evaluations to ensure policies and procedures meet the necessary security standards.
- Appointing a security official to oversee these policies and procedures.
- A requirement to ensure their workforce complies.
Breach Notification Rule
A breach occurs when someone accesses, uses, or shares unsecured PHI in a way that isn’t allowed under HIPAA. For example, breaches include an unauthorized employee accessing PHI or a cyberattack on a healthcare organization.
If a covered entity identifies a breach of PHI, they must notify the affected individuals within 60 days. Businesses can do this by sending a letter to the individuals’ last known addresses.
If the business does not have up-to-date contact information for 10 or more affected individuals, it must add a breach notice to its website via a link on its homepage for 90 days.
If the breach affects more than 500 individuals, the covered entity must notify HHS and a prominent media outlet in the relevant state within 60 days. If fewer than 500 individuals are affected, the covered entity can report the breach to HHS within 60 days of the end of the calendar year.
Under the Breach Notification Rule, business associates must notify the relevant covered entity of any unsecured PHI breaches within 60 days.
💡 Pro Tip:
The Breach Notification Rule applies only to unsecured (i.e., unencrypted) electronic PHI and physical documents. Therefore, encryption is an important feature to look for in the healthcare document management software you use in your business.
Tips for staying HIPAA compliant
Understand your HIPAA obligations
Compliance with HIPAA is only possible with a good understanding of the relevant laws. However, HIPAA provisions are complex, and state laws may also apply to your business. Understanding the interaction between these and HIPAA is essential.
Additionally, the exact steps you need to take to ensure your business complies with its HIPAA obligations depend on its size and nature.
For these reasons, speaking to a lawyer or HIPAA expert is important to understand your obligations and how your business can achieve compliance.
The HIPAA Journal is a good starting point for learning about HIPAA generally. This website provides various resources on HIPAA-related topics, including a helpful compliance checklist.
Stay up to date with any HIPAA developments
HIPAA regulations are regularly updated. Staying on top of these developments ensures your business remains compliant.
You could appoint someone in your organization to follow this by routinely checking the HHS website and subscribing to industry publications. For example, the HIPAA Journal has a newsletter for HIPAA updates and proposed new rules.
Conduct regular HIPAA-risk assessments
Risk assessments are mandatory under the Security Rule but apply only to e-PHI. By conducting broader, more regular risk assessments, you can proactively identify any areas you need to address before a HIPAA violation occurs.
HHS’s HIPAA audit protocol provides useful guidance for conducting these risk assessments.
Deliver regular HIPAA training to your employees
HIPAA compliance is an all-of-organization effort. Support your employees in understanding their responsibilities by introducing HIPAA during onboarding and continuing with regular training sessions.
You can conduct these sessions in person or via online training courses. Various companies offer HIPAA training programs, or you can create your own. Tailoring the training content according to roles and responsibilities ensures employees understand how HIPAA rules apply to their specific job functions.
📚 This Might Interest You:
We put together a list of the best healthcare learning management systems to help you train your staff and remain HIPAA compliant.
Use a digital tool to manage protected health information
Using HIPAA-compliant software to securely store, manage, and send e-PHI can help you comply with your HIPAA obligations.
Connecteam’s all-in-one employee app is fully HIPAA-compliant. You can use it to create and manage HIPAA training for your employees, securely share encrypted patient documents, and communicate with your employees in real time—all while knowing the privacy and security of patients’ e-PHI are safe.
Seamlessly manage HIPAA compliance using Connecteam
HIPAA compliance must be a priority when starting or running a healthcare business. Fully understanding your HIPAA obligations is essential to reducing the risk of violations and their consequences. Regular audits, employee training, and the right software further help support compliance.
With HIPAA-compliant software such as Connecteam, you can ensure your document management and communication systems meet HIPAA standards. This not only helps protect patient information but also reduces the risk of violations and fosters patient trust.
Learn more about how Connecteam can help your healthcare business.
FAQs
What is an example of HIPAA compliance?
Examples of HIPAA compliance include:
- Restricting access to patient information to specific users.
- Encrypting electronic PHI.
- Developing clear policies and procedures for handling, storing, and sharing PHI.
- Conducting regular risk assessments to identify potential threats to the security of PHI.
- Training employees to understand their HIPAA obligations.
How do I know if I am HIPAA compliant?
The best way to know if your business is HIPAA compliant is to understand your obligations under HIPAA and then review your policies, procedures, and practices to ensure they meet the required standards. If they don’t, take the necessary steps to address any gaps.
Disclaimer
The information on this website about HIPAA compliance is intended to be a summary for informational purposes only. However, laws and regulations regularly change and may vary depending on individual circumstances. While we have made every effort to ensure the information provided is up-to-date and reliable, we cannot guarantee its completeness, accuracy, or applicability to your specific situation. Therefore, we strongly recommend that readers seek guidance from their legal department or a qualified attorney to ensure compliance with applicable laws and regulations. Please note that we cannot be held liable for any actions taken or not taken based on the information presented on this website.