XMedius HIPAA Hub:
Compliance & Security Information
As a preferred solutions provider in the healthcare market, XMedius is dedicated to offering solutions that improve productivity, minimize risk, and simplify regulatory compliance for our healthcare customers. Our solutions have enabled HIPAA compliant communications and data handling for:
- Private Practices (Physicians, Dentists, Mental Health Practitioners)
- Health Plan Providers
- Government Employers
- And more
Whether you’re new to learning about HIPAA or are polishing up your knowledge, our guide is designed to help you easily understand the essentials of HIPAA compliance so that you’re equipped with the information you need on the road to compliance.
HIPAA is the cornerstone of modern medical records management regulation in the U.S. Businesses that handle sensitive medical information, whether they are healthcare providers themselves or companies providing services to those providers, need to account for the security and record keeping of all identifiable health data they handle.
When HIPAA was created, it was designed to evolve with the times, and while businesses may have understood what HIPAA compliance involved in the early days, a lot has changed since then. Our secure file exchange and communications solutions are tailor-made to facilitate easy, consistent HIPAA compliance, protecting businesses from fines and negative PR.
The Basics of HIPAA
When was HIPAA enacted?
While HIPAA was enacted in 1996, part of the law directed the Department of Health and Human Services (HHS) to establish rules in the event Congress didn’t within a set period of time, so portions of HIPAA weren’t authored until later.
HHS was eventually required to establish the rules (as Congress didn’t act within three years). The final Privacy Rule, which actually set the national directives for protection of personal information, wasn’t published until the end of 2000. Everyone was required to comply by April 2004.
The Security Rule, which introduced national regulations for protecting electronic health information, was established in the beginning of 2003, with all covered entities required to comply by early 2006.
In 2013 the HIPAA Omnibus Final Rule made extensive modifications and updates to the original law, changing it into the HIPAA we know today.
What does HIPAA stand for?
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996.
What is HIPAA?
HIPAA is a landmark American law covering the U.S. medical system.
HIPAA had two primary goals:
- Adding safeguards to protect people’s ability to keep or replace their health insurance when leaving or changing jobs, even if they have pre-existing conditions. It’s worth mentioning that these safeguards had conditions attached to them which have since been removed by the Affordable Care Act (aka Obamacare).
- Establishing nationwide, standardized rules for the storage, transfer, protection, and release of personal medical records.
HIPAA’s medical insurance consumer protections have made it easier for people to get and keep health insurance despite prior conditions or turbulent life circumstances, like the loss of a job.
The privacy portion of HIPAA is important because it protects patients’ medical records and establishes a universal standard for how those records should be handled. From coast to coast in the US, all medical providers who qualify as Covered Entities (and their Business Associates) have to follow the same rules and confront the same challenges.
Patients know what privacy protections they can expect, and businesses know what they have to provide. Contracts, forms, company policies, industry standards, and software can all be built with HIPAA compliance in mind.
What are the HIPAA Titles?
HIPAA was split into five sections (called “Titles”), each addressing a different aspect of healthcare. Here’s a brief description of each:
Title 1: Health Insurance Reform
Title 1 has three different customer protection provisions aimed at reforming practices in the American health insurance market:
- It protects employees’ coverage when they change or lose jobs.
- It prevents insurance companies from excluding people in group plans from coverage based on specific preexisting conditions.
- It prevents insurance companies from setting lifetime coverage limits.
Title 2: Administrative Simplification
Title 2 directed the U.S. Department of Health & Human Services (HHS) to establish a nationwide standard for processing electronic healthcare transactions.
This is the section of the law that contains the HIPAA Privacy and Security Rules, the portions of the law that dictate compliance and that people care the most about today. It was created in response to the rise of electronic medical records. Previously, record security and handling guidelines were established by each individual healthcare provider; there was no national standard.
HIPAA directed the Department of Health & Human Services (HHS) to establish a single set of transaction standards, privacy rules, and security rules covering the healthcare system as a whole. HIPAA guidelines supersede any local laws that are weaker than them, making it far easier for businesses to know what is expected of them. However, while HIPAA sets the minimum standards, state laws can set more stringent requirements that organizations must abide by.
For example, HIPAA requires patients be notified of breaches within 60 days, but California law supersedes that with a stricter requirement of 15 days.
Title 3: Tax-Related Provisions Regarding Medical Savings Accounts
Title 3 lays out rules standardizing the amounts of an employee’s salary that they can divert into pre-tax health savings accounts (HSA) paired with high-deductible health insurance plans.
Title 4: Application and Enforcement of Group Health Plan Requirements
Title 4 lays out in more detail the mechanisms involved in enforcing the new rules (in Title 1) covering group health plans.
Title 5: Various Revenue Offsets
Title 5 covers complicated tax rules, including those on premiums for company-issued life insurance. It repeals the financial institution rule on interest allocation and expands taxes and reporting on American citizens who voluntarily give up citizenship to change their tax status.
How does HIPAA cover patient medical information?
HIPAA Title 2 is the section that lays out standards for electronic medical records, but also contains the crucial Security and Privacy Rules. Here’s a breakdown of what’s in there:
Unique Identifiers Rule
All healthcare entities, including individuals, health plans, employers and healthcare providers must have a national provider identifier number (NPI).
Transactions and Code Sets Standard
This standard established a nationwide, standardized system for electronic data interchange (EDI), which all healthcare organizations are required to use to submit and process insurance claims.
Privacy Rule
(Standards for Privacy of Individually Identifiable Health Information)
This rule defines protected health information (PHI) and creates rules for creating, storing, and sharing it that preserve patient privacy.
Security Rule
(Security Standards for the Protection of Electronic Protected Health Information)
This rule establishes nationwide minimum standards for the storage, transport, and release of electronic protected health information (ePHI).
Enforcement Rule
Establishes the guidelines for investigations into possible HIPAA compliance violations.
How has HIPAA changed over the years?
The HITECH Act
The Health Information Technology for Economic and Clinical Health Act (HITECH Act) is one part of The American Recovery and Reinvestment Act of 2009 (ARRA). The HITECH Act’s purpose was to jumpstart the American healthcare industry’s move into electronic medical records (EMR) through financial incentives for implementing and making “meaningful use” of EMRs in patient treatment.
The HITECH Act also added new rules dictating updated penalties and mandatory reporting of large (500+ patient) data breaches to HHS, the news media, and affected patients.
Finally (with regards to HIPAA), the HITECH Act extended full HIPAA compliance requirements from Covered Entities to Business Associates (and their subcontractors) and put tighter requirements in place for having a Business Associate Contract between Covered Entities and Business Associates. New Business Associate Contracts and Notices of Privacy
The Omnibus Rule Update
The Omnibus Rule Update of 2013 further refined HIPAA’s information privacy and security rules into what they are today. It was responsible for (among other things) implementing the HIPAA changes mandated by the HITECH Act.
In addition to the changes discussed in the HITECH Act section above, the additional changes introduced were:
- PHI is protected for up to 50 years after a patient’s death (previously that protection was indefinite, which could be a hardship for Covered Entities and their Business Associates).
- Patients can elect to not have medical information shared with insurance companies for services they pay for out of pocket.
- Tighter breach reporting requirements for Covered Entities and their Business Associates.
- The Department of Health and Human Services (HHS) received a new mandate to perform periodic compliance audits.
- Unsecured PHI could be considered grounds for a breach notification, whether there was a record of unauthorized access or not.
- An allowance for waiving HIPAA protections temporarily in the event of a natural disaster (such as a hurricane) requiring a massive healthcare mobilization.
- Rules regarding marketing & fundraising uses of PHI.
GINA is the acronym for the Genetic Information Nondiscrimination Act of 2008. It’s a law passed by Congress with the goal of preventing insurance companies and employers from discriminating against people based on their genetic predispositions. GINA expanded HIPAA’s PHI definition to include genetic information.
HIPAA Pitfalls to Avoid at All Costs Webinar
Join Mike Semel, a certified HIPAA security professional, for a guided tour through common pitfalls your employees can unwittingly fall into leading to HIPAA violations for your organization.
Obligations to Protect Patient Information
What businesses does HIPAA apply to?
You are likely considered a “Covered Entity” and subject to HIPAA regulations if you are a:
Health Plan
(Note: businesses above a certain size that self-fund health plans and reimburse employees for health expenses are considered health plans.)
Health Care Clearinghouse
(billing service, community health information or health management information system, repricing company, “value-added” networks and switches)
Health Care Provider who transmits medical data electronically
(doctor’s office, hospital, physical or mental health therapist, lab, etc.)
Doctors that do not electronically transmit medical data because they perform non-insurance-billable elective procedures (like plastic or cosmetic surgery) are not covered by HIPAA.
Organizations that handle information for Covered Entities can be categorized as “Business Associates” and are also subject to HIPAA.
What are HIPAA Business Associates?
Even if businesses you work with do not themselves provide health care or health coverage, they may be classified as “Business Associates” under HIPAA if they handle medical data on your behalf. That means you may be liable for any HIPAA violations they commit with your patients’ information, unless you protect yourself with a Business Associate Contract laying out their obligations.
Businesses and services that may be classified as Business Associates include:
- Health information organizations
- E-prescribing gateways
- Providers of data transmission services that will carry or need access to Protected Health Information
- People offering a personal health record to individuals on your behalf
- Subcontractors who receive, maintain, or transmit Protected Health Information on your behalf
- Pharmacy benefits managers
- Third party administrators
- Independent medical transcriptionists
- Independent accountants and employees of accounting firms
While the Security Rule came into effect in 2005, long before the Cloud, it has since been updated in 2016 with Cloud Service Guidance. The Business Associate system is a very important consideration in the Cloud era, because any cloud-based services you or your employees ever use for medical data (including many free services intended for use by private citizens) are considered Business Associates under the law. This status applies to them even if the information is encrypted before you send it over and they don’t have the key. If your data is in their care, they’re an Associate.
If an entity your business works with could be considered a Business Associate under HIPAA, you must get a Business Associate Contract in place that requires them to align their handling of your data with your obligations under HIPAA.
What is Considered Protected Health Information (PHI) Under HIPAA?
Medical data covered by HIPAA are referred to as Protected Health Information (PHI, ePHI when in electronic form).
PHI is defined by HIPAA as any “individually identifiable health information,” whether stored or transmitted electronically, on paper, or via speech.
Anything personally identifiable that provides insight into a person’s past, present, or future mental or physical health, or payments for their care, is generally covered by HIPAA’s privacy and security rules.
Information that can identify the patient, if on the document, includes:
- Names, or part of names, including initials
- All geographical subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code
- All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, date of death, etc.
- Phone & fax numbers
- E-mail addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Website URLs
- Internet Protocol (IP) addresses
- Biometric identifiers, including finger and voice prints
- Full face photographic images (or comparable images)
- Any other unique identifying number, characteristic, or code
Personal medical records and other information from which every tie to the individual patient (and every possible way of re-identifying them) has been removed, as is typical in trials and studies, can be designated “De-Identified Medical Information” and are no longer subject to HIPAA controls.
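As an added example (not code from XMedius or this page), the following Python applies the safe-harbor style de-identification described above to a constructed patient record: direct identifiers are dropped, dates are reduced to the year, ZIP codes are cut to their first three digits, and identifiers that leaked into free-text fields are redacted, with a final check for anything that survived. The field names, regular expressions, and sample record are assumptions for the example; the set of three-digit ZIP prefixes that must become 000 (HHS guidance for areas of 20,000 or fewer people) is left for the caller to supply from census data.

```python
import re
from datetime import date

# Constructed sample record; every value here is made up for the example.
SAMPLE_RECORD = {
    "name": "J. Doe",
    "mrn": "MRN-0042",
    "dob": "1961-03-14",
    "admission_date": "2023-11-02",
    "zip": "90210",
    "phone": "555-0100",
    "email": "jdoe@example.com",
    "ip": "192.0.2.7",
    "diagnosis": "Type 2 diabetes",
    "note": "Seen on 2023-11-02. Reach patient at jdoe@example.com or 555-0100.",
}

# Assumed field names holding identifiers the list above says must be removed
# outright: names, medical record numbers, phone/fax, e-mail, SSN, IPs, etc.
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "initials", "mrn", "ssn", "phone", "fax", "email", "ip", "url",
    "account_number", "beneficiary_id", "license", "plate", "device_serial",
})
# Date fields are generalized to the year rather than dropped.
DATE_FIELDS = frozenset({"dob", "admission_date", "discharge_date", "date_of_death"})

# Conservative patterns for identifiers that leak into free text (assumed).
FREE_TEXT_PATTERNS = [
    re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),          # ISO date
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),          # US Social Security number
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),       # e-mail address
    re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"),    # IPv4 address
    re.compile(r"\b(?:\d{3}-)?\d{3}-\d{4}\b"),     # US phone number
]


def generalize_date(value: str) -> str:
    """Keep only the year, the one date element the safe-harbor list allows."""
    return str(date.fromisoformat(value).year)


def generalize_zip(value: str, restricted_zip3: frozenset) -> str:
    """Keep the first three digits, or 000 for prefixes the caller flags as
    covering 20,000 or fewer people (HHS guidance; set supplied by caller)."""
    zip3 = value[:3]
    return "000" if zip3 in restricted_zip3 else zip3


def scrub_free_text(text: str) -> str:
    """Replace any identifier-looking substring in narrative text."""
    for pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text


def deidentify(record: dict, restricted_zip3: frozenset = frozenset()) -> dict:
    """Return a new record with direct identifiers removed and the rest generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                      # drop the field entirely
        if key in DATE_FIELDS:
            out[key] = generalize_date(value)
        elif key == "zip":
            out[key] = generalize_zip(value, restricted_zip3)
        elif isinstance(value, str):
            out[key] = scrub_free_text(value)
        else:
            out[key] = value
    return out


def residual_identifiers(record: dict) -> list:
    """Verification pass: names of fields that still look like identifiers."""
    hits = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            hits.append(key)
        elif isinstance(value, str) and any(p.search(value) for p in FREE_TEXT_PATTERNS):
            hits.append(key)
    return hits


if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD)
    print(cleaned)
    print("residual identifiers:", residual_identifiers(cleaned))
```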
How many years after a person’s death is their PHI protected?
When HIPAA first came into effect, PHI was protected indefinitely. This was viewed as a significant record keeping hardship for Covered Entities and Business Associates, so in 2013 the Omnibus Rule Update changed that to require PHI be secured for 50 years after a patient’s death.
HIPAA vs State Laws
When HIPAA and state laws conflict, which wins?
HIPAA was designed as a national baseline that all healthcare organizations across the country had to adhere to. However, many states have laws that put in place stricter requirements than HIPAA.
When there is a conflict between the two on a specific point, whichever provision is stricter wins. This is on a point by point basis, so a state law may enact stricter protections on some parts of privacy practices, while HIPAA controls other parts.
For example, if a state law requires faster disclosure of breaches than what is necessary under HIPAA, that part of state law applies. If HIPAA requires more data security measures than (likely older) state laws, HIPAA’s provisions apply.
To put it another way, whatever is in HIPAA is always the minimum requirement, but is never guaranteed to be the maximum requirement. This makes it critically important that organizations be aware of both HIPAA requirements and applicable local laws.
Which state’s laws apply, the ones where your organization is, or patients’ home states?
State laws are applied based on both the state where your organization resides as well as whatever state the patient is in.
“If you’re out of California and you have information about California residents, you’ll need to protect that and notify them within the same timeframe that California requires.”
President & Chief Compliance Officer, Semel Consulting
Can states sue for HIPAA violations?
According to The HITECH Act’s amendments to HIPAA, each state Attorney General has the power to enforce HIPAA civil penalties within their state. They are not authorized to enforce HIPAA criminal penalties.
These same officials are also usually the ones charged with enforcing stricter state laws covering medical records.
Permissible Disclosures Under HIPAA
What is a Permissible Disclosure?
While HIPAA is concerned with protecting patients’ information from prying eyes, the Privacy Rule also recognizes that such protections can get in the way of providing proper treatment and billing patients for services rendered. For this reason, there are some exceptions in the law.
The HIPAA-required Notice of Privacy Practices that is provided to all patients must include disclosures of the type of Permissible Disclosures a Covered Entity will be making.
When are Permissible Disclosures of PHI allowed?
There are three core health care activities under which Permissible Disclosures are allowed without specific patient prior approval:
Treatment
Sharing PHI for providing, coordinating (including referrals and consultations), or managing a patient’s care between providers or with third parties.
Payment
Sharing PHI with billing agencies, health plans, and, in limited cases, consumer reporting agencies. This exception is largely in service of helping organizations get paid and determine patients’ eligibility for services and coverage by health plans. This exception also allows health plans to review requests for treatment and records of treatment for prior approval of services as well as to ensure services were actually provided and medically necessary.
Health Care Operations
Sharing PHI in the service of day-to-day administrative, legal, financial, and quality control operations of a Covered Entity. This sounds like a catch-all, but it is actually limited to specific activities by the law, as described in 45 CFR section 164.501 of the Privacy Rule.
What is the “Minimum Necessary” standard?
While Permissible Disclosures are allowed under HIPAA’s Privacy Rule, there is also guidance that Covered Entities must develop policies and procedures that lead to the fewest/narrowest disclosures necessary to carry out payment systems and day to day operations.
This standard does not apply to treatment-based Permissible Disclosures.
Is patient authorization required to make Permissible Disclosures?
No, though organizations may request authorization anyway; this is not a HIPAA requirement.
While organizations may design such authorization forms as they see fit, they cannot use them to circumvent the Privacy Rule’s limits on Permissible Disclosures (even if a patient has agreed to allow it).
Are patients allowed to block Permissible Disclosures?
Yes, and no. Patients are allowed to request additional limits on how an organization will use Permissible Disclosures. However, organizations are only required to follow those limits if they tell the patient they will abide by them.
What are patients’ rights to confidential communications?
When Covered Entities are communicating with patients about their care, patients may request that such communications be delivered via alternative means or to alternate locations.
Health care providers are required to accommodate “reasonable requests” in this area.
Health plans are required to accommodate such “reasonable requests” if the patient clearly states that failure to do so would put them in danger.
What is a HIPAA violation?
HIPAA violations generally involve one of the following:
- not providing patients proper access to their records when they request it.
- granting access to or disseminating Protected Health Information (PHI) without patient authorization.
Here are examples of common HIPAA violations:
Improper disposal of patient records
Before any PHI is discarded, it must first be shredded.
Failing to get proper signatures on HIPAA release forms
Any HIPAA forms without a patient’s signature are invalid, so releasing information based on them is a violation.
Releasing protected information to an undesignated party
Only the exact person listed on the authorization form may receive patient information.
Releasing unauthorized health information
Someone releases the wrong document, one that has not been approved for release. A patient has the right to release only parts of their medical record.
Releasing the wrong patient’s information
Through a careless mistake, someone releases information to the wrong patient. This sometimes happens when two patients have the same or similar name.
Storing patients’ information in an unprotected state
While it’s common to think first of attacks over the internet, this violation also occurs when a physically unprotected device holding electronic information, such as a laptop, hard drive, USB memory stick, or other storage medium, is left exposed to the public.
Who enforces HIPAA?
At the national level, the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) is responsible for enforcing HIPAA’s privacy & security rules, including fining Covered Entities or Business Associates who fail to comply.
The HITECH Act’s amendments to HIPAA included empowering the Attorney General of each state to enforce HIPAA civil penalties within their state. They are not authorized to enforce HIPAA criminal penalties; those are left to the OCR.
What happens if you are suspected of a HIPAA violation?
If there are concerns that the integrity of your records has been compromised, the OCR can undertake an investigation and you will be asked to provide the extensive records of access to that information (as required by HIPAA).
What are the penalties for a HIPAA violation?
If the investigation and subsequent hearings conclude that there were violations, it is possible that civil money penalties (ranging from $100 to $1.5 million per violation, with a maximum penalty of $1.5 million per year) can be imposed upon your business by the OCR or state governments. The more willful/egregious they perceive the violation to have been, the more severe the fine they’re likely to levy.
HIPAA violations can also carry with them serious jail sentences, ranging from one year (for unknowing violations or those committed with reasonable cause) to ten years (for violations committed for personal gain or malicious reasons).
Beyond government-levied fines, additional lawsuits can occur – patients have successfully sued providers for HIPAA privacy violations.
In addition to notifying affected individuals within 60 days, businesses are also required to report all breaches to the OCR. Small breaches can be recorded in a ledger and reported to the OCR annually. However, larger breaches (over 500 patients affected) must be reported to the OCR within 60 days, as well as to major local media outlets.
As always, stricter provisions in state laws supersede HIPAA. Many states have shorter reporting windows. If, for example, a state has a 7-day breach reporting requirement and/or more powerful rules regarding notifying affected patients, those provisions would apply instead.
In addition to the fine, when investigating a breach that may have exposed the information of more than 500 individuals, the OCR must also list your business on its public breach report portal for two years. States may also have reporting requirements that publicize compliance failures.
This sort of negative exposure can deal a serious blow to a business’s reputation (and, if applicable, its stock value).
And Possibly More!
Remember that state laws may cover some of the same ground and include additional penalties if their stricter provisions are violated. Failure to abide by security obligations set out in contracts can lead to further financial penalties, staff or facility licensing can be pulled, and more.
“Sometimes we have to remind them that it’s not just HIPAA they need to worry about if there’s a breach. They can lose their professional license. That’s their career.
We’re seeing more and more organizations that want to do business with each other will put into a contract, not into a HIPAA business associate agreement or anything that’s specific to a regulation, but just into a contract: “If you want to work with us, here’s what you must do to protect our data.”
Why is it important to put that into contract? Because if you don’t protect the data, you are in violation of a contract and you can be sued by the other party. That is actually easier for the other party to penalize you, rather than to wait for the federal government to maybe investigate you and maybe issue a fine. This is a direct issue with your relationship with that vendor.”
President & Chief Compliance Officer, Semel Consulting
An Important Note About Cyber-Liability Insurance:
Even if your organization maintains a cyber-liability insurance policy, do not forget that coverage is contingent on your IT department maintaining whatever security policies you agreed to/put forth when the policy was signed. There have been high-profile examples of insurance companies refusing to pay for breaches because policies were not followed.
For example, Cottage Health was sued by their insurance company for a return of $4.1 million paid out for data breaches, after it was discovered they were not living up to their security obligations as stated in the policy.
HIPAA May be the Least of Your Compliance Worries
“When we work with our clients, we ask them to give us their application for cyber liability insurance, because we’ll use that to find out what they committed to with their insurance carrier.
Often we find that through our scans of their networks and checking equipment that their systems are not set up the way that they were supposed to be for the insurance policy.”
President & Chief Compliance Officer, Semel Consulting
How Do I Comply with HIPAA?
What are best practices for adhering to the HIPAA Privacy Rule?
Here are some best practices for setting your company up for compliance with the HIPAA Privacy Rule:
Appoint a HIPAA champion
Covered Entities are required to assign someone as a designated HIPAA champion or privacy officer to implement the Privacy Rule and make sure procedures are being followed to keep PHI secure.
In offices or clinics, this might be only part of the duties of a doctor or office manager, but hospitals or other organizations dealing with a large amount of PHI may need a consultant or dedicated full-time employee.
Set up office policy, procedures, and HIPAA training for all staff
Provide training for your staff on the Privacy Rule, covering all forms of PHI in the practice and how it must be kept private and secure. Explain the patients’ rights and how the practice will support those rights. Ensure everyone understands the law and has no confusion or unanswered questions.
Make sure that new employees are trained in a reasonable timeframe and that trainings are ongoing to keep the information fresh – the HIPAA champion/privacy officer should maintain a record of who was trained and when.
Inform patients of their rights
It’s important to inform patients of their rights to see or update their protected health information and submit privacy complaints under the HIPAA privacy rule.
All new patients must be given a Notice of Privacy Practices that complies with HIPAA guidelines. That same notice must also be posted prominently in patient areas and on the organization’s website.
What are some HIPAA Security Rule compliance best practices?
Here are the requirements for creating a work environment that adheres to the HIPAA Security Rule, which covers storage and transfer of protected health information in electronic form (ePHI):
Perform a risk analysis
Every healthcare organization has different vulnerabilities when it comes to storing and transmitting ePHI. Assessing these vulnerabilities and investing in countermeasures (e.g. stronger passwords, encryption of stored data, encryption of data being transmitted, intrusion prevention software, locking down USB ports, etc.) is key to protecting your organization from mishaps.
Assign controlled information access levels
Not all users in your organization require full access to all medical records. Breaking your staff’s access into tiered security levels prevents employees from either intentionally or accidentally seeing PHI that doesn’t apply to their duties. Clearly documenting who can access what, and who can expand authorizations, will help keep you in compliance.
Carry out regular security awareness training
Hackers and thieves often use employee mistakes and inattention as access vectors to protected infrastructure. Along with educating your staff about HIPAA mandated confidentiality, training should cover best security practices for using computers, like physical access security, protection from malicious software and phishing attacks, log-in monitoring, and proper password management.
Limit physical access to equipment
Access to physical hardware can allow malicious actors to more easily bypass security that prevents outside invasion via the internet. The physical safeguards section of the Privacy Rule provides guidelines for physically securing equipment that transmits ePHI, such as your server and wired or wireless networks.
Maintain in-depth records
It’s important that you create and maintain documentation to illustrate that your organization is following its HIPAA policies and procedures (access logs, incident investigation reports, training documents, etc). If you are ever subject to a HIPAA audit or breach investigation, investigators will likely want to see such records.
Including an effective date on any documentation (policies, procedures, plans, etc.) is useful for meeting HIPAA’s requirement for documentation retention – you can then easily determine when documents can be safely discarded.
How can XMedius Solutions Help with HIPAA compliance?
XM Fax is a Fax over IP (FoIP) solution that not only removes the need for unreliable, expensive fax machines, but also includes a variety of security and documentation features that aid HIPAA compliance.
- An automatically generated, extensive audit trail of which files are sent, where, and when, making it easy to document in the event of a HIPAA inquiry.
- Faxes are sent directly from a controlled workstation rather than an unsecured fax machine. Nobody has to hover over the machine to ensure all pages get sent and that no unauthorized person reads them.
- Because documents are faxed electronically, they do not need to be printed for a fax machine – reducing physical copies that you’d need to account for.
XMediusSendSecure is secure file transfer software that allows a range of applications far beyond simple fax.
- Supports files up to 5TB, so x-ray and MRI images, videos, and other large files can be transferred with ease.
- Advanced security features: when uploaded to a SafeBox, files are protected with double encryption at rest and in transit, configurable two-factor authentication, automatic virus scanning, and an encryption fingerprint to prevent tampering.
- Automatically generates an extensive audit trail tracking every interaction of the file – downloads, uploads, deletions, comments, and more.
- All files are stored in ephemeral locations that will self-delete after a set period of time, so you don’t need to keep track of legacy shares.
XM Connect is a Unified Communications platform that delivers interoperability for the multivendor UC environments that most organizations find themselves in. It features a suite of productivity-enhancing apps, including secure unified messaging functionality, which allows staff to access their voicemail anywhere via streaming to a mobile app, but does not allow the file to be downloaded or transferred outside your system. This helps prevent sensitive information from being exposed in audio form.
HIPAA compliance made easy
If your organization handles protected health information, ensuring that the proper safeguards are in place and aligning with HIPAA compliance requirements can be challenging. XMedius combines HIPAA-trained personnel with powerful tools and technology to provide solutions that address several requirements within the HIPAA/HITECH acts.
Do you have questions about how our solutions can help streamline HIPAA compliance and protect your business? Reach out to our team for more information.