How to Comply With HIPAA Requirements in 2020: Fines, Components, and Examples
If the title of this article captured your attention, most likely, you are planning to build a healthcare app. Or you have already developed one. One way or another, your intentions deserve respect because your app can help doctors and patients.
However, there’s one thing that you have to take very seriously. If your application deals with patients’ health records, you must protect them by any means necessary. That is exactly what Congress had in mind when it designed HIPAA in 1996.
Below, you will find out who is required to follow HIPAA requirements, our HIPAA compliance checklist, and how large HIPAA violation penalties are.
What Does HIPAA Stand For?
A lot of entrepreneurs that plan to develop a healthcare app wonder what HIPAA is. HIPAA (Health Insurance Portability and Accountability Act) was designed to modernize the flow of healthcare information and protect personal data from fraud and theft. The act runs to 115 pages, so there are a lot of things to discuss.
But, I’m going to explain HIPAA in simple words and focus on what it means for tech products.
Who is Mandated to Follow HIPAA Requirements?
HIPAA covered entities are individuals or organizations that receive, transmit, or update electronic protected health information (ePHI) or electronic health records (EHRs). They can be divided into three main groups:
- Healthcare providers
- Health insurance companies
- Healthcare clearinghouses
It’s important to remember that business associates of the above entities also have to comply with HIPAA.
4 groups of HIPAA covered entities
By the way, here’s an article about hospital app development. It uncovers the benefits and challenges of the custom hospital app.
What’s the most important thing for entrepreneurs in these regulations? Violating the rules may lead to huge expenses. That happens because of the heavy fines specified in the act.
HIPAA Violation Fines
Before we get to such a terrific thing as penalties, we should first figure out the reasons for imposing penalties.
HIPAA violations happen when an obliged entity fails to comply with one or more HIPAA requirements. Violations can be intentional or unintended and are divided into 4 tiers by severity and impact.
- Tier 1: An unintentional HIPAA violation that the healthcare provider wasn’t aware of and so couldn’t avoid, despite making a proper effort to comply with HIPAA regulations. The penalty is from $100 to $50,000 per violation, with a maximum amount of fines of $1,500,000 annually.
- Tier 2: An unintentional HIPAA violation that the healthcare provider was informed of but couldn’t change things even with a proper amount of effort. The penalty is from $1,000 to $50,000 per violation, with a maximum amount of fines of $1,500,000 per year.
- Tier 3: An intentional violation that resulted from “willful neglect” of HIPAA rules, where the issue was fixed within 30 days of identifying the violation. The penalty is from $10,000 to $50,000 per violation, with a maximum amount of fines of $1,500,000 annually.
- Tier 4: An intentional violation that resulted from “willful neglect” of HIPAA rules, where no attempt to fix the issue was made within 30 days of identifying the violation. The penalty is $50,000 per violation, with a maximum amount of fines of $1,500,000 per year.
Has Anyone Been Fined?
To get a deeper understanding of the penalty system and types of violations, I will give some examples of fined companies.
- Korunda Medical, LLC. Korunda Medical failed to provide medical records to a third party at a patient’s request. The point is, HIPAA requires covered entities to transfer personal information to any individual specified by the patient. Moreover, the provider charged more than is allowed under HIPAA. As a result, the company had to provide the records in the requested format for free and was fined $85,000.
- West Georgia Ambulance. The investigation into West Georgia Ambulance began in 2013, after the loss of an unencrypted laptop holding personal information of over 500 individuals. The investigation uncovered long-term HIPAA non-compliance, which resulted in a fine of $65,000.
Basic Components of HIPAA
To avoid troubles with HIPAA compliance, you have to understand three basic HIPAA rules:
- The Privacy Rule
- The Security Rule
- The Breach Notification Rule
3 basic HIPAA components
HIPAA Privacy Rule
The Privacy Rule focuses on keeping PHI (protected health information) safe.
PHI includes information about:
- The patient’s past, present, or future physical or mental health condition.
- The type of healthcare provided to the patient.
- Information about the payment for the healthcare service provided to the patient.
- Personal data such as name, address, birth date, and Social Security number.
The Privacy Rule provides patients with rights that protect their PHI. One of them is the right to get a copy of their health records. They can also ask for corrections to their data. On top of that, the Privacy Rule permits the use and disclosure of health records needed for patient care and other important purposes.
HIPAA Security Rule
HIPAA security requirements describe the protection measures you should implement to safeguard the integrity of ePHI.
Each entity should analyze ePHI-related risks and eliminate them. Here are the top-level requirements for HIPAA covered entities:
- Ensure the confidentiality, integrity, and availability of all ePHI they create, update, transmit, or maintain.
- Identify and protect ePHI against reasonably anticipated threats.
- Grant access to ePHI only to authorized individuals.
- Instruct employees on how to follow compliance rules.
You should also review and update your protection measures regularly to keep up with new threats and vulnerabilities.
HIPAA Breach Notification Rule
Data breaches are getting more common these days. Being a security-centered act, HIPAA sets out breach notification requirements. The regulations require you to inform affected individuals, HHS (the Department of Health and Human Services), and the media in case of a breach. Notifications must be delivered without unreasonable delay and no later than 60 days after the breach is discovered. Breaches affecting fewer than 500 individuals can be reported to HHS annually.
Technical Guarantees for HIPAA Compliance
As you can see, HIPAA requires strong means of protection and rules restricting access to ePHI. To comply with all requirements, your solution needs a solid technical foundation, meaning that your software development company or team of developers must be skilled enough to deal with possible exploits and close the gaps.
Main HIPAA Technical Guarantees
There are several technical aspects to pay attention to while working on software that falls under HIPAA:
Authorization System
Implementing an authorization system is a must for every app. But when it comes to HIPAA requirements, you should be more careful than ever. Spare no expense on two-step verification and an independent system for managing the release and disclosure of ePHI.
Encryption and Decryption Algorithms
HIPAA encryption requirements are the top concern for healthcare apps. Be sure to equip your application with encryption. The reason is that once information is transmitted beyond the internal server, it enters the risk zone. Fraudsters can intercept it, but with cryptographic algorithms in place, they won’t be able to extract any personal information from it. And when the information reaches its destination successfully, the intended receiver must be able to decrypt the message.
Want to learn more on how to secure healthcare software? We’ve outlined the best cybersecurity frameworks. Check them out!
Take Care of Log Records
Log history is a mandatory HIPAA record retention requirement. Whenever someone attempts to access ePHI, your software should automatically record the identity that made the request. There are many ways to develop this feature. For example, you can record the internal ID if the request comes from a registered user. If a breach is attempted, you can also write the attacker’s IP address to the log.
Auto Log-Off
This point is optional but highly recommended. Whenever your personnel step away from a device, third parties may try to use the application. With auto log-off, the HIPAA compliant app will request a password again after a pre-defined period of inactivity.
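The two points above (an audit log of every ePHI access attempt, and auto log-off after a pre-defined idle period) can be combined in one small gateway. This is an added example, not code from the original article; the class name, the timeout value, and the sample users and addresses are hypothetical.

```python
# Added example (not from the original article): a minimal ePHI access gateway that
# writes one audit record per access attempt and enforces an auto log-off idle timeout.
# AccessGateway, SESSION_IDLE_SECONDS and all sample values are hypothetical.
import json
import time
from dataclasses import dataclass, field

SESSION_IDLE_SECONDS = 300  # pre-defined inactivity period before a password is required again


@dataclass
class Session:
    user_id: str
    last_seen: float  # unix timestamp of the last authorized request


@dataclass
class AccessGateway:
    sessions: dict = field(default_factory=dict)   # session token -> Session
    audit_log: list = field(default_factory=list)  # one JSON line per access attempt

    def _audit(self, outcome, resource, client_ip, user_id, now):
        # Every attempt is recorded: who (internal user ID, or None if unknown),
        # from where (client IP), what (resource), and whether it was allowed.
        entry = {"ts": now, "outcome": outcome, "resource": resource,
                 "client_ip": client_ip, "user_id": user_id}
        self.audit_log.append(json.dumps(entry, sort_keys=True))
        return outcome

    def login(self, user_id, token, now=None):
        # Called after the user has authenticated (password plus second factor).
        self.sessions[token] = Session(user_id, now if now is not None else time.time())

    def access_ephi(self, token, resource, client_ip, now=None):
        now = now if now is not None else time.time()
        session = self.sessions.get(token)
        if session is None:
            # Unknown or unauthenticated caller: keep the source IP for investigation.
            return self._audit("denied-no-session", resource, client_ip, None, now)
        if now - session.last_seen > SESSION_IDLE_SECONDS:
            # Auto log-off: the session sat idle too long, so drop it and require re-authentication.
            del self.sessions[token]
            return self._audit("denied-idle-timeout", resource, client_ip, session.user_id, now)
        session.last_seen = now
        return self._audit("allowed", resource, client_ip, session.user_id, now)
```

In a real deployment the audit lines would go to append-only storage rather than an in-memory list, since the log itself is a record HIPAA expects you to retain.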
Administrative Guarantees for HIPAA Compliance
By now, we figured out the tech side of HIPAA requirements. But sometimes, the human factor can lead to even worse consequences than technical gaps. Let me provide some recommendations for addressing these issues.
Main HIPAA administrative requirements
Managing the Risks
This is the primary task for HIPAA compliance. First, you should identify hazards and possible weaknesses that could harm ePHI. Then, you have to evaluate the risks and potential losses associated with these weaknesses. The final step is to find the most cost-efficient solution, or to control the risk when there’s no way to eliminate the threat.
Instruct Your Employees
HIPAA rules and regulations not only include a huge amount of information, but they are also very flexible and scalable. That means it’s important to arrange meetings and training courses with your employees to teach them how to comply with HIPAA. Trained personnel are a way to reduce the risk of penalties.
Restrict Third Party Access
It’s crucial to restrict access to ePHI by unauthorized organizations, individuals, and subcontractors. Besides, you should sign Business Associate Agreements with your business associates that will have access to ePHI.
Failures That Lead to Non-Compliance
Let’s get through some frequent mistakes that can cost you a fortune while dealing with HIPAA.
- Incorrect disposal of information. Whether you hold digital information or something written on a piece of paper, make sure that after disposal this data can’t fall into third-party hands.
- Blind trust in your partners. Make sure your business associates comply with HIPAA and fulfill the terms of your contract. That way, you won’t get stabbed in the back.
- Spreading the information around. Minimize the chance of information being overheard. Train your employees not to say patients’ full names and health conditions in the presence of third parties.
- Handling data storage carelessly. If you’re using hard drives for storing ePHI and EHRs, make backups regularly. Actually, HIPAA compliant cloud storage has a number of advantages over physical drives. The main reason is that you don’t have to worry about backups and scaling. Instead of buying new drives, you can pay for extended cloud storage. On top of that, you don’t have to worry about space for a server room.
Reasons that may lead to non-compliance
At first glance, HIPAA looks complicated. But with the right approach and guidelines from professionals, you won’t have any trouble with these strict requirements.