How to Comply With HIPAA Requirements in 2023: Fines, Components, and Examples
Updated 25 Jan 2023
If the title of this article captured your attention, most likely, you are planning to build a healthcare app. Or you have already developed one. One way or another, your intentions deserve respect because your app can help doctors and patients.
However, there’s one thing that you have to take very seriously. In case your application deals with patients’ health records, you should protect them by any means necessary. And that’s what congress thought when designed HIPAA in 1996.
Further below, you will find out who is required to follow HIPAA requirements, our HIPAA compliance checklist, and how large are HIPAA violation penalties.
What Does HIPAA Stand For?
Many entrepreneurs planning to develop a healthcare app wonder what HIPAA is. HIPAA (Health Insurance Portability and Accountability Act) was designed to modernize the flow of healthcare information and limit access to protected health information (PHI) from misuse. There are 18 categories of PHI, ranging from names and email addresses to phone numbers, account numbers, health records, and more. HIPAA policies are established to keep these details from being lost or stolen. This act consists of 115 pages, so there are many things to discuss.
But we’ll explain HIPAA in simple words and focus on what it means for tech products.
Who is Mandated to Follow HIPAA Requirements?
HIPAA covered entities are individuals or companies that receive, transmit or update protected ePHI. They can be divided into three main groups:
- Healthcare providers
- Health insurance companies
- Healthcare clearinghouses
It’s important to remember that business associates of the above entities also have to comply with HIPAA.
HIPAA Violation Fines
Before we get to such a terrific thing as penalties, we should first figure out the reasons for imposing penalties.
HIPAA violations happen when the obliged entity fails to comply with one or more HIPAA requirements. Failure to comply with HIPAA rules can result in considerable penalties being issued — even if no breach of PHI happens — while breaches can lead to criminal consequences and civil action lawsuits being logged. Violations can be intentional or unintended and are divided into 4 groups by the severity and impact.
- Tier 1: An unintentional HIPAA violation that the healthcare provider wasn’t aware of and so couldn’t avoid. Made a proper effort to comply with HIPAA regulations. The penalty is from $100 to $50,000 per violation with a maximum amount of fines of $1,500,000 annually.
- Tier 2: An unintentional HIPAA violation that the healthcare provider was informed of but couldn’t change things even with a proper amount of effort. The penalty is from $1,000 to $50,000 per violation, with a maximum amount of fines of $1,500,000 per year.
- Tier 3: An intentional violation that resulted from a “willful neglect” of HIPAA rules. The issue has been fixed in a period of 30 days after identifying the violation. The penalty is from $10,000 to $50,000 per violation with a maximum amount of fines of $1,500,000 annually.
- Tier 4: An intentional violation that resulted from a “willful neglect” of HIPAA rules. No attempts to fix the issue were made during the 30 days of identifying the violation. The penalty is $50,000 per violation, with a maximum amount of fines of $1,500,000 per year.
Has Anyone Been Fined?
To get a deeper understanding of the penalty system and types of violations, we'll give some examples of fined companies.
- Korunda Medical, LLC. Korunda Medical failed to provide medical records to a third party on patient’s request. The point is, HIPAA requires covered entities to transfer personal information to any individual specified by the patient. Moreover, the provider charged more than it’s allowed under HIPAA. As a result, the company had to provide records in the requested format for free and was fined $85,000.
- West Georgia Ambulance. The investigation into the West Georgia Ambulance began in 2013, after the loss of an unencrypted laptop with personal information of over 500 individuals. This investigation detected a long-term HIPAA non-compliance that resulted in a fine of $65,000.
Basic Components of HIPAA
To avoid troubles with HIPAA compliance, you have to understand three basic HIPAA rules:
HIPAA Privacy Rule
The privacy rule focuses on keeping PHI (personal health information) in safety.
PHI includes information about:
- The patient’s past, present, or future physical or mental health condition.
- The type of healthcare provided to the patient.
- Information about the payment for the healthcare service provided to the patient.
- Personal data such as name, address, birth date, and Social Security number
The Privacy Rule provides patients with rights that protect their PHI. One of them is a right to get a copy of their health records. Also, they can ask for corrections in their data. On top of it, the Privacy Rule permits the use and disclosure of health records needed for patient care and other important purposes.
HIPAA Security Rule
HIPAA security requirements include protection methods that you should implement in order to protect the integrity of ePHI.
Each entity should analyze ePHI-connected risks and eliminate them. Here are top tier HIPAA covered entities requirements:
- Ensure the privacy, integrity, and accessibility of all ePHI they create, update, transmit, or maintain.
- Identify and protect ePHI against reasonably anticipated threats.
- Guarantee the access to ePHI only to the HIPAA covered individuals.
- Instruct employees on how to follow compliance rules
Also, you should review and modify protection methods to keep up with new threats and vulnerabilities.
HIPAA Breach Notification Rule
Data breaches are getting more common these days. Being a security-centered act, there are HIPAA breach notification requirements. The regulations require you to inform affected users, HHS (Department of Health and Human Services), and media in case of a breach. You have to deliver notifications without delays in terms and no later than 60 days since the moment of breach disclosure. Notifications that affected less than 500 individuals can be sent to HHS annually.
The Administrative Safeguards are the linchpin of Security Rule compliance. The Security Officer is responsible for performing risk analyses, initiating measures to lower risks and vulnerabilities, workforce training, supervising IT continuity, and Business Associate Agreements.
HIPAA administrative safeguards are broken up into the following rules (but it’s not limited to them):
- Security management process. Enterprises must execute risk analyses, introduce preventive measures to mitigate risks and vulnerabilities, bring a workforce sanctions policy into place, and implement procedures to check system activity.
- Workforce Security. The workforce members should have permission before accessing systems, including ePHI and required measures must be introduced to restrict access to ePHI and block access when the workers resign from their posts.
- Assign Security Responsibility. Designate a HIPAA Security Officer who will oversee the development, introduction, and execution of Security Rule policies.
- Information Access Management. This standard involves hybrid and affiliated organizations to guarantee access to ePHI only by the members of mentioned entities.
- Security Awareness and Training. Members of the workforce, including those with no access to PHI, must take part in the continuing security awareness training sessions. This standard also entails security reminders and password control.
HIPAA Omnibus Rule
The HIPAA Omnibus Rule was presented in 2013 to upgrade components of the Privacy, Security, Enforcement, and Breach Notification Rules and rouse elements of the HITECH Act. It mandates that obliged entities and business associates must be HIPAA compliant and also outlines the rules surrounding business associates agreements, also known as BAAs. These agreements are the contracts that must be executed between a covered entity and a business associate (or between two business associates) before any PHI or ePHI can be transferred or shared. The Omnibus Rule provides businesses resources to investigate violations and force fines for non-compliance. In addition, the Omnibus Rule provides businesses resources to investigate violations and force fines for non-compliance.
The HIPAA Enforcement Rule establishes how the Department of Health and Human Services’ (HHS’) Office for Civil Rights will perform investigations, handle hearings, and impose fines for HIPAA violation cases. It also justifies how financial civil penalties will be calculated for non-compliance with HIPAA requirements.
The Physical Safeguards concentrate on physical access to ePHI regardless of its location. ePHI could be saved in a remote data center, in the cloud, or on servers placed within an enterprise's premises. The Physical Safeguards also state how workstations and mobile devices should be protected against third-party access.
The essential standards of HIPAA Physical Safeguards are:
- Facility access control. This standard mainly covers physical access to electronic data systems and the facilities they're stored, but it also governs the measures that should be implemented to restrict physical access to paper PHI as much as possible.
- Workstation Use. There are different interpretations of this standard. The most secure explanation declares that non-business activity is prohibited on workstations and devices employed to produce, obtain, maintain, or transfer ePHI.
- Workstation security. This standard requires obliged entities and business associates to introduce safeguards so that physical access to workstations and devices is restricted to only specified members of the organization.
- Device and Media Controls. The specifications attached to this standard entail the disposal or re-employ of media on which ePHI has been kept and managing an inventory of devices and media utilized by the companies to access ePHI.
Technical Guarantees for HIPAA Compliance
HIPAA Technical safeguards cover access controls, data in motion, and data at rest requirements. Introducing technical policies and procedures is required for software solutions that handle PHI data to limit access to only authorized users. Each user must have a unique user identification (ID). This ID is used for detecting and monitoring the users’ activities while accessing ePHI.
There are several tech aspects to pay attention to while working on software falling under HIPAA:
Main HIPAA Technical Guarantees
Implementing an authorization system is a must for every app. But regarding HIPAA requirements, you should be as responsible as never before. So spare no expense for developing two-step verification and an independent system for managing the release and disclosure of ePHI.
All medical information should be encrypted and only be decrypted when required. Data encryption is a proven way to make PHI unusable to unauthorized parties. If malicious users steal unencrypted records, they can instantly read, access, and employ them. Once a communication comprising PHI goes beyond an obliged entity´s firewall, encryption becomes an addressable safeguard that must be accounted for. This applies to any form of online communication, such as email, SMS, instant message, etc. According to HIPAA, encryption IT systems must adhere to minimum demands relevant to the state of that information, whether it is at rest or in transit.
The following processes are determined best methods for encrypting ePHI records at rest:
Application-level encryption (ALE)
With ALE, encryption is initiated within the software, enabling customizing the encryption process according to user roles and permissions.
Full disk encryption (FDE)
FDE turns records on a disk drive into an unreadable format. Without the appropriate authentication key, the disk data is unavailable even if the hard drive is removed and rested on another device.
Encrypting at the file level defends separate files and directors rather than the whole disk. Each item is encrypted with a special key, providing an additional layer of security to full disk encryption.
Audit control relates to logging who accesses the medical data. Log history is a mandatory HIPAA record retention requirement. Whenever someone attempts to access ePHI, your software should automatically register the identity that made a request. There are a lot of ways to develop this feature. For example, you can track the internal ID if the request comes from the registered user. If a breach happens, you can put an IP address of an attacker to the log.
This regulation aims to ensure that the ePHI and other medical data weren’t modified or destroyed in an unauthorized manner. It means that data integrity should be governed, for example, with a digital signature. If an authenticated user signs the altered data, any following modifications by unauthorized parties will be apparent.
To avoid unauthorized data devastation, it’s required to carry out a backup that won’t sync alterations that an authorized user hasn’t digitally signed. If a malicious user erases data, it will either appear in the audit logs, or the delete won’t disperse to the backup.
Person or entity authentication
Person or entity authentication refers to access control; however, it mainly has to do with requiring users to submit identification before having access to ePHI. It can be performed by applying unique passwords, pins, smart cards, fingerprints, face or voice recognition, or other methods.
Administrative Guarantees for HIPAA Compliance
By now, we figured out the tech side of HIPAA requirements. But sometimes, the human factor can lead to even worse consequences than technical gaps. Let me provide some recommendations for addressing these issues.
Managing the Risks
This one is a primary task for HIPAA compliance. First, you should identify hazards and possible weaknesses that could harm the ePHI. Then, you have to evaluate risks and potential losses associated with these weaknesses. The final step is to find out the most cost-efficient solution or control the risk when there’s no way to eliminate the threat.
Instruct Your Employees
HIPAA rules and regulations not only include a huge amount of information, but they are also very flexible and scalable. That means it’s important to arrange meetings and training courses with your employees to teach them how to comply with HIPAA. Trained personnel is a way to reduce the risk of getting penalties.
Restrict Third Party Access
It’s crucial to restrict access to ePHI by unauthorized organizations, individuals, and subcontractors. Besides, you should sign Business Associate Agreements with your business associates that will have access to ePHI.
Want to learn more on how to secure healthcare software? We’ve outlined the best cybersecurity frameworks. Check them out!
Failures That Lead to Non-Compliance
Let’s get through some frequent mistakes that can cost you a fortune while dealing with HIPAA.
- Incorrect disposal of the information. Whether you have digital information or something written on a piece of paper, make sure that after disposal, this data won’t fall into third party hands.
- Blind trust in your partners. Make sure your business associates are complying with HIPAA and fulfill the terms of your contract. Thus, you won’t get a stab in your back.
- Spreading the information around. Minimize the chance of accidental hearing of information. Train your employees to not spell the full name of patients and their health conditions in the presence of third persons.
- Handle the data storage. If you’re using hard drives for storing the ePHI and EHRs, make backups regularly. Actually, HIPAA compliant cloud storage has a number of advantages over the physical drives. The main reason is you don’t have to worry about backups and scaling. Instead of buying new drives, you can pay for extended cloud storage. On top of that, you don’t have to worry about the space for your server room.
Reasons that may lead to non-compliance
HIPAA Compliance Expert Assistance
At first glance, HIPAA looks complicated. But with the right approach and guidelines from professionals, you won’t have any trouble with these strict requirements. And the Cleveroad team is ready to assist you with HIPAA compliance-related services.
With over 10+ years of practical experience in HealthTech, Cleveroad offers HIPAA-compliant software consulting and development services. Our team has practical expertise in creating healthcare software solutions complying with HIPAA, HITECH, PIPEDA, GDPR, and other regulations and security standards. We start our cooperation with a deep analysis of your business to provide you with a legislation-compliant application aligning with your unique corporate needs.
Let’s make your app HIPAA compliant
We can help you to develop a HIPAA compliant software fitting your business needs
HIPAA, or Health Insurance Portability and Accountability Act, was designed to modernize the flow of healthcare information and protect personal data from fraud and theft.
Individuals or companies that receive, transmit or update protected ePHI or EHRs (find more on it here) have to comply with HIPAA. They can be divided into three main groups:
- Healthcare providers
- Health insurance companies
- Healthcare clearinghouses
- Business associates
HIPAA consists of three essential rules:
- The Privacy Rule
- The Security Rule
- The Breach Notification Rule
Covered entities frequently face the following mistakes:
- Incorrect disposal of the information
- Blind trust in your partner
- Spreading the information around
- Handling the data storage wrong