HIPAA compliance: Privacy, protections and what you need to know  

by Liam Martin

HIPAA has been in force for almost three decades, but it’s never been more relevant than today.

The number and cost of data breaches is growing. Healthcare regulators are scrambling to catch up with AI. Public health agencies are “addressing a diverse array of issues among an increasingly polarized public”.

Amid all this, companies have a critical role to play in protecting sensitive data.

One area that’s increasingly under scrutiny is HIPAA compliance. Although HIPAA primarily applies to healthcare organizations, it could affect how your business handles sensitive information – no matter your industry.


What is HIPAA compliance?

The Health Insurance Portability and Accountability Act, or HIPAA, is a US law protecting sensitive patient health information, known as protected health information (PHI). PHI includes patients’ medical records and health information provided to insurers, doctors, hospitals, and other healthcare providers.

It sets standards for how organizations can collect, use, store, transmit and disclose individuals’ medical information.

The key components of HIPAA compliance

HIPAA compliance means adhering to rules and regulations surrounding the confidentiality, integrity, and availability of PHI. 

There are two main guardrails: the Security Rule and the Privacy Rule.

But before diving into the Rules, we need to define a few technical terms you’ll encounter when looking into HIPAA compliance.

  • Protected health information (PHI): Individually identifiable health information transmitted or maintained in any form. This includes names, addresses, birth dates, Social Security numbers and medical records.   
  • Covered entities: Healthcare providers, health plans, and healthcare clearinghouses that must comply with HIPAA regulations.
  • Business associates: Individuals or organizations that perform functions or activities on behalf of a covered entity that involve using, transmitting or disclosing PHI.

Remember this last group because it might apply to your organization.

HIPAA compliance is not only important for “covered entities” but also for business process outsourcing (BPO) and knowledge process outsourcing (KPO) providers in the healthcare sector. From call centers to virtual assistants and medical transcription services, any organization handling PHI is likely to be subject to HIPAA.

It might also apply to employers in other industries if the company stores, accesses or transfers employee health data.

HIPAA security rule

The HIPAA Security Rule outlines the safeguards organizations must implement to protect patient health information.

  • Administrative safeguards: Policies and procedures for managing the security of electronic PHI, such as risk analysis, workforce security and information access management.
  • Physical safeguards: Protecting systems and data from unauthorized access, use, disclosure, disruption, modification or destruction. This includes access controls, workstation security, and asset-level (device and media) controls.
  • Technical safeguards: Using technology to protect electronic PHI, such as access control, audit controls, and integrity controls.

The HIPAA privacy rule

The HIPAA Privacy Rule establishes national standards for protecting individuals’ medical records and health information. It specifies patients’ rights to understand and control how their health information is used:   

  • Patient rights: Individuals have the right to access their health information, request amendments to their health records, and receive a notice of privacy practices.
  • Permitted disclosures: The specific circumstances under which PHI can be disclosed, including for treatment, payment and healthcare operations.
  • Minimum necessary: Covered entities must disclose only the minimum PHI necessary to accomplish a particular purpose.

HIPAA compliance also means meeting the Breach Notification Rule and Enforcement Rule.

The Breach Notification Rule outlines how covered entities should respond to a violation, including notifying authorities and affected individuals. 

As you might’ve guessed, the Enforcement Rule establishes the guidelines for regulators to investigate, penalize, and in some cases prosecute HIPAA violations.

Does HIPAA apply to all employers?

Healthcare isn’t the only industry impacted by HIPAA. Other sectors and organizations handling PHI must comply, including insurance and technology companies providing health-related services. 

As a very generalized guide – with a disclaimer that this is not legal advice – if your concern relates to employees’ health information, HIPAA might apply. 

That includes scenarios like:

  • New employees providing health information to HR
  • Arranging health insurance for employees
  • Responding to a health provider enquiring about an employee’s treatment eligibility 
  • Handling or storing workplace compensation claim data

Whether full or partial compliance applies depends on the specific scenario. 

If you’re concerned that your organization’s practices or processes might be on the wrong side of HIPAA compliance, we recommend seeking legal advice.

It’s also important to remember that HIPAA isn’t the only privacy legislation in play. Other laws like the GDPR, the CCPA and the Fair Credit Reporting Act govern what employers can do with certain employee data.

HIPAA non-compliance risks and penalties

Non-compliance with HIPAA can lead to severe consequences. These include hefty fines, legal actions and reputational damage. 

Financial penalties

The Department of Health and Human Services (HHS) can impose significant fines for HIPAA violations. 

Penalties are tiered based on the level of negligence, with fines ranging from $100 to $50,000 per violation, capped at a maximum annual penalty of $1.5 million.

Reputation damage

Data breaches and other HIPAA violations can severely damage your organization’s reputation, causing affected individuals and prospective partners to lose trust.

Legal action

Non-compliance can expose your organization to lawsuits from affected individuals and service providers.

These lawsuits can drag on for months or years, draining financial reserves and limiting business activity.

Operational disruptions

Investigations and corrective actions required for non-compliance can disrupt daily operations and impact productivity.

Depending on your business, these disruptions could affect patients’ access to essential healthcare services.

Loss of business

In severe cases, non-compliance can lead to patients seeking care elsewhere and partners turning their backs.

These costs are hard to count and harder to recoup.

HIPAA compliance checklist: Best practices for HIPAA compliance in a changing world

Achieving and maintaining HIPAA compliance requires a proactive and comprehensive approach. That’s especially true nowadays, with cybercrime on the rise and AI tools with questionable compliance appearing everywhere.

That’s why a comprehensive compliance strategy is crucial for businesses today.

You can keep on top of HIPAA compliance with these 13 focus areas.

1. Risk assessments

Conduct a thorough risk assessment to identify vulnerabilities in your organization’s systems and processes. Assess the likelihood and impact of PHI risks and implement mitigation strategies.

2. Access controls

Restrict access to PHI on a need-to-know basis. Implement strong password policies and multi-factor authentication, and regularly review access permissions.

3. Data encryption

Encrypt PHI both at rest and in transit to protect it from unauthorized access. Use strong encryption standards and ensure that encryption keys are securely managed.

4. Employee training and awareness

Regular training on HIPAA regulations, policies, and procedures is crucial. Employees should understand the importance of protecting PHI and the consequences of HIPAA non-compliance.

Training should cover the organization’s policies and procedures, common threats arising from everyday activities, and best practices for data security.

5. Patient communication

Provide patients with a clear and understandable notice of how their PHI will be used and disclosed.

6. Business associate agreements

Ensure all business associates handling PHI have signed HIPAA-compliant agreements and use HIPAA-compliant systems.

7. Incident response plans

Develop a comprehensive plan to respond to data breaches or other security incidents. Regularly review and update these policies to reflect changes in regulations and technology.

8. Security audits and penetration testing

Conduct regular security audits and penetration testing to identify and address security weaknesses. These activities should be conducted by qualified professionals.

9. Secure communication channels

Ensure that all communications involving PHI are conducted through secure, HIPAA-compliant channels. Avoid using unsecured email or messaging services. Stick to encrypted email services or secure file transfer protocols.

10. Physical security

Physical security measures are just as important as digital ones. Protect physical access to PHI by implementing measures such as locked doors, surveillance cameras, and secure storage.

11. Updating software and systems

Regularly update all software and systems to protect against known vulnerabilities. Implement patch management processes to ensure security updates are timely and non-disruptive.

12. Mobile device security

Establish policies for using mobile devices to access PHI, including data encryption and remote wipe capabilities.

13. Data backup and recovery

Regularly back up PHI and ensure backups are secure. Develop and test recovery plans to ensure quick restoration in case of data loss or breach.

HIPAA compliance case study: Change Healthcare

Change Healthcare is one of the world’s largest health clearinghouses, handling 15 billion medical claims annually. Most major US hospitals use its payment platform to process patient claims. 

Although it’s not a healthcare provider, it falls under HIPAA compliance. So, when hackers locked up the system in February 2024 and stole around 4 terabytes of PHI, it kicked off the largest HIPAA compliance case in history.

The hacker group used compromised credentials to access a portal that should have been protected by multi-factor authentication. They subsequently demanded a $22 million ransom for the data’s safe return.

Investigations are still ongoing. However, current estimates are that one in three Americans could be affected. That’s more than 100 million people whose PHI could be compromised, including:

  • Health insurance information
  • Medical records
  • Billing, claims and payment information
  • Personal data like Social Security numbers or ID numbers

Doctors’ offices and hospitals couldn’t process claims for several weeks, creating a serious backlog and threatening patients’ access to care.

Although the full impact of the breach is yet to be counted, the costs are already eye-watering. 

  • The American Hospital Association reported that 94% of hospitals recorded damage to cash flow.
  • UnitedHealth has already spent over $2 billion responding to the ransomware attack.
  • Additionally, it provided $9 billion in advance funding and interest-free loans to help providers who couldn’t bill for services through Change Healthcare.

Adding to the mounting challenges, UnitedHealth missed the deadline to report the incident under the Breach Notification Rule by several months. The nature of their business also means some healthcare organization customers could have become wrapped up in the breach, triggering additional notifications.

Change Healthcare’s hackers were organized, militant and skilled. Still, it has to be said that the biggest HIPAA compliance case in US history – one of the biggest cyberattacks on record – was allegedly caused by lax security in a legacy system. Change Healthcare continued to suffer crippling losses because a system it acquired in 2016 didn’t have multi-factor authentication.

The ongoing and widespread fallout shows how critical HIPAA compliance is for organizations of all sizes.

The role of workforce analytics in HIPAA compliance

You might be wondering why Time Doctor, as a workforce analytics provider, would take a strong interest in HIPAA compliance.

For the same reason we’re concerned with GDPR, SOC 2 and other compliance frameworks: we care about compliance, accountability and security.

Time Doctor might not be a core compliance tool. However, you can use workforce analytics insights to strengthen compliance and security, especially in remote organizations and large teams.

Monitoring anomalies

Workforce analytics tools can help identify unusual activity patterns that might indicate potential security breaches or compliance issues.

For example, our Unusual Activity Report (UAR) flags suspicious keyboard and mouse behavior that could indicate non-compliant employees.

Detailed activity reporting, such as Website & App Usage reports, can also help you pinpoint compliance issues like unauthorized software, non-compliant data transfers or suspicious usage patterns. 

Analyzing employee behavior

Automatic time-tracking can help you spot unauthorized attempts to access physical or virtual machines.

You can also drill down on data mishandling incidents or identify processes that expose your organization to HIPAA compliance risks, such as sharing sensitive data with other teams or transferring it to unsecured storage locations.

Fostering accountability

In our experience, most HIPAA compliance issues caused by employees arise from a lack of awareness or training. 

This is where workforce analytics really helps. You and your managers can proactively address training requirements or repeated incidents, getting ahead of compliance risks.

See how Time Doctor can improve your organization’s health and data handling

Time Doctor is fully HIPAA and GDPR-compliant. We follow best data security and transfer practices, including strong encryption and regular external audits.

To learn more about Time Doctor’s security measures, visit the Security and Compliance page.

Or start your free trial today to get access to the full platform with the confidence that your employees’ data is secure with Time Doctor.
