To begin with, HIPAA is a complicated law to understand, much less for which to create compliance documentation. But let’s learn together about HIPAA policies and procedures and how Essential Data Corporation can help you keep up your documentation.
What is HIPAA?
Born of a need to “‘improve the portability and accountability of health insurance coverage’ for employees between jobs,” the Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Bill Clinton on August 21, 1996 (HIPAA Journal). HIPAA was made to protect both workers and employers. The act also combats fraud, waste, and abuse in health insurance and healthcare delivery. In addition, there are passages introducing tax breaks for medical savings accounts, simplifying health insurance administration, and providing coverage for employees with pre-existing medical conditions (HIPAA Journal).
Protected Health Information (PHI)
HIPAA deals with protected health information (PHI). According to PCIHIPAA, PHI is demographic information that could identify a client of an organization subject to HIPAA regulation, including names, addresses, phone numbers, Social Security numbers, medical records, financial information, and full facial photos. There is also ePHI — electronic protected health information.
Covered Entities and Business Associates
Two types of organizations must be HIPAA compliant: Covered Entities and Business Associates. Covered Entities are organizations that collect, create, or transmit PHI electronically, including health care providers, health insurance providers, and health care clearinghouses. Business Associates are organizations that are contracted to work for a covered entity that come across PHI, including practice management firms, billing companies, third-party consultants, MSPs, EHR platforms, IT providers, faxing companies, physical storage providers, shredding companies, cloud storage providers, attorneys, email hosting services, accountants, and more.
Who Does Not Have to Follow HIPAA?
According to the U.S. Department of Health & Human Services (HHS), organizations that do not have to follow HIPAA include life insurers, employers, workers’ compensation carriers, most schools and school districts, most law enforcement agencies, many municipal offices, and many state agencies.
What are the 5 titles which make up HIPAA?
- Title I: Health Care Access, Portability, and Renewability
- Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform
- Title III: Tax-related Health Provisions Governing Medical Savings Accounts
- Title IV: Application and Enforcement of Group Health Insurance Requirements
- Title V: Revenue Offset Governing Tax Deductions for Employers
What is the HITECH Act?
To clarify and strengthen enforcement of HIPAA, the Health Information Technology for Economic and Clinical Health Act (HITECH) was passed in February 2009, according to Accountable. As records were increasingly becoming computerized, the need for such an act became clear. The following infographic from HIPAA Journal details the HIPAA penalties put into effect under HITECH.
The following table from HIPAA Journal shows the penalty amounts adjusted for cost of living increases as of November 2021.
|Penalty Tier||Level of
|Minimum Penalty per Violation (adjusted
|Max Penalty per Violation (adjusted
|Annual Penalty Limit (adjusted for inflation)|
|Tier 1||Lack of Knowledge||$120||$60,226||$30,113|
|Tier 2||Reasonable Cause||$1,205||$60,226||$120,452|
|Tier 3||Willful Neglect||$12,045||$60,226||$301,130|
|Tier 4||Willful Neglect (not corrected within 30 days)||$60,226||$1,806,757||$1,806,757|
What are the 4 rules of HIPAA?
The four rules of HIPAA are The Privacy Rule, The Security Rule, The Breach Notification Rule, and The Omnibus Rule. These rules are regulated by the Department of Health and Human Services (HHS) and enforced by the Office for Civil Rights.
The Privacy Rule
The Privacy Rule has affected all healthcare organizations, providers of health plans (including employers), healthcare clearinghouses, and since 2013, it has covered the Business Associates of covered entities and subcontractors of business associates, according to Accountable.
The Privacy Rule implemented the PHI/ePHI safeguards of the Patients’ right to access PHI/ePHI and the Minimum Necessary Rule.
The patients’ right to access PHI/ePHI gives them the rights to:
- Obtain a copy of their health records
- Examine their health records
- Request correction if necessary
The Minimum Necessary rule is pretty self-explanatory: employees working with PHI only have access to the very minimum amount of PHI that allows them to perform their work.
The Security Rule
The Security Rule deals with ePHI and consists of administrative safeguards, physical safeguards, technical safeguards, and risk assessment (Accountable).
- Administrative safeguards involve roles and responsibilities, documentation processes, data maintenance, and training requirements
- Physical safeguards encompass access control systems, security systems, and policies about access to ePHI from mobile devices
- Technical safeguards incorporate technology and policies that protect PHI from unauthorized access
The Breach Notification Rule
The Breach Notification Rule requires covered entities and business associates to notify affected individuals within 60 days of a breach — any unauthorized use or sharing of PHI — and they must also notify HHS and the media if it’s severe (Accountable).
The Omnibus Rule
The Omnibus Rule from 2012 updates all previous rules (Accountable). Business associates are now liable for compliance, which is enforced by the Office for Civil Rights. Unauthorized use or sharing of any kind is a breach.
Key Dates in HIPAA History
|August 1996||HIPAA signed into law by President Bill Clinton|
|April 2003||Effective Date of the HIPAA Privacy Rule|
|April 2005||Effective Date of the HIPAA Security Rule|
|March 2006||Effective Date of the HIPAA Breach Enforcement Rule|
|September 2009||Effective Date of HITECH and the Breach Notification Rule|
|March 2013||Effective Date of the final Omnibus Rule|
What Documents Do I Need for HIPAA Policy and Procedure Compliance?
- HIPAA Risk Management Plan
- HIPAA Risk Analysis
- PHI location documentation (map)
- Notice of Privacy Practices
- How you’ve eliminated third party risks
- Software development lifecycles
- Business associate agreements
- How the environment is coping with identified vulnerabilities
- Breach response plan
- Current/future goals and milestones
- Explanation of unimplemented addressable implementation standards
- Work desk procedures
- Training logs
- Compliant processes and procedures
- List of authorized wireless access points
- List of all devices including physical location, serial numbers, and make/model
- Electronic commerce agreements
- Trading partner security requirements
- Lists of vendors
- Lists of employees and their access to systems
- Diagram of your physical office, including exit locations
- Disaster recovery book
- Employee handbook
- Policies and procedures for the Privacy Rule, Security Rule, and Breach Notification Rule
At first glance, this exhaustive list may seem exhausting, even impossible, but technical writers can work with what you have and make it into clear, concise, and compliant documentation.
How Essential Data Corporation Can Help
EDC has a pool of qualified technical writers ready to help with your HIPAA policy and procedure documentation needs. These writers are well versed and subject matter experts. They can take what seems like a monumental task and simplify it for you. Our perfect fit guarantee ensures that you will have a top-notch team that produces incredible and compliant HIPAA policy and procedure documentation.
Whether you need a team of consultants to produce a complete line of documentation or a single technical writer for a brief project, Essential Data’s Engagement Manager will lead the project from start to finish. At Essential Data Corporation, the quality of our work is guaranteed. Contact us today to get started. (800) 221-0093 or firstname.lastname@example.org
Written by Heidi Ripplinger