HIPAA – Health Insurance Portability and Accountability Act
HIPAA stands for Health Insurance Portability and Accountability Act. It requires that healthcare facilities (hospitals, clinics, and private practices…) with access to Protected Health Information (PHI) take action to protect their patients’ data.
Anytime a healthcare facility outsources a service, the service must be HIPAA compliant as well. Altogether, both partners being HIPAA compliant leads to exceptional data security. That’s why at Ditto Transcripts, we understand the severity of data breaches and are 100% HIPAA compliant with our medical transcription services.
In this article, we’ll explain more about HIPAA and what we do to stay in compliance.
What Does HIPAA Really Do?
HIPAA is the Health Insurance Portability and Accountability Act, which sets a standard for patient data protection. It defines a series of regulatory standards that companies must follow if they handle sensitive protected health information (PHI). All healthcare facilities, including hospitals, doctor offices, and clinics, must outsource their confidential files only to companies that are HIPAA compliant. Otherwise, they risk violating the law and facing lawsuits.
The history of HIPAA and how it came to be
HIPAA became law in 1996 when the Health Insurance Portability and Accountability Act (HIPAA) was signed. It was created to improve the portability and accountability of health insurance coverage for employees handling Protected Health Information (PHI). Other goals were to eliminate waste, fraud, and abuse in health insurance and in health care delivery. Over time, HIPAA became a vehicle for encouraging the healthcare industry to digitize patient documents.
As HIPAA is a complex topic that covers many aspects, we’ll break it down so it’s easier to understand.
First though: what counts as Protected Health Information (PHI)?
Under HIPAA, PHI includes health information such as diagnostics, treatment information, prescription information, and medical test results. Identification numbers and demographic information such as birth dates, ethnicity, gender, and contact information also fall under HIPAA protection.
Who Needs to be HIPAA Compliant?
Anyone who works in healthcare, or does business with healthcare clients in a way that requires access to health data, must be HIPAA compliant. Organizations include:
- Nursing homes
- Health clinics
If any of these enterprises need outsourcing (translating, transcription, medical billing and coding, etc.), the company they choose to outsource to also needs to be HIPAA compliant. This means the medical provider or facility is responsible for knowing whether it is doing business with a legitimate medical transcription services company or a fraudulent foreign-based company.
What Is HIPAA Compliance?
HIPAA compliance requires physicians, and anyone else in the healthcare industry, to protect electronically stored PHI using appropriate administrative, physical, and technical safeguards. This ensures the confidentiality and security of the information.
Violators of provisions in the HIPAA Privacy and Security Rules can be financially penalized. In severe cases of neglect of HIPAA privacy, criminal penalties can also be imposed.
HIPAA Security Requirements
- Administrative Safeguards require conducting ongoing risk assessments to identify potential vulnerabilities and risks to PHI.
- Physical Safeguards are measures put in place to prevent unauthorized physical access to PHI and to protect data from disasters like fire, flooding, and other environmental hazards.
- Technical Safeguards are the controls needed to ensure data security when PHI is stored or shared over an electronic network.
Many more HIPAA security requirements fall under the 3 safeguards to protect data.
Designated Security Official
Each organization has one designated security official in charge of developing and implementing its HIPAA Security Rule program. Because the role is so important, it is almost always held by a manager who reports to the board or to practice management.
Security Management System
Companies handling HIPAA information must establish policies and procedures to prevent, detect, contain, and correct security breaches and violations. If not, your company could be fined and assessed a 20-year penalty by the FTC for violating HIPAA confidentiality requirements.
Identify Workforce Access Needs
An organization must be able to identify which employees require access to PHI. Applying the principle of least privilege, granting each user only the access their job requires, is the standard way to achieve this.
Restricted Information Access
Once it’s decided which employees get access to PHI, restricted access should be implemented via permissions.
Security Awareness Training
Users must be thoroughly trained on the rules and security policies. All staff should be on the same page, and resources should be made available for reference.
Security Incident Procedures
If anything happens, like a breach in security, organizations need to have a policy in place so that the staff knows the proper steps to take.
The Contingency Plan comes after the Security Incident Procedure. This plan should include a data backup, disaster recovery, and emergency operation plan if PHI is breached. The Contingency Plan also includes testing and revising the plans and managing applications that maintain, store, and send PHI.
Evaluations and Improvements
As the HIPAA Security Rule changes often, it’s crucial to establish a process to review and maintain policies and procedures.
Any healthcare related business that is outsourced needs to be HIPAA compliant, as well. This ensures both organizations understand the HIPAA rules and follow the same policies. Organizations can rest assured data is not breached.
Physical Facility Access Controls
Any place where PHI is stored should have physical barriers. For example, the room where the computers are stored should have a heavy-duty lock and a security system. Any cabinets with files inside should also have some kind of complicated locking system.
Strict Workstation Use
All workstations used to access PHI (desktops, laptops, and tablets) should be secured. Any device used to access PHI should follow this policy, regardless of whether it is onsite or offsite, online or offline.
Technical Workstation Security
Remote wipe safeguards and encryption should be implemented on all workstations used to access PHI.
Auxiliary Device and Media Controls
Implementing computer safeguards is the start. Anything that has contact with the computers or devices such as tape backups, USB drives, and removable storage, must also have safeguards. These devices may need to be wiped and disposed of after usage.
Audit Access Control Lists
User authentication is required to access PHI. It can take the form of one-time passwords, two-factor authentication, device recognition, and so on. A regular schedule should be set for reviewing audit logs and access control lists so that suspicious logins are noticed.
Breach Audit Trail and Reporting
Policies and procedures need to be in place in case of a breach. The audit lists will show where the breach came from. The breach then must be appropriately reported based on the procedures.
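The review described in the two sections above (least-privilege access lists checked against an audit trail, with suspicious logins flagged for the incident procedure) can be automated. The script below is an added illustration, not Ditto Transcripts’ tooling; the authorization table, audit entries, failure threshold and business-hours window are all constructed assumptions.

```python
"""Review a PHI access audit log against an authorized-access list.
Constructed example: the users, record sets and log entries are made up."""
from collections import Counter
from datetime import datetime

# Constructed least-privilege decisions: which user may read which PHI record set.
AUTHORIZED = {
    "transcriptionist_a": {"clinic-north"},
    "transcriptionist_b": {"clinic-south"},
    "security_official": {"clinic-north", "clinic-south"},
}

# Constructed audit trail: timestamp, user, event, record set, source IP.
AUDIT_LOG = """\
2024-03-04T09:02:11 transcriptionist_a LOGIN_OK clinic-north 10.0.0.5
2024-03-04T09:03:40 transcriptionist_a READ clinic-north 10.0.0.5
2024-03-04T09:10:02 transcriptionist_b READ clinic-north 10.0.0.9
2024-03-04T23:41:00 transcriptionist_b READ clinic-south 203.0.113.7
2024-03-04T23:41:05 contractor_x LOGIN_FAIL clinic-south 203.0.113.7
2024-03-04T23:41:09 contractor_x LOGIN_FAIL clinic-south 203.0.113.7
2024-03-04T23:41:12 contractor_x LOGIN_FAIL clinic-south 203.0.113.7
2024-03-04T23:41:20 contractor_x LOGIN_OK clinic-south 203.0.113.7
"""

FAIL_THRESHOLD = 3            # assumed: failed logins per user/source before flagging
BUSINESS_HOURS = range(7, 20)  # assumed policy window, 07:00-19:59


def parse(log: str):
    """Yield (timestamp, user, event, record_set, ip) tuples from the log text."""
    for line in log.splitlines():
        ts, user, event, record_set, ip = line.split()
        yield datetime.fromisoformat(ts), user, event, record_set, ip


def review(log: str, authorized: dict) -> list:
    """Return findings, in log order, that a reviewer would escalate."""
    findings = []
    failures = Counter()
    for ts, user, event, record_set, ip in parse(log):
        if event == "LOGIN_FAIL":
            failures[(user, ip)] += 1
            if failures[(user, ip)] == FAIL_THRESHOLD:  # report once per burst
                findings.append(f"repeated login failures: {user} from {ip}")
        elif event == "LOGIN_OK" and user not in authorized:
            findings.append(f"login by unlisted account: {user} from {ip}")
        elif event == "READ":
            if record_set not in authorized.get(user, set()):
                findings.append(f"unauthorized PHI read: {user} -> {record_set}")
            if ts.hour not in BUSINESS_HOURS:
                findings.append(f"off-hours PHI read: {user} at {ts.isoformat()}")
    return findings
```

Running `review(AUDIT_LOG, AUTHORIZED)` on the constructed log yields four findings: one out-of-scope read, one off-hours read, one failed-login burst and one successful login by an account that is not on the access list.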
Ability to Recover and Restore
Any computer system containing PHI must have the capacity to recover and restore files lost due to a breach, accidental deletion, or natural disaster. The organization must be able to demonstrate this to be HIPAA compliant.
Person or Entity Authentication
Anybody accessing PHI must prove they are who they say they are. Personal authentication can be through personal questions, two-factor authentication or anything that works for the organization and is effective.
When sending PHI to business partners, you must be able to show that only authorized individuals have access to the PHI. You can use SFTP or HTTPS file transfer, encrypted email with a private key, or a VPN. HIPAA doesn’t prescribe how you set this up; what matters is whether authorized or non-authorized personnel accessed, or could have accessed, the PHI.
What Is a HIPAA Violation?
A HIPAA violation happens when a breach in an organization’s compliance program compromises the integrity of PHI.
Does a breach always mean a violation?
No. A data breach becomes a violation when the breach is the result of an ineffective, outdated, or incomplete HIPAA compliance program. It could also be a direct violation of an organization’s HIPAA policies.
Here’s an example of the difference:
- An employee’s laptop containing PHI gets stolen. This is a data breach.
- After the employee’s laptop gets stolen, the organization doesn’t have a policy in place barring laptops being taken off site or requiring encryption. This is a HIPAA violation.
In 2018, OCR found 10 companies in violation of HIPAA compliance requirements. This resulted in $28.7 million in fines altogether.
In 2009, Blue Cross Blue Shield of Tennessee had a data breach exposing over 1 million records. It cost them an estimated $18.5 million.
In 2015, Anthem Inc. suffered a breach of 80 million records, costing them $1 billion.
Some of the most common HIPAA violations are:
- Stolen devices (laptop, phone, USB)
- Malware incidents
- Office break-in
- Sending PHI to the wrong person
- Social media posts
- Ransomware attack
- Discussion of PHI outside of work
These violations fall into several common categories:
- Use and disclosure
- Access controls
- The Minimum Necessary Rule
- Improper security safeguards
- Notice of Privacy Practices
If an organization gets a HIPAA violation and claims they didn’t know about the incident, they will still get fined. Here is a chart of the fine amounts depending on the severity of the violation.
Elements of an Effective HIPAA Compliance Program
To ensure organizations have all the boxes ticked for HIPAA compliance, the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) created a compliance training guide. The guide is referred to as “The Seven Fundamental Elements of an Effective Compliance Program.”
An auditor will use these criteria during investigations, so as long as the organization follows the seven elements, it will be in compliance.
How Ditto Transcripts Complies
At Ditto Transcripts, we understand the importance of being HIPAA compliant. That’s why we’re a business associate that takes Protected Health Information (PHI) seriously. How are we compliant with HIPAA and dedicated to keeping your information confidential?
Detailed Reporting and Tracking Features
Our data reporting and tracking features include:
- Monitor all modifications to PHI across file services to detect breaches.
- Track and monitor all changes to access rights and file server permissions to identify anomalies.
- Audit and report all access to PHI to ensure that no unauthorized changes take place.
- Use customizable, built-in alerting to regularly audit file/folder-related activities.
- Detect and respond to mass access with customizable, automated responses.
HIPAA Training Information
Individually Defined User Access Levels
We use user-based access to secure the software and its features, allowing granular control of the system. The software ensures files are kept between you and the employees involved with the transcription, and no one else.
Individual User Names, Passwords, and PINs
Having individual usernames, passwords, and PINs ensures the right people are accessing files. At Ditto Transcripts, there is no account sharing or screen peeking. Each medical transcriptionist works within their own account, with their own individual access.
Usernames, passwords, and PINs can be immediately deactivated upon request. They can also be automatically deactivated once you finish your work with us so your files are no longer accessible remotely on our systems.
Scaled Network Redundancy
Ditto Transcripts’ networks are highly redundant. An interruption in one connection does not take our systems offline: we have alternative network paths, implemented with standby routers and switches.
Virtual Private Network (VPN) Integration
We understand that sharing files over the public internet puts your security at risk. We use a VPN whose tunneling protocols encrypt data at the sending end and decrypt it at the receiving end. In simpler terms, our use of a VPN ensures other internet users can’t hack your files.
Dedicated HIPAA Compliant Data Centers
We store data in HIPAA compliant Amazon cloud servers. Amazon Web Services (AWS) improves our ability to meet core security and HIPAA compliance requirements such as data locality, confidentiality, and protection.
SSL 256-bit Secure Encryption
To avoid being hacked, Ditto Transcripts uses SSL 256-bit secure encryption. A hacker would need to try hundreds of trillions of different combinations to break a 256-bit encrypted message. It’s virtually impossible to be broken by even the fastest computers in the world.
Secure FTP (SFTP) Servers
To send files confidentially, Ditto Transcripts uses a secure FTP server. The server supports many operations, such as transferring multiple files, listing directories, managing remote files, and creating and deleting directories. We also rely on the secure server for security features such as authentication, encryption, data integrity, password management, and access control mechanisms.
If you have any questions about HIPAA, please let us know by phone, by email, or through our contact us page using the button above.