HIPAA Compliance Overview

What is HIPAA?

Introduced in 1996, the Health Insurance Portability and Accountability Act specifies certain rules and parameters any company that deals with PHI must adhere to.  Penalties for not achieving and maintaining compliance range from the bad to
catastrophic:

ViolationAmount per violationViolations of an identical provision in a calendar year
Did Not Know$100 – $50,000$1,500,000
Reasonable Cause$1,000 – $50,000$1,500,000
Willful Neglect — Corrected$10,000 – $50,000$1,500,000
Willful Neglect — Not Corrected$50,000$1,500,000

What is PHI?

PHI, or Patient Health Information, is any item that meets the guidelines specified by Health and Human Services.  Some of the guidelines include, but are not limited to (the full list can be seen on our website at https://www.dansnetworks.com/services/hipaa-compliance):

  1. Names
  2. All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the U.S. Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
  3. Dates (other than year) directly related to an individual
  4. Phone Numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health insurance beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers;
  13. Device identifiers and serial numbers;
  14. Web Uniform Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger, retinal and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data.

Who Does HIPAA Apply To?

Anyone who deals with any information that deals with the above items.  That obviously includes any health care provider, but it also encompasses businesses that are not as obvious, such as law firms (medical malpractice, personal injury, etc.).

How Do We Achieve HIPAA Compliance?

First off, you need to have IT providers that are HIPAA compliant, meaning that they have internal policies to prevent any leakage of PHI that they may encounter.  To protect yourself, you need to have the provider sign a BAA (business associate agreement).  This basically is a contract that says the provider is HIPAA compliant – it essentially “passes the buck” downstream, so that if there were a breach due to your provider, some of the penalties pass downstream.  In turn, your provider will procure BAAs from their providers, such as hosted email services like Microsoft Office 365, cloud backup solutions, etc.

Second, you need to observe practices and guidelines that your provider goes over with you.  These are things such as restricting access to PHI on a “need to know” basis, avoiding storing PHI in any non-personnel accessible locations, and even making sure physical access is restricted to PHI. 

Some of the practices that can help achieve this include:

  • Storing PHI on an encrypted device – data must be encrypted at rest and in transit, meaning that any storage device that holds PHI must have HIPAA-compliant encryption.  This includes servers, workstations, and network storage devices.
  • Avoiding any PHI on the desktop – employees must not store PHI in locations such as desktop, my documents, or anywhere else on a personal computer.  If there is a physical breach such as theft, or even a virus, that constitutes a breach.
  • Making sure that any printers are safe-guarded from physical access and that any storage media is wiped prior to the printer leaving (in case of a lease or sale).  Most printers store copies of documents scanned on internal storage, making these devices a very big security risk.

How are Managed Services HIPAA Compliant?

To provide HIPAA compliant managed services, we observe all of the appropriate practices. We will advise you of any potential issues, help your company address those issues, and then also monitor at all times to make sure those solutions are in effect. This includes keeping operating systems, 3rd party software, and any line of business applications up to date. They also include verify physical and electronic access to any PHI is guarded, and monitoring to make certain practices such as storing PHI on workstations is not violated. These practices are above and beyond typical managed services, which is why they tend to cost more.