Key Points:

• HIPAA encompasses four key regulations - Privacy, Security, Breach Notifications, and Enforcement - which healthcare organisations must adhere to in order to protect patient data effectively.
• Organisations aiming to maintain HIPAA compliance should appoint a compliance overseer, understand and implement HIPAA requirements, conduct regular risk assessments, educate employees, and employ tools like Metomic for data security.
• HIPAA violations can result in significant fines ranging from $100 to $1.5 million per year, contingent on the seriousness of the violation and whether corrective measures were taken.

Protecting patient data for decades, HIPAA is a federal law that dictates how healthcare organisations should manage the sensitive information they hold. 

Non-compliance with HIPAA regulations can mean facing huge financial penalties, and taking a hit to your reputation. 

But secure your data in the right way, and you can make sure you’re looking out for your customers, as well as protecting your business. 

What is HIPAA? 

HIPAA stands for the Health Insurance Portability and Accountability Act. It was brought into law in 1996 in the US, to protect patients’ PHI (Protected Health Information.

HIPAA ensures that any healthcare organisations are taking the right steps to protect data they hold, such as personal details, medical bills, and information on medication that patients may be taking. 

What are the HIPAA regulations? 

HIPAA consists of four rules: Privacy, Security, Breach Notifications and Enforcement. Let’s take a look at each of them in detail: 

HIPAA Privacy Rule 

The HIPAA website states that: ‘A major goal of the Privacy Rule is to assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being.’ 

Covered entities, such as healthcare providers, health plans, and healthcare clearinghouses, must abide by the restrictions put in place by the Privacy Rule. For instance, they should keep records of when PHI is disclosed, and gain permission from the individual before it’s shared. 

The Privacy Rule also grants individuals certain rights over their PHI, including the right to access, amend, and request restrictions on the use and disclosure of their information. Patients should also be notified about how their data is being used. 

HIPAA Security Rule 

While HIPAA was put in place before digital data became widely available, the HIPAA Security Rule was brought in in 2003 to specifically focus on electronic PHI. 

Covered entities need to make sure any PHI that’s being stored digitally is protected as well as physical data would be. That means that PHI will need to be protected while it’s being sent over networks, and devices that hold PHI must be secured. If you send PHI over a network, the data must be protected while in transit. 

Healthcare organisations that conform to HIPAA need to run frequent data risk assessments, and ensure their employees are educated on procedures they need to follow. 

HIPAA Breach Notification Rule

If a healthcare company in the US is hit by a data breach, they’re required to notify everyone who has been affected. They’re also required to tell the US Department of Health and Human Services (HHS) and any other regulatory agencies within 60 days of the breach taking place. 

A breach impacting more than 500 people will also require you to notify major media outlets in the area. 

HIPAA Enforcement Rule 

Finally, the Enforcement Rule lays out how the Office for Civil Rights can investigate businesses who are not complying with HIPAA. 

That could include involving the accused business in an investigation if there have been complaints about them breaking HIPAA rules. The OCR can establish the facts around the incident, enforce penalties, and suggest further actions for the business to take, so they’ll remain compliant in the future. 

The fines you’ll have to pay can vary depending on how severe the incident is, and how quickly you were able to fix it.

A HIPAA Compliance checklist 

“HIPAA isn’t something to take lightly,” says CEO of Metomic, Rich Vibert. “Get a clear understanding of your duties to your patients, so you know how to protect the data you have on record. You should make sure you have a solid plan in place to maintain a great reputation, and avoid hefty financial penalties.” 

Putting a clear strategy together can help you ensure you’re complying with HIPAA at all times. 

Tick these tasks off your HIPAA checklist: 

1. Appoint someone to oversee HIPAA compliance in your business
2. Understand what the HIPAA requirements are and how they specifically apply to your business 
3. Run a risk assessment to understand where your weaknesses lie 
4. Put processes in place that align with HIPAA compliance and de-risk the chances of PHI being shared
5. Educate your employees on HIPAA compliance, and how it relates to their role 
6. Create clear privacy notices so your patients understand how their data will be secured
7. Implement regular risk assessments to see how your process is working 
8. Amend and adjust accordingly 

What are the penalties for breaking HIPAA Compliance? 

If you’re found to have breached HIPAA rules, you’ll be fined based on the outcome of the investigation, and whether you deliberately neglected to comply. Here’s what you could end up shelling out: 

• Tier 1: Unaware of HIPAA rules and would not have known the rules existed, even with due diligence: $100 - $50,000 per violation. Maximum amount of $25,000 per year. 
• Tier 2: Reasonable cause that the covered entity knew about or should have known about the violation, if due diligence was carried out: $1,000 - $50,000 per violation. Maximum amount of $100,000 per year. 
• Tier 3: Wilful neglect of HIPAA rules, with the violation remediated within 30 days of discovery. $10,000 - $50,000 per violation. Maximum amount of $250,000 per year. 
• Tier 4: Wilful neglect with no effort made to rectify the issue within 30 days. $50,000 per violation. Maximum amount of $1.5 million per year. 

How Metomic can help you stay HIPAA compliant

When it comes to using SaaS apps like Slack, employees are constantly sharing sensitive data as they collaborate on issues that need to be resolved. 

You can help keep your SaaS apps HIPAA compliant by implementing a data security software, like Metomic that can automatically redact sensitive data once it’s shared, or after a set retention period. It enables your employees to get on with their jobs, while locking down your most sensitive data. 

A tool like Metomic can also help you to educate your employees on your security policies whenever they share sensitive data, with real-time notifications to let them know where they’re going wrong. 

Make sure you’re regularly monitoring your SaaS apps to ensure sensitive data is secure, and you’re still compliant with HIPAA. Finally, make sure your Slack environment is protected by multi-factor authentication and the correct access controls to stop bad actors getting into your systems. 

For a free Risk Audit on your Slack workspace, book a demo with one of our cybersecurity experts. We’ll be in touch soon. 

‍