HIPAA, a US federal law that has protected patient data for decades, dictates how healthcare organisations must manage the sensitive information they hold.
Non-compliance with HIPAA regulations can mean facing huge financial penalties and taking a hit to your reputation.
But secure your data in the right way, and you can make sure you’re looking out for your customers, as well as protecting your business.
HIPAA stands for the Health Insurance Portability and Accountability Act. It was brought into law in 1996 in the US to protect patients’ PHI (Protected Health Information).
HIPAA ensures that any healthcare organisations are taking the right steps to protect data they hold, such as personal details, medical bills, and information on medication that patients may be taking.
HIPAA consists of four rules: Privacy, Security, Breach Notifications and Enforcement. Let’s take a look at each of them in detail:
The HIPAA website states that: ‘A major goal of the Privacy Rule is to assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being.’
Covered entities, such as healthcare providers, health plans, and healthcare clearinghouses, must abide by the restrictions put in place by the Privacy Rule. For instance, they should keep records of when PHI is disclosed, and gain permission from the individual before it’s shared.
The Privacy Rule also grants individuals certain rights over their PHI, including the right to access, amend, and request restrictions on the use and disclosure of their information. Patients should also be notified about how their data is being used.
While HIPAA was put in place before digital data became widespread, the HIPAA Security Rule was introduced in 2003 to focus specifically on electronic PHI.
Covered entities need to make sure any PHI that’s stored digitally is protected as well as physical records would be. That means PHI must be protected while in transit whenever it is sent over a network, and any device that holds PHI must be secured.
Healthcare organisations that conform to HIPAA need to run frequent data risk assessments, and ensure their employees are educated on procedures they need to follow.
If a healthcare company in the US is hit by a data breach, it is required to notify everyone who has been affected. It is also required to tell the US Department of Health and Human Services (HHS) and any other regulatory agencies within 60 days of the breach taking place.
A breach impacting more than 500 people will also require you to notify major media outlets in the area.
Finally, the Enforcement Rule lays out how the Office for Civil Rights (OCR) can investigate businesses that are not complying with HIPAA.
That could include opening an investigation into a business if there have been complaints about it breaking HIPAA rules. The OCR can establish the facts around the incident, enforce penalties, and suggest further actions for the business to take so that it remains compliant in the future.
The fines you’ll have to pay can vary depending on how severe the incident is, and how quickly you were able to fix it.
“HIPAA isn’t something to take lightly,” says CEO of Metomic, Rich Vibert. “Get a clear understanding of your duties to your patients, so you know how to protect the data you have on record. You should make sure you have a solid plan in place to maintain a great reputation, and avoid hefty financial penalties.”
Putting a clear strategy together can help you ensure you’re complying with HIPAA at all times.
Tick these tasks off your HIPAA checklist:
If you’re found to have breached HIPAA rules, you’ll be fined based on the outcome of the investigation, and whether you deliberately neglected to comply. Here’s what you could end up shelling out:
When it comes to using SaaS apps like Slack, employees are constantly sharing sensitive data as they collaborate on issues that need to be resolved.
You can help keep your SaaS apps HIPAA compliant by implementing data security software, like Metomic, that can automatically redact sensitive data once it’s shared, or after a set retention period. It enables your employees to get on with their jobs while locking down your most sensitive data.
A tool like Metomic can also help you to educate your employees on your security policies whenever they share sensitive data, with real-time notifications to let them know where they’re going wrong.
Make sure you’re regularly monitoring your SaaS apps to ensure sensitive data is secure, and you’re still compliant with HIPAA. Finally, make sure your Slack environment is protected by multi-factor authentication and the correct access controls to stop bad actors getting into your systems.
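To make the redaction-on-share and retention-based redaction described above concrete, here is an added example (not Metomic’s product or API) that scans constructed Slack-style messages for a few illustrative PHI patterns, scrubs SSNs immediately, and scrubs other PHI once a message is older than a retention period. The patterns, the `MRN-` record-number format, the sample messages and the seven-day retention window are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed, illustrative PHI patterns (not a complete PHI detector): a US SSN,
# a hypothetical "MRN-" + six-digit record number, and a labelled date of birth.
PHI_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "MRN": re.compile(r"\bMRN-\d{6}\b"),
    "DOB": re.compile(r"\bDOB[: ]+\d{2}/\d{2}/\d{4}\b"),
}
# Policy (assumed for the example): SSNs are scrubbed the moment they are shared;
# other PHI is scrubbed once the message is older than RETENTION.
REDACT_ON_SHARE = frozenset({"SSN"})
RETENTION = timedelta(days=7)

def find_phi(text):
    """Return the PHI categories detected in a message, in pattern order."""
    return [name for name, pat in PHI_PATTERNS.items() if pat.search(text)]

def redact_categories(text, categories):
    """Replace every match of the given categories with a category tag."""
    for name in categories:
        text = PHI_PATTERNS[name].sub(f"[REDACTED {name}]", text)
    return text

def apply_policy(messages, now, retention=RETENTION, on_share=REDACT_ON_SHARE):
    """Apply share-time and retention-based redaction to Slack-style messages.
    Each message is a dict with 'ts' (aware datetime) and 'text'; returns new
    dicts carrying the redacted text and the categories that were removed."""
    results = []
    for msg in messages:
        found = find_phi(msg["text"])
        expired = now - msg["ts"] > retention
        to_redact = found if expired else [c for c in found if c in on_share]
        results.append({"ts": msg["ts"], "redacted": to_redact,
                        "text": redact_categories(msg["text"], to_redact)})
    return results

# Constructed sample data: a channel snapshot taken at NOW.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_MESSAGES = [
    {"ts": NOW - timedelta(hours=1), "text": "Patient MRN-123456 follow-up, DOB: 02/14/1970"},
    {"ts": NOW - timedelta(days=10), "text": "Old thread: MRN-654321 billing question"},
    {"ts": NOW - timedelta(minutes=5), "text": "SSN 123-45-6789 attached to the claim"},
    {"ts": NOW - timedelta(days=3), "text": "Lunch at noon?"},
]

def run_sample():
    """Run the policy over the constructed snapshot and return the results."""
    return apply_policy(SAMPLE_MESSAGES, NOW)
```

Calling `run_sample()` shows the fresh MRN/DOB message left intact, the ten-day-old MRN message scrubbed by retention, and the SSN scrubbed regardless of age; a real deployment would pull messages through the Slack API and act on the `redacted` list (for example by editing the message and notifying the author).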
For a free Risk Audit on your Slack workspace, book a demo with one of our cybersecurity experts. We’ll be in touch soon.