Blog
April 19, 2024

The Ultimate Guide to HIPAA Compliance Regulations for SaaS

This article explains HIPAA compliance regulations for healthcare providers, including the Privacy, Security, Breach Notification, and Enforcement Rules. Learn how to create a HIPAA compliance checklist and avoid costly penalties.


Key Points:

  • HIPAA encompasses four key compliance regulations - Privacy, Security, Breach Notification, and Enforcement - which healthcare organizations must adhere to in order to protect patient data effectively.
  • Organizations aiming to maintain HIPAA compliance should appoint a compliance overseer, understand and implement HIPAA requirements, conduct regular risk assessments, educate employees, and employ tools like Metomic for data security.
  • HIPAA violations can result in significant fines ranging from $100 to $1.5 million per year, contingent on the seriousness of the violation and whether corrective measures were taken.

HIPAA is a US federal law that has protected patient data for decades by dictating how healthcare organizations must manage the sensitive information they hold.

Non-compliance with HIPAA regulations can mean facing huge financial penalties, and taking a hit to your reputation. 

But secure your data in the right way, and you can make sure you’re looking out for your customers, as well as protecting your business. 

What is HIPAA? 

HIPAA stands for the Health Insurance Portability and Accountability Act. It was brought into law in 1996 in the US, to protect patients’ PHI (Protected Health Information).

HIPAA ensures that any healthcare organizations are taking the right steps to protect data they hold, such as personal details, medical bills, and information on medication that patients may be taking.

What are the 18 PHI identifiers, under HIPAA?

The 18 PHI data elements that organisations must protect are:

  • Patient name
  • Address (all components)
  • All dates (birthdate, treatment dates, etc.)
  • Telephone numbers
  • Vehicle ID and serial numbers
  • Fax numbers
  • Device identifiers & serial numbers (most device IDs are derived from the MAC address, IMEI number, or ESN number)
  • Email addresses
  • URLs
  • Social security numbers
  • IP addresses
  • Medical record numbers
  • Biometric IDs
  • Health plan numbers
  • Full-face photos
  • Account numbers
  • Any other uniquely identifying ID or code
  • Certificate or license numbers

Who needs to comply with HIPAA regulations?

If you’re dealing with healthcare data, and are based in the US, it’s likely you’ll need to comply with HIPAA. There are two main groups that need to comply. They are:

  • Covered Entities: these include health plans, clearinghouses, and certain healthcare providers like doctors, pharmacies, and dentists who submit electronic claims.
  • Non-covered Entities: these organisations are not bound by the Privacy Rule, and can include wearable tech, health apps, or providers not dealing with electronic data.

It's essential to determine your classification to ensure compliance and avoid penalties under HIPAA.

Read more: Covered Entities v Non-covered Entities

What are the 4 main rules of HIPAA? 

HIPAA consists of four rules: Privacy, Security, Breach Notifications and Enforcement. Let’s take a look at each of them in detail: 

1. HIPAA Privacy Rule 

The HIPAA website states that:

‘A major goal of the Privacy Rule is to assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being.’ 

Covered entities under HIPAA, such as healthcare providers, health plans, and healthcare clearinghouses, must abide by the restrictions put in place by the Privacy Rule. For instance, they should keep records of when PHI is disclosed, and gain permission from the individual before it’s shared. 

The Privacy Rule also grants individuals certain rights over their PHI, including the right to access, amend, and request restrictions on the use and disclosure of their information. Patients should also be notified about how their data is being used. 

Non-covered entities, such as wearable tech or health apps, don’t fall under the Privacy Rule but may still have to comply with other aspects of HIPAA.

2. HIPAA Security Rule 

While HIPAA was passed before digital records were widespread, the HIPAA Security Rule was introduced in 2003 to focus specifically on electronic PHI.

Covered entities need to make sure any PHI stored digitally is protected at least as well as physical records would be. That means devices that hold PHI must be secured, and PHI sent over a network must be protected while it is in transit.

Healthcare organizations that conform to HIPAA need to run frequent data risk assessments, and ensure their employees are educated on procedures they need to follow. 

3. HIPAA Breach Notification Rule

If a healthcare company in the US is hit by a data breach, they’re required to notify everyone who has been affected. They’re also required to tell the US Department of Health and Human Services (HHS) and any other regulatory agencies within 60 days of the breach taking place. 

A breach impacting more than 500 people will also require you to notify major media outlets in the area. 

4. HIPAA Enforcement Rule 

Finally, the Enforcement Rule lays out how the Office for Civil Rights (OCR) can investigate businesses that are not complying with HIPAA.

If complaints have been made about a business breaking HIPAA rules, the OCR can open an investigation into it, establish the facts around the incident, enforce penalties, and suggest further actions for the business to take so that it remains compliant in the future.

The fines you’ll have to pay can vary depending on how severe the incident is, and how quickly you were able to fix it.

A HIPAA compliance requirements checklist 

CEO of Metomic, Rich Vibert says:

“HIPAA isn’t something to take lightly. Get a clear understanding of your duties to your patients, so you know how to protect the data you have on record. You should make sure you have a solid plan in place to maintain a great reputation, and avoid hefty financial penalties.” 

Putting a clear strategy together can help you ensure you’re complying with HIPAA at all times. 

Tick these tasks off your HIPAA checklist: 

  1. Appoint someone to oversee HIPAA compliance in your business
  2. Understand what the HIPAA requirements are and how they specifically apply to your business 
  3. Run a risk assessment to understand where your weaknesses lie 
  4. Put processes in place that align with HIPAA compliance and de-risk the chances of PHI being shared
  5. Educate your employees on HIPAA compliance, and how it relates to their role 
  6. Create clear privacy notices so your patients understand how their data will be secured
  7. Implement regular risk assessments to see how your process is working 
  8. Amend and adjust accordingly 

What are the penalties for breaking HIPAA compliance? 

If you’re found to have breached HIPAA rules, you’ll be fined based on the outcome of the investigation, and whether you deliberately neglected to comply. Here’s what you could end up shelling out: 

  • Tier 1: Unaware of HIPAA rules and would not have known the rules existed, even with due diligence: $100 - $50,000 per violation. Maximum amount of $25,000 per year. 
  • Tier 2: Reasonable cause that the covered entity knew about or should have known about the violation, if due diligence was carried out: $1,000 - $50,000 per violation. Maximum amount of $100,000 per year. 
  • Tier 3: Wilful neglect of HIPAA rules, with the violation remediated within 30 days of discovery. $10,000 - $50,000 per violation. Maximum amount of $250,000 per year. 
  • Tier 4: Wilful neglect with no effort made to rectify the issue within 30 days. $50,000 per violation. Maximum amount of $1.5 million per year. 

How Metomic can help you stay HIPAA compliant

You can help keep your SaaS apps HIPAA compliant by implementing data security software, like Metomic, that can automatically redact sensitive data once it’s shared, or after a set retention period. It enables your employees to get on with their jobs, while locking down your most sensitive data.

A tool like Metomic can also help you to educate your employees on your security policies whenever they share sensitive data, with real-time notifications to let them know where they’re going wrong. 
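As an added example (not code from the original post or from Metomic), the following Python script shows what a minimal version of the detect-and-redact workflow described above looks like, run over a few constructed Slack-style messages. It covers only the regex-detectable subset of the 18 identifiers listed earlier in the article (social security numbers, email addresses, phone numbers, IP addresses, medical record numbers, dates); the pattern shapes, the `Message` and `Policy` classes, the two policy modes (`on_share` and `after_retention`), the notification wording and the sample messages are all assumptions made for this illustration.

```python
"""Toy PHI detector/redactor for chat messages (constructed example, not Metomic's code)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Regex-detectable subset of the 18 HIPAA identifiers. Names, street addresses,
# photos and biometrics cannot be found this way; a real DLP product adds
# dictionaries, NLP and human review for those. Patterns are deliberately
# simple and are assumptions made for this example.
PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "PHONE": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}-\d{4}\b"),
    "IPV4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "MRN": re.compile(r"\bMRN[ #:]*\d{6,10}\b", re.IGNORECASE),
    "DATE": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}


@dataclass
class Message:
    channel: str
    author: str
    sent_at: datetime
    text: str


@dataclass
class Policy:
    mode: str            # "on_share": redact as soon as PHI is detected
    retention: timedelta  # "after_retention": redact once the message is this old


def scan(text: str) -> List[Tuple[str, str]]:
    """Return (identifier kind, matched text) for every pattern hit, in pattern order."""
    return [(kind, m.group()) for kind, rx in PATTERNS.items() for m in rx.finditer(text)]


def redact(text: str) -> str:
    """Replace each detected identifier with a labelled placeholder."""
    for kind, rx in PATTERNS.items():
        text = rx.sub(f"[REDACTED-{kind}]", text)
    return text


def enforce(msg: Message, policy: Policy, now: datetime) -> Tuple[str, Optional[str]]:
    """Apply the policy to one message; return (text to keep, employee notification or None)."""
    findings = scan(msg.text)
    if not findings:
        return msg.text, None
    expired = now - msg.sent_at >= policy.retention
    if policy.mode == "on_share" or expired:
        kinds = ", ".join(sorted({kind for kind, _ in findings}))
        note = (f"@{msg.author}: your message in {msg.channel} contained {kinds} "
                f"and has been redacted. Please keep PHI in approved systems, not chat.")
        return redact(msg.text), note
    return msg.text, None  # PHI present but still inside the retention window


# Constructed sample data: a fixed "now" and three messages, none of them real.
NOW = datetime(2024, 4, 19, 12, 0, tzinfo=timezone.utc)
SAMPLE_MESSAGES = [
    Message("#billing", "alice", NOW - timedelta(minutes=5),
            "Patient MRN 00482913 (SSN 123-45-6789) called from (415) 555-0123, DOB 02/14/1970"),
    Message("#support", "bob", NOW - timedelta(days=45),
            "Forwarded the scan to jane.doe@example.com from workstation 10.20.30.44"),
    Message("#general", "carol", NOW - timedelta(hours=1),
            "Team lunch 04/22/2024? Deploy 2.0.1 went fine."),
]
ON_SHARE = Policy("on_share", timedelta(days=30))
AFTER_RETENTION = Policy("after_retention", timedelta(days=30))


def run_policy(policy: Policy, now: datetime = NOW) -> List[Tuple[str, Optional[str]]]:
    """Run every sample message through the policy and collect the outcomes."""
    return [enforce(m, policy, now) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for label, policy in (("on_share", ON_SHARE), ("after_retention", AFTER_RETENTION)):
        print(f"--- policy: {label}")
        for text, note in run_policy(policy):
            print(text)
            if note:
                print("  notify:", note)
```

Two things worth noticing when you run it. Under `after_retention`, Alice's five-minute-old message is left alone even though it contains four identifiers, while Bob's 45-day-old message is redacted; under `on_share` both are redacted immediately, which is the behaviour you want for channels where PHI should never appear. Carol's message is flagged only because the `DATE` pattern matches any `mm/dd/yyyy` string: a lunch date is not PHI, and a production tool has to tune such patterns against false positives so that employees do not start ignoring the notifications.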

Make sure you’re regularly monitoring your SaaS apps to ensure sensitive data is secure, and you’re still compliant with HIPAA. Finally, make sure your Slack environment is protected by multi-factor authentication and the correct access controls to stop bad actors from getting into your systems.

For a Risk Audit on your Slack workspace, book a personalised demo with one of our cybersecurity experts.
