We Help Our Clients Streamline HIPAA Compliance
Compliance Team Lead – Timothy E. Allen | Former Special Agent (U.S. Secret Service & DOJ-OIG)
The Health Insurance Portability and Accountability Act (HIPAA) is among the most well-known federal laws governing the healthcare industry. It is also among the most commonly misunderstood. While most healthcare providers know that they need to address HIPAA compliance, relatively few have a clear appreciation for what this actually means.
HIPAA compliance has two main components. The first component is privacy. As the U.S. Centers for Disease Control and Prevention (CDC) explain, HIPAA’s privacy standards, “address the use and disclosure of individuals’ health information . . . [and] individuals’ rights to understand and control how their health information is used.” Covered healthcare entities must ensure that they are adequately protecting their (and other providers’) patients’ privacy, and they must be prepared to demonstrate their privacy protection efforts to the CDC and other authorities when necessary.
The second component is security. Under HIPAA’s Security Rule, covered healthcare entities must take several steps to prevent unauthorized access to patients’ electronic protected health information (e-PHI). If covered healthcare entities fail to take these steps, they can face federal penalties—regardless of whether their failure leads to a malicious intrusion.
Experience in All Aspects of HIPAA Compliance
Corporate Investigation Consulting (CIC) is a team of former federal agents who rely on centuries of combined federal investigative and law enforcement experience to help healthcare providers and other entities meet their legal obligations. This includes addressing all aspects of HIPAA compliance. From assessing individual healthcare providers’ obligations under HIPAA to evaluating and implementing third-party cybersecurity applications, we help our clients make informed decisions with their (and their patients’) best interests in mind.
As with all areas of healthcare compliance, HIPAA compliance is not a one-time event. Providers and businesses cannot purchase an off-the-shelf HIPAA compliance program and then assume they have done their duty. HIPAA compliance requires a tailored approach, and providers and other businesses must take adequate steps to ensure that they are maintaining HIPAA compliance on an ongoing basis.
We work closely with our clients to help them implement, monitor, and enforce effective HIPAA compliance programs. Whether you are starting from scratch or you have concerns about your practice’s current HIPAA compliance protocols, we can provide a solution that meets your needs. Our consultants will work closely with you to ensure that you have a clear understanding of what is required, and we will provide you with the tools you need to manage your practice’s HIPAA compliance program with confidence.
Put our highly experienced team on your side
Roger Bach
Former Special Agent (OIG)
Timothy E. Allen
Former Senior Special Agent U.S. Secret Service
Chris J. Quick
Former Special Agent (FBI & IRS-CI)
Maura Kelley
Former Special Agent (FBI)
Ray Yuen
Former Supervisory Special Agent (FBI)
Michael S. Koslow
Former Supervisory Special Agent (DOD-OIG)
Marquis D. Pickett
Special Agent U.S. Secret Service (ret.)
Core Components of an Effective HIPAA Compliance Program
To effectively address the requirements of HIPAA’s Privacy Rule and Security Rule (among the law’s other mandates and prohibitions), covered healthcare entities must adopt compliance programs that ensure compliance in all aspects of their operations on an ongoing basis. An effective HIPAA compliance program must have at least seven core components—recognizing that additional compliance efforts may be necessary case-by-case:
1. Custom HIPAA Compliance Program Documentation
Covered healthcare entities must understand their specific HIPAA compliance obligations, and then they must draft custom HIPAA compliance program documentation. This compliance program documentation must be specific to the entity, as generic program documents might establish adherence to inapplicable requirements or fail to address applicable privacy and security obligations.
2. HIPAA Compliance Officer Appointment and Orientation
All covered entities should have a designated HIPAA compliance officer. Depending on the size of the entity, its resources, and its statutory obligations, this may be a newly established position within the organization, or the relevant responsibilities may be assigned to an existing member of the entity’s leadership team. In either case, the HIPAA compliance officer should receive orientation training to ensure that they have an adequate understanding of the role that HIPAA compliance plays in the entity’s operations, IT systems, and organizational structure.
3. Staff HIPAA Training and Attestation
Relevant staff members and new hires will need to receive HIPAA training, and they should attest to completion of all relevant training courses. Covered healthcare entities will also need to conduct periodic refresher courses to educate their employees on changes in their compliance duties and expectations.
4. Internal HIPAA Compliance Monitoring, Auditing, and Enforcement
After implementing their HIPAA compliance programs, covered healthcare entities must monitor their operationalized compliance efforts, and they must conduct periodic audits to ensure that no issues go overlooked. They must also enforce their employees’ compliance responsibilities. Providers and other businesses should have automated monitoring systems in place, conduct regularly scheduled compliance audits, and take a systematic approach to enforcement—all with the goal of fostering a zero-defect culture.
5. Business Associate Due Diligence
Together with addressing HIPAA compliance internally, covered healthcare entities must also address compliance in relation to their Business Associates. Covered entities must ensure that their Business Associate Agreements (BAAs) contain appropriate obligations and protections, and they must monitor their Business Associates’ HIPAA compliance efforts on an ongoing basis. Examples of Business Associates include third-party vendors that provide claims process, data analysis, utilization review, and billing services.
6. Breach Response and Remediation Preparedness
Covered healthcare entities must have breach response protocols in place to respond to their own cybersecurity incidents as well as cybersecurity incidents involving their Business Associates. This includes protocols designed to ensure compliance with HIPAA’s breach notification requirements as well as protocols designed to facilitate efficient remediation. This is among the most important aspects of HIPAA compliance, as losing control of patients’ e-PHI can lead to both civil litigation and government enforcement action.
7. Ongoing Program Updates and Documentation of HIPAA Compliance
A key theme we impress upon our clients is that HIPAA compliance is an ongoing process. The HIPAA Rules are not set in stone, and covered healthcare entities may need to update their compliance programs from time to time. Changes in practices’ and businesses’ operations may necessitate HIPAA compliance program updates as well. Once a HIPAA compliance program becomes outdated, it no longer serves its intended purpose.
We also emphasize the importance of documentation. Beyond adopting HIPAA compliance policies and procedures, covered entities must also document their ongoing compliance efforts. Training, audits, program updates, stress testing—these are all things that can (and should) be documented. In the event that a provider’s or business’s HIPAA compliance efforts come under scrutiny, having this documentation on hand will go a long way toward fending off any potential allegations.
FAQs: Understanding Covered Healthcare Entities’ Obligations Under HIPAA
Does my business or practice need to be HIPAA compliant?
Virtually all entities in the healthcare sector are subject to HIPAA. The law applies to “[e]very healthcare provider, regardless of size of practice, who electronically transmits health information in connection with certain transactions.” It also applies to health plans (except employer-sponsored group health plans with fewer than 50 participants), healthcare clearinghouses, and other businesses and individuals “using or disclosing individually identifiable health information to perform or provide functions, activities, or services for a covered entity.”
How do healthcare providers establish HIPAA compliance?
Establishing HIPAA compliance requires a comprehensive and dedicated approach. Providers must work to ensure that they adequately address HIPAA’s privacy and security requirements in all pertinent areas of their operations—from patient record keeping and billing to contracts with cybersecurity vendors and other Business Associates. Understanding a provider’s obligations is the first step, then the provider must develop a custom HIPAA compliance program that reflects its specific obligations and risks.
What are the consequences of failing to comply with HIPAA?
Failing to comply with HIPAA can lead to federal enforcement action, and this enforcement action can be either civil or criminal in nature depending on the specific issues involved. Providers and other businesses can face substantial fines, and owners, executives, and other individuals can face fines and prison time. Noncompliance presents a risk for unauthorized access to patients’ private information as well, and this can lead to substantial civil liability irrespective of any government enforcement activity (or lack thereof).
Do I need to engage a HIPAA compliance consulting firm?
Given the complexities of HIPAA compliance and the risks of noncompliance, all covered healthcare entities should work with a team of experienced consultants to help them meet their obligations. At Corporate Investigation Consulting, our former federal agents work with healthcare providers and other businesses nationwide to help them implement, maintain, and enforce effective HIPAA compliance programs.
Speak with a HIPAA Compliance Consultant in Confidence
Do you have questions or concerns about HIPAA compliance? If so, we can help. To discuss your practice’s or business’s needs with a senior HIPAA compliance consultant at Corporate Investigation Consulting in confidence, please call 866-352-9324 or tell us how we can help online today.