Written by
Germeen Tanas
Germeen is an aPHR-certified writer on the marketing team at BerniePortal. She writes about HR, healthcare, and benefits.
What Is HIPAA? An Essential Guide to HIPAA Compliance
Employees who aren't trained in HIPAA can pose a costly risk to your organization. In June 2023, Yakima Valley Memorial Hospital paid $240,000 to settle a HIPAA compliance breach involving 419 patients. Curious security guards violated HIPAA rules by accessing private patient information. As a result, the hospital had to enhance its HIPAA training programs and enforce stricter policies to ensure employees understand their responsibilities.
The shift from paper-based records to digital files has increased efficiency, especially when handling sensitive medical data. However, as seen in the Yakima case, the digitization of health records also brings potential security risks. Before HIPAA became law, there was no federal regulation to protect the privacy of digital health information, which left patients vulnerable to frequent privacy breaches.
What Is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a federal law that requires organizations to protect what is considered “protected health information” (PHI) from disclosure to unauthorized persons. HIPAA overrides state law on health data privacy unless the state law is more stringent than the federal law.
What Is Considered Protected Health Information (PHI) Under HIPAA?
PHI is generally any information found in medical records that can be used to identify an individual. HIPAA considers the following items protected health information:
- Names
- Geographical subdivisions smaller than a state (address, city, county, zip code, etc.)
- Dates directly related to an individual (birth date, date of death, admission/discharge date, etc.)
- Phone numbers
- Fax numbers
- Emails
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- URLs
- IP address numbers
- Biometric identifiers (fingerprints, etc.)
- Identifiable images/photographs
- Any other unique identifying numbers, characteristics, or code
According to The HIPAA Journal, employers most frequently run into HIPAA compliance issues due to:
- Impermissible uses and disclosures of PHI
- Lack of safeguards for (non-electronic) PHI
- Failures to provide patient access to PHI
- Lack of Administrative Safeguards for electronic PHI, and
- Violations of the minimum necessary standard
To maintain HIPAA compliance, employers must adhere to three major HIPAA rules: Privacy, Security, and Breach Notification.
The Key Rules of HIPAA Compliance
To ensure HIPAA compliance, organizations must adhere to three main rules: the Privacy Rule, the Security Rule, and the Breach Notification Rule.
What Is the HIPAA Privacy Rule?
The HIPAA Privacy Rule requires safeguards to protect the privacy of PHI in any medium and applies to health plans, health care clearinghouses, and health care providers. The rule also sets limits on disclosures that can be made without patient consent and gives individuals rights to examine and obtain their health records at any time. Its goal is to balance the confidentiality, integrity, and availability of private health information.
What Is the HIPAA Security Rule?
The HIPAA Security Rule extends the protections of the Privacy Rule to electronic protected health information (e-PHI). The rule sets forth specific standards that organizations must meet to safeguard e-PHI from threats such as unauthorized access and data breaches. As part of HIPAA compliance, organizations must implement security measures and ensure employees undergo proper HIPAA security training to understand how to protect patient data.
What Is the HIPAA Breach Notification Rule?
The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to notify the Secretary of Health and Human Services following a breach of unsecured protected health information.
According to the Department of Health and Human Services, if the breach affects 500 or more individuals, the covered entity must send the notification no later than 60 calendar days from the date of discovery.
If the breach affects fewer than 500 individuals, the covered entity must notify the Secretary by submitting a breach notification within 60 days of the end of the calendar year in which the breach was discovered (that is, by March 1st of the following year).
This rule is critical in maintaining transparency and trust between healthcare providers and patients, underscoring the importance of having a solid HIPAA compliance strategy in place.
Does My Organization Need HIPAA Compliance Training?
HIPAA compliance training requirements apply to all employers that are HIPAA covered entities or business associates. Healthcare providers, health plans, and healthcare clearinghouses that transmit PHI are considered covered entities.
A business associate is anyone who creates, receives, maintains, or transmits PHI for a function regulated by HIPAA or on behalf of a covered entity. This definition of a “business associate” was expanded by the HIPAA Omnibus Rule.
Any person who works in healthcare or has access to PHI must be trained in HIPAA compliance regardless of their role. So while those curious security guards from Yakima were not dealing with PHI regularly, they still needed HIPAA compliance training.
If you are a covered entity, each new member of your workforce must receive HIPAA privacy training within a reasonable period of time after they join your organization, and again whenever changes in policies or procedures are made. Some states require that training be completed within 30 or 90 days of employment, but refresher training is recommended at least annually.
Both covered entities and business associates who have access to protected health information, or PHI, must receive security awareness training.
According to The HIPAA Journal, HIPAA security awareness training should include:
- Periodic security updates,
- Procedures for guarding against, detecting, and reporting malware,
- Procedures for monitoring login attempts and reporting discrepancies,
- Procedures for creating, changing and safeguarding passwords.
This implies that security awareness training should be ongoing. HR pros should keep a close watch on the Department of Health and Human Services for new rules and guidelines that may require implementation of additional HIPAA training.
HIPAA Standards for Health Coverage
HIPAA also sets standards and regulations on health insurance coverage. HIPAA prohibits employers from offering group benefits that discriminate against individuals based on health factors such as:
- Health status
- Medical condition (including both physical and mental illnesses)
- Claims experience
- Receipt of health care
- Medical history
- Genetic information
- Evidence of insurability; or
- Disability
Under HIPAA, group benefits cannot discriminate in favor of highly compensated employees in terms of eligibility, contributions, and/or benefits. Because this is a tax-related law, the Internal Revenue Service (IRS) enforces these regulations.
Penalties for HIPAA violations can range from $100 to $1.5 million depending on the type and frequency of the violation, which makes compliance training essential to the success of your organization.
Additional Resources
You can stay informed, educated, and up to date with important HR topics using BerniePortal’s comprehensive resources:
- BernieU—free online HR courses, approved for SHRM and HRCI recertification credit
- BerniePortal Blog—a one-stop shop for HR industry news
- HR Glossary—featuring the most common HR terms, acronyms, and compliance
- Resource Library—essential guides covering a comprehensive list of HR topics
- HR Party of One—our popular YouTube series and podcast, covering emerging HR trends and enduring HR topics
- Community—the HR Party of One Community forum, a place devoted to HR professionals to ask questions, learn more, and help others