Updated: Apr 16, 2024   |   Fergal Glynn

HIPAA compliance and privacy: What employers need to know


The Health Insurance Portability and Accountability Act (HIPAA) is U.S. federal legislation designed to protect the privacy and security of individuals’ protected health information (PHI). Its requirements are codified in the Privacy Rule, the Security Rule, and the Breach Notification Rule. Organizations subject to HIPAA face substantial financial penalties and negative publicity for violations that put the privacy or security of PHI at risk.

Employers need to be aware of their HIPAA compliance and privacy responsibilities in two distinct situations. The first is when the company fits the HIPAA definition of a covered entity or the business associate of a covered entity. The other case is when an employer offers their employees a self-funded health care plan. 

We’ll look at both situations and provide employers with the information they need to make informed decisions regarding their data protection solutions.


What are covered entities and business associates?


HIPAA uses the term covered entities to identify the organizations that must comply with its privacy, security, and breach notification rules. Business associates are third parties that perform services for covered entities that involve creating, receiving, maintaining, or transmitting PHI.

Covered entities need to enter into business associate agreements (BAAs) with all their HIPAA-related business associates.

Covered entities

The following three types of organizations or programs are considered HIPAA covered entities.

  • Healthcare providers such as doctors, clinics, dentists, pharmacies, and nursing homes are considered covered entities if they transmit patient information in an electronic format for which standards have been adopted by the U.S. Department of Health and Human Services (HHS).
  • Health plans include health insurance companies, health maintenance organizations (HMOs), company health plans, and government programs that pay for healthcare such as Medicare and Medicaid.
  • Healthcare clearinghouses include entities that process nonstandard health information they receive from another entity into a standard format.

Business associates

Business associates are persons or entities that perform functions or activities for a covered entity involving the use or disclosure of PHI. A covered entity can also be a business associate of another covered entity. 

Business associate functions include claims processing, data analysis, data processing, billing, benefit management, and IT administration.

Examples of business associates include:

  • IT service providers that store and process PHI for covered entities
  • Third-party administrators who process healthcare claims
  • Independent medical transcriptionists
  • Attorneys whose legal searches involve access to PHI

Many covered entities, especially smaller companies, use third-party IT vendors to process their PHI, and covered entities should always insist on entering into valid BAAs when working with a third party.

When are non-covered entity employers subject to HIPAA guidelines?


Employers whose business does not fall under the definition of a covered entity or business associate are generally not subject to HIPAA’s data privacy and security regulations.

However, there is one situation in which an employer in an unrelated field has to protect a subset of their data resources in compliance with HIPAA regulations. This is when the employer offers employees a self-funded health insurance plan, as the plan itself is defined as a HIPAA covered entity.

This means the employer has to segregate any PHI related to the healthcare plan and process it according to HIPAA guidelines. This can complicate security by requiring different policies and procedures to protect the privacy of PHI. 

Regardless of the difficulties this situation presents, employers need to take the necessary measures to maintain HIPAA compliance regarding their PHI.

What steps must employers take to protect PHI?


Maintaining the privacy of PHI necessarily involves securing it so that the data is not misused, accessed by unauthorized personnel, or inadvertently disclosed.

Employers should therefore take the following steps to comply with HIPAA regulations.

1. Identify the data assets that are subject to HIPAA regulations. 

This may include information about customers or patients, if the business operates in the healthcare sector. It also includes PHI related to any employer-funded healthcare plan.

2. Implement the HIPAA-defined administrative safeguards. 

These include:

  • Designating a HIPAA Privacy Officer and a Security Officer responsible for developing and maintaining the appropriate policies and procedures
  • Conducting regular risk assessments to identify threats to the confidentiality, integrity, and availability of PHI
  • Developing workforce training programs to educate employees about HIPAA requirements and their own handling obligations
  • Establishing breach reporting and incident response procedures

3. Implement physical safeguards. 

These include:

  • Restricting physical access to the facilities and systems that store or process PHI
  • Using badge or key access controls and surveillance to control and record entry to areas where PHI is kept
  • Disposing of PHI and the media that hold it securely (for example, shredding paper records and wiping or destroying storage devices)

4. Implement technical safeguards.

These include:

  • Encrypting electronic protected health information (ePHI) at rest and in transit, and enforcing access controls so that only authorized roles can reach it
  • Authenticating users with unique user IDs and, where possible, multi-factor authentication before granting access to ePHI
  • Patching systems regularly to maintain the security of the IT environment
  • Logging and regularly reviewing access to ePHI to identify suspicious activity
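The four steps above form one procedure: find the records that carry PHI, fence them off behind role-based access, and audit how they are used. The following Python module is an added illustration written for this article; it is not code from Next, from the Reveal platform, or from any HIPAA guidance. The identifier patterns, role names, record IDs, and thresholds are all assumptions chosen for the example, and the records are constructed sample data, not real people.

```python
"""Added example: identify PHI, enforce least-privilege access to it, and flag
anomalous use from the audit trail. All data below is constructed."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Step 1: identify data subject to HIPAA. Simplified detectors for direct
# identifiers; the MRN format is an assumption (a local convention).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN-\d{6}\b"),
    "dob": re.compile(r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b"),
}

# Assumed roles permitted to read health-plan PHI (segregated from general HR).
PLAN_PHI_ROLES = frozenset({"benefits_admin", "plan_privacy_officer"})

# Constructed sample records: five health-plan records and one ordinary HR note.
SAMPLE_RECORDS = {
    "plan-0001": "Jane Doe, MRN-482913, DOB 1984-03-09, physical therapy claim",
    "plan-0002": "John Roe, SSN 123-45-6789, enrolled in self-funded plan 2023-01-15",
    "plan-0003": "Ann Poe, MRN-771204, prescription refill",
    "plan-0004": "Sam Coe, MRN-650118, DOB 1990-11-30, lab results",
    "plan-0005": "Lee Foe, SSN 987-65-4321, dependent enrollment",
    "hr-0001": "Q1 performance review: meets expectations; salary band 4",
}


def classify(text: str) -> frozenset:
    """Return the set of PHI identifier types found in the text."""
    return frozenset(name for name, pat in PHI_PATTERNS.items() if pat.search(text))


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user: str
    role: str
    record_id: str
    phi_tags: frozenset
    allowed: bool
    reason: str


@dataclass
class PhiStore:
    """Records plus an append-only audit trail of every read attempt."""
    records: dict
    audit: list = field(default_factory=list)

    def read(self, user: str, role: str, record_id: str, now: datetime):
        """Return (body, reason). PHI records are released only to plan roles;
        denials carry an explanatory message for the user and are logged."""
        body = self.records[record_id]
        tags = classify(body)
        if tags and role not in PLAN_PHI_ROLES:
            reason = (f"Access denied: record {record_id} contains PHI "
                      f"({', '.join(sorted(tags))}); role '{role}' is not "
                      "authorized to view health-plan data.")
            self.audit.append(AuditEvent(now, user, role, record_id, tags, False, reason))
            return None, reason
        self.audit.append(AuditEvent(now, user, role, record_id, tags, True, "ok"))
        return body, "ok"


def suspicious_users(audit: list, max_denials: int = 3, bulk_reads: int = 5,
                     window: timedelta = timedelta(minutes=10)) -> dict:
    """Review the audit trail: flag repeated denials and bulk PHI reads."""
    findings = defaultdict(list)
    denials = defaultdict(int)
    phi_reads = defaultdict(list)
    for ev in audit:
        if not ev.allowed:
            denials[ev.user] += 1
        elif ev.phi_tags:
            phi_reads[ev.user].append(ev.ts)
    for user, n in denials.items():
        if n >= max_denials:
            findings[user].append(f"{n} denied PHI access attempts")
    minutes = int(window.total_seconds() // 60)
    for user, times in phi_reads.items():
        times.sort()  # sliding window over the allowed PHI reads
        for i in range(len(times) - bulk_reads + 1):
            if times[i + bulk_reads - 1] - times[i] <= window:
                findings[user].append(f"{bulk_reads}+ PHI records read within {minutes} minutes")
                break
    return dict(findings)


def run_demo():
    """An HR manager probes plan records; an authorized admin bulk-reads them."""
    store = PhiStore(dict(SAMPLE_RECORDS))
    t0 = datetime(2024, 4, 16, 9, 0)
    store.read("hr.manager", "hr", "hr-0001", t0)  # no PHI: allowed
    for i, rid in enumerate(["plan-0001", "plan-0002", "plan-0003"]):
        store.read("hr.manager", "hr", rid, t0 + timedelta(minutes=i))  # denied
    plan_ids = sorted(r for r in SAMPLE_RECORDS if r.startswith("plan-"))
    for i, rid in enumerate(plan_ids):
        store.read("b.admin", "benefits_admin", rid, t0 + timedelta(seconds=30 * i))
    return store, suspicious_users(store.audit)


if __name__ == "__main__":
    store, findings = run_demo()
    for ev in store.audit:
        print(ev.ts.time(), ev.user, ev.record_id, "ALLOW" if ev.allowed else "DENY")
    print(findings)
```

The denial message is deliberately returned to the caller as well as logged: telling the user why an action was blocked is what turns a control into a training moment. The review step is the part most often skipped in practice; an audit log nobody reads does not satisfy the intent of the safeguard.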

Protecting PHI with a data loss prevention solution

Data loss prevention (DLP) can be instrumental in protecting an employer’s PHI, as well as any other sensitive or high-value data, because DLP software directly implements several of the technical safeguards listed above: classifying PHI, restricting who can access or move it, and recording how it is used.

A DLP platform can also automatically enforce the handling policies that determine who can access PHI in the environment.

The Reveal Platform by Next offers employers a comprehensive DLP platform that restricts deliberate or accidental misuse of an organization’s PHI. 

For example, if an unauthorized individual attempts to use PHI, the access is blocked and the user receives an instructive message explaining why the activity was not permitted, which reinforces security awareness at the moment it matters.

Reveal’s next-gen agents deliver the power of machine learning to the endpoint. The agents identify and categorize data at the point of risk. They baseline activity at deployment and use multiple behavioral analytics algorithms to define typical versus anomalous behavior for superior data protection.

Talk to the experts at Next and schedule a demo today to see Reveal in action.

Frequently asked questions

What are the risks of not entering into a business associate agreement?

Disclosing PHI to a vendor without a business associate agreement is itself a HIPAA violation for the covered entity, and it leaves the covered entity without any contractual basis for requiring the vendor to safeguard PHI, report breaches, or return or destroy the data at the end of the engagement. A BAA defines the business associate’s role, responsibilities, and permitted uses of PHI.

Business associates are also directly liable under HIPAA for their own violations, but without a BAA the covered entity cannot show that it required the safeguards and will have to answer for any resulting exposure of its PHI.

How can employers protect health plan information with enhanced security?

Employers can protect health plan information by segmenting it from the general IT environment. The systems that hold PHI need more stringent security and access controls than the majority of the organization’s data assets: a separate set of authorized roles, stronger authentication (for example, multi-factor authentication) before PHI can be accessed, and logging of every access so that misuse can be detected.

Why should employers develop a data handling policy to protect PHI?

A data handling policy defines who may use sensitive data and under what conditions. A policy written to limit access to PHI can be extended to protect all of a company’s high-value data. When it is enforced through a data loss prevention platform rather than left as a document, the policy greatly reduces both accidental and malicious misuse of PHI and produces the audit trail needed to prove compliance.

