The Health Insurance Portability and Accountability Act (HIPAA) is legislation designed to protect the privacy and security of individuals’ protected health information (PHI). HIPAA regulations are codified in the Privacy Rule, Security Rule, and Breach Notification Rule, with organizations subject to HIPAA compliance facing substantial financial penalties and negative publicity for violations that put the privacy and security of PHI at risk.
Employers need to be aware of their HIPAA compliance and privacy responsibilities in two distinct situations. The first is when the company fits the HIPAA definition of a covered entity or the business associate of a covered entity. The other case is when an employer offers their employees a self-funded health care plan.
We’ll look at both situations and provide employers with the information they need to make informed decisions regarding their data protection solutions.
HIPAA defines the term covered entities to identify organizations that need to comply with its data privacy, security, and breach notification rules. Business associates are third parties that provide services for covered entities that involve the processing or storage of PHI.
Covered entities need to enter into business associate agreements (BAAs) with all their HIPAA-related business associates.
The following three types of organizations or programs are considered HIPAA covered entities.
Business associates are persons or entities that perform functions or activities for a covered entity involving the use or disclosure of PHI. A covered entity can also be a business associate of another covered entity.
Business associate functions include claims processing, data analysis, data processing, billing, benefit management, and IT administration.
Examples of business associates include:
Many covered entities, especially smaller companies, use third-party IT vendors to process their PHI, and covered entities should always insist on entering into valid BAAs when working with a third party.
Employers whose business does not fall under the definition of a covered entity or business associate are often not subject to any HIPAA regulations regarding data privacy and security.
However, there is one situation in which an employer in an unrelated field has to protect a subset of their data resources in compliance with HIPAA regulations. This is when the employer offers employees a self-funded health insurance plan, as the plan itself is defined as a HIPAA covered entity.
This means the employer has to segregate any PHI related to the healthcare plan and process it according to HIPAA guidelines. This can complicate security by requiring different policies and procedures to protect the privacy of PHI.
Regardless of the difficulties this situation presents, employers need to take the necessary measures to maintain HIPAA compliance regarding their PHI.
Maintaining the privacy of PHI necessarily involves providing security to ensure the sensitive data is not misused, accessed by unauthorized personnel, or inadvertently disclosed.
Employers should therefore take the following steps to comply with HIPAA regulations.
This may include information about customers or patients, if the business operates in the healthcare sector. It also includes PHI related to any employer-funded healthcare plan.
These include:
These include:
These include:
Data loss prevention (DLP) can be instrumental in protecting an employer’s PHI, as well as any other sensitive or high-value data resources, as DLP software directly addresses the technical safeguards designed to minimize risks to PHI.
A DLP platform can also automatically enforce the handling policies that determine who can access PHI in the environment.
The Reveal Platform by Next offers employers a comprehensive DLP platform that restricts deliberate or accidental misuse of an organization’s PHI.
For example, if an unauthorized individual attempts to use PHI, access will be blocked. The user also receives an instructive message explaining why the activity was not permitted, which helps build security awareness.
Reveal’s next-gen agents deliver the power of machine learning to the endpoint. The agents identify and categorize data at the point of risk. They baseline activity at deployment and use multiple behavioral analytics algorithms to define typical versus anomalous behavior for superior data protection.
Talk to the experts at Next and schedule a demo today to see Reveal in action.
The risk of not entering into a business associate agreement that defines the responsibilities of a third-party provider is that the covered entity will be held liable for HIPAA violations. A BAA protects the covered entity by defining the business associate’s role and responsibilities.
Ultimately, it is the covered entity’s responsibility to address violations committed by associates that are not bound by a BAA.
Employers can protect health plan information with enhanced security by segmenting it from the general IT environment. The systems containing PHI need more stringent security and access controls than the majority of the organization’s data assets. At a minimum, additional authentication measures should be put in place to restrict access to PHI.
Employers should develop a data handling policy to protect PHI by defining who can use sensitive data and under what conditions. A policy designed to limit access to PHI can be extended to protect all of a company’s high-value data. A well-defined policy enforced through a data loss prevention platform eliminates accidental and malicious misuse of PHI.