HIPAA Compliance for Hospitals

Discussing HIPAA compliance for hospitals in a single article is challenging. Not only is there so much to cover, but there are also many different types and sizes of hospitals. This means there is no one-size-fits-all guide to HIPAA compliance for hospitals, but rather checklists that can help hospitals cover the basics of the compliance requirements.

It is also the case that, regardless of the level of effort put in to comply specifically with HIPAA, most hospitals already comply with HIPAA to some degree due to the measures implemented in order to participate in Medicare. For example, most Medicare-participating hospitals already have:

  • A Notice of Rights which includes the hospital’s grievance procedures
  • Procedures to respond to patients’ requests to access medical records
  • Measures in place to ensure the confidentiality of patient records
  • A system that maintains the availability of records during an emergency
  • Physical safeguards that comply with the Health Care Facilities Code (NFPA 99)

To start on the path to HIPAA compliance for hospitals, it does not take a great deal of effort to incorporate a Notice of Privacy Practices into the Notice of Rights, to adopt existing patient access procedures to accommodate requests for amendments or requests to limit uses and disclosures, and to upgrade confidentiality, availability, and physical safeguards to meet HIPAA standards.

What is Required to Comply with HIPAA?

Although it may not take a great deal of effort to upgrade existing Medicare measures to HIPAA standards, it is important the method used is organized. If HIPAA compliance is approached in a haphazard manner, it can result in gaps in compliance, which can result in avoidable HIPAA violations, which can lead to penalties being issued by the HHS’ Office for Civil Rights.

Get the HIPAA
Compliance Checklist

Free and Immediate Download

Delivered via email so please ensure you enter your email address correctly.

Your Privacy Respected

HIPAA Journal Privacy Policy

Therefore, one of the most thorough ways to address HIPAA compliance for hospitals that already have measures in place to fulfill the Medicare requirements is to designate a Privacy Officer responsible for compliance with the HIPAA Privacy and Breach Notification Rules and a Security Officer responsible for compliance with the HIPAA Security Rule.

Thereafter, hospitals can begin to identify what is required to comply with HIPAA by following the Administrative Requirements of the Privacy Rule (§164.530) and the Administrative Safeguards of the Security Rule (§164.308). Between them, these two standards will enable Compliance Officers to compile an inventory of where in the organization Protected Health Information is created, received, maintained, or transmitted, and identify threats to its confidentiality, integrity, and availability.

The Five Areas of HIPAA Compliance for Hospitals to Focus On

Assuming that most hospitals already comply with the HIPAA Administrative Requirements (as this is also a condition of Medicare participation), the five areas of HIPAA compliance for hospitals to focus on are:

  • The standards of the Privacy Rule relating to patients’ rights
  • Permissible uses and disclosures of Protected Health Information
  • Policies and procedures to comply with the Breach Notification Rule
  • The Administrative, Physical, and Technical Safeguards of the Security Rule
  • Reasonable due diligence on Business Associates and ensuring HIPAA-compliant Business Associate Agreements are in place

The Standards of the Privacy Rule Relating to Patients’ Rights

The standards of the Privacy Rule relating to patients’ rights are more comprehensive than those that apply for Medicare participation, and right of access failures are one of the leading reasons for complaints being made to HHS’ Office for Civil Rights.

Additionally, Protected Health Information can be maintained in multiple designated record sets – which is why it is beneficial to compile an inventory of Protected Health Information so this information can be used to respond to patients exercising their access rights more efficiently.

It is also important to be aware patients’ rights under HIPAA go much further than Medicare. For example, patients can choose how they are contacted, request certain health information is withheld, and request an accounting of disclosures to ensure their wishes are complied with.

Permissible Uses and Disclosures of Protected Health Information

The permissible uses and disclosures of Protected Health Information is one of the most complicated areas of the Privacy Rule – notwithstanding that sources provide conflicting information about what is considered Protected Health Information under HIPAA. Privacy Officers must develop policies and procedures that clearly explain which uses and disclosures are permissible and which require authorization from a patient, and when patients should be given an opportunity to agree or object to a use or disclosure. The policies and procedures should be included in HIPAA training – along with guidance over the minimum necessary standard, incidental disclosures, and what needs to be included in a patient’s authorization to ensure it is valid.

Policies and Procedures to Comply with the Breach Notification Rule

Also included in HIPAA training should be an explanation of how members of the workforce should report violations of HIPAA to their supervisor or Privacy Officer. Ideally, a system should be implemented to facilitate anonymous reports. Thereafter, there needs to be a system in place to determine whether a violation of HIPAA constitutes a breach of unsecured Protected Health Information, and – if so – there also needs to be procedures prepared for notifying individuals and the HHS’ Office for Civil Rights. If not already included in HIPAA training, all members of the workforce must be advised of the sanctions for violating HIPAA and be given a copy of the organization’s HIPAA sanctions policy, even if a sanctions policy already exists in the employees’ terms of employment.

The Administrative, Physical, and Technical Safeguards of the Security Rule

Most hospitals will already have some administrative, physical, and technical safeguards in place – not necessarily due to complying with the Medicare requirements of participation, but because of the need to secure data, servers, and networks from external threats. However, it is important that any existing risk management programs, access management programs, and emergency response programs are updated to HIPAA standards, and that technologies are upgraded to support requirements such as audit trails and event logs. Security and awareness training is required for all members of the workforce – not only those with authorized access to electronic Protected Health Information – and the Security Rule also requires a sanctions policy to mitigate the risk of non-compliance with Security Rule policies.

Reasonable Diligence on Business Associates and Business Associate Agreements

The term “reasonable diligence” applies frequently throughout the HIPAA Administrative Simplification Regulations, and while it is not always in the context of transactions with other Covered Entities or Business Associates, there is an expectation that hospitals will exercise reasonable diligence before disclosing Protected Health Information to any third party. 164.504(e)(ii) of the Privacy Rule is particularly relevant to relationships with Business Associates inasmuch as this standard states, “A covered entity is not in compliance […], if the covered entity knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate’s obligation under the contract or other arrangement”. The implementation specifications of this standard and in the Administrative Safeguards of the Security Rule detail what should be included in a Business Associate Agreement. Both the hospital’s Privacy and Security Officers should review existing Agreements to ensure they comply with these standards and revise the Agreements as necessary.

Further Help with HIPAA Compliance for Hospitals

As mentioned in the introduction to this article, discussing HIPAA compliance for hospitals in a single article is challenging. Not only are hospitals of different types and sizes, but they may also be at different stages of their compliance journeys. Therefore, to help hospitals with their HIPAA compliance efforts, we have compiled a HIPAA compliance checklist containing more comprehensive information on the five areas of HIPAA compliance for hospitals to focus on.

Leave a Comment