What is HIPAA compliance?
HIPAA is an acronym for the Health Insurance Portability and Accountability Act. It is a US federal
statute that sets out a collection of standards for protecting sensitive patient information. It
regulates the use of Personal Health Information (PHI), its safe storage, and its protection from
theft or misuse. The law covers physical, administrative, and technical precautions for PHI
security. The physical level involves, for example, ensuring that healthcare staff lock laptops
away when leaving them. Administrative measures involve creating internal policies and rules for
staff on how they keep medical data safe. Meeting HIPAA compliance on a technical level means that
everyone who deals with confidential medical data and PHI must use programs and tools that provide
strong data encryption.
How to get HIPAA compliance in signNow
signNow meets all HIPAA compliance regulations, which makes it a suitable solution for healthcare
institutions that need to sign medical-related documents. It ensures a high level of data
protection, storage, and transmission using AES-256 encryption. In addition, the Audit Trail
function allows medical staff and healthcare-related organizations to track every action taken
on PHI documents. To start working under HIPAA compliance in signNow, you should contact our
Support team, who will switch on the functionality for you manually. HIPAA compliance is active
while the Invite to Sign option is inactive.
Who has to be HIPAA compliant?
According to the law, all hospitals, clinics, other healthcare institutions, healthcare
insurance companies, and the organizations that deal with them must meet HIPAA compliance. The
Act defines healthcare-related institutions that provide medical care as Covered Entities. Apart
from them, the Act requires Business Associates to meet HIPAA requirements as well. These are
companies that deliver services to hospitals and other healthcare-related institutions and are
likely to have access to patients' personal and medical information (e.g., Internet providers,
IT companies, legal firms, accounting companies, etc.). In other words, everyone who is able to
access PHI must be compliant.
What are the penalties for HIPAA compliance violations?
Penalties for HIPAA violations depend on the situation and on state-specific rules. They can
involve either administrative penalties (fines) or criminal punishment (arrest and imprisonment).
Fines vary widely and depend on how harmful the security breach was. For accidental violations,
organizations can be fined up to $50,000 per case or per record. However, if it turns out that
the breach was willful (committed with malicious intent), the punishment is more severe,
including heavy fines of up to $250,000 and imprisonment for a maximum of 10 years. Thus,
inadequate data protection, stolen devices, discussing or sending PHI with unauthorized people,
or stealing PHI data can all be extremely costly.
Take action to prevent HIPAA violations:
-> regularly hold HIPAA compliance training sessions with your staff;
-> keep your software updated so that data stays encrypted;
-> never leave files or devices containing PHI out in the open and unattended;
-> ensure all paper and digital documentation containing any information about patients is
securely stored;
-> don't discuss patient information with unauthorized people, whether by SMS, in messengers, or
on social media;
-> don't share your login credentials, even with colleagues;
-> immediately report any violations to your HIPAA compliance officer.
What are the main rules for HIPAA compliance?
HIPAA compliance involves organizations following numerous rules and standards. Here are the
four main rules you should be aware of and strictly follow to become compliant with HIPAA
regulations:
Privacy Rule. It guarantees that patients have the right to have their private information
protected. It states which PHI data must be safeguarded and which security precautions must be
taken. The HIPAA Privacy Rule guarantees that any records on a patient's medical conditions,
treatment, and payments for care (whether past, present, or future) are subject to privacy.
Security Rule. It outlines the mechanisms of PHI data protection, comprising physical,
administrative, and technical safeguards. These rules apply to both Covered Entities and
Business Associates. Physical measures ensure the physical security of the equipment (devices)
used for processing and storing PHI. Administrative rules include internal policies, staff
training, risk evaluation, etc. The technical safeguards involve encrypting the data and networks
used, keeping audit trails of every PHI view and manipulation, and enforcing automatic logouts
after a set period of time.
Breach Notification Rule. This one determines how organizations must act in case of any HIPAA
breach. There are different steps to be taken depending on how harmful the breach was and how
many records it affected. In any case, organizations must notify both patients and the Department
of Health and Human Services (HHS) about all violations that occurred.
Omnibus Rule. This rule is one of the most recent ones and applies to Business Associates regarding
their HIPAA compliance. It requires Covered Entities to sign BAAs (Business Associate
Agreements) with third parties that store or transmit data related to patients' PHI.
What is HIPAA compliance training?
HIPAA compliance requires companies and organizations that have signed a BAA to arrange
regular annual training for employees on HIPAA. During the training sessions, it is important
to remind your staff what Personal Health Information is, the principles of using and securely
storing it, and the measures to be taken when they notice HIPAA violations. Organizations need to
hold yearly HIPAA training to reassess their staff's knowledge.