Beyond the Bounds of HIPAA Compliance
By Gil Vidals, , HIPAA Blog, Resources, Security

4 Recent & Relevant Questions about Complying with HIPAA 

With all the recent questions relating to vaccines and the requirements of the Health Insurance of Portability and Accountability Act of 1996 (otherwise known as HIPAA), it’s easy to lose sight of the real fundamentals of HIPAA

As such, we thought it might be time for a quick refresher:

1. Does asking someone for proof of vaccination violate HIPAA?

Contrary to some popular protestations, asking a person about their COVID-19 vaccination status for purposes of, say, determining whether they should wear a mask at work, does not necessarily violate HIPAA. 

Remember, HIPAA privacy rules were designed to allow covered entities (e.g. medical providers and insurance companies) to share protected health information (PHI) as required while maintaining patient privacy. 

This appropriate disclosure, or portability, remains limited to covered entities, with allowances made for emergent and life-saving situations. Beyond those limits, covered entities and their business associates (including cloud service providers) may not disclose PHI without patient consent. 

With this in mind, formulating safe practices for the workplace during a pandemic – such as mask-wearing – should not be a violation of HIPAA.

As stated by the Equal Employment Opportunity Commission, an employer who would not necessarily fit the covered-entity criteria could legitimately ask their employees for proof of Covid-19 vaccination status, in keeping with the current guidance of Public Health officials for maintaining safe and healthy workplaces. 

However, as the HIPAA Journal helpfully notes, employers should stop short of pressing employees for reasons why they may not have chosen to receive the vaccination, as this would be a violation of their privacy. 

An employee does have the right – guaranteed under federal laws – to keep their personal health condition(s) private, along with their reasons for refusing a vaccination – some of which may or may not be disability-related. This is guaranteed under the American Disabilities Act.

2. I know that no certification will “make” my business HIPAA-compliant and that there is no officially recognized certification for HIPAA. So how do I ensure that we stay within the boundaries of HIPAA compliance?

It’s been said that ‘compliance is just a snapshot in time.’ In other words, just because compliance exists today, it does not guarantee that compliance will exist tomorrow or the next day. 

For example, today, you might not make any mistakes in keeping PHI private; tomorrow, a document may be left in an insecure place (such as lying face up on a fax machine) where it could be inappropriately disclosed to others. Your business would then be compliant today, but not tomorrow. (Btw, here is where a compliant fax solution can help!) 

The heart of maintaining compliance then really flows from teaching employees about HIPAA compliance at a fundamental level and imparting a sense of what true security is: both in digital and physical uses of the word. (The risk of not doing so can be absolutely staggering. An annual data breach study conducted by the Ponemon Institute listed the current average cost of a healthcare data breach at  $8.6 million). 

Instituting a regular cycle of examining risks to your health data, and formulating a good standard operating procedure (SOP) is vital for helping to ensure compliance. Canonizing these procedures into a formal requirement is the true point of HIPAA. (Our HIPAA Checklist can help start you in the right direction). 

Maintaining this regular cycle of security fundamentals (and making sure that every employee is aware of the reasons and procedures involved) helps everyone to see abnormalities or mistakes before they happen. Starting with a strong base of security is also much cheaper than launching a complete compliance initiative and SOP overhaul after the fact.

3. Remind me again – what constitutes Protected Health Information (PHI)?

The HIPAA Journal again provides a nice summary:

“PHI is any health information that can be tied to an individual, which under HIPAA means protected health information includes one or more of the following 18 identifiers. If these identifiers are removed the information is considered de-identified protected health information, which is not subject to the restrictions of the HIPAA Privacy Rule.

  1. Names (Full or last name and initial)
  2. All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the U.S. Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people, and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
  3. Dates (other than year) directly related to an individual
  4. Phone Numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health insurance beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers (including serial numbers and license plate numbers)
  13. Device identifiers and serial numbers;
  14. Web Uniform Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger, retinal, and voiceprints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
4. We’re a new healthcare startup, just beginning to consider HIPAA’s boundaries. Where do we start?  

First, understand the complete life cycle of the protected health data before taking the first steps of checking off HIPAA Compliance requirements. Perceive where the data goes from a top-down perspective, then try to predict breaches before they happen. 

Be cognizant of the information life cycle as well. Make sure that all steps in the process are fundamentally sound from a security perspective. (Designating a Compliance Officer at the start is a wise move).

Next, understand that HIPAA-compliant infrastructures for PHI can be complex. An experienced Managed Security Service Provider (MSSP) – particularly one who has proven HIPAA expertise for healthcare like HIPAA Vault – can play a strategic, partnering role, providing:

  • A secure, scalable, and responsive environment
  • Identification and mitigation of threats that continue to grow in type and complexity
  • Real-time analysis of networks and logs, SIEM and alerts, and monitoring of encrypted servers – all important parts of a HIPAA compliant environment.
  • The latest security patches to operating systems – necessary to preserve the integrity and availability of PHI. An MSSP will be on the “front line” on your behalf, helping prevent the possibility of a costly data breach.
  • Streamlining of business operations, and reduction of capital equipment and IT expenditures (typically used for servers, onsite data centers, maintenance, etc.)
  • An extension of your business, understanding your real needs, with 24/7 responsiveness.

It’s noteworthy to mention that even with a well-designed security framework, protected health information (PHI) is a unique kind of beast. The risk of compromise is so much higher than in many other industries, even when following all HIPAA guidelines and security requirements. 

Breaches can still occur because mistakes can be made. An employee might be unwittingly fooled by a phishing scam. For this reason, you must anticipate and plan out your incident breach response in advance.

Have a solid Disaster Recovery Plan in place (with offsite backups), and review the Breach Notification Rule.  The following article on How to Comply with the HIPAA Breach Notification Rule may also be helpful.   

With a trusted MSSP, a well-informed employee pool, and fundamental attention to the core concepts of security, it is possible to not only maintain compliance but also keep your sensitive healthcare data highly available and secure.

If you have any questions on HIPAA or on the services we can provide, please contact us! 760-290-3460, or online at www.hipaavault.com.

HIPAA Vault is a low-cost leader of HIPAA compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities.