Data privacy and security are a rapidly expanding area of regulatory activity and patient attention. For most health care providers, central data privacy and security legal obligations flow from the federal Health Insurance Portability and Accountability Act (“HIPAA”).  As such, adhering to HIPAA is a core compliance obligation for health care providers.  Indeed, in recent years, numerous heath care providers, ranging from large integrated health systems to solo practitioners, have experienced sanctions, unwanted public attention and reputational harm, and other negative consequences due to their failure to comply with their HIPAA obligations.

Importantly, as a general rule HIPAA does not make special exceptions for smaller health care providers. Rather, subject to a few more technical exceptions, all regulated HIPAA health care providers must comply with similar baseline requirements under HIPAA – whether a large health system or a sole practitioner. Thus, all regulated health providers – regardless of their size – need to be mindful of their legal obligations under HIPAA. This article provides a basic roadmap of the key steps a practice needs to take to conform with HIPAA and an overview of how to respond to a potential breach of HIPAA-regulated data.

Of course, every practice and situation are different. In particular, a practice’s HIPAA risk profile and compliance burden is partially dictated by its activities. For instance, if a practice has a slew of complex data sharing arrangements with vendors and other partners, its HIPAA compliance obligations may be that much more involved.

First though, a few points of basic HIPAA terminology. First, “covered entities” under HIPAA are the entities that are primarily regulated by HIPAA. They include health care providers who submit electronic transactions in standardized formats, such as claims or eligibility queries. Notably, healthcare providers who do not submit any third-party claims for insurance, such as cash-only concierge providers, may not be subject to HIPAA.[1] Second, the primary HIPAA regulator is the U.S. Department of Health and Human Services, Office of Civil Rights, or “OCR.” This agency promulgates HIPAA regulations and guidance, and it also investigates and sanctions in cases of there is a potential HIPAA violation. 

Basics of HIPAA Compliance

HIPAA compliance is a complex and ongoing process, and many organizations overlook some, if not many, requirements. Some of the most essential, basic elements that a compliant practice needs to have in place include the following:

• Policies and Procedures. A covered entity needs to have a comprehensive set of policies and procedures in place covering the HIPAA privacy rule (focusing on rules concerning permitted uses and disclosures of “protected health information” or “PHI”), the HIPAA security rule (keeping electronic PHI safe and secure), and the HIPAA breach notification rule (dealing with inappropriate uses or disclosures). Some consultants will provide form policies and procedures, but these need to be customized for the specific practice.
  • A particularly critical policy is a HIPAA compliant “notice of privacy practices” or “NPP,” which in general, must be provided to all patients, posted online if the practice has a web presence, and be physically posted.
• Workforce Training. The practice’s workforce should be trained on HIPAA at hire and periodically thereafter. Workforce includes all employees and independent contractors, especially everyone who has potential access to PHI.
• HIPAA Risk Assessment. The HIPAA risk assessment is a written assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI. It typically includes where electronic PHI is stored, the risks to PHI, who has access to PHI, and security protocols used. The risk assessment should be reviewed periodically and updated as risks shift. As this analysis can be fairly technical, many providers hire an IT security consultant to assist with this aspect of HIPAA compliance, at least initially.
• Designated Compliance Leaders. The practice should formally designate the individual responsible for compliance with HIPAA’s privacy requirements – known as the HIPAA “Privacy Officer” and the individual responsible for HIPAA’s security requirements – known as the HIPAA “Security Officer.” Given the technical aspects of the HIPAA security rule, the “Security Officer” is often an individual with an IT background, while the ”Privacy Officer” often has a more general compliance or management function.
• Business Associate Management. HIPAA “business associates” are essentially all the provider’s vendors who have access to PHI or that use PHI on its behalf. Common examples are (1) electronic health record providers, (2) lawyers, consultants, and similar advisers if they are accessing PHI, (3) cloud storage providers, and (4) claims processors. Most other health care providers are not business associates, because they are not accessing the PHI on the practice’s behalf; instead they are covered entities themselves. Similarly, vendors and other contractors who do not access PHI (e.g., a landscaper) are not typically business associates. The covered entity is responsible to ensure that HIPAA compliant “business associate agreements” are maintained and entered into prior to the disclosure of PHI to such vendor. Covered entities should keep an inventory of all HIPAA business associates and the accompanying agreements.
• Promptly Responding to Patient Inquiries. Patients have a right to their records under HIPAA. Further, OCR has recently been focused on validating this right. In recent years, it has investigated and sanctioned numerous providers, including small practices, for failure to comply with the HIPAA patient right of access.[2] Moreover, recent amendments to HIPAA strengthen this right. Today, providers must generally respond to patient requests within 30 days (either producing the records, denying them on a legally valid basis, or following the rules for a 30-day extension, which may only be obtained once). So, providers should prioritize responding to patient requests.
• Ongoing Auditing; Other Requirements. As part of ongoing quality improvement, practices should audit their HIPAA compliance, and particularly be on the lookout for non-permitted uses or disclosures. In addition, be mindful that HIPAA sets a legal floor. This means that other laws – both state and federal – may require more of a practice, depending on the nature and location of the enterprise and the affected individuals.

Roadmap for Responding to an Unauthorized Use or Disclosure

Providers should be monitoring for unauthorized uses and disclosures of PHI. In the event one is identified (whether from a workforce member, business associate, or otherwise), prompt action is critical. If the incident is a breach, the provider only has 60 days from the date of discovery to make the necessary reports to the individual. While every incident is fact specific, and close engagement with counsel is often necessary, here are the key steps:

1. Promptly Investigate. Key facts to uncover include the date(s) of the incident, the number of impacted individuals, the identifiers, to whom the PHI was disclosed or used, and how the risk of harm can be mitigated. Be sure to have a good understanding of how the incident occurred and the root causes. If the disclosure is ongoing, take steps to prevent additional disclosures. Investigation should begin immediately, but providers can – and often must – act before the investigation is completed.
2. Breach Analysis. Determine whether the incident qualifies as a reportable HIPAA breach. Not all unauthorized uses or disclosures of PHI are HIPAA reportable breaches. Specifically, if a covered entity determines there is low probability that the PHI has been compromised based on a risk assessment that includes specific factors, it does not have treat the incident as a breach. This analysis is fairly technical, and it needs be documented. Many providers engage legal counsel to assist with this analysis.
3. Contact Insurer. Outreach to insurers should begin early in in the process, especially if the provider has a cybersecurity policy, which are becoming industry standard. It is worthwhile to consult with one’s insurance broker to determine whether the practice has cybersecurity insurance and, if not, whether to procure coverage.
4. Assess Other Legal Obligations. Every state has a data breach reporting statute, and additional federal requirements may apply depending on the nature of the breach. In addition, data breaches can implicate contractual requirements. These areas should be considered as part of the response.
5. Remediate. Remediation could include workforce discipline or training, restructuring of business associate relationships, IT improvements, or others, depending on the nature of the incident.
6. Conduct Notifications. If a HIPAA reportable breach occurs, then the breach needs to be reported to the impacted individuals and OCR. The notifications need to be in writing and adhere to specific content requirements. Individuals have to be notified without unreasonable delay and no later than 60 days after discovery. OCR timing depends on the size of the breach. For larger breaches, notice to the media is also required.

Given the increasing regulation of data in the United States, fulsome HIPAA compliance is becoming ever more important. However, while HIPAA compliance is a complex and ongoing project, there are a set of core elements are readily obtainable for practices of any size.

[1] Of course, providers have other medical confidentiality obligations, and patients may expect HIPAA-type compliance. So, adherence to HIPAA-like standards is a common practice even for non-regulated health care providers.

[2] See, for example: Eleven Enforcement Actions Uphold Patients’ Rights Under HIPAA (July 15, 2022) https://www.hhs.gov/about/news/2022/07/15/eleven-enforcement-actions-uphold-patients-rights-under-hipaa.html.