HIPAA Compliance

The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, is a series of regulatory standards that outline the lawful use and disclosure of protected health information (PHI). HIPAA compliance is regulated by the Department of Health and Human Services (HHS) and enforced by the Office for Civil Rights (OCR). The OCR’s role in maintaining medical HIPAA compliance comes in the form of routine guidance on new issues affecting health care and in investigating common HIPAA violations. Through a series of interlocking regulatory rules, HIPAA compliance is a living culture that health care organizations must implement into their business in order to protect the privacy, security, and integrity of protected health information.


HIPAA Privacy Rule

The Standards for Privacy of Individually Identifiable Health Information ("Privacy Rule") establishes, for the first time, a set of national standards for the protection of certain health information. The U.S. Department of Health and Human Services ("HHS") issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). The Privacy Rule standards address the use and disclosure of individuals' health information (called "protected health information") by organizations subject to the Privacy Rule (called "covered entities"), as well as standards for individuals' privacy rights to understand and control how their health information is used. Within HHS, the Office for Civil Rights ("OCR") has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties.

A major goal of the Privacy Rule is to assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being. The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing. Given that the health care marketplace is diverse, the Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed.


Who Needs to Be HIPAA Compliant?

HIPAA regulation identifies two types of organizations that must be HIPAA compliant: covered entities and business associates.


HIPAA Rules and Regulations

HIPAA regulation is made up of a number of different HIPAA Rules. The HIPAA Rules were all passed in the 20+ years that have come and gone since HIPAA was first enacted in 1996.

The HIPAA Rules that you should be aware of include:

HIPAA Privacy Rule: The HIPAA Privacy Rule sets national standards for patients’ rights to PHI. The HIPAA Privacy Rule only applies to covered entities, not business associates. Some of the standards outlined by the HIPAA Privacy Rule include: patients’ rights to access PHI, health care providers’ rights to deny access to PHI, the contents of Use and Disclosure HIPAA release forms and Notices of Privacy Practices, and more. The regulatory standards must be documented in the organization’s HIPAA Policies and Procedures. All employees must be trained on these Policies and Procedures annually, with documented attestation.

HIPAA Security Rule: The HIPAA Security Rule sets national standards for the secure maintenance, transmission, and handling of ePHI. The HIPAA Security Rule applies to both covered entities and business associates because of the potential sharing of ePHI. The Security Rule outlines standards for the integrity and safety of ePHI, including physical, administrative, and technical safeguards that must be in place in any health care organization. Specifics of the regulation must be documented in the organization’s HIPAA Policies and Procedures. Staff must be trained on these Policies and Procedures annually, with documented attestation.

HIPAA Breach Notification Rule: The HIPAA Breach Notification Rule is a set of standards that covered entities and business associates must follow in the event of a data breach containing PHI or ePHI. The Rule lays out different requirements for breach reporting depending on the scope and size. Organizations are required to report all breaches, regardless of size, to HHS OCR, but the specific protocols for reporting change depending on the type of breach. The specifics of the HIPAA Breach Notification Rule are outlined in the sections below.

HIPAA Omnibus Rule: The HIPAA Omnibus Rule is an addendum to HIPAA regulation that was enacted in order to apply HIPAA to business associates, in addition to covered entities. The HIPAA Omnibus Rule mandates that business associates must be HIPAA compliant, and also outlines the rules surrounding Business Associate Agreements (BAAs). Business Associate Agreements are contracts that must be executed between a covered entity and a business associate (or between two business associates) before ANY PHI or ePHI can be transferred or shared. The details regarding BAAs are outlined in more depth in the sections below.


HIPAA Compliance Requirements

HIPAA regulation outlines a set of national standards that all covered entities and business associates must address.

Self-Audits: HIPAA requires covered entities and business associates to conduct annual audits of their organization to assess Administrative, Technical, and Physical gaps in compliance with HIPAA Privacy and Security standards. Under HIPAA, a Security Risk Assessment is NOT ENOUGH to be compliant; it is only one essential audit that HIPAA-beholden entities are required to perform in order to maintain their compliance year-over-year.

Remediation Plans: Once covered entities and business associates have identified their gaps in compliance through these self-audits, they must implement remediation plans to reverse compliance violations. These remediation plans must be fully documented and include calendar dates by which gaps will be remedied.

Policies, Procedures, Employee Training: Covered entities and business associates must develop Policies and Procedures corresponding to HIPAA regulatory standards as outlined by the HIPAA Rules. These policies and procedures must be regularly updated to account for changes to the organization. Annual staff training on these Policies and Procedures is required, along with documented employee attestation stating that staff has read and understood each of the organization’s policies and procedures.

Documentation: HIPAA-beholden organizations must document ALL efforts they take to become HIPAA compliant. This documentation is critical during a HIPAA investigation with HHS OCR to pass strict HIPAA audits.

Business Associate Management: Covered entities and business associates alike must document all vendors with whom they share PHI in any way, and execute Business Associate Agreements to ensure PHI is handled securely and mitigate liability. BAAs must be reviewed annually to account for changes to the nature of organizational relationships with vendors. BAAs must be executed before ANY PHI can be shared.

Incident Management: If a covered entity or business associate has a data breach, they must have a process to document the breach and notify patients that their data has been compromised in accordance with the HIPAA Breach Notification Rule. Specific details about the HIPAA Breach Notification Rule are explored below.

What is a HIPAA Violation?

A HIPAA violation is any breach in an organization’s compliance program that compromises the integrity of PHI or ePHI.

A HIPAA violation differs from a data breach. Not all data breaches are HIPAA violations. A data breach becomes a HIPAA violation when the breach is the result of an ineffective, incomplete, or outdated HIPAA compliance program or a direct violation of an organization’s HIPAA policies.

Under HIPAA regulation, there are specific protocols that must be followed in the event of a data breach. The HIPAA Breach Notification Rule outlines how covered entities and business associates must respond in the event of a breach.

Breaches affecting fewer than 500 individuals in a single jurisdiction. The HIPAA Breach Notification Rule requires entities to gather data on all smaller breaches that occur over the course of the year and report them to HHS OCR within 60 days of the end of the calendar year in which they occurred. Affected individuals must be notified that their data was involved in a breach within 60 days of the discovery of the breach.

Breaches affecting more than 500 individuals in a single jurisdiction. The HIPAA Breach Notification Rule requires that larger breaches be reported to HHS OCR within 60 days of the discovery of the breach. Additionally, any affected individuals must be notified upon discovery of the breach. Local law enforcement agencies should also be contacted immediately, in addition to local media agencies in order to alert potentially affected individuals within the necessary jurisdiction.

All breaches affecting 500 or more individuals are posted on the HHS Breach Notification Portal, or “Wall of Shame.” The HHS Wall of Shame is a permanent archive of all HIPAA violations caused by large-scale breaches that have occurred in the US since 2009. This searchable database is a concrete consequence of a HIPAA violation that can permanently damage the reputation of healthcare organizations that experience a HIPAA violation or large-scale breach.


HIPAA Compliance at Global Health Opinion Inc. (GHO)

As a global health organization dedicated to improving healthcare outcomes, Global Health Opinion Inc. (GHO) recognizes the importance of adhering to the Health Insurance Portability and Accountability Act (HIPAA) to protect patient data and maintain the trust of our clients and partners. Our commitment to HIPAA compliance reflects our values of transparency, accountability, and excellence in healthcare delivery.


HIPAA Principles Applied at GHO

1. Privacy Rule Compliance

GHO strictly adheres to the HIPAA Privacy Rule, which regulates the use and disclosure of Protected Health Information (PHI). We ensure that only authorized personnel have access to PHI, safeguarding patient confidentiality. Patients are provided with transparent communication about their privacy rights and how their information is used. Additionally, GHO complies with the Privacy Rule’s requirements for Use and Disclosure forms and Notices of Privacy Practices, reinforcing our commitment to protecting sensitive health information.

2. Security Rule Adherence

As a leader in health technology, GHO complies with the HIPAA Security Rule to manage electronic Protected Health Information (ePHI) securely. Our safeguards include administrative controls, such as policies for ePHI access, regular audits, and risk assessments. Physical safeguards ensure secure facilities and strict access controls for data storage. Technical safeguards involve advanced encryption, secure communication channels, and routine system updates to mitigate cybersecurity risks.

3. Breach Notification Rule

GHO has established comprehensive protocols to handle potential data breaches effectively. In the event of a breach, affected individuals are notified immediately, ensuring transparency. We report breaches to the HHS Office for Civil Rights (OCR) as mandated and conduct annual reviews to continuously improve our incident management processes. These measures underscore our proactive approach to maintaining the integrity of PHI and ePHI.


Compliance Measures at GHO

Self-Audits and Risk Assessments

GHO conducts annual audits to evaluate the effectiveness of its administrative, technical, and physical safeguards. These assessments ensure alignment with HIPAA requirements and help identify any gaps in compliance. Regular risk assessments are also performed to proactively address vulnerabilities and enhance the security of Protected Health Information (PHI).

Policy Development and Training

To maintain a culture of compliance, GHO regularly updates its Policies and Procedures to reflect the latest HIPAA regulations and organizational practices. Mandatory annual training is provided to all staff, ensuring they fully understand HIPAA standards and their responsibilities in protecting PHI. This training fosters a knowledgeable workforce committed to safeguarding sensitive information.

Documentation and Reporting

GHO prioritizes meticulous documentation of all compliance efforts, including training records, audit findings, and breach response actions. In the event of a data breach, transparent reporting is conducted in accordance with the HIPAA Breach Notification Rule. This ensures accountability and demonstrates GHO’s commitment to regulatory compliance and patient trust.

Business Associate Management

Recognizing the importance of secure collaborations, GHO executes Business Associate Agreements (BAAs) with all third-party vendors that handle PHI. These agreements regulate the secure processing and transmission of sensitive data. Annual reviews of BAAs are conducted to ensure continued compliance with evolving regulatory requirements, fostering strong partnerships and data protection practices.


HIPAA as an Integral Part of GHO Services

Second Opinions and Peer Reviews

GHO’s second-opinion services are meticulously designed to safeguard patient privacy and data security. All consultations and reviews are conducted through secure, HIPAA-compliant platforms, ensuring that sensitive medical records and communications remain protected. Access to Protected Health Information (PHI) is restricted to authorized specialists, who utilize the information exclusively for diagnosis reviews and treatment recommendations, maintaining the highest standards of confidentiality.

Telemedicine and Mental Health Services

GHO's telehealth and mental health services are developed with a strong focus on privacy and security. Real-time interactions between patients and licensed professionals are conducted on platforms designed with encryption and privacy-by-design principles, ensuring the confidentiality of all data. These secure systems enable patients to access high-quality healthcare services while adhering to HIPAA requirements for protecting PHI.

Technology-Driven Solutions

In leveraging advanced technologies like Artificial Intelligence (AI) and Machine Learning (ML), GHO ensures full compliance with HIPAA Security Rule standards. These innovations are integrated into healthcare platforms to enhance care delivery without compromising data privacy or security. Furthermore, all external tools and vendor collaborations are governed by stringent Business Associate Agreements (BAAs). This approach guarantees compliance across the supply chain and reinforces the security of patient data processed through GHO's platforms.