HIPAA Compliance: Covered Entities (CEs) & Business Associates (BAs)

HIPAA Compliance: Covered Entities (CEs) & Business Associates (BAs)

 

Cybersecurity in Healthcare, At a Glance

Cyber attackers are constantly looking for new ways to exploit vulnerabilities in organizations’ systems and networks. They are especially interested in targeting industries and organizations that are likely to be more vulnerable, such as those that handle sensitive data or that have limited security resources.

Because the healthcare industry is one of the most high-profile, important industries in the world with access to an abundance of sensitive information, they have become prime, lucrative targets for cyber attackers on the black market. Furthermore, healthcare facilities often have complex, interconnected IT infrastructures, which makes them more susceptible to cyber threats.  As the threat landscape evolves and becomes more sophisticated, healthcare organizations are finding it more and more difficult to gain the visibility and oversight they need to ensure their data is staying protected at all times.

The Purpose of HIPAA Compliance

The Health Insurance Portability and Accountability Act (HIPAA) is a set of regulations with rules for how healthcare organizations use, store, transmit, electronically exchange, and leverage patient information.  It was established nearly 30 years ago to protect the privacy and security of protected health information (PHI) or electronic PHI (ePHI)–any information that can be used to identify an individual, such as their name, address, Social Security number, and medical records.

Here are some of the key things that HIPAA does:

  • Defines protected health information (PHI): PHI is any information that can be used to identify an individual, including their name, address, Social Security number, and medical records.
  • Establishes rules for how PHI can be used and disclosed: HIPAA’s privacy regulations establish rules for how PHI can be used and disclosed. For example, PHI can only be used or disclosed for certain purposes, such as treatment, payment, or healthcare operations.
  • Requires healthcare organizations to implement safeguards to protect PHI: HIPAA’s security regulations require healthcare organizations to implement safeguards to protect PHI. These safeguards include physical security measures, such as locks and security cameras, and technical security measures, such as encryption.
  • Establishes penalties for violations of HIPAA: HIPAA’s enforcement regulations establish penalties for violations of HIPAA. These penalties can include civil and criminal penalties.

 

Although privacy is the most well-known regulation, HIPAA includes the following:

 

  • Privacy regulations:  Rules for how health information can be used and disclosed.
  • Security regulations: Rules for how health information must be stored and transmitted.
  • Administrative simplification regulations: Rules to standardize how health information can be exchanged electronically.
  • Fraud and abuse regulations: Rules for how health information can be used for marketing purposes to reduce fraud and abuse of PII.

Types of Healthcare Organizations: CEs and BAs

HIPAA regulations apply to all organizations that handle PHI, including those organizations that work in healthcare indirectly. These include:

    • Healthcare providers: Healthcare providers, such as hospitals, doctors’ offices, and clinics, must comply with HIPAA to protect the health information of their patients.
    • Health insurance companies: Health insurance companies must comply with HIPAA to protect the health information of their policyholders.
    • Pharmacies: Pharmacies must comply with HIPAA to protect the health information of their customers.
    • Billing companies: Billing companies that work with healthcare providers must comply with HIPAA to protect the health information of their clients’ patients.
    • IT consultants: IT consultants that work with healthcare providers must comply with HIPAA to protect the health information of their clients’ patients.
    • Marketing firms: Marketing firms that work with healthcare providers must comply with HIPAA to protect the health information of their clients’ patients.

 

These healthcare companies are grouped into two categories: covered entities and business associates.

Covered entities (CEs) are organizations, or entities, that provide treatment or services to patients, transmit or receive protected health information (PHI) in connection with certain transactions. Covered entities include healthcare providers, health plans, and clearinghouses.

Business associates (BAs) are individuals or organizations, other than a member of the workforce of a covered entity, that do not provide healthcare services directly to patients, but still handle protected health information.  BAs functions or activities can involve creating, receiving, maintaining, or transmitting PHI on behalf of a CE or another BA. This includes organizations such as billing companies, IT consultants, and marketing firms. 

 

Both covered entities and business associates must comply with HIPAA’s privacy and security rules. Even if an organization does not provide healthcare services directly, if  they handle protected healthcare information (PHI), they are still responsible for protecting the privacy of the . This means that they must comply with all of the same HIPAA regulations as healthcare organizations.   This means that they must take steps to protect the confidentiality, integrity, and availability of ePHI.

 

Unique Challenges for Business Associates (BAs)

Lack of resources. Many BAs are small businesses that do not have the resources to dedicate to HIPAA compliance.
Complexity of the regulations. HIPAA is a complex set of regulations, and it can be difficult for BAs to understand and implement all of the requirements.
Changing threat landscape. The threat landscape is constantly changing, and BAs need to stay up-to-date on the latest security threats in order to protect PHI.
Shortage of  resources. CEs are responsible for ensuring that their BAs are compliant with HIPAA, but many CEs do not have the resources to adequately oversee their BAs.

 

Consequences of Non-Compliance

There are a number of consequences of not being HIPAA compliant ranging from civil penalties to criminal charges, including:

  • Civil penalties: The Office for Civil Rights (OCR) can impose civil penalties on BAs that are not HIPAA compliant. The amount of the penalty will depend on the severity of the violation.
  • Criminal penalties: In some cases, non-compliance with HIPAA can also result in criminal penalties. For example, if a BA knowingly and willfully discloses PHI without authorization, they could be charged with a felony.
  • Damage to reputation: If a BA is found to be non-compliant with HIPAA, it could damage their reputation and make it difficult to do business with CEs.
  • Loss of business: If a BA is found to be non-compliant with HIPAA, they could lose their business. CEs may not want to do business with a BA that is not compliant with HIPAA, as this could put their own PHI at risk.

 

Penalty Tier Level of Culpability Minimum Penalty per Violation Maximum Penalty per Violation Annual Penalty Limit
Tier 1 Reasonable Efforts $127 $63,973 $1,919,173
Tier 2 Lack of Oversight $1280 $63,973 $1,919,173
Tier 3 Neglect – Rectified within 30 days $12,794 $63,973 $1,919,173
Tier 4 Neglect – Not Rectified within 30 days $63,973 $1,919,173 $1,919,173

*The HIPAA Journal 2022

How Concertium Can Help

By partnering with Concertium–a leading provider of Orchestrated Cybersecurity and IT services–healthcare organizations can address the challenges associated with achieving HIPAA compliance, safeguarding patient data, and building a culture of security and privacy. Through our comprehensive solution suite, we offer expertise in risk analysis, compliance consulting, vulnerability management, 24/7 incident detection and response, breach containment and remediation, policy development, employee security awareness training, and more.

We help healthcare organizations achieve HIPAA compliance by providing:

 

  • Expert guidance on HIPAA compliance. Concertium’s team of experts can help healthcare organizations understand their current risk, identify and strategize policy and procedure recommendations and remediation guidance for areas requiring compliance improvement.
  • Comprehensive security solutions. Concertium’s security solutions can help healthcare organizations protect PHI from unauthorized access, use, disclosure, alteration, or destruction.
  • Managed services. Concertium can provide managed services to help healthcare organizations maintain their security and HIPAA compliance programs.

 

Do you have questions about our HIPAA compliance services and solutions? We are here to help! Contact us today to start getting better protection for your business.

Call us at (813) 490-4260 or email us at sales@concertium.com.