The Health Insurance Portability and Accountability Act, also known as HIPAA, was enacted in 1996 with the goal of protecting the privacy of patients’ health information. The law imposes limitations on how healthcare providers can share patient information, and sets standards for securing electronic medical records.
HIPAA has been amended several times over the years, most recently in 2015, to account for changes in technology and to provide more protections for patients. Despite the changes, HIPAA remains a complex and often confusing law. This blog post will provide an overview of HIPAA’s key provisions and explain why they are important.
What is HIPAA for?
HIPAA is a federal law that mandates continuous health insurance coverage for employees who lose or change jobs. It also aims to reduce healthcare costs by standardizing electronic transmission of administrative and financial transactions in an effort to increase efficiency within our medical industry, as well as to protect patients’ privacy rights when it comes to accessing necessary care.
Combating abuse, fraud, and waste in health insurance and healthcare delivery are also goals, as is improving access to long-term care services and health insurance.
What are the 5 main components?
There are five sections, or titles:
- Title I: Health Insurance Reform. The primary goal of the first title is to protect individuals who are no longer employed so that they can continue to be covered by health insurance plans. It also prohibits group health plans from denying coverage to people with specific diseases or pre-existing conditions and from establishing lifetime coverage limits.
- Title II: HIPAA Administrative Simplification. The US Congress directed the Department of Health and Human Services (HHS) to establish national standards for processing electronic healthcare transactions, and to require organizations that receive funding from this agency or operate within its jurisdiction – such as hospitals – to comply with privacy regulations on data protection at all times.
- Title III: HIPAA Tax-Related Health Provisions. Title III includes tax-related provisions and guidelines for medical care.
- Title IV: Group Health Plan Requirements, Application and Enforcement. Title IV defines health insurance reform in greater detail, including provisions for people with pre-existing conditions and those seeking continued coverage.
- Title V: Revenue Offsets. Title V is a complex section of the tax code that covers a wide range of topics. One important topic covered in this title is company-owned life insurance and how it applies when a person loses citizenship for income tax purposes.
In healthcare circles, most people refer to HIPAA compliance as adhering to HIPAA Title II. Title II, also known as the Administrative Simplification provisions, includes the HIPAA compliance requirements listed below:
- Standard for National Provider Identification. The National Provider Identifier is a 10-digit number that must be obtained by all healthcare providers, including individuals and employers. Anyone seeking services from an accredited provider can use this unique code to confirm the identity of the provider delivering their care.
- Standard Transactions and Code Sets. To submit and process insurance claims, healthcare organizations must use a standardized mechanism for electronic data interchange (EDI).
- The HIPAA Privacy Rule. Officially, the Privacy Rule is known as the Standards for Privacy of Individually Identifiable Health Information. This standard safeguards patients’ personal health information and establishes national guidelines for how it may be handled, accessed, or used, while ensuring that individuals retain access rights to their own information when they need it.
- The HIPAA Security Rule. The Security Standards for the Protection of Electronic Protected Health Information (ePHI) establish guidelines for the security of patient data.
- The HIPAA Compliance Rule. This rule establishes guidelines for HIPAA compliance investigations.
The HHS Office for Civil Rights (OCR), which enforces HIPAA, conducts audits and has the authority to levy penalties for noncompliance. HIPAA violations can be expensive for healthcare organizations.
HIPAA Privacy Rule
The HIPAA Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes the first national standards in the United States to protect patients’ personal or protected health information (PHI).
The Department of Health and Human Services has issued regulations to protect patients’ privacy rights while they are being treated by doctors. The rule requires any entity that receives patients’ private information to protect it while still providing the healthcare services those patients need to recover.
The HIPAA Privacy Rule guarantees patients the right to receive their own personal health information from healthcare providers covered by this Act upon request.
Your medical information is safeguarded by the HIPAA Privacy Rule. It also requires that if you work with a covered entity, they have specific safeguards in place for any private health data used or disclosed under a business associate (BA) agreement.
What are HIPAA-covered entities?
HIPAA only applies to covered entities and their BAs. Any organization or corporation that directly handles PHI or personal health records (PHRs) is considered a HIPAA-covered entity. To protect PHI and PHRs, covered entities must follow the mandates of HIPAA and the HITECH (Health Information Technology for Economic and Clinical Health) Act.
Covered entities fall into three categories:
- Healthcare providers are the individuals and organizations who deliver the country’s healthcare services, such as doctors, nurses, dentists, psychiatrists, psychologists, nursing homes, pharmacies, and so on. It cannot be overstated that these are the backbone of the country, as they are responsible for the health and well-being of citizens.
- Health plans. Health insurance companies, health maintenance organizations (HMOs), company health plans, and government healthcare programs such as Medicare, Medicaid, and military healthcare programs are all examples of health plans.
- Healthcare clearinghouses are an important part of our healthcare system. They convert nonstandard information from other entities into standard formats and convert it back when necessary, so that the data can be used by its original owner or by secondary users such as billing services and community hospitals for patient record management.
Entities can use the HHS online tool to determine whether they are a HIPAA-covered entity or BA and, as a result, whether they must comply or not.
What information is protected under HIPAA?
The Privacy Rule safeguards all personally identifiable health information held or transmitted by a covered entity or a BA. This data can be stored in any format, including digital, paper, or oral.
PHI includes but is not limited to the following:
- a patient’s name, address, birth date, Social Security number, biometric identifiers, or other personally identifiable information (PII);
- an individual’s past, present, or future physical or mental health condition;
- any care provided to an individual; and
- information concerning the patient’s past, present, or future payment for the care provided to the individual that identifies the patient, or that there is a reasonable basis to believe could be used to identify the patient.
PHI does not include the following:
- employment records, educational information, and other records subject to or defined by the Family Educational Rights and Privacy Act (FERPA); and
- deidentified data, meaning data that does not identify, or provide information that could identify, an individual; such data has no restrictions on use or disclosure.
HIPAA privacy laws safeguard patients’ identifying information, such as their name or social security number.
Blood pressure readings from a consumer device are one example of health data that is not covered by these regulations, because the readings are not shared with any healthcare provider who could use them in treatment – but there is still plenty to worry about when you get your own medical bill.
The Privacy Rule specifies certain administrative requirements that covered entities must meet. Among these requirements are the following:
- A privacy official, such as a chief privacy officer (CPO), who is in charge of developing and implementing policies and procedures at a covered entity, must be appointed.
- Employees, including volunteers and trainees, must receive policy and procedure training.
- To protect the privacy of PHI in a covered entity, appropriate administrative, technical, and physical safeguards must be maintained.
- A covered entity must have a process in place for individuals to file complaints about policies and procedures.
- If PHI is disclosed in violation of its policies and procedures, a covered entity must mitigate any harmful effects to the greatest extent practicable.
HIPAA-permitted uses and disclosures
The Privacy Rule specifies when a covered entity may use or disclose an individual’s PHI. Use or disclosure is permitted under two conditions:
- if the Privacy Rule itself permits or requires it; for example, it allows covered entities to share data with other businesses for purposes such as fraud prevention or detection; or
- if the subject of the information provides written consent.
These requirements are intended to improve the interoperability of the health information technology (IT) environment by ensuring that electronic health information is made available to the appropriate people at the appropriate time. In certain circumstances, such as a national emergency (such as a pandemic), parts of the Privacy Rule may be changed to allow PHI disclosure that would otherwise be illegal.
HIPAA Privacy Rule penalties
The Privacy Rule is a federal law that mandates that all healthcare providers safeguard your personal information. If a healthcare provider suffers a data breach or fails to provide patients with access to their own PHI, OCR may fine them. The severity of the infraction determines the severity of the Privacy Rule penalties. They are classified into four tiers:
- The fine for unknowingly violating HIPAA is $100 per violation, with a maximum annual fine of $25,000 for repeat violations.
- The reasonable cause penalty for HIPAA violations is $1,000 per violation, with a yearly maximum of $100,000 for repeat violations.
- The penalty for willful neglect where the violation is corrected within the required time frame is $10,000 per violation, with a maximum annual penalty of $250,000 for repeat violations.
- The penalty for willful neglect where the violation is not corrected is $50,000 per violation, with a maximum annual penalty of $1.5 million for repeat violations.
The Federal Trade Commission has announced that health care organizations and individuals will face fines of up to $50,000 if they intentionally obtain or disclose personal information without permission under HIPAA rules. If this is done under false pretenses, the penalties can be even harsher, including a year in prison and fines.
HIPAA compliance training programs can help organizations reduce the risk of regulatory action. OCR provides guidance and educational material on Privacy and Security Rule compliance; courses are also offered by many consultancies and can be developed internally within your organization. Healthcare providers can also design their own customized workshops that cover all aspects of the subject, including how best to implement current policies.
While there is no official HIPAA compliance certification program, training companies provide certification credentials to demonstrate understanding of the act’s guidelines and regulations.
HIPAA Security Rule
The HIPAA Security Rule, or Security Standards for the Protection of Electronic Protected Health Information, establishes national standards for securing patient data that is stored or transferred electronically. It is based on the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST).
OCR enforces the HIPAA Security Rule, which aims to balance patient security with medical technology advancement.
The rule requires physical and electronic safeguards to ensure the secure transmission, maintenance, and receipt of PHI. Healthcare organizations should ask three key risk analysis questions when addressing the risks and vulnerabilities associated with PHI and ePHI:
- Can the sources of ePHI and PHI within the organization — including all PHI created, received, maintained or transmitted — be identified?
- What are the external sources of PHI?
- What are the human, natural and environmental threats to information systems that contain ePHI and PHI?
Organizations can use the answers to these questions to determine what steps they need to take to maintain or develop a HIPAA-compliant security management process, such as:
- create a personnel screening procedure;
- determine which data to back up;
- decide how and where to store data;
- decide where and how encryption should be used; and
- determine which data should be authenticated to ensure data integrity, and put access controls in place for physical workstations, electronic media, and data.
Healthcare providers who have been certified by the government as meaningful users of medical data must adhere to strict privacy regulations. HIPAA requires them to certify that they have mechanisms in place to protect patient records, such as firewalls and encryption software on all devices where those records are stored or transmitted.
HIPAA Omnibus Rule
The HIPAA Omnibus Rule modifies the HIPAA Privacy, Security, and Enforcement Rules to implement HITECH Act statutory amendments. It represented the most significant revisions to the HIPAA Privacy and Security Rules since they were first implemented. Among the changes are the following:
- enhancing privacy and security safeguards for individuals’ PHI;
- modifying the Breach Notification Rule for unsecured PHI and establishing more objective standards for determining a healthcare provider’s liability in the aftermath of a data breach;
- modifying the HIPAA Privacy Rule to strengthen genetic information privacy protections;
- describing OCR’s data privacy and security enforcement strategies for the electronic health record (EHR) era, as mandated by the HITECH Act;
- extending the Breach Notification Rule to EHR and EHR-related system vendors;
- holding HIPAA BAs, including BA subcontractors, to the same standards for protecting PHI as covered entities;
- requiring patients who pay cash to instruct their provider not to share information about their treatment with their health plan;
- imposing new restrictions on how information is used and disclosed for marketing and fundraising purposes;
- prohibiting the sale of an individual’s health information without their permission;
- making it easier for parents and others to give permission to share proof of a child’s immunization with a school;
- streamlining an individual’s ability to authorize the use of their health information for research purposes; and
- increasing penalties for noncompliance based on the level of negligence.
What are HIPAA business associates and their contract requirements?
A BA is defined by HIPAA as any organization or individual who works with or provides services to a covered entity and handles or discloses PHI or PHRs. Any HIPAA BA that serves a healthcare provider or institution is subject to audits by OCR within HHS under the HITECH Act and can be held accountable for a data breach and penalized for noncompliance.
According to the HHS, some examples of BAs include the following:
- when a health plan hires a third-party administrator to assist with claims processing;
- when a certified public accounting (CPA) firm provides accounting services to a healthcare provider and has access to protected health information;
- when a hospital hires a consultant to perform utilization reviews;
- when a healthcare clearinghouse translates a claim from a nonstandard format for a healthcare provider and then sends the processed transaction to a payer;
- when a physician uses an independent medical transcriptionist’s services;
- when a pharmacy benefits manager manages a health plan’s pharmacist network; and
- when a covered entity uses a cloud storage service to store PHI.
Mobile application developers could also be considered HIPAA BAs because many healthcare mobile applications handle PHI.
HHS provided an example of how an app developer could be considered a HIPAA BA: A provider instructs a patient to download a health app to their smartphone. A contract exists between the app developer and the provider for patient management services such as remote patient health counseling, patient messaging, food and exercise monitoring, EHR integration, and application program interfaces (APIs). Furthermore, the information entered by the patient into the application is automatically entered into the EHR.
A HIPAA BA agreement (BAA) is a contract that is entered into between a HIPAA-covered entity and a HIPAA BA. The contract safeguards PHI in accordance with regulations. HHS requires that HIPAA BA contracts or other written arrangements do the following:
- explain how the BA is allowed and required to use PHI;
- require the BA not to use or disclose PHI for any purpose other than those specified in the contract or required by law;
- require the BA to implement appropriate safeguards to ensure that the PHI is used in accordance with the contract;
- show how the BA would report and respond to a data breach, including data breaches caused by the BA’s subcontractors;
- show how the BA would respond to an OCR investigation; and
- require the covered entity to take reasonable steps to cure any breach by the BA if and when it becomes aware of one; if this is unsuccessful, the covered entity must terminate the contract with the BA, and if termination is also unsuccessful, the covered entity must report the incident to OCR.
HIPAA is an important law that helps protect people’s privacy. It is important to understand the key provisions so you can be sure your business is compliant. Have you ever had a situation where you needed to share someone’s health information? Let us know in the comments!