Our HIPAA Explained article provides information about the Healthcare Insurance Portability and Accountability Act, the most recent changes to the Act in 2013, and how the provisions within the Act currently affect the healthcare industry.
Originally proposed in 1996 to enable workers to carry forward insurance and healthcare rights between jobs, HIPAA has since been expanded into an act of legislation that also governs health insurance fraud, tax provisions for medical savings accounts and ensures acceptance of workers with pre-existing conditions into occupational healthcare insurance schemes.
HIPAA was also used to force the healthcare industry to computerize paper records. This led to concerns over who could access electronically stored Protected Health Information (ePHI) and prompted the U.S. Department of Health & Human Services to develop new privacy regulations. The regulations are now enforced by the Office for Civil Rights, while state attorneys general can also take action against organizations discovered to have violated HIPAA.
More recently, security regulations were enacted in HIPAA to account for technological changes and different working practices in the healthcare industry since the original legislation was passed. One of the most significant developments in recent years has been the growth of “Bring Your Own Device” policies and the risk that personal mobile devices present to the integrity of confidential patient data.
Please Note: For information relating to HIPAA prior to 2013, and its relationship with the HITECH Act of 2009, please refer to our “HIPAA History” page. Greater detail of the HIPAA Privacy and Security Rules is contained within our “HIPAA Compliance Checklist”.
Who is Covered by HIPAA?
Before launching into HIPAA explained, it is best to clarify who the legislation applies to. Practically all healthcare organizations, their medical staff and other employees will be HIPAA-covered entities, along with healthcare insurance providers and healthcare clearing houses.
Business Associates and other third party service providers do not necessarily have to implement all the criteria contained within HIPAA, but they do need to sign Business Associate Agreements confirming that they will be responsible for any ePHI they come into contact with. Business Associates are answerable to the Office for Civil Rights for any breaches of ePHI that they cause.
A grey area exists with regard to trainers, researchers, fundraisers and marketing personnel. Although they must seek consent from a patient before being able to use their personal information, they will be subject to the same HIPAA regulations as covered entities or Business Associates, depending on how they intend to use and communicate patient “personal identifiers” and ePHI.
To clarify what is meant by a “personal identifier”, it is any element of a patient’s ePHI that can be linked with another element of ePHI to identify a patient. In the Security Rule of HIPAA, a personal identifier is defined as any or part of a patient’s medical history or payment history. Consequently, the following elements can all be considered to be “personal identifiers”:
Names or part of names
Any other unique identifying characteristic
Geographical identifiers
Dates directly related to an individual
Phone numbers
Fax numbers
Email addresses
Social Security numbers
Medical record numbers
Health insurance beneficiary numbers
Account numbers
Certificate or license numbers
Vehicle license plate numbers
Device identifiers and serial numbers
Web URLs
IP addresses
Fingerprints, retinal and voice prints
Full face or any comparable photographic images
HIPAA Explained Post 2013
Since the introduction of the Final Omnibus Rule, which enacted new regulations within HIPAA in 2013, new guidelines have been issued on how ePHI must be accessed and communicated in a medical-related environment. The revised Act gives patients further rights to know and control how their health information is used and extends the controls on HIPAA-covered entities to how patient information is accessed and communicated.
HIPAA-covered entities must implement mechanisms to restrict the flow of information to within a private network, monitor activity on the network and take measures to prevent employees from communicating ePHI beyond the network’s boundaries. More attention must be given to conducting risk assessments, and new reporting procedures have been developed to cover data breaches involving ePHI.
The HIPAA Security Rule and Privacy Rule dictate the conditions that must be in place for HIPAA-compliant storage and communication of ePHI. The Office for Civil Rights conducts audits on HIPAA-covered entities to ensure they comply with the regulations. When avoidable breaches of ePHI are discovered, the Office for Civil Rights has the authority to impose financial penalties and bring criminal charges against the negligent entity.
The Required and Addressable Safeguards of HIPAA Explained
One area of HIPAA that has led to some confusion is the difference between “required” and “addressable” safeguards. Effectively every safeguard of HIPAA is “required” unless there is a justifiable reason not to implement the safeguard or an appropriate alternative to the safeguard is implemented that achieves the same objective.
A scenario in which the implementation of an addressable safeguard could be unnecessary is the encryption of email. Emails containing PHI – either in the body or as an attachment – only have to be encrypted if they are sent beyond a firewalled, internal server. If a healthcare organization only uses email as an internal form of communication – or has an authorization from a patient to send their information unencrypted – there is no need to implement this addressable safeguard.
The decision not to implement email encryption will have to be supported by a risk assessment and documented in writing. Other factors that may have to be taken into consideration are the organization’s risk mitigation strategy and the other safeguards put in place to protect the integrity of PHI. As a footnote to this particular section of HIPAA explained, the encryption of all PHI is always recommended.
The Implications of HIPAA to Patients
The implications of HIPAA to patients are that their healthcare information is treated more sensitively and can be accessed more quickly by their healthcare providers. Electronically stored health information is now better protected than paper records ever were, and healthcare organizations that have implemented mechanisms to comply with HIPAA regulations are witnessing improved efficiency. This manifests – as far as patients are concerned – as a higher standard of healthcare.
On the negative side, healthcare organizations are not solely concerned with the standard of healthcare they can provide to individual patients. Healthcare organizations want to increase the services they can provide, want to raise the quality of care and improve patient safety through research. However, research is restricted by HIPAA and restricted access to ePHI has the potential to slow down the rate at which improvements can be made in the healthcare industry.
There is also a price to pay for improved data security. Implementing the necessary controls to secure ePHI can carry a substantial cost. Increasing funding for compliance has the potential to actually reduce the level of patient care, while the administrative burden that HIPAA compliance places on healthcare organizations further strains the limited resources available.
The Implications of HIPAA to Healthcare Organizations
If data privacy and security are not addressed, the Office for Civil Rights can issue fines for non-compliance. Preventable data breaches are likely to see considerable financial penalties issued. Under the penalty structure introduced by HITECH, violations can result in fines of up to $1.5 million being issued by the OCR, while lawsuits can be filed by both attorneys general and the victims of data breaches.
Healthcare organizations are highly likely to become targets for cybercriminals, and the exorbitant cost of addressing data breaches – issuing breach notification letters, offering credit monitoring services and covering the OCR fines – is far in excess of the cost of achieving full compliance.
While the initial cost of investment in the necessary technical, physical and administrative safeguards to secure patient data may be high, the improvements have been seen to enhance efficiency and can result in cost savings over time.
Organizations that have already implemented mechanisms to comply with HIPAA have seen their employees’ workflows streamlined, less time is wasted playing “phone tag” and the workforce has become more productive – allowing healthcare organizations to reinvest their savings and deliver a higher standard of healthcare to patients.
New Technology and HIPAA Privacy and Security Rules
New technology is constantly being developed to protect the integrity of PHI. Compliance with the HIPAA Privacy and Security Rules is becoming easier each day due to innovations such as web filtering, secure email archiving and secure message solutions.
Web filtering is an excellent mechanism to mitigate the risks from malware – particularly surveillance malware that can record keystrokes to obtain usernames and passwords. Several recent data breaches have been the result of malware downloads – including several that would not have occurred with the implementation of a web filtering mechanism.
Secure email archiving is another area in which healthcare organizations can improve their online security posture. Maintaining six years of emails can create a storage problem. However, by using a third-party secure email archiving service, healthcare organizations release resources within their own IT structure while complying with the HIPAA Privacy and Security Rules.
It was mentioned earlier in this HIPAA Explained article that some of the most recent changes to HIPAA account for the risks from “Bring Your Own Device” policies. Some healthcare organizations have eliminated the risks by implementing secure messaging solutions. These solutions enable authorized users to securely access and communicate PHI from their personal mobile devices via secure messaging apps.
As with all third-party service providers, the onus is on the healthcare organization to ensure the Business Associate is HIPAA-compliant. The costs of failing to ensure compliance can be substantial, as our HIPAA Explained infographic below demonstrates.