Our HIPAA Explained article provides information about the Healthcare Insurance Portability and Accountability Act (HIPAA), the most recent changes to the Act in 2013, and how provisions within the Act currently affect patients, the healthcare industry as a whole, and the individuals who work within it.
HIPAA Simplified History
Originally proposed in 1996 in order that workers could carry forward insurance and healthcare rights between jobs, our HIPAA simplified history shows the Act has since expanded into an act of legislation that also governs health insurance fraud and tax provisions for medical savings accounts, and ensures acceptance of workers with pre-existing conditions into occupational healthcare insurance schemes. Primarily, however, HIPAA concerns the privacy and security of patient health information.
HIPAA (via the HITECH Act) was also used to encourage the healthcare industry to computerize paper records. This led to concerns over unauthorized disclosures of “Protected Health Information” (PHI) and resulted in the development of further privacy and security regulations in 2013. The regulations addressed technological advances in the healthcare industry since the original legislation was passed, and expanded responsibility for the integrity of PHI to Business Associates.
The HIPAA regulations are enforced by the U.S. Department of Health & Human Services´ Office for Civil Rights, while state Attorney Generals can also take action against parties discovered not to be in compliance with HIPAA. The Office for Civil Rights has the authority to impose fines on Covered Entities and Business Associates for breaches of PHI unless the offending party can demonstrate a low probability that patient health information was compromised.
HIPAA for Dummies
Although it may be considered unkind to entitle a section of this article “HIPAA for Dummies”, there are still some people unaware of what patient health information is “protected”. To clarify what is consider to be “Protected Health Information”, we have listed below the eighteen “personal identifiers” that individually – or linked with any other personal identifier – could reveal the identity of an individual, their medical history or payment history:
|Names or part of names||Any other unique identifying characteristic|
|Geographical identifiers||Dates directly related to an individual|
|Phone numbers||Fax numbers|
|Email addresses||Social Security numbers|
|Medical record numbers||Health insurance beneficiary numbers|
|Account numbers||Certificate or license numbers|
|Vehicle license plate numbers||Device identifiers and serial numbers|
|Web URLs||IP addresses|
|Fingerprints, retinal and voice prints||Full face or any comparable photographic images|
Who is Covered by HIPAA?
Before launching into HIPAA explained it is best to clarify who the legislation applies to. Practically all health plans, health care clearinghouses, health care providers and endorsed sponsors of the Medicare prescription drug discount card are considered to be “HIPAA Covered Entities” under the Act. Typically, these are entities that come into contact with Protected Health Information on a regular basis.
“Business Associates” are also covered by HIPAA. These are entities who do not create, receive, maintain or transmit Protected Health Information in their primary occupation, but who provide third party services and activities for Covered Entities during the course of which they will encounter PHI. Prior to undertaking a service or activity on behalf of a Covered Entity, a Business Associate must sign a Business Associate Agreement guaranteeing to ensure the integrity of any PHI to which it has access.
A grey are exists with regard to self-insured single employer group health plans and employers who act as intermediaries between employees and health care providers. HIPAA states employers are not Covered Entities unless the nature of their business falls within the criteria to be a Covered Entity (i.e. an employing Medical Center would be a Covered Entity). However, as self-insuring and intermediary employers handle PHI that is protected by the HIPAA Privacy Rule, they are considered “Virtual Entities” and subject to HIPAA compliance.
HIPAA Explained Post 2013
Please Note: For information relating to HIPAA prior to 2013, and its relationship with the HITECH Act of 2009, please refer to our “HIPAA History” page. Greater detail of the HIPAA Privacy and Security Rules is contained within our “HIPAA Compliance Checklist”.
Since the introduction of the Final Omnibus Rule, which enacted new regulations within HIPAA in 2013, new guidelines have been issued on how PHI must be accessed and communicated in a medical-related environment. The revised Act gives patients further rights to know and control how their health information is used and extends the controls on HIPAA-covered entities and Business Associates to how patient information is accessed and communicated.
HIPAA-covered entities and Business Associates must implement mechanisms to restrict the flow of information to within a private network, monitor activity on the network and take measures to prevent the unauthorized disclosure of PHI beyond the network´s boundaries. More attention must be given to conducting risk assessments, and new reporting procedures have been developed to cover data breaches.
Revisions to the HIPAA Security Rule dictate the conditions (“safeguards”) that must be in place for HIPAA-compliant storage and the communication of ePHI. These “safeguards” are described in the HIPAA Security Rule as either “required” or “addressable”. In fact all the safeguards are generally required – irrespective of how they are described – as the following section explains.
The Office for Civil Rights conducts audits on HIPAA-covered entities to ensure they comply with the regulations. When avoidable breaches of ePHI are discovered, the Office for Civil Rights has the authority to impose financial penalties and bring criminal charges against the negligent entity.
The Required and Addressable Safeguards of HIPAA Explained
One area of HIPAA that has led to some confusion is the difference between “required” and “addressable” safeguards. Effectively every safeguard of HIPAA is “required” unless there is a justifiable reason not to implement the safeguard or an appropriate alternative to the safeguard is implemented that achieves the same objective.
A scenario in which the implementation of an addressable safeguard could be unnecessary is the encryption of email. Emails containing PHI – either in the body or as an attachment – only have to be encrypted if they are sent beyond a firewalled, internal server. If a healthcare organization only uses email as an internal form of communication – or has an authorization from a patient to send their information unencrypted – there is no need to implement this addressable safeguard.
The decision not to implement email encryption will have to be supported by a risk assessment and documented in writing. Other factors that may have to be taken into consideration is the organization´s risk mitigation strategy and other safeguards put in place to protect the integrity of PHI. As a footnote to this particular section of HIPAA explained, the encryption of PHI at rest and in transit is recommended.
The Implications of HIPAA to Patients
The implications of HIPAA to patients are that their healthcare information is treated more sensitively and can be accessed more quickly by their healthcare providers. Electronically stored health information is now better protected than paper records ever were, and healthcare organizations that have implemented mechanisms to comply with HIPAA regulations are witnessing an improved efficiency. This manifests – as far as patients are concerned – as a higher standard of healthcare.
On the negative side, healthcare organizations are not solely concerned with the standard of healthcare they can provide to individual patients. Healthcare organizations want to increase the services they can provide, want to raise the quality of care and improve patient safety through research. However, research is restricted by HIPAA and restricted access to PHI has the potential to slow down the rate at which improvements can be made in health care.
There is also a price to pay for improved data security, and although the enactment of the Meaningful Use program provided financial incentives for healthcare providers to computerize paper records, implementing the necessary controls to secure ePHI can carry a substantial cost. Increasing funding for compliance has the potential to reduce the level of patient care, while the administrative burden that HIPAA-compliance places of healthcare organizations furthers strains the limited resources available.
How to Explain HIPAA to Patients
- They have the right to request their medical records whenever they like.
- They have the right to request you amend their medical records when appropriate.
- They have the right to limit who has access to their personal health information.
- They have to right to choose how healthcare providers communicate with them.
- They also have the right to complain about the unauthorized disclosure of their PHI.
Unless the patient has suffered a physical or financial harm due to the unauthorized disclosure of their PHI, they will not be able to bring a civil action against the negligent party. However, Covered Entities and Business Associates who violate HIPAA for personal gain, false pretenses or other personal gain will have criminal penalties imposed upon them by the Office for Civil Rights that could result in up to ten years´ imprisonment.
The Implications of HIPAA to Healthcare Organizations
If data privacy and security is not addressed, the Office for Civil Rights can issue fines for non-compliance. Preventable data breaches are likely to see considerable financial penalties issued. Under the penalty structure introduced by HITECH, violations can result in fines up to $1.5 million being issued by the OCR, while lawsuits can be filed by both attorney generals and – as mentioned above – the victims of data breaches.
The high probability of healthcare organizations becoming targets for cybercriminals and the exorbitant cost of addressing data breaches – issuing breach notification letters, offering credit monitoring services and covering the OCR fines – is far in excess of the cost of achieving full compliance. But, while the initial cost of investment in the necessary technical, physical and administrative safeguards to secure patient data may be high, the improvements can result in cost savings over time as a result of improved efficiency.
Organizations that have already implemented mechanisms to comply with HIPAA have seen their employee´s workflows streamlined, less time is wasted playing “phone tag” and the workforce has become more productive – allowing healthcare organizations to reinvest their savings and deliver a higher standard of healthcare to patients.
How to Explain HIPAA to Employees
Explaining HIPAA to employees of Covered Entities and Business Associates requires far more effort than explaining HIPAA to patients. In order to comply with HIPAA, Covered Entities and Business Associates have to compile privacy and security policies for their workforces, and a sanctions policy for employees who fail to comply with the requirements. Therefore it is necessary to explain HIPAA to employees in greater detail.
The best way to explain HIPAA to employees is in special compliance training sessions. Although the HIPAA regulations state training should be provided annually, we would suggest there is so much for employees to take in relating to the security and privacy of personal health information, compliance training sessions should be short and frequent. Trying to explain HIPAA to employees in a four-hour training session will likely be unsuccessful.
A lot of the explanation will revolve around maintaining the integrity of PHI, but how this is implemented will likely have an impact on the employees themselves. For example, employees will be unable to discuss patient healthcare via their mobile device unless the communications are encrypted. Due to the number of healthcare facilities implementing BYOD policies, this will mean employees have to download secure communication apps to their personal mobile devices.
New Technology and HIPAA Privacy and Security Rules
New technology is constantly being developed to protect the integrity of PHI. Compliance with the HIPAA Privacy and Security Rules is becoming easier each day due to innovations such as web filtering, secure email archiving and secure message solutions.
Web filtering is an excellent mechanism to mitigate the risks from malware – particularly surveillance malware that can record keystrokes to obtain usernames and passwords. Several recent data breaches have been the result of malware downloads – including several that would not have occurred with the implementation of a web filtering mechanism.
Secure email archiving is another area in which healthcare organizations can improve their online security posture. Maintaining six years of emails can create a storage problem. However, by using a third-party secure email archiving service, healthcare organizations release resources within their own IT structure while complying with the HIPAA Privacy and Security Rules.
It was mentioned earlier in this HIPAA Explained article that some of the most recent changes to HIPAA account for the risks from “Bring Your Own Device” policies. Some healthcare organizations have eliminated the risks by implementing secure messaging solutions. These solutions enable authorized users to securely access and communicate ePHI from their personal mobile devices via secure messaging apps.
As with all third-party service providers, the onus is one the healthcare organization to ensure the Business Associate is HIPAA-compliant. The costs of failing to ensure compliance can be substantial, as our HIPAA Explained infographic below demonstrates.