
HIPAA Explained

Our HIPAA explained article provides information about the Health Insurance Portability and Accountability Act (HIPAA) and the Administrative Simplification Regulations – which include the HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification Rule.   

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is an Act passed in 1996 whose primary objectives were enabling workers to carry forward healthcare insurance between jobs, prohibiting discrimination against beneficiaries with pre-existing health conditions, and guaranteeing coverage renewability for multi-employer health insurance plans.

At the time, the cost of health insurance was rising rapidly. To prevent health insurance companies from further increasing premiums and deductibles due to the costs associated with the portability and accountability provisions, cost-cutting measures were added as the Act passed through Congress to reduce health care fraud and to make the administration of health claims processing more efficient.

Further measures relating to medical liability reform, medical savings accounts, and revenue offsets were later added to the Act, but these were fairly minor amendments to existing laws rather than the groundbreaking legislation within Titles 1 and 2 that has impacted millions of workers, patients, and employees of organizations working in the health insurance and health care industries.


  • Title 1 – Health Care Access, Portability, and Renewability
  • Title 2 – Preventing Health Care Fraud and Abuse, Administrative Simplification, and Medical Liability Reform
  • Title 3 – Tax-Related Health Provisions Governing Medical Savings Accounts
  • Title 4 – Application and Enforcement of Group Health Insurance Requirements
  • Title 5 – Revenue Offset Governing Tax Deductions for Employers

It is important to acknowledge the measures Congress adopted to tackle health care fraud. These included setting up a Fraud and Abuse Control Program and a Medicare Integrity Program, and increasing the penalties for health care providers found guilty of abusing the health insurance system. These measures saved health plan members, employers, and taxpayers billions of dollars.

However, in the context of answering the question “what is HIPAA?”, most people associate HIPAA compliance with the HIPAA Privacy, Security, and Breach Notification Rules of the Administrative Simplification Regulations. Certainly, these are the provisions of HIPAA which require the most explaining – along with why they were developed, what they do, and who is required to comply with them.

The Administrative Simplification Regulations of HIPAA Explained

Prior to the passage of HIPAA, a Congressional Report claimed that 10% of all spending on health care in the U.S. was lost to “fraudulent or abusive practices by unscrupulous health care providers”. One of the reasons the figure was so high was that different health care providers and different health plans used different transaction rules and code sets to process health claims.

To mitigate fraud and abuse due to the patchwork of claims procedures, Congress instructed the Secretary of Health and Human Services (HHS) to develop nationwide standards for all transactions relating to health claims processes (eligibility checks, treatment authorizations, claims for payment, etc.). These evolved into the HIPAA Administrative Requirements, which can be found in Part 162 of the HIPAA regulations, Subparts I to S.

Because an increasing number of transactions were conducted electronically, Congress also instructed HHS to develop standards and requirements for the electronic transmission of health information (subsequently published as the HIPAA Security Rule) and to make recommendations with respect to the privacy of health information (subsequently published as the HIPAA Privacy Rule).

The Breach Notification Rule was a later addition to the HIPAA Administrative Simplification Regulations – being introduced in 2009 via the HITECH Act. This Rule requires covered entities to notify affected individuals and HHS of any unauthorized disclosures of unsecured PHI, and business associates to notify covered entities of any security incident even if it does not result in a data breach.

HIPAA Simplified History

Our HIPAA simplified history shows the timeline of HIPAA and the dates on which the HIPAA Administrative Simplification Rules became effective. The significant gap between the passage of HIPAA and the effective date of the HIPAA Privacy Rule was attributable to Congress having the option to pass separate privacy regulations. When the option expired, the HIPAA Privacy Rule took four years to finalize due to the concerns of industry stakeholders.

  • August 1996 – HIPAA Signed into Law by President Bill Clinton.
  • April 2003 – Effective Date of the HIPAA Privacy Rule.
  • April 2005 – Effective Date of the HIPAA Security Rule.
  • March 2006 – Effective Date of the HIPAA Enforcement Rule.
  • September 2009 – Effective date of HITECH and the Breach Notification Rule.
  • March 2013 – Effective Date of the Final HIPAA Omnibus Rule.

The inclusion of the HITECH Act in the timeline is significant. HITECH was the launch pad for the Meaningful Use program, which incentivized healthcare providers to digitalize healthcare records. Many of the provisions within the Final HIPAA Omnibus Rule were attributable to HITECH and the consequences of transferring volumes of healthcare data from paper to EHRs and cloud-based systems.

The HIPAA Administrative Simplification Regulations are enforced by the U.S. Department of Health & Human Services’ Office for Civil Rights and Centers for Medicare and Medicaid Services, while state Attorneys General can also take enforcement action in the event that a citizen of the state suffers harm due to the non-compliance of a HIPAA covered entity or business associate. The Office for Civil Rights has the authority to impose fines and corrective action plans on covered entities and business associates for violations of HIPAA and data breaches unless the offending party can demonstrate a low probability that health information has been compromised. The Centers for Medicare and Medicaid Services can impose fines and corrective action plans for violations of the Part 162 HIPAA requirements, and also has the authority to prohibit healthcare organizations from participation in publicly-funded health programs.

Who is Covered by HIPAA?

Before going deeper into HIPAA explained, it is best to clarify to whom the legislation applies. Practically all health plans, health care clearinghouses, and health care providers are considered to be “HIPAA covered entities” under the Act if they conduct electronic transactions for which HHS has adopted standards in Part 162 of the HIPAA Administrative Simplification Regulations.

“Business associates” are also covered by HIPAA. These are entities who create, receive, maintain, or transmit Protected Health Information (PHI) for or on behalf of a covered entity for an activity regulated by HIPAA. Prior to undertaking a service or activity on behalf of a covered entity, a business associate must enter into a Business Associate Agreement guaranteeing to ensure the confidentiality, integrity, and availability of any PHI to which it has access.

A grey area exists with regard to self-insured single employer group health plans and employers who act as intermediaries between employees and health care providers. HIPAA states employers are not covered entities unless the nature of their business falls within the criteria to be a covered entity (i.e., an employing Medical Center would be a Covered Entity with regard to patient health information). However, as self-insuring and intermediary employers handle PHI that is protected by the HIPAA Privacy Rule, they are considered “Hybrid Entities” and subject to HIPAA compliance for any transaction for which the Department of Health and Human Services has published standards.

HIPAA Explained Post 2013

Since the introduction of the Final HIPAA Omnibus Rule, which enacted new regulations within HIPAA in 2013, new guidelines have been issued on how PHI must be accessed and communicated in a medical-related environment. The revised Act gives patients further rights to know and control how their health information is used and extends the controls on HIPAA-covered entities and Business Associates to how patient information is accessed and communicated.

HIPAA-covered entities and business associates must implement mechanisms to restrict the flow of information to within a private network, monitor activity on the network, and take measures to prevent the unauthorized disclosure of PHI beyond the network's boundaries. More attention must be given to conducting risk assessments, and new reporting procedures have been developed to cover data breaches.

HHS’ Office for Civil Rights frequently conducts audits to ensure compliance with the HIPAA Privacy, Security, and Breach Notification Rules. When avoidable violations involving PHI are discovered, the Office for Civil Rights has the authority to impose corrective action plans and financial penalties. In addition, the Centers for Medicare and Medicaid Services can conduct audits on organizations required to comply with the HIPAA Administrative Requirements (Part 162).

The Required and Addressable Safeguards of HIPAA Explained

One area of HIPAA that has led to some confusion is the difference between “required” and “addressable” safeguards. Effectively every standard of HIPAA is “required” unless there is a justifiable reason not to implement the safeguard or an appropriate alternative to the safeguard is implemented that achieves the same objective.

A scenario in which the implementation of an addressable safeguard could be unnecessary is the encryption of email. Emails containing PHI – either in the body or as an attachment – only have to be encrypted if they are sent beyond a firewalled, internal server. If a healthcare organization only uses email as an internal form of communication – or has an authorization from a patient to send their information unencrypted – there is no need to implement this addressable safeguard.

The decision not to implement email encryption will have to be supported by a risk assessment and documented in writing. Other factors that may have to be taken into consideration are the organization's risk mitigation strategy and the other safeguards put in place to protect the integrity of PHI. As a footnote to this particular section of HIPAA explained, the encryption of PHI at rest and in transit is recommended.

The Implications of HIPAA to Patients

The implications of HIPAA to patients are that their healthcare information is treated more sensitively and can be accessed more quickly by their healthcare providers. Electronically stored health information is now better protected than paper records ever were, and healthcare organizations that have implemented mechanisms to comply with HIPAA regulations are witnessing improved efficiency. This manifests – as far as patients are concerned – as a higher standard of healthcare.

On the negative side, healthcare organizations are not solely concerned with the standard of healthcare they can provide to individual patients. Healthcare organizations want to increase the services they can provide, want to raise the quality of care, and improve patient safety through research. However, research is restricted by HIPAA and restricted access to PHI has the potential to slow down the rate at which improvements can be made in health care.

There is also a price to pay for improved data security, and although the enactment of the Meaningful Use program provided financial incentives for healthcare providers to computerize paper records, implementing the necessary controls to secure PHI can carry a substantial cost. Increasing funding for compliance has the potential to reduce the level of patient care, while the administrative burden that HIPAA compliance places on healthcare organizations further strains the limited resources available.

How to Explain HIPAA to Patients

As health care providers are now required by law to give patients a notice of their HIPAA Privacy Policy, it will be necessary to explain HIPAA to patients as they have to sign a copy of the policy to say they have received it. The best way to explain HIPAA to patients is to put the relevant information in the Privacy Policy, and then give the patients a synopsis of what the policy contains. For example, explain to the patient:

  • They have the right to request their medical records whenever they like.
  • They have the right to request you amend their medical records when appropriate.
  • They have the right to limit who has access to their personal health information.
  • They have the right to choose how healthcare providers communicate with them.
  • They also have the right to complain about the unauthorized disclosure of their PHI.

Unless the patient has suffered a physical or financial harm due to the unauthorized disclosure of their PHI, they will not be able to bring a civil action against the negligent party. However, Covered Entities and Business Associates who violate HIPAA for personal gain or under false pretenses will have criminal penalties imposed upon them by the Department of Justice that could result in up to ten years’ imprisonment.

The Implications of HIPAA to Healthcare Organizations

If data privacy and security are not addressed, the Office for Civil Rights can issue fines for non-compliance. Preventable data breaches are likely to see considerable financial penalties issued. Under the penalty structure introduced by HITECH, violations can result in fines of up to $2.1 million per violation being issued by the OCR, while lawsuits can be filed by both attorneys general and the victims of data breaches – victims under state law, rather than HIPAA.

The high probability of healthcare organizations becoming targets for cybercriminals and the exorbitant cost of addressing data breaches – issuing breach notification letters, offering credit monitoring services, and covering the OCR fines – are far in excess of the cost of achieving full compliance. But, while the initial cost of investment in the necessary technical, physical, and administrative safeguards to secure patient data may be high, the improvements can result in cost savings over time as a result of improved efficiency.

Organizations that have already implemented mechanisms to comply with HIPAA have seen employees’ workflows streamlined, less time wasted playing “phone tag”, and a more productive workforce, allowing healthcare organizations to reinvest their savings and deliver a higher standard of healthcare to patients.

How to Explain HIPAA to Employees

Explaining HIPAA to employees of Covered Entities and Business Associates requires far more effort than explaining HIPAA to patients. In order to comply with HIPAA, Covered Entities and Business Associates have to compile privacy and security policies for their workforces, and a sanctions policy for employees who fail to comply with the requirements. As a result, it is necessary to explain HIPAA to employees in greater detail.

The best way to explain HIPAA to employees is in special compliance training sessions. Although the HIPAA regulations do not state that training should be provided annually, we suggest that, because there is so much for employees to take in relating to the security and privacy of personal health information, compliance training sessions should be short and frequent. Trying to explain HIPAA to employees in a one-off session will likely be unsuccessful.

A lot of the explanation will revolve around uses and disclosures, but how policies relating to this requirement are implemented will likely have an impact on the employees themselves. For example, employees will be unable to discuss patient healthcare via their mobile device unless the communications are encrypted. Due to the number of healthcare facilities implementing BYOD policies, this will mean employees have to download secure communication apps to their personal mobile devices or use an alternative, compliant channel of communication.

HIPAA Explained FAQs

Who enforces HIPAA?

This depends on which section of HIPAA is being enforced. The Centers for Medicare and Medicaid Services enforce the Administrative Requirements, HHS’ Office for Civil Rights enforces the Privacy, Security, and Breach Notification Rules for HIPAA-covered organizations, while the Federal Trade Commission enforces the Breach Notification Rule for organizations not covered by HIPAA.

If a violation is suspected to have a criminal motive, it is referred to the Department of Justice for investigation, and State Attorneys General can also pursue civil or criminal action against organizations that fail to comply with any of the HIPAA Rules if a citizen of the state has suffered harm due to a HIPAA violation or the unauthorized disclosure of unsecured PHI.

What information does the HIPAA Privacy Rule protect?

The HIPAA Privacy Rule protects individually identifiable health information relating to the past, present, or future condition of a patient, treatment for the condition, payment for the treatment, and any other related information that could be used to identify the subject of the health information maintained in the same designated record set.

The protection only stops once a designated record set is “deidentified” – typically for research purposes. This means that any piece of information that could be used to identify the subject of the health information is removed from the designated record set before the remaining health information is disclosed. You can find out more about the deidentification of PHI in §164.514.

Why are “practically all” health care providers considered to be HIPAA covered entities? Why not all?

Only health care providers that conduct electronic transactions for which HHS has published standards are covered entities. Any healthcare provider that conducts health claims processes manually (including by fax and landline phone) or bills patients directly does not qualify as a HIPAA covered entity. There are also some health insurance providers that do not qualify as HIPAA covered entities when the provision of health insurance is secondary to a primary insurance product (e.g., auto insurance).

However, if a non-covered health care provider or health plan performs a service for or on behalf of a covered entity that involves a use or disclosure of PHI, the non-covered organization becomes a business associate of the covered entity and must comply with the HIPAA Security and Breach Notification Rules, along with any standards of the HIPAA Privacy Rule applicable to the service being provided by the business associate.

What penalties can CMS impose on organizations that violate the Administrative Requirements?

CMS has the same options available to it as the Office for Civil Rights inasmuch as it can offer technical assistance to noncompliant organizations, impose a corrective plan, or issue a civil monetary penalty. Noncompliant healthcare organizations can also be excluded from the Medicare and Medicaid programs temporarily or permanently.

Which organizations are not covered by HIPAA but are required to comply with the Breach Notification Rule?

Any organization that collects individuals’ health information is required to notify individuals and the enforcing authority if a security incident results in the unauthorized disclosure of individually identifiable health information. For HIPAA-covered organizations, this would mean notifying HHS’ Office for Civil Rights. For non-covered organizations – such as those who collect health data via a fitness tracker, diet app, or blood pressure cuff – this would mean notifying the Federal Trade Commission (FTC).

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
