Our HIPAA Explained article provides information about the Healthcare Insurance Portability and Accountability Act (HIPAA), the most recent changes to the Act in 2013, and how provisions within the Act currently affect patients, the healthcare industry as a whole, and the individuals who work within it.
What is HIPAA?
The Healthcare Insurance Portability and Accountability Act (HIPAA) is an act of legislation passed in 1996 which originally had the objective of enabling workers to carry forward healthcare insurance and healthcare rights between jobs. Over the course of the Act´s passage through Congress, additional objectives were added to the bill, and it´s final text had five Titles:
- Title 1 – Health Care Access, Portability, and Renewability
- Title 2 – Preventing Health Care Fraud and Abuse, Administrative Simplification, and Medical Liability Reform
- Title 3 – Tax-Related Health provisions Governing Medical Savings Accounts
- Title 4 – Application and Enforcement of Group Health Insurance Requirements
- Title 5 – Revenue Offset Governing Tax Deductions for Employers
In the context of answering the question what is HIPAA, Title 2 impacts the healthcare and health insurance industries the most. This Title of the Act has led to the U.S. Department of Health and Human Services (HHS) promulgating five sets of Rules which now govern how patient health information is protected from theft, corruption, and unauthorized deletion.
The six sets of Rules are known collectively as the Administrative Simplification Rules, and they have been introduced in stages over the lifetime of HIPAA as operations have changed, as technology has advanced, and as other Acts of legislation have modified HIPAA – for example, the Health Information and Technology for Economic and Clinical Health Act (HITECH) in 2009.
Title 2 of HIPAA Explained in Simple Terms
The combined text the HIPAA Administrative Simplification Rule has been combined into a single document of 115 pages by the HHS, which makes it a very lengthy read, but it is possible to summarize HIPAA in a few sentences and explain HIPAA in simple terms.
Title 2 of HIPAA was an attempt by Congress to improve efficiency in healthcare, eliminate wastage, combat fraud, and ensure that health information that can be tied to an individual and would allow them to be identified is protected and kept private and confidential.
The HHS has since introduced sets of standards for healthcare organizations to follow to ensure everyone is singing from the same hymn sheet. Standard codes and identifiers have been created to make it easier for health information exchange, and healthcare providers, health insurers, and their business associates are required to use the same codes for electronic transactions to ensure data could be exchanged efficiently.
The Administrative Simplification Rules also stipulate the allowable uses and disclosures of health information, restrict who is allowed to access health information and under what circumstances. HIPAA now makes it easier for citizens to obtain copies of their health data, to check their health records for errors, and to share their records with whoever they wish. HIPAA also sets standards for protecting health data to make it harder for health information to be accessed by individuals who had no right to view the information.
HIPAA Simplified History
Our HIPAA simplified history shows the timeline of HIPAA and the dates on which the Administration Simplification Rules became effective. The significant gap between the passage of HIPAA and the effective date of the Privacy Rule was attributable to Congress having the option to pass separate privacy regulations. When the option expired, The Privacy Rule took four years to develop due to the concerns of industry stakeholders.
- August 1996 – HIPAA Signed into Law by President Bill Clinton.
- April 2003 – Effective Date of the HIPAA Privacy Rule.
- April 2005 – Effective Date of the HIPAA Security Rule.
- March 2006 – Effective Date of the HIPAA Breach Enforcement Rule.
- September 2009 – Effective date of HITECH and the Breach Notification Rule.
- March 2013 – Effective Date of the Final Omnibus Rule.
The inclusion of the HITECH Act in the timeline is significant. HITECH was the launch pad for the Meaningful Use program which incentive healthcare providers to digitalize healthcare records. Many of the provisions within the Final Omnibus Rule were attributable to HITECH and the consequences of transferring volumes of healthcare data from paper to EHRs and cloud-based systems.
The HIPAA regulations are enforced by the U.S. Department of Health & Human Services´ Office for Civil Rights, while state Attorney Generals can also take action against parties discovered not to be in compliance with HIPAA. The Office for Civil Rights has the authority to impose fines on Covered Entities and Business Associates for violations of HIPAA and data breaches unless the offending party can demonstrate a low probability that health information has been compromised.
HIPAA for Dummies
Although it may be considered unkind to entitle a section of this article “HIPAA for Dummies”, there are still some people unaware of what patient health information is “protected”. To clarify what is consider to be “Protected Health Information”, we have listed below the eighteen “personal identifiers” that individually – or linked with any other personal identifier – could reveal the identity of an individual, their medical history or payment history:
|Names or part of names||Any other unique identifying characteristic|
|Geographical identifiers||Dates directly related to an individual|
|Phone numbers||Fax numbers|
|Email addresses||Social Security numbers|
|Medical record numbers||Health insurance beneficiary numbers|
|Account numbers||Certificate or license numbers|
|Vehicle license plate numbers||Device identifiers and serial numbers|
|Web URLs||IP addresses|
|Fingerprints, retinal and voice prints||Full face or any comparable photographic images|
Who is Covered by HIPAA?
Before launching into HIPAA explained it is best to clarify who the legislation applies to. Practically all health plans, health care clearinghouses, health care providers and endorsed sponsors of the Medicare prescription drug discount card are considered to be “HIPAA Covered Entities” under the Act. Typically, these are entities that come into contact with Protected Health Information on a regular basis.
“Business Associates” are also covered by HIPAA. These are entities who do not create, receive, maintain or transmit Protected Health Information in their primary occupation, but who provide third party services and activities for Covered Entities during the course of which they will encounter PHI. Prior to undertaking a service or activity on behalf of a Covered Entity, a Business Associate must sign a Business Associate Agreement guaranteeing to ensure the integrity of any PHI to which it has access.
A grey are exists with regard to self-insured single employer group health plans and employers who act as intermediaries between employees and health care providers. HIPAA states employers are not Covered Entities unless the nature of their business falls within the criteria to be a Covered Entity (i.e. an employing Medical Center would be a Covered Entity). However, as self-insuring and intermediary employers handle PHI that is protected by the HIPAA Privacy Rule, they are considered “Virtual Entities” and subject to HIPAA compliance.
HIPAA Explained Post 2013
Since the introduction of the Final Omnibus Rule, which enacted new regulations within HIPAA in 2013, new guidelines have been issued on how PHI must be accessed and communicated in a medical-related environment. The revised Act gives patients further rights to know and control how their health information is used and extends the controls on HIPAA-covered entities and Business Associates to how patient information is accessed and communicated.
HIPAA-covered entities and Business Associates must implement mechanisms to restrict the flow of information to within a private network, monitor activity on the network and take measures to prevent the unauthorized disclosure of PHI beyond the network´s boundaries. More attention must be given to conducting risk assessments, and new reporting procedures have been developed to cover data breaches.
Revisions to the HIPAA Security Rule dictate the conditions (“safeguards”) that must be in place for HIPAA-compliant storage and the communication of ePHI. These “safeguards” are described in the HIPAA Security Rule as either “required” or “addressable”. In fact all the safeguards are generally required – irrespective of how they are described – as the following section explains.
The Office for Civil Rights conducts audits on HIPAA-covered entities to ensure they comply with the regulations. When avoidable breaches of ePHI are discovered, the Office for Civil Rights has the authority to impose financial penalties and bring criminal charges against the negligent entity.
The Required and Addressable Safeguards of HIPAA Explained
One area of HIPAA that has led to some confusion is the difference between “required” and “addressable” safeguards. Effectively every safeguard of HIPAA is “required” unless there is a justifiable reason not to implement the safeguard or an appropriate alternative to the safeguard is implemented that achieves the same objective.
A scenario in which the implementation of an addressable safeguard could be unnecessary is the encryption of email. Emails containing PHI – either in the body or as an attachment – only have to be encrypted if they are sent beyond a firewalled, internal server. If a healthcare organization only uses email as an internal form of communication – or has an authorization from a patient to send their information unencrypted – there is no need to implement this addressable safeguard.
The decision not to implement email encryption will have to be supported by a risk assessment and documented in writing. Other factors that may have to be taken into consideration is the organization´s risk mitigation strategy and other safeguards put in place to protect the integrity of PHI. As a footnote to this particular section of HIPAA explained, the encryption of PHI at rest and in transit is recommended.
The Implications of HIPAA to Patients
The implications of HIPAA to patients are that their healthcare information is treated more sensitively and can be accessed more quickly by their healthcare providers. Electronically stored health information is now better protected than paper records ever were, and healthcare organizations that have implemented mechanisms to comply with HIPAA regulations are witnessing an improved efficiency. This manifests – as far as patients are concerned – as a higher standard of healthcare.
On the negative side, healthcare organizations are not solely concerned with the standard of healthcare they can provide to individual patients. Healthcare organizations want to increase the services they can provide, want to raise the quality of care and improve patient safety through research. However, research is restricted by HIPAA and restricted access to PHI has the potential to slow down the rate at which improvements can be made in health care.
There is also a price to pay for improved data security, and although the enactment of the Meaningful Use program provided financial incentives for healthcare providers to computerize paper records, implementing the necessary controls to secure ePHI can carry a substantial cost. Increasing funding for compliance has the potential to reduce the level of patient care, while the administrative burden that HIPAA-compliance places of healthcare organizations furthers strains the limited resources available.
How to Explain HIPAA to Patients
- They have the right to request their medical records whenever they like.
- They have the right to request you amend their medical records when appropriate.
- They have the right to limit who has access to their personal health information.
- They have to right to choose how healthcare providers communicate with them.
- They also have the right to complain about the unauthorized disclosure of their PHI.
Unless the patient has suffered a physical or financial harm due to the unauthorized disclosure of their PHI, they will not be able to bring a civil action against the negligent party. However, Covered Entities and Business Associates who violate HIPAA for personal gain, false pretenses or other personal gain will have criminal penalties imposed upon them by the Office for Civil Rights that could result in up to ten years´ imprisonment.
The Implications of HIPAA to Healthcare Organizations
If data privacy and security is not addressed, the Office for Civil Rights can issue fines for non-compliance. Preventable data breaches are likely to see considerable financial penalties issued. Under the penalty structure introduced by HITECH, violations can result in fines up to $1.5 million being issued by the OCR, while lawsuits can be filed by both attorney generals and – as mentioned above – the victims of data breaches.
The high probability of healthcare organizations becoming targets for cybercriminals and the exorbitant cost of addressing data breaches – issuing breach notification letters, offering credit monitoring services and covering the OCR fines – is far in excess of the cost of achieving full compliance. But, while the initial cost of investment in the necessary technical, physical and administrative safeguards to secure patient data may be high, the improvements can result in cost savings over time as a result of improved efficiency.
Organizations that have already implemented mechanisms to comply with HIPAA have seen their employee´s workflows streamlined, less time is wasted playing “phone tag” and the workforce has become more productive – allowing healthcare organizations to reinvest their savings and deliver a higher standard of healthcare to patients.
How to Explain HIPAA to Employees
Explaining HIPAA to employees of Covered Entities and Business Associates requires far more effort than explaining HIPAA to patients. In order to comply with HIPAA, Covered Entities and Business Associates have to compile privacy and security policies for their workforces, and a sanctions policy for employees who fail to comply with the requirements. Therefore it is necessary to explain HIPAA to employees in greater detail.
The best way to explain HIPAA to employees is in special compliance training sessions. Although the HIPAA regulations state training should be provided annually, we would suggest there is so much for employees to take in relating to the security and privacy of personal health information, compliance training sessions should be short and frequent. Trying to explain HIPAA to employees in a four-hour training session will likely be unsuccessful.
A lot of the explanation will revolve around maintaining the integrity of PHI, but how this is implemented will likely have an impact on the employees themselves. For example, employees will be unable to discuss patient healthcare via their mobile device unless the communications are encrypted. Due to the number of healthcare facilities implementing BYOD policies, this will mean employees have to download secure communication apps to their personal mobile devices.
New Technology and HIPAA Privacy and Security Rules
New technology is constantly being developed to protect the integrity of PHI. Compliance with the HIPAA Privacy and Security Rules is becoming easier each day due to innovations such as web filtering, secure email archiving and secure message solutions.
Web filtering is an excellent mechanism to mitigate the risks from malware – particularly surveillance malware that can record keystrokes to obtain usernames and passwords. Several recent data breaches have been the result of malware downloads – including several that would not have occurred with the implementation of a web filtering mechanism.
Secure email archiving is another area in which healthcare organizations can improve their online security posture. Maintaining six years of emails can create a storage problem. However, by using a third-party secure email archiving service, healthcare organizations release resources within their own IT structure while complying with the HIPAA Privacy and Security Rules.
It was mentioned earlier in this HIPAA Explained article that some of the most recent changes to HIPAA account for the risks from “Bring Your Own Device” policies. Some healthcare organizations have eliminated the risks by implementing secure messaging solutions. These solutions enable authorized users to securely access and communicate ePHI from their personal mobile devices via secure messaging apps.
As with all third-party service providers, the onus is one the healthcare organization to ensure the Business Associate is HIPAA-compliant. The costs of failing to ensure compliance can be substantial, as our HIPAA Explained infographic below demonstrates.