HIPAA Rules and Regulations

The HIPAA rules and regulations are the standards and implementation specifications adopted by federal agencies to streamline healthcare transactions and protect the privacy and security of individually identifiable health information. This guide explains why the HIPAA rules and regulations exist, what they consist of, and who they apply to.

In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA) with the objective of reforming the health insurance industry. Due to concerns that the cost of the reforms would be passed on to plan members and employers, and that this would negatively impact tax revenues, Congress added a second Title to HIPAA – “Preventing Health Care Fraud and Abuse; Administrative Simplification”.

The provisions in Title II were intended to neutralize the cost of the reforms. The measures introduced to prevent health care fraud and abuse gave HHS’ Office of Inspector General more resources to identify fraud and abuse in the healthcare industry, increased the civil and criminal penalties for violations of the Social Security Act, and widened the criteria for exclusion from federal health programs such as Medicare and Medicaid.

The Administrative Simplification measures instructed the Secretary for Health and Human Services to standardize the administration of healthcare transactions, adopt security standards for health information maintained or transmitted electronically, and “make recommendations with respect to the privacy of certain health information.” These instructions evolved into what many consider to be the HIPAA Rules and Regulations.

The HIPAA Administrative Simplification Regulations

The HIPAA Administrative Simplification Regulations occupy Parts 160, 162, and 164 in Title 45 of the Code of Federal Regulations (Public Welfare).

  • Part 164 includes General Provisions (Subpart A), the Security Rule (Subpart C), the Breach Notification Rule (Subpart D), and the Privacy Rule (Subpart E).
  • Part 162 includes further General Provisions (Subpart A), the Identifier Regulations (Subparts D to F), and the Transactions and Code Sets Rules (Subparts I to S).
  • Part 160 also includes General Provisions (Subpart A), as well as the Enforcement Rule (Subparts C and E), and the process for determining HIPAA Civil Penalties (Subpart D).

The above HIPAA rules and regulations are administered and enforced by HHS’ Office for Civil Rights (Parts 160 and 164) and HHS’ Centers for Medicare and Medicaid (Part 162). Other agencies involved in administrative activities include the Internal Revenue Service (which issues Employer ID Numbers), while the Federal Trade Commission has its own Health Breach Notification Rule for organizations not covered by the HIPAA rules and regulations.

In addition, State Attorneys General can take enforcement action against covered entities and business associates when a breach of unprotected health information harms a resident of the state, or when an organization violates a state privacy or security regulation that overlays HIPAA. Some states also have Breach Notification Rules with shorter notification periods than HIPAA and/or consumer data protection laws that allow for a private right of action.

The HIPAA Rules and Regulations in Part 164

General Provisions

All three Parts of the HIPAA Rules and Regulations commence with the General Provisions for that Part. General Provisions typically consist of an introduction to the Part, a list of definitions for terms that are only used in the Part, and any unique arrangements that apply to the Part. For example, the General Provisions of Part 164 include a definition of hybrid entities and standards for how the healthcare component(s) of a hybrid entity should operate.

The HIPAA Security Rule

The HIPAA Security Rule contains the standards and implementation specifications considered necessary to ensure the confidentiality, integrity, and security of electronic Protected Health Information (ePHI). The Rule applies to all covered entities, business associates, and subcontractors with access to ePHI, who are responsible for ensuring all members of the workforce comply with this Subpart regardless of their access to ePHI.

The HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule exists to ensure covered entities alert patients and plan members to a data breach in a timely manner so the victims of a breach can take steps to protect themselves against fraud and identity theft. The Rule covers topics such as the burden of proof, non-notifiable disclosures, law enforcement delays, notifications to HHS’ Office for Civil Rights, and – when required – notifications to the media.

The HIPAA Privacy Rule

The HIPAA Privacy Rule has two objectives – to protect the privacy of individually identifiable health information and to increase individuals’ rights over how their health information is used and who it is disclosed to. Individuals also have the right to request copies of their health information, review it for errors, request amendments when errors exist, and transfer their health information to a different provider or health plan.

The HIPAA Rules and Regulations in Part 162

General Provisions

The HIPAA rules and regulations in Part 162 apply to covered entities that conduct covered transactions in-house, healthcare clearinghouses, and business associates that conduct covered transactions on behalf of a covered entity. It is also necessary for healthcare providers who outsource covered transactions to monitor business associate compliance with the HIPAA rules and regulations in Part 162 for the reasons given below.

HIPAA Unique Health Identifier Regulations

Unique health identifiers are used to identify employers (EINs) when a plan member is enrolled or disenrolled from a health plan, and to identify healthcare providers (NPIs) in all HIPAA covered transactions. Healthcare providers need to ensure NPIs are used correctly in all covered transactions – regardless of whether they are conducted in-house or subcontracted – to prevent delayed eligibility checks, treatment authorizations, and payments.

HIPAA Transactions and Code Sets Rules

The HIPAA transactions and code sets rules determine whether a healthcare provider qualifies as a covered entity or not. If a healthcare provider conducts any transactions electronically for which code sets exist, they qualify as a covered entity. If they do not conduct covered transactions electronically (i.e., they only bill patients directly), they do not qualify as a covered entity and do not have to comply with the HIPAA rules and regulations.

The HIPAA Rules and Regulations in Part 160

General Provisions

The General Provisions in Subpart A of Part 160 and the section relating to the Preemption of State Law in Subpart B are very important in the context of understanding the HIPAA rules and regulations because they clarify when standards and implementation specifications apply to business associates, provide definitions of the most commonly used terms in HIPAA, and explain when a provision of state law preempts a provision of HIPAA.

The HIPAA Enforcement Rule

The Enforcement Rule was originally one Subpart of Part 160 – “Procedures for Investigations, Imposition of Penalties, and Hearings”. As the number of standards increased and the penalty structure was amended by the HITECH Act, the Enforcement Rule was split into separate Subparts: “Investigations” (Subpart C) and “Hearings” (Subpart E). The “Imposition of Penalties” now occupies Subpart D, as HIPAA civil penalties are amended annually.

HIPAA Civil Penalties

The HIPAA Civil Penalties are often a last resort for persistent offenders – HHS agencies preferring to “seek and promote voluntary compliance” with the HIPAA rules and regulations. However, although organizations might not be fined by HHS’ Office for Civil Rights, compliance with the HIPAA rules and regulations may be considered the “standard of care” in State Attorney General civil actions, private lawsuits, and class action lawsuits.

Who Do The HIPAA Rules and Regulations Apply To?

The HIPAA rules and regulations apply to health plans, healthcare clearinghouses, and healthcare providers who conduct covered transactions electronically – collectively “covered entities”. An individual or organization that provides a service for or on behalf of a covered entity – other than as a member of the covered entity’s workforce – is a business associate if the service involves the creation, receipt, storage, or transmission of Protected Health Information (PHI).

Business associates and subcontractors of business associates are required to comply with the Security and Breach Notification Rules, any other Administrative Simplification Regulations that apply to the service being provided, and any specific provisions included in the Business Associate Agreement between the parties. Compliance is required even when a business associate or subcontractor has “no view access” to Protected Health Information.

Workforce members are also required to comply with HIPAA. Workforce compliance is often assumed to be limited to workplace policies and procedures. However, §164.530(e)(1) requires covered entities to apply sanctions against workforce members “who fail to comply with the privacy policies and procedures of the covered entity or the requirements of this subpart [the Privacy Rule] or subpart D of this part [the Breach Notification Rule]”.

Applicability, Exceptions, and the Flexibility of Approach

In the context of who the HIPAA rules and regulations apply to, it is important to be aware that covered entities, business associates, and workforce members do not have to comply with every standard and implementation specification – only those that are applicable to their operations. Those that are applicable should be determined by conducting a HIPAA risk assessment to identify where PHI is created, received, stored, or transmitted.

There are also a number of HIPAA exceptions. These can apply in circumstances where – for example – a state law preempts HIPAA, a patient provides their authorization for an otherwise impermissible disclosure, or a covered entity conducts a patient safety activity such as a fire drill. Some third-party service providers may also not be required to comply with the HIPAA rules and regulations if they are exempted by the HIPAA Conduit Exception Rule.

The flexibility of approach provisions can also affect how a covered entity or business associate complies with HIPAA. The provisions in §164.306(b) allow covered entities and business associates to take into account factors such as complexity, capabilities, and costs when deciding how they will comply with the Security Rule. Any decisions made on the basis of these factors must be justified and documented in case of a subsequent compliance investigation.

Future Changes to the HIPAA Rules and Regulations

In addition to complying with the current HIPAA rules and regulations, it is necessary to be aware of future changes to the HIPAA rules and regulations. This is because, when a new or revised standard is published, there is a limited time between publication, the effective date, and the compliance date. Some organizations may find it difficult to make whatever changes are necessary and provide workforce training on the changes within the time allowed.

When large-scale changes occur – such as happened in 2013 with the HIPAA Omnibus Rule – almost every covered entity and business associate is impacted by the changes. This makes it harder to seek appropriate guidance from HHS and raises the likelihood of standards being misinterpreted. Fortunately, the changes since 2013 have been limited in scale (e.g., the NIC amendment to the Privacy Rule) or regular in nature (e.g., HCPCS code updates).

However, there is a growing list of HIPAA updates and changes in the pipeline – ranging from new Part 162 standards for electronic signatures on healthcare transactions, to new Security Rule standards to comply with HHS’ Healthcare Sector Cybersecurity Strategy. Significantly, it has been hinted that a failure to comply with the new Security Standards might not only result in a civil monetary penalty, but also in expulsion from federal health programs such as Medicare.

HIPAA Compliance Needs to be Approached Holistically

Because of the wide range of applicable HIPAA rules and regulations, the wide range of covered entities and business associates they apply to, and the potential for exceptions, flexibilities, and changes, compliance with the HIPAA rules and regulations needs to be holistic, rather than piecemeal. Individuals and organizations subject to HIPAA compliance are advised to seek professional compliance advice if assistance is needed adopting a holistic approach to HIPAA compliance.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com