What Does HIPAA Mean?
HIPAA stands for the Health Insurance Portability and Accountability Act – an Act passed by Congress in 1996 with the primary objectives of reforming the health insurance industry, enabling health insurance portability between jobs, and prohibiting practices that denied or limited access to health care benefits for employees with pre-existing conditions.
However, the measures Congress introduced to achieve these objectives incurred costs for the health insurance industry. To avoid insurance companies passing on the costs to employers and group plan members in the form of higher premiums, Congress introduced further measures to tackle health insurance fraud and improve the efficiency of the health insurance industry.
The measures to improve the efficiency of the health insurance industry evolved into the Administrative Simplification Regulations (45 CFR Parts 160, 162, and 164). These regulations:
- Standardize health claims transactions, code sets, and identifiers (the Administrative Requirements),
- Protect the privacy of individually identifiable health information (the Privacy Rule),
- Set standards for the security of electronic Protected Health Information (the Security Rule),
- Describe the process for notifying unauthorized disclosures and data breaches (the Breach Notification Rule), and
- Explain how the regulations are enforced and what the penalties are for non-compliance (the Enforcement Rule).
In the context of what HIPAA means in practice, most people associate HIPAA compliance with the Privacy, Security, and Breach Notification Rules. The following is a brief synopsis of these three Rules.
The Privacy Rule
The Privacy Rule defines what individually identifiable health information is protected, when “Protected Health Information” can be used and disclosed, and how Covered Entities – and Business Associates when applicable – should comply with the standards (i.e., by developing policies and procedures, training staff on policies and procedures, implementing a sanctions policy, etc.).
The Privacy Rule also explains individuals' rights to request a copy of health information maintained in designated record sets, request corrections to errors or omissions, and request that their health information be transferred to another provider. The Rule also gives patients the right to request an accounting of disclosures for certain uses and disclosures that are not generally permissible.
The Privacy Rule applies to most health plans, health care clearinghouses, and healthcare providers (“Covered Entities”), and “where provided” to third party organizations that provide a service to or on behalf of a Covered Entity that involves the creation, receipt, use, or transmission of Protected Health Information. These third party organizations are known as Business Associates.
The Security Rule
The Security Rule applies to all Covered Entities and Business Associates and to the subset of Protected Health Information that is created, received, used, or transmitted electronically. Primarily, the Security Rule stipulates what Administrative, Physical, and Technical Safeguards must be implemented to secure electronic Protected Health Information from unauthorized access.
The Administrative Requirements take up the most space in the Security Rule – explaining concepts such as the security management process, risk management, and workforce security inasmuch as all members of the workforce (which includes any person under the direct control of the Covered Entity or Business Associate) have to undergo security and awareness training.
The Physical Safeguards cover the physical security of facilities, workstations, and devices on which electronic Protected Health Information is stored, while the Technical Safeguards contain standards relating to identity and access management, audit and integrity controls, and transmission security (i.e., encryption). A few safeguards also relate to emergency access requirements.
The Breach Notification Rule
The Breach Notification Rule requires Covered Entities to notify affected individuals and HHS' Office for Civil Rights when an impermissible disclosure or data breach exposes unsecured Protected Health Information to compromise. This Rule also applies to Business Associates, who are required to report all security incidents – not only data breaches – to the Covered Entity.
The Breach Notification Rule stipulates the timelines in which notifications must be made and what information notifications must contain. It puts a burden of proof on Covered Entities to ensure all notifications are made in a timely manner or to demonstrate by means of a risk assessment that a data breach resulted in a low probability of Protected Health Information being compromised.
Importantly, the Breach Notification Rule not only applies to HIPAA Covered Entities and Business Associates, but to any organization that collects, receives, uses, or transmits individually identifiable health information – for example, vendors of personal health devices. When a non-HIPAA breach occurs, organizations must report the breach to individuals and the Federal Trade Commission.
What Does HIPAA Mean? FAQs
What does HIPAA mean to Covered Entities?
Although complying with the Administrative Simplification Regulations requires a lot of effort, the reward can be significant. Eligibility checks, treatment authorizations, and payments are transacted much quicker, while the changes made to HIPAA via the HITECH Act have had a positive effect on the quality, safety, and efficiency of care according to a 2016 report to Congress.
What does HIPAA mean to Business Associates?
HIPAA has not had such a dramatic impact on Business Associates. However, the mandatory requirement to train all members of the workforce on security and awareness – even those with no access to Protected Health Information – has improved online security generally at a time when cybercriminals are increasingly targeting health information.
What does HIPAA mean to individuals?
Possibly the biggest impact of HIPAA has been for individuals – especially patients of healthcare providers. Research has shown that when patients trust health information will remain private, they tend to disclose more intimate details to healthcare providers. This enables healthcare providers to make better informed decisions about treatments, which result in better patient outcomes.
Why does the Privacy Rule apply to most healthcare providers and not all?
In order to qualify as a Covered Entity, healthcare providers must conduct electronic transactions for which the Department of Health and Human Services has published standards (in the Administrative Requirements). If a healthcare provider does not conduct transactions electronically, or bills patients directly, they do not qualify as a Covered Entity under HIPAA.
What are the penalties for non-compliance with HIPAA?
When HHS' Office for Civil Rights receives a complaint or a notification of a data breach – and there is evidence of non-compliance – it will conduct an investigation. Most often, the investigation is resolved via a corrective action plan; but, in a minority of cases, the agency will reach a financial settlement with the organization or impose a civil monetary penalty within the following bands:
| Level of Culpability | Minimum Penalty per Violation Type | Maximum Penalty per Violation Type | Annual Penalty Limit |
|---|---|---|---|
| Lack of Knowledge | $141 | $35,581 | $35,581 |
| Lack of Oversight | $1,424 | $71,162 | $142,355 |
| Willful Neglect | $14,232 | $71,162 | $355,808 |
| Willful Neglect not Corrected within 30 days | $71,162 | $2,134,831 | $2,134,831 |