HIPAA compliance is a necessary, yet challenging, process that many organizations in the healthcare and healthcare insurance industry must undertake. To comply with HIPAA, it is essential for organizations subject to the regulations to understand what HIPAA is and what is covered by its rules.
A consequence of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was the development of national standards to prevent unauthorized uses and disclosures of sensitive patient health information. HIPAA also provided regulations that gave patients more rights to access, correct, and transfer health information, as well as the ability to know who has access to their information.
HIPAA compliance is mandatory for most organizations that transmit health care or payment information electronically. These organizations are known as Covered Entities (CEs) and include most health plans, health care clearinghouses and healthcare providers. Additionally, HIPAA standards apply to pharmacies and third-party organizations with whom Protected Health Information (PHI) is shared for the provision of a service.
These third-party organizations are known as Business Associates (BAs). Potential HIPAA BAs include vendors of E-prescribing software, third-party disposal services, and Managed Service Providers. For HIPAA compliance, all BAs must sign a contract which clarifies what PHI is being disclosed to the BA and the permissible uses and disclosures of PHI by the BA. This contract is known as a Business Associate Agreement (BAA).
The requirements for HIPAA compliance consist of complying with the standards and implementation specifications set by the Administrative Simplification Regulations. For most Covered Entities and Business Associates, this requires complying with the relevant sections of the Administrative Requirements and the Privacy, Security, and Breach Notification Rules.
There can be challenges in meeting the requirements for HIPAA compliance. The Security Rule in particular, while looking straightforward, includes a “flexibility of approach” and implementation specifications which are either “required” or “addressable”.
Addressable implementation specifications offer the opportunity for CEs and BAs to decide whether a given implementation specification is “reasonable and appropriate”. CEs and BAs can choose to implement an alternative measure that achieves the same objective or to not use the measure at all if justifiable in the given circumstances. The decision will depend on a variety of factors such as the entity’s risk analysis, risk mitigation strategy, what security measures are already in place, and the cost of implementation.
The HIPAA Privacy Rule was issued with the intention of protecting the confidentiality of patients’ individually identifiable health information, while allowing for the flow of patient health information when it is required. The HIPAA Privacy Rule stipulates who can have access to PHI, who it can be disclosed to, and the circumstances in which it can be used. Patients have rights over their PHI and must be notified of their rights via a Notice of Privacy Practices. These rights include:
Other than when requested by a patient, the only other time CEs and BAs MUST disclose PHI is when it is requested by HHS´ Office for Civil Rights. CEs are PERMITTED to use and disclose PHI for treatment, payment, and healthcare operations; but these uses and disclosures are subject to the Minimum Necessary Standard which stipulates only the minimum necessary to fulfill the intended purpose can be disclosed without patient authorization.
A patient authorization is required for all other uses and disclosures of PHI. The authorization must state what PHI is being disclosed, who it is being disclosed to, and for what reason. The authorization form must also make it clear to the patient (or their representative) that they have the right to withdraw their authorization at any time.
The HIPAA Security Rule was promulgated to support the protection of electronic Protected Health Information (ePHI). While the Privacy Rule primarily applies to CEs, the Security Rule applies to CEs and BAs in its entirety.
The Security Rule requires both CEs and BAs to comply with 3 types of safeguards in order to protect and secure the integrity of PHI created, transmitted, used or maintained electronically. These three types are Physical, Administrative, and Technical Safeguards.
The Physical Safeguards are measures intended to prevent unauthorized access to a CE’s or BA’s information systems and buildings. Physical HIPAA safeguards provide guidance on the measures, policies, and procedures CEs and BAs should have to secure their ePHI.
The Administrative Safeguards are measures intended to ensure that the necessary administrative actions are taken by CEs and BAs to protect against the breach of patient health information. These include the designation of a Security Officer who is responsible for generating a security management program and conducting risk assessments for implementing measures to protect ePHI.
As mentioned previously, the implementation specifications of the Security Rule are categorized as either required or addressable. It is the responsibility of the CE or BA to ensure they implement the correct measures for HIPAA compliance.
When there is unauthorized access to, use of, or disclosure of unsecured sensitive patient information, CEs are required to notify potentially impacted clients. The requirement also applies to BAs, who must inform the CE for whom they are providing a service when a breach of unsecured PHI occurs. This requirement is known as the HIPAA Breach Notification Rule.
The Department of Health and Human Services maintains that the unauthorized use or disclosure of unsecured PHI is considered to be a breach unless the CE or BA determines there is a low probability the PHI has been compromised based on a risk assessment consisting of at least the following factors:
Unless a low probability of compromise can be proven, the HIPAA Breach Notification Rule requires CEs to send a notification of the breach to the HHS’ Office for Civil Rights (OCR) which includes the following:
If a breach has occurred and the number of individuals affected exceeds 500, a CE must notify the OCR and individuals potentially impacted by the breach no later than 60 days following its detection. If the breach involves fewer than 500 individuals, notifications to individuals potentially impacted must be made within 60 days, but notifications to the OCR can wait until the end of the calendar year. CEs are required to report all incidents through the Office for Civil Rights (OCR) portal.
Prior to the enactment of the HIPAA Breach Notification Rule in 2009, CEs had no responsibility to report the exposure of unsecured PHI. The responsibility was the OCR’s to prove whether harm had occurred as a result of the breach before pursuing enforcement action. Since the enactment of the HIPAA Breach Notification Rule, the responsibility has shifted. CEs and BAs must prove that no harm has occurred as a result of a breach if choosing not to report the breach to the OCR or patients.
Periodically, HIPAA guidelines are updated to expand the scope of HIPAA compliance, address evolving challenges, and progress towards a more efficient health system. The HITECH Act in 2009 and the enactment of HIPAA related provisions via the Final Omnibus Rule in 2013 are examples of subsequent changes to the HIPAA requirements.
The HITECH Act consists of four subtitles. Subtitle D includes additional provisions for the privacy and security of ePHI. Part 1 concerns the improvement of privacy and security of ePHI, while Part 2 concerns the relationship between the HITECH Act and other laws. Under this subtitle, some rules took immediate effect – for example, the Breach Notification Rule. The OCR was given the authority to apply penalties to non-compliant CEs and BAs. In addition, state attorneys general were also given the right to pursue civil and criminal action on behalf of affected citizens.
The Final Omnibus Rule reflected the evolution of technology since the effective date of HIPAA in 1996. By 2013, the Final Omnibus Rule was introduced to address some shortcomings of the original Privacy and Security Rules. With these shortcomings addressed, the OCR was given the means to increase enforcement action.
Non-compliance with HIPAA can lead to large fines and even criminal penalties. The primary enforcer of HIPAA is the Department of Health and Human Services’ Office for Civil Rights. However, subsequent changes such as the HITECH Act have given state attorneys general the ability to prosecute non-compliant CEs and BAs independently on behalf of citizens. In addition, the Centers for Medicare and Medicaid Services (CMS), the U.S. Food and Drug Administration (FDA), the Federal Communications Commission (FCC), and the Federal Trade Commission (FTC) all have enforcement powers to some extent.
There are various ways in which the enforcers of HIPAA learn about non-compliance with HIPAA. The use of online reporting portals by employees and the public is typically how violations are identified. Breach notifications made by CEs and BAs to the OCR are another way in which violations are identified by enforcers. The OCR may also find violations independently of the assistance of employees or patients of a CE. Prompted by the execution of a Corrective Action Order or technical assistance, the OCR may carry out audits and inspections which regularly result in the OCR identifying violations of HIPAA.
The OCR has the means to punish non-compliance with HIPAA harshly. When a violation of a serious nature occurs, the OCR can issue fines of up to $1,806,757 per violation (2023). The size of the penalty is determined by multiple factors. These include:
State Attorneys General have the authority to impose fines, while agencies such as the CMS can fine CEs in receipt of Medicare and Medicaid payments for practices considered to constitute information blocking. Individuals can be subject to criminal charges if a violation is discovered which has the intention of personal financial gain or causing harm.
In order to avoid penalties for non-compliance with HIPAA, it is necessary for CEs to fully understand its regulations. HIPAA compliance can be confusing and difficult to follow. Organizations may find it difficult to implement the appropriate safeguards for the protection of PHI. In addition, the HIPAA requirements are frequently changing and CEs and BAs must keep up-to-date with these changes. Therefore, it is advised that those subject to the HIPAA Rules seek expert advice to ensure full HIPAA compliance.
The Administrative Simplification Regulations that evolved as a result of HIPAA are important because they set minimum national standards for the privacy of Protected Health Information and give individuals rights over uses and disclosures of individually identifiable health information. Consequently, the failure to comply with these regulations jeopardizes individual privacy and data security.
The initial purpose of HIPAA was to address the issue of “job lock”. This issue existed because many employees could not take existing health coverage into new jobs or lost benefits when they did so. HIPAA facilitated the portability of health insurance between jobs and, to avoid the cost of increased portability being passed onto plan members, introduced measures to simplify the administration of health claims.
The Administrative Simplification measures standardized transactions between health care organizations and health plans to increase efficiency and reduce fraud. However, because transactions were increasingly being conducted electronically, Congress instructed the Secretary for Health and Human Services to develop standards to ensure the confidentiality and integrity of healthcare data.
The standards subsequently developed are the “Standards for the Privacy of Individually Identifiable Health Information” (the “Privacy Rule”) and the “Security Standards for the Protection of Electronic Protected Health Information” (the “Security Rule”). The Breach Notification Rule was added in 2009 as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act.
HIPAA compliance is important for different reasons depending on the perspective. For example, HIPAA compliance is important to healthcare organizations because, if an organization willfully neglects to comply with HIPAA, it can face substantial sanctions in the event of a patient complaint or data breach. Similarly, healthcare professionals who fail to comply with their employer’s HIPAA policies and procedures can face disciplinary action including termination of contract.
Conversely, HIPAA compliance can help support a healthcare environment in which patients trust personal information will remain private and are prepared to disclose more about their symptoms, leading to more accurate diagnoses and treatments, which can result in better patient outcomes. Better patient outcomes raise workplace morale, help with employee retention, and contribute to higher patient satisfaction scores. Effectively, everyone wins with HIPAA compliance.
HIPAA benefits patients in many ways. As mentioned previously, if patients trust personal information will remain private, they are prepared to disclose more about their symptoms which can result in better outcomes. Patients also have more control over how personal information is used and disclosed and have the right to request an accounting of disclosures to ensure their healthcare provider is complying with HIPAA. If not, patients have the right for their medical records to be transferred to another provider.
Additionally, HIPAA requires Covered Entities and Business Associates to notify individuals within 60 days when there has been a breach of unsecured health information and provide information about the nature of data disclosed. The notifications enable patients to take measures to protect themselves against identity theft and fraud to reduce the risk of financial and personal losses.
HIPAA is important to employees because it sets guidelines on when Protected Health Information (PHI) can be used or disclosed. These guidelines ensure the availability of PHI when it is needed for treatment and healthcare operations, while preventing impermissible and unauthorized disclosures that could damage the trust between a patient and a healthcare provider.
HIPAA violations – as opposed to data breaches – should be reported at the first possible opportunity to mitigate the consequences of the violation and prevent it reoccurring. If the violation is reported to HHS’ Office for Civil Rights, there is a 180-day time limit from the date of discovery except for data breaches affecting fewer than 500 individuals, which should be reported at the end of each year.
This depends on the nature of the violation. If the violation involves an event that does not result in harm – for example, an incidental disclosure with no consequences – the investigation could be resolved in minutes with the outcome of a verbal warning. If the violation is of a serious nature, it may take months to conduct an investigation into how it happened and how it can be prevented in the future.
The HIPAA Administrative Simplification regulations streamlined the claims process and led to the development of privacy and security standards which facilitated the introduction of the Meaningful Use program – a scheme that incentivized the digitalization of medical records. The digitalization of medical records means that healthcare providers can access information much quicker than before to provide a higher level of healthcare to patients.
Protected Health Information (PHI) is individually identifiable health information collected, received, maintained, or used by a Covered Entity or Business Associate that relates to an individual´s past, present, or future health condition, treatment for the condition, and payment for the treatment. Any other identifiable information maintained in the same designated record set as individually identifiable health information is also considered PHI under HIPAA and is subject to the same protections.
The word “information” has many definitions in the text of HIPAA depending on which section of which Title is being referred to. For example, in Title I, “information” could relate to an individual´s work record, insurance contribution record, health information, or information about dependents who may also be entitled to insurance coverage. Therefore, a question of this nature needs to be more specific.
HIPAA has multiple purposes. Initially it was developed to increase the portability of health insurance between employments. As the measures to increase portability would have incurred costs for health insurance companies – which may have been passed on to employers and plan members as higher premiums – Congress introduced further measures to mitigate the costs of compliance.
These included measures to reduce fraud in the healthcare industry and simplify the administration of health claims to make the process more efficient. This led to the standardization of health claim processes, measures to secure health information when it was transmitted electronically between insurance companies and healthcare providers, and standards to protect the privacy of patient data.
Individually identifiable health information that relates to an individual’s past, present, or future health condition, treatment for a condition, and payment for the treatment is automatically protected by HIPAA. Additionally, any information that could be used to identify the subject of the health information is also protected when it is maintained in the same designated record set.
This depends on the nature of the violation and whether the accusation is justified. Based on data provided by HHS´ Office for Civil Rights, more than two-thirds of complaints are not justified because either the individual or organization being accused is not subject to HIPAA, or because the complaint relates to a use or disclosure of Protected Health Information permitted by the Privacy Rule.
If you are aware that you have violated HIPAA, you should acknowledge the accusation, report it to a compliance officer, and allow the compliance officer to conduct an investigation. If you are not aware you have violated HIPAA, seek advice from a compliance officer – who should investigate if a violation has actually occurred and respond to the accuser on your behalf.
This depends on who is responsible for the violation. If a Covered Entity or Business Associate is responsible for a data breach due to willful neglect, they can be fined up to $1,919,173 per violation (max. for 2023). Employees who knowingly obtain or disclose Protected Health Information for personal gain can be fined up to $250,000 and sent to prison for up to 10 years.
The 18 HIPAA identifiers are the identifiers that have to be removed from a designated record set before any information remaining in the designated record set is considered de-identified under the safe harbor method described in §164.514 of the Privacy Rule. However, it is important to be aware that removing just the 18 identifiers listed in this standard might not be enough to avoid a HIPAA violation.
This is because there are now more ways to identify an individual than there were when the Privacy Rule was published. Therefore, if – for example – information relating to an emotional support animal is maintained in a designated record set, and the information could be used to identify the subject of the record set, this information also has to be removed so that any remaining information is de-identified.
It is also important to be aware that, although this standard states that de-identified information is no longer individually identifiable health information and therefore no longer protected by the Privacy Rule, the 18 HIPAA identifiers should not be confused with Protected Health Information. The 18 HIPAA identifiers (and any others that could be used to identify an individual) are only protected by HIPAA when they are maintained in the same designated record set as health information.
As a member of a Covered Entity’s or Business Associate’s workforce, what happens if you violate HIPAA depends on the nature of the violation, its consequences, and what sanctions exist in the organization’s sanctions policy. Violations of a minor nature – or with minor consequences – are usually dealt with by a verbal warning and/or additional training.
However, if the violation is repeated or has more serious consequences, the sanctions could range from a written warning, to suspension, to termination of contract. In events where PHI has been obtained or disclosed for personal gain, the organization is required to notify HHS´ Office for Civil Rights, who will refer the case to the Department of Justice for further action.
The failure to comply with any standard of the Administrative Requirements, or the Privacy, Security, and Breach Notification Rules is considered a HIPAA violation. Some violations are considered more serious than others. For example, the failure to obtain a patient’s authorization before disclosing information about them on social media is more serious than using the wrong code in a claims transaction.
Any information can be shared without violating HIPAA provided you obtain a written authorization from the subject of the information before sharing it. However, it may be important to inform the subject that you may not be able to comply with a revocation request if, for example, you post information about an individual on social media, after which you have no control over what happens to it.
Prior to HIPAA, a patchwork of state laws did little to keep individuals´ health information private and secure. The HIPAA Privacy Rule is a federal floor of privacy protections and individuals´ rights in the healthcare and health insurance industries. Therefore, while some states have laws that are more stringent than HIPAA, patients can be sure of a minimum level of healthcare data privacy and security wherever they are located in the United States.
HIPAA compliance means complying with the HIPAA Privacy, Security, and Breach Notification Rules, and – where appropriate – the Administrative Regulations relating to electronic claims transactions. The compliance requirements only apply to entities covered by HIPAA (generally – but not always – health plans, health care clearinghouses, and healthcare providers) and third-party “Business Associates” who provide a service for or on behalf of a Covered Entity.
A HIPAA authorization is an authorization obtained from an individual (i.e., patient or plan member) that allows a Covered Entity to use or disclose Protected Health Information for a purpose not permitted by the Privacy Rule. This “safeguard” prevents Covered Entities from disclosing individuals´ information for purposes such as marketing without the authorization of the individual.
It is important to be aware of the distinction between HIPAA violations and HIPAA breaches. A HIPAA violation is the failure to comply with any standard of the Administrative Requirements, or the Privacy, Security, and Breach Notification Rules; whereas a HIPAA breach is the unauthorized accessing, use, or disclosure of unsecured Protected Health Information.
As with most HIPAA violations, the consequences of the violation usually depend on the nature of the violation, the harm caused by the violation, and the content of the organization’s sanctions policy. Consequently, if a nurse inadvertently violates the minimum necessary standard, but the disclosure does not harm anybody, the sanction will likely be a written warning or training.
If, however, a nurse repeatedly denies a patient’s request to access PHI or receive an accounting of disclosures, and the violation is escalated by the patient to HHS´ Office for Civil Rights, the likely outcome will be a fine for the organization, the requirement to comply with a Corrective Action Plan, and a written warning for the nurse or temporary suspension.
A HIPAA certification is a point-in-time acknowledgment that an organization has reached a certain level of HIPAA compliance or that an individual has completed a certain level of HIPAA training. Certification is not required by HIPAA, but if an organization is investigated following a complaint to HHS´ Office for Civil Rights, a certification demonstrates a good faith effort to be HIPAA compliant.