The Health Insurance Portability and Accountability Act (HIPAA) is an important legislative Act relating to data privacy and safeguarding medical information in the US healthcare and healthcare insurance industries. Originally introduced with the objective of improving health insurance portability for employees when they changed jobs, HIPAA has been updated and added to since its passage in 1996, and is now acknowledged as revolutionizing data protection legislation in the US.
Most individuals, organizations, and agencies that create, modify, have access to, or store Protected Health Information (PHI) are required to comply with HIPAA. This not only includes individuals such as healthcare professionals, organizations such as hospitals, and agencies such as healthcare insurance brokers (usually referred to as “Covered Entities”), but also any third-party “Business Associate” given access to PHI in order to provide a service for the Covered Entity.
HIPAA is formed of a number of Rules, which have been added to the original Act over time as a means of updating the legislation. The Rules themselves are frequently updated to account for new technologies and working practices, and guidance is regularly provided by the US Department of Health and Human Services (HHS) stipulating how data should be used, protected, and shared. In addition, Rules also exist stipulating how breaches of HIPAA should be reported. The Rules are summarized below.
The purpose of the HIPAA Privacy Rule is to restrict the allowable uses and disclosures of PHI. The Rule stipulates when, with whom, and under what circumstances health information can be shared. The unauthorized disclosure, modification, or deletion of PHI – whether by accident or by design – can incur significant financial penalties and potential criminal liability if a Covered Entity or Business Associate does not have adequate safeguards in place to prevent such breaches of HIPAA.
The purpose of the HIPAA Security Rule is mainly to ensure the integrity and security of electronic Protected Health Information (ePHI). The Security Rule is divided into three sections – the administrative, technical, and physical safeguards – each of which have “required” and “addressable” implementation specifications. Required safeguards are self-explanatory; they must be implemented to ensure HIPAA compliance. Addressable safeguards require additional explanation.
If an implementation specification is “addressable”, Covered Entities must either implement the safeguard, implement an alternative measure that achieves the same purpose, or document why it is neither reasonable nor appropriate to implement the safeguard or an alternative in the context of its particular security framework. Because a safeguard is “addressable”, it does not mean it can be ignored. Examples of required and addressable safeguards include:
The Breach Notification Rule of 2009 stipulates the procedures expected of a Covered Entity or Business Associate following a breach of PHI/ePHI – a breach being defined as an impermissible use or disclosure under the Privacy or Security Rule that compromises data security or patient privacy. Following a breach, Covered Entities must provide notification of the breach to affected individuals, the HHS, and – if the breach is of a significant scale – to the media. The Rule also covers Business Associates, who must notify Covered Entities if a breach occurs.
The Breach Notification Rule requires those affected by the breach to be notified that their PHI has been compromised without “reasonable delay”, and no later than 60 days after the breach has been identified. The breach must also be advertised on the organization´s website for 90 days after its discovery. If the breach is due to the negligence of a Business Associate, while the Covered Entity is ultimately responsible for ensuring individuals are notified, it may delegate responsibility for providing individual notices to the Business Associate.
The Enforcement Rule was introduced in March 2006 in an attempt to address non-compliance with the HIPAA Privacy and Security Rules. The Enforcement Rule gives the Department of Health and Human Services the power to investigate complaints made against Covered Entities for failing to comply with the Privacy Rule. If it is found a security breach occurred due to the Covered Entity failing to implement the safeguards outlined in the Security Rule, the Enforcement Rule grants HHS the authority to fine the Covered Entity.
The Enforcement Rule also gives HHS the ability to bring criminal charges against Covered Entities who repeatedly violate HIPAA and fail to introduce corrective measures within 30 days of an offence. The Enforcement Rule also gives more power to individuals if their PHI is disclosed without permission and the impermissible disclosure results in “serious harm” (for example, causing them to become a victim of identity fraud). In such cases, the Enforcement Rule grants the individual the right to pursue civil legal action against the Covered Entity.
The Final Omnibus Rule of 2013 includes the most recent updates to HIPAA. Unlike the other rules, the Final Omnibus Rule does not introduce any new legislation; it is designed to remove any ambiguity in existing HIPAA and HITECH regulations. Important examples of this include the specification of encryption standards, and the introduction of new administrative standards to reflect the fact that technological advances have changed how PHI is transmitted and shared between healthcare professionals.
The update includes several definitions to improve the clarity of the language used in the Security and Privacy Rules. For example, the definition of “workforce” was changed to make it clear that the term includes employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a Covered Entity or Business Associate, is under the direct control of the Covered Entity or Business Associate. The Breach Notification Rule was also updated with higher penalties applicable to Covered Entities in breach of HIPAA.
Technology has revolutionized the healthcare industry – instant messaging platforms such as WhatsApp are used to rapidly transmit data between healthcare professionals, and cloud-based data storage solutions are being used as alternatives to storing data on site. However, users of such technology in the healthcare industry must be wary. Special measures must be taken to ensure the use of such services is compliant with HIPAA’s strict rules on data security; and, while the software itself may be HIPAA-compliant, users may still violate HIPAA rules if they do not use these services in an appropriate manner.
Each service must be carefully considered before use in a healthcare industry setting. Google Drive, a cloud-based file storage service, is used below as an illustrative example of the actions Covered Entities should take before uploading ePHI onto the platform.
If you have any other queries regarding your organisation’s use of Google Drive, or other cloud-based platforms, you are advised to seek legal counsel to ensure that your organisation remains HIPAA-compliant.
One of the most crucial aspects of ensuring HIPAA compliance is performing regular and thorough risk assessments. By identifying potential areas for improvement in an organisation, as well as highlighting areas that are particularly vulnerable to breaches, an organisation is able to create a more robust security framework. Although HIPAA itself fails to provide any guidance on what should be addressed in a risk assessment, HHS has set a list of objectives that should be met in performing each risk assessment. These include:
Although HIPAA does not explicitly state data encryption is necessary for the protection of ePHI, it is certainly one of the best ways of ensuring unauthorized individuals do not gain access to sensitive information. With the increase of cyberattacks and phishing incidents, data encryption provides organisations a level of safety; for, even if the data is stolen, it is rendered unreadable unless the criminal also manages to gain access to the encryption key. It is a security measure that should be seriously considered by organisations, as it goes a long way to ensure that they are HIPAA-compliant. If an organisation decides not to use encryption to protect data, they must record the decision and provide an explanation why data is unencrypted.
Those who violate HIPAA face substantial financial penalties. The Omnibus Rule in March 2013 introduced fines in line with the Health Information Technology for Economic and Clinical Health Act (HITECH). According to the Omnibus Rule, new penalties for HIPAA violations apply to healthcare providers, health plans, healthcare clearinghouses, and all other Covered Entities or Business Associates who are also guilty of violating HIPAA Rules.
The penalty structure is divided into four categories. The categories are formulated according to the seriousness of the violation, if appropriate safeguards were in place before the violation, and how soon it tool before the violation was discovered. Thereafter, HHS will apply penalties based on the following criteria:
If the Covered Entity could not have been reasonably expected to foresee the circumstances of the violation, HHS has the authority to waive any financial penalty.
There is a distinct HIPAA penalty for each category of violation. HHS will determine the financial penalty within the appropriate range following their investigation of the incident. HHR considers a wide range of factors when determining the appropriate penalty to be levied. This includes the length of time over which violation occurred, the number of people affected, the nature of the data exposed, the financial means of the organisation, and how much damage had been done by the breach. An organisation’s willingness to assist with an investigation is also taken into account, as are prior HIPAA violations (if they exist).
The tiers are as follows:
The maximum fine per violation category, per year, is $1,500,000. This is because HHS count a violation in data breaches per record exposed. Furthermore, a data breach or security incident that results from any violation could see separate fines issued for different aspects of the breach under multiple security and privacy standards. A fine of $50,000 could, in theory, be issued for any violation of HIPAA rules, regardless of how minor the incident was or how insignificant the data involved is.
Fines may also be levied against an organisation depending on how many days over which the violation occurred, instead by the number of patients affected (as above). For example, if a Covered Entity has been denying patients the right to obtain copies of their medical records, and had been doing so for a period of one year, HHS may decide to apply a penalty for each day the Covered Entity has been in violation of HIPAA. In this case, the penalty would be multiplied by 365.
A HIPAA violation can result in criminal charges being filed against the individual(s) responsible for a breach of PHI if the case is particularly severe. These are brought against the Covered Entity in conjunction to financial penalties. Criminal penalties for HIPAA violations are divided into their own tier system. A judge considers the facts of each individual case and determines the term and an appropriate fine according to the tier to which the penalty belongs. As with HHS penalties, a number of factors are considered which will affect the penalty. If an individual has profited from the theft, unauthorized access, or disclosure of PHI, it may be necessary for all moneys obtained from the violation to be refunded in addition to the payment of a fine.
Even if a data breach hasn’t occurred, Covered Entities and their Business Associates may still be liable for a violation of HIPAA. If a Covered Entity is audited by the HHS´ Office for Civil Rights (OCR), and is found not to be in compliance with HIPAA, OCR has the authority to issue penalties for HIPAA noncompliance. It is therefore critical organisations are fully aware of their responsibilities under HIPAA and remain compliant with its regulations at all times. Ignorance is not an acceptable excuse.
In order to assess how well healthcare organisations were following HIPAA regulations, the OCR commenced a series of compliance audits in 2012. Previously the OCR had only been aware of HIPAA violations in the aftermath of a breach. The compliance audits were used as an incentive for organisations to address compliance failings; however, the results of the pilot program revealed many organisations are failing to implement even the most basic requirements of HIPAA’s Rules. OCR issued an action plan to help those audited organisations achieve compliance, and announced that a second round of audits will soon take place. It is widely expected OCR will not be as lenient on offenders as during the first round of audits.
HIPAA is a complex piece of legislation, and ensuring every piece of it is followed is a costly and technically difficult task. If there is any doubt that certain practices within an organisation are HIPAA-compliant, it is advised legal counsel be sought. There are many organisations that provide HIPAA compliance checklists, or HIPAA compliance software.
Copyright © 2019 ComplianceHome