The Health Insurance Portability and Accountability Act, more commonly referred to as the HIPAA laws, is an Act of Congress that imposes a number of obligations on organizations in the healthcare sector, such as healthcare providers, health plan providers, and healthcare clearing houses. These obligations have evolved and multiplied since the Act was first signed into law in 1996. Additional Rules and related Acts have been introduced to deal with changing technology and emerging trends in the healthcare sector, for example the ubiquity of mobile devices and the shift to more patient-inclusive and patient-centric approaches. Other revisions to HIPAA laws have expanded the number and nature of entities who fall under its control.
HIPAA itself is divided into five parts, or Titles, with each Title dealing with a different aspect of the law.
Title I: Health Care Access, Portability, and Renewability
Deals mainly with maintaining coverage for individuals and families during breaks in employment.
Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform
Sets standards for codes and identifiers used across the healthcare industry to facilitate and streamline administrative processes. Also establishes requirements related to data security and appropriate sharing of protected health information (PHI). This is the Title that has undergone the most notable updates and rule changes. Consequently, most of this article will deal with Title II.
Title III: Tax-related health provisions governing medical savings accounts
Concerns taxation issues and legislates how much pre-tax income can be placed in a specified medical savings account for certain individuals.
Title IV: Application and enforcement of group health insurance requirements
Relates to how certain group plans should deal with pre-existing conditions, as well as clearing up some issues regarding the maintenance of coverage.
Title V: Revenue offset governing tax deductions for employers
Lays out regulations for how employers deal with interest on financial aspects of different health or life insurances. Title V also makes changes to how tax is imposed on certain individuals who have given up United States citizenship.
HIPAA Rules and Amendments
The first new Rules to be introduced were the HIPAA Security Rule and the HIPAA Privacy Rule, first proposed in 1998 and 1999 respectively. Both fall under Title II.
The HIPAA Privacy Rule came into effect in 2003 following a period of public comment, development, and time to allow concerned parties to bring themselves up to code. It regulates how covered entities and their business associates can use and disclose PHI. Any transmission of information must meet a certain level of security to protect the data, and privacy policies and training must be implemented.
Typically, organizations can share PHI with other authorized groups to facilitate medical care or procedures and billing, as well as with law enforcement under certain conditions. If sharing PHI outside of these reasons, written permission from the patient may be required. In all cases, only the minimum amount of information needed for the task should be shared, in accordance with HIPAA’s Minimum Necessary Rule. Under the Privacy Rule, people can also request access to their own PHI for review or for their records.
Most HIPAA covered entities were required to be compliant with the HIPAA Security Rule by early 2005. Building on the Privacy Rule’s measures to protect electronic and paper PHI records, the Security Rule introduced even more safeguards for electronic PHI (ePHI). The increased protection covers three areas: administrative; physical; and technical. Some of the measures are required, meaning they must be implemented as laid out by the law, while others are “addressable”, meaning they can be implemented in whatever way the covered entity wishes, so long as the appropriate level of security is reached.
The administrative requirements include the introduction of policies and procedures, the appointment of officers to ensure compliance, and the identification and training of authorized staff who will deal with PHI. Physical safeguards revolve more around access to facilities or equipment, as well as workspace design, to prevent unauthorized individuals from viewing or obtaining PHI. The technical aspects concern encryption of data, backing up and protecting data integrity, IT policies, and risk assessments of the systems and devices dealing with PHI.
To give HIPAA stronger teeth, the Enforcement Rule came into effect in 2006, setting financial penalties and clarifying investigation processes.
Modifications from Associated Legislation
As HIPAA does not exist in a bubble, it has been impacted and modified by other Acts that have been introduced to the United States’ legal system. One such Act is 2009’s Health Information Technology for Economic and Clinical Health Act, or the HITECH Act. HITECH’s goal was to increase the use of health information technology in an effort to support healthcare reform.
HITECH also introduced the Breach Notification Rule, which set forth requirements for covered entities and business associates to notify the Department of Health and Human Services of data breaches where more than 500 people's PHI had been compromised, as well as obliging them to notify the individuals concerned. It also updated and extended sanctions for organizations that violate HIPAA or fail to adequately notify the concerned parties in a timely manner.
The Final Omnibus Rule
Introduced a number of years later, 2013’s HIPAA Final Omnibus Rule updated sections of the Security and Breach Notification Rules. The main changes were in relation to broadening the scope of organizations covered by these rules, increasing some penalties for violations, and reversing the burden of proof required for a “significant harm” determination to be made. Previously, it had to be proved that harm had occurred. Following the introduction of the Final Omnibus Rule, the burden of proof is now placed on those who would claim that no harm occurred.
Two final considerations should be noted from this brief summary of HIPAA laws. The first is that state laws may have different definitions or requirements than HIPAA. Your organization may follow HIPAA to the letter but still find itself in breach of local laws. It is therefore essential to know and monitor the laws that cover the states where your organization operates.
The second point is somewhat related to the first. While HIPAA itself does not allow for a private right of action, HIPAA violations may be used by patients to take cases against healthcare organizations or staff under state laws. Employees should therefore be well trained and knowledgeable about this potential liability in order to minimize the risk of legal action and penalties.