The Health Insurance Portability and Accountability Act, more commonly referred to as the HIPAA laws, is an Act of Congress that imposes a number of obligations on organizations in the healthcare sector; such as healthcare providers, health plan providers, and healthcare clearing houses. These obligations have evolved and multiplied since the Act was first signed into law in 1996. Additional Rules and related Acts have been introduced to deal with changing technology and emerging trends in the healthcare sector, for example the ubiquity of mobile devices and the shift to more patient inclusive and patient-centric approaches. Other revisions to HIPAA laws have expanded the number and nature of entities who fall under its control.
Full List of HIPAA Titles
HIPAA itself is divided into five parts, or Titles, with each Title dealing with a different aspect of the law.
Title I: Health Care Access, Portability, and Renewability
Deals mainly with maintaining coverage for individuals and families during breaks in employment
Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform
Sets standards for codes and identifiers used across the healthcare industry to facilitate and streamline administrative processes. Also establishes requirements related to data security and appropriate sharing of protected health information (PHI). This is the Title that has undergone the most notable updates and rule changes. Consequently, most of this article will deal with Title II.
Title III: Tax-related health provisions governing medical savings accounts
Concerns taxation issues and legislates how much pre-tax income can be placed in a specified medical savings account for certain individuals
Title IV: Application and enforcement of group health insurance requirements
Relates to how certain group plans should deal with pre-existing conditions, as well as clearing up some issues regarding the maintenance of coverage.
Title V: Revenue offset governing tax deductions for employers
Lays out regulations for how employers deal with interest on financial aspects of different health or life insurances. Title V also makes changes to how tax is imposed on certain individuals who have given up United States citizenship.
HIPAA Rules and Amendments
The first new Rules to be brought forth and introduced were the HIPAA Security Rule and the HIPAA Privacy Rule, first proposed in 1998 and 1999 respectively. Both fall under Title II.
The HIPAA Privacy Rule came into effect in 2003 following a period of public comment, development, and time to allow concerned parties to bring themselves up to code. It regulates how covered entities and their business associates can use and disclose PHI. Any transmission of information must meet a certain level of security to protect the data, and privacy policies and training must be implemented.
Typically, organizations can share PHI with other authorized groups to facilitate medical care or procedures and billing, as well as with law enforcement under certain conditions. If sharing PHI outside of these reasons, written permission from the patient may be required. In all cases, only the minimum amount of information needed for the task should be shared, in accordance with HIPAA’s Minimum Necessary Rule. Under the Privacy Rule, people can also request access to their own PHI for review or for their records.
Most HIPAA covered entities were required to be compliant with the HIPAA Security Rule by early 2005. Building on the Privacy Rule’s measures to protect electronic and paper PHI records, the Security Rule introduced even more safeguards for electronic PHI (ePHI). The increased protection covers three areas: administrative; physical; and technical. Some of the measures are required, meaning they must be implemented as laid out by the law, while others are “addressable”, meaning they can be implemented in whatever way the covered entity wishes, so long as the appropriate level of security is reached.
The administrative requirements include the introduction of policies and procedures, the appointment of officers to ensure compliance, and identification and training of authorized staff who will deal with PHI. Physical safeguards revolve more around access to facilities or equipment, as well as work space design, to prevent unauthorized individuals from viewing or obtaining PHI. The Technical aspects concern encryption of data, backing up and protecting data integrity, IT policies, and risk assessments of the systems and devices dealing with PHI.
To give HIPAA stronger teeth, the Enforcement Rule came into effect in 2006, setting financial penalties and clarifying investigation processes.
|The Privacy Rule||This rule protects the privacy of individuals’ health information (Protected Health Information, or PHI). It applies to health plans, healthcare clearinghouses, and any healthcare provider who transmits health information in electronic form. The rule regulates the use and disclosure of PHI, which can be any information about health status, provision of health care, or payment for health care that can be linked to an individual.|
|The Security Rule||This rule sets standards for protecting electronic PHI (e-PHI). The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI. Covered entities must assess potential risks and vulnerabilities to e-PHI and manage them adequately. The rule is flexible and scalable, allowing covered entities to implement policies, procedures, and technologies that are suited to their size, structure, and risks to consumers’ e-PHI.|
|Breach Notification Rule||When a breach of unsecured PHI occurs, covered entities must provide notification of the breach to affected individuals, the Secretary of Health and Human Services, and, in certain circumstances, to the media. In addition, business associates of covered entities must notify the covered entity of breaches at or by the business associate. The Breach Notification Rule also stipulates the content, manner, and timing of the required notifications.|
|Enforcement Rule||The Enforcement Rule contains regulations relating to compliance activities and investigations into potential HIPAA violations. The rule also stipulates the procedures for hearings and the imposition of civil money penalties when a covered entity or business associate fails to comply with the HIPAA rules.|
|Omnibus Rule||The Omnibus Rule was implemented to make modifications to the HIPAA Privacy, Security, and Enforcement Rules to implement statutory amendments under the Health Information Technology for Economic and Clinical Health (HITECH) Act. The rule also incorporates the increased and tiered civil money penalty structure provided by the HITECH Act, strengthens the limitations on the use and disclosure of PHI for marketing and fundraising purposes, and prohibits the sale of PHI without individual authorization.|
The HIPAA Privacy Rule
The HIPAA Privacy Rule is a key component of the U.S. healthcare system, created to protect patients’ personal health information and to govern how certain health care providers, health plans, and healthcare clearinghouses handle this sensitive data. This rule provides federal protections for what’s referred to as Protected Health Information (PHI) and extends certain rights to patients over their PHI.
The Privacy Rule applies to three types of entities: healthcare providers that conduct certain transactions electronically (such as sending a claim to a health plan), health plans, and healthcare clearinghouses. These entities are known as covered entities and are responsible for maintaining the privacy of PHI in accordance with the Privacy Rule. PHI is any information that can be used to identify a patient or client of a covered entity and relates to the individual’s past, present, or future physical or mental health, the provision of healthcare, or the past, present, or future payment for the provision of healthcare. PHI includes a wide variety of information such as medical records, billing information, and health insurance data. Both oral and recorded health information are included under the Privacy Rule.
Covered entities are required under the Privacy Rule to use, disclose, and request only the minimum necessary amount of PHI to accomplish the intended purpose. For example, a doctor may need to share certain information with a specialist for referral purposes, but that information should be limited to only what is necessary for the referral. In terms of patient rights, the Privacy Rule provides patients with the right to inspect, copy, and request corrections to their own PHI. Patients also have the right to request a record of instances where their PHI has been disclosed for purposes other than treatment, payment, and healthcare operations. If a patient feels that their rights under the Privacy Rule have been violated, they can file a complaint with the Office for Civil Rights (OCR) of the Department of Health and Human Services. Covered entities are also required to have written privacy procedures in place, including procedures for individuals to complain about the entity’s compliance with these procedures. Entities must train employees on these procedures and must designate an individual to be responsible for ensuring the procedures are followed.
While the Privacy Rule ensures the protection of PHI, it also recognizes the need for the efficient exchange of information necessary for high-quality healthcare. Thus, the rule allows for the disclosure of PHI without the patient’s consent for treatment, payment, and healthcare operations. This facilitates, for example, the referral of a patient from one provider to another. The HIPAA Privacy Rule plays an essential role in balancing the need for the fluid exchange of health information necessary for optimal patient care and the equally important need to protect patients’ personal health information. By ensuring both the right of individuals to control the use and disclosure of their health information and the necessity of the healthcare industry to use and disclose this information, the Privacy Rule forms a cornerstone of health information law in the United States.
The HIPAA Security Rule
The HIPAA Security Rule is an essential part of the HIPAA law. While the Privacy Rule focuses on the rights of individuals over their Protected Health Information (PHI), the Security Rule specifically addresses the protection of Electronic Protected Health Information (e-PHI) that is created, received, maintained, or transmitted by a HIPAA covered entity or their business associates. The HIPAA Security Rule requires that healthcare providers, health plans, and healthcare clearinghouses, referred to as covered entities, along with their business associates, implement necessary physical, technical, and administrative safeguards to ensure the confidentiality, integrity, and security of e-PHI. This goes beyond just protecting against unauthorized access but also ensuring the data’s reliability and precision, along with the systems housing the data.
The HIPAA Security Rule is purposely flexible to adapt to the various types of entities dealing with e-PHI, from small rural clinics to large metropolitan hospitals, to insurance providers. It allows these organizations to evaluate their own situation, risks, and objectives, and decide on the best ways to reach the required performance criteria. Administrative safeguards form the foundation for the development, implementation, and maintenance of policies and procedures. They involve conducting risk assessments to identify potential vulnerabilities or threats to e-PHI, implementing security measures to reduce risks, creating contingency plans, restricting third-party access, training workforce members, and regularly reviewing and updating security controls and procedures.
Physical safeguards focus on the physical access to electronic information systems and facilities. They involve implementing policies and procedures to limit physical access to electronic information systems and the facilities in which they are housed while ensuring that properly authorized access is allowed. Physical safeguards also encompass workstation and device security, outlining how workstations and electronic media are to be accessed and used securely. Technical safeguards center around the technology that protects e-PHI and controls access to it. They involve implementing mechanisms to control and monitor access to electronically stored e-PHI, including unique user identification, emergency access procedures, automatic logoff, and encryption and decryption. Furthermore, they include measures to protect against malicious software, facilitate secure data transmission, and establish audit controls to record and examine activity in systems containing e-PHI.
The Security Rule also requires covered entities to have a contingency plan in place in case of an emergency affecting systems containing e-PHI, including data backup plans, disaster recovery plans, and emergency mode operation plans. By implementing the Security Rule, the Department of Health and Human Services (HHS) aims to ensure the secure passage, storage, and retrieval of e-PHI in the healthcare sector. The Security Rule ensures the technical and non-technical infrastructure that the healthcare industry uses to transmit health information is adequate to protect the confidentiality, integrity, and availability of that information. It provides a framework for healthcare organizations to protect patients’ sensitive health information, while still allowing the efficient and effective exchange of information needed for patient care.
The HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule is an essential component of the the HIPAA Law, requiring healthcare organizations, known as covered entities, and their business associates to provide notification when a breach of unsecured PHI occurs. A breach, according to HIPAA, is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. Such impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors: the nature and extent of the PHI involved, the unauthorized person who used the PHI or to whom the disclosure was made, whether the PHI was actually acquired or viewed, and the extent to which the risk to the PHI has been mitigated.
Covered entities must notify individuals affected by the breach without unreasonable delay, and no later than 60 days from the discovery of the breach. The notice must include a brief description of what happened, including the date of the breach and the date of the discovery of the breach if known, the types of unsecured PHI that were involved in the breach, any steps individuals should take to protect themselves from potential harm resulting from the breach, a brief description of what the covered entity is doing to investigate the breach, mitigate harm, and protect against further breaches, and contact procedures for individuals to ask questions or learn additional information. For breaches affecting more than 500 residents of a state or jurisdiction, the covered entity must notify prominent media outlets serving the state or jurisdiction. Additionally, all breaches, regardless of size, must be reported to the Secretary of the Department of Health and Human Services (HHS). For breaches involving fewer than 500 individuals, the covered entity may log the breaches and submit them annually to the HHS. For breaches affecting 500 or more individuals, the covered entity must report the breach to the HHS without unreasonable delay and no later than 60 days from the discovery of the breach.
Business associates of covered entities also have an obligation under the HIPAA Breach Notification Rule. If a breach of unsecured PHI occurs at or by a business associate, the business associate must notify the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach. The covered entity is then responsible for notifying the affected individuals. The HIPAA Breach Notification Rule is an essential part of HIPAA as it ensures that individuals affected by a breach of their PHI are informed about the breach and can take necessary steps to protect themselves. This rule also holds healthcare organizations accountable, encouraging them to protect patient data effectively and to respond appropriately if a breach does occur.
The HIPAA Enforcement Rule
The HIPAA Enforcement Rule, as the name suggests, governs the enforcement of the HIPAA Law. This rule is crucial in ensuring that the privacy and security measures laid out by HIPAA are effectively implemented by covered entities, which include healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates. The Enforcement Rule was introduced to provide a structure for the imposition of civil money penalties for violations of HIPAA Rules, including the Privacy Rule, the Security Rule, the Breach Notification Rule, and the Transactions and Code Sets and Identifier Rules. One of the main provisions of the Enforcement Rule is the establishment of a tiered civil penalty system. This structure is designed to reflect the severity of the violation and the culpability of the entity in question. The tiered structure is as follows:
- If the entity was unaware and could not have reasonably known of the violation, the penalty for each violation ranges from $100 to $50,000.
- If the violation had a reasonable cause and was not due to willful neglect, the penalty for each violation ranges from $1,000 to $50,000.
- If the violation was due to willful neglect but was corrected within a specified time period, the penalty for each violation ranges from $10,000 to $50,000.
- If the violation was due to willful neglect and was not corrected, the penalty for each violation is $50,000.
The Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) is responsible for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties. OCR investigates complaints made by individuals and conducts compliance reviews to ensure covered entities are in compliance. The Enforcement Rule also contains provisions relating to compliance and investigations. It clarifies that investigations and compliance reviews will be conducted by OCR to determine if a covered entity or business associate is in compliance with the applicable administrative simplification provisions. If the investigation or compliance review indicates a violation, OCR may resolve the matter by obtaining the entity’s satisfactory assurances of compliance or corrective action, through a resolution agreement or through settlement.
In the event of a violation, a formal hearing may be held if the covered entity or business associate requests it, before an administrative law judge who decides whether the penalties proposed by OCR are supported by the evidence and are otherwise lawful. Through the Enforcement Rule, the HHS aims to ensure that healthcare entities take the protection of PHI seriously and strive to maintain and uphold the privacy and security standards established by HIPAA. It demonstrates the government’s commitment to protecting patients’ rights and personal health information, holding entities accountable, and encouraging strong, robust, and compliant health data systems.
The HIPAA Omnibus Rule
Modifications from Associated Legislation
As HIPAA does not exist in a bubble, it has been impacted and modified by other Acts that have been introduced to the United States’ legal system. One such Act is 2009’s Health Information Technology for Economic and Clinical Health Act, or the HITECH Act. HITECH’s goal was to increase the use of health information technology in an effort to support healthcare reform.
HITECH also introduced the Breach Notification Rule, which set forth requirements for covered entities and business associates to notify the Department of Health and Human Services of data breaches where more than 500 peoples’ PHI had been compromised, as well as obliging them to notify the individuals concerned. It also updated and extended sanctions for organizations that violate HIPAA or fail to adequately notify the concerned parties in a timely manner.
The HITECH Act significantly modified HIPAA by enhancing patient rights, extending obligations to business associates, strengthening enforcement of the HIPAA rules, and increasing penalties for non-compliance. Many of these changes were implemented in the HIPAA Omnibus Rule of 2013.
|HITECH Act Provisions||Description|
|Increased Penalties||Penalties for HIPAA violations were significantly increased, with a maximum annual fine of $1.5 million for violations of the same provision.|
|Breach Notification||Introduced the requirement for covered entities to notify affected individuals and the HHS in the event of a breach of unsecured PHI.|
|Expansion of HIPAA to Business Associates||HIPAA rules were expanded to include business associates, making them directly responsible for compliance with certain aspects of the HIPAA rules.|
|Increased Enforcement||The Act called for more enforcement of HIPAA, including more audits and investigations, and a portion of monetary penalties to be distributed to harmed individuals.|
|More Stringent Marketing and Fundraising Rules||The Act tightened the rules on using PHI for marketing and fundraising purposes. Covered entities must now get authorization from an individual before they can send them marketing materials based on their PHI.|
|Greater Patient Rights||The Act granted patients new rights over their health information, including the right to get an electronic copy of their health records, and the right to request that their information not be shared with their health plan if they pay out-of-pocket for a service.|
The Final Omnibus Rule
Introduced a number of years later, 2013’s HIPAA Final Omnibus Rule updated sections of the Security and Breach Notification Rules. The main changes were in relation to broadening the scope of organizations covered by these rules, increasing some penalties for violations, and reversing the burden of proof required for a “significant harm” determination to be made. Previously, it had to be proved that harm had occurred. Following the introduction of the Final Omnibus Rule, the burden of proof is now placed on those who would claim that no harm occurred.
Two final considerations should be noted from this brief summary of HIPAA Laws. The first is that state laws may have different definitions or requirements than HIPAA. Your organization may follow HIPAA to the letter but find still itself in breach of local laws. It is therefore essential to know and monitor the laws that cover states where your organization operates.
The second point is somewhat related to the first. While HIPAA itself does not allow for a private right of action, HIPAA violations may be used by patients to take cases against healthcare organizations or staff under state laws. Employees should therefore be well trained and knowledgeable of this potential liability in order to minimize the risk of legal action and penalties.