The Health Insurance Portability and Accountability Act (HIPAA) was created primarily to modernize the flow of healthcare information, stipulate how Personally Identifiable Information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and address limitations on healthcare insurance coverage – such as portability and the coverage of individuals with pre-existing conditions.
Although responsible for widespread changes in the healthcare and healthcare insurance industries, the changes did not occur overnight. When the Act was passed in 1996, it only required the Secretary of Health and Human Services (HSS) to propose standards that would protect individual health information. The first set of proposed “Code Set” standards was not published until 1999, and the first proposals for the Privacy Rule only emerged in 2000.
The current HIPAA legislation has evolved significantly since its earliest incarnation. Not only has the language of the Act been modified to address advances in technology, but the scope of the Act has been extended to cover Business Associates – third party service providers that perform a function on behalf of a HIPAA-Covered Entity that involves the use or disclosure of Protected Health Information (PHI).
The HIPAA regulations are policed by the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR). State Attorney Generals can also take action against Covered Entities and Business Associates found not to be in compliance with HIPAA. Both OCR and State Attorney Generals have the authority to impose financial penalties on Covered Entities and Business Associates for violations of HIPAA.
The purpose of HIPAA has remained the same as mentioned above. However, the way in which it is implemented is constantly changing to accommodate the advances in technology and changes to working practices – both of which have resulted in new threats to patient privacy and the security of PHI. For example, the original HIPAA legislation was drafted eight years before Facebook and eleven years before the first iPhone was released.
Therefore, since the original Privacy Rule, there has been a number of new HIPAA Rules (expanded on in the “HIPAA Explained” section below) plus frequent guidance issued by OCR regarding how Covered Entities and Business Associates should address such issues as BYOD policies, cloud computing and Workplace Wellness Programs. OCR guidance has also gone digital with the release of its Listserv application.
Much of the original language of HIPAA has remained unaltered because, despite the changing technological landscape, it was written to cover a great number of diverse scenarios. Therefore, whether a Covered Entity is a medical center maintaining patient records or an insurance company transferring the healthcare rights of an individual who is changing jobs, the purpose of HIPAA remains the same as it did on 1996.
It is important to note that HIPAA is technology-neutral and does not favor one way of addressing a security vulnerability over another – provided the mechanism introduced to patch a weakness undergoes a risk assessment and the reason for implementing it is recorded. It is also important to note HIPAA does not preempt state law, except for in circumstances in which the state´s privacy and security regulations are weaker than those in HIPAA.
For the benefit of clarification, we have detailed below the eighteen personal identifiers that on their own – or linked with any other personal identifier – could reveal the identity of a person, their medical history or payment records. In the context of HIPAA for Dummies, these personal identifiers are most commonly known as “Protected Health Information” or “PHI”. When stored or communicated electronically, the acronym “PHI” is preceded by an “e” – i.e. “ePHI”.
|Names or part of names||Any other unique identifying characteristic|
|Geographical identifiers||Dates directly related to a person|
|Phone number details||Fax number details|
|Details of Email addresses||Social Security details|
|Medical record numbers||Health insurance beneficiary numbers|
|Account details||Certificate or license numbers|
|Vehicle license plate details||Device identifiers and serial numbers|
|Website URLs||IP address details|
|Fingerprints, retinal and voice prints||Complete face or any comparable photographic images|
The main takeaway for HIPAA compliance is that any company or individual that comes into contact with PHI must enact and enforce appropriate policies, procedures and safeguards to protect data. HIPAA violations occur when there has been a failure to enact and enforce appropriate policies, procedures and safeguards, even when PHI has not been disclosed to or accessed by an unauthorized individual.
Violations of HIPAA often result from the following:
Some HIPAA violations are accidental offences – for example, leaving a document containing PHI on a desk in clear view of anyone passing by. However, OCR does not consider ignorance an adequate excuse for HIPAA violations; and, although OCR may refrain from imposing a significant financial penalty on a Covered Entity for an accidental offence if the offence has not resulted in the unauthorized disclosure of PHI, it is likely a course of “corrective action” will be required.
Before trying to explain the ins and outs of HIPAA it is best to state when the legislation applies. Practically all health plans, healthcare clearinghouses, healthcare suppliers and endorsed sponsors of the Medicare prescription drug discount card are considered to be “HIPAA Covered Entities” (CEs) under the Act. Normally, these are bodies that come into contact with PHI on a constant basis.
Under the definition of HIPAA Covered Entities provided by HHS, most employers are not considered to be CEs, even if they maintain records of employees’ health information. If employers use schemes such as the Employee Assistance Program (EAP), they are then considered “hybrid entities” and are required to be HIPAA-compliant.
“Business Associates” (BA) are also covered by HIPAA. These are entities who do not create, receive, manage or transmit PHI in the course of their main occupations, but who supply services and perform certain functions for a Covered Entities, during which they have access to PHI. Before undertaking a service or activity on behalf of a CE, a BA must complete a Business Associate Agreement guaranteeing to maintain the integrity of any PHI to which it has access.
HIPAA legislation is essentially comprised of a number of rules, each of which lays out different requirements for HIPAA compliance. The rules are as follows:
HIPAA Privacy Rule: The Privacy Rule dictates how, when and under what circumstances PHI can be disclosed. Enacted for the first time in 2003, it applies to all healthcare organizations, clearing houses and entities that provide health plans. Since 2013, it has been extended to include Business Associates.
The Privacy Rule sets limits regarding the use of patient information when no prior authorization has been given by the patient. Additionally, it mandates patients and their representatives have the right to obtain a copy of their health records and request necessary changes. CEs have a 30-day deadline respond to such requests.
HIPAA Security Rule: The Security Rule sets the minimum standards to safeguard ePHI. Anybody that can access, create, alter or transfer ePHI or personal identifiers must follow these standards. Technical safeguards include encryption to NIST standards if the data goes outside the company’s firewall.
Physical safeguards may relate to the layout of workstations (e.g. screens cannot be seen from a public area), whereas administrative safeguards unite the Privacy Rule and the Security Rule. They require a Security Officer and Privacy Officer to conduct regular risk assessments and audits. These assessments aim to identify any ways in which the integrity of PHI is threatened and build a risk management policy off the back of this.
Breach Notification Rule: The Department of Health and Human Services must be notified if a data breach has been discovered. This must be within 60 days of the breach’s discovery. The media and those who personal information has been compromised must also be informed if more than five hundred patients are affected.
Omnibus Rule: The omnibus Rule activated HIPAA-related changes that had been part of HITECH. These included the extension of HIPAA coverage to BAs, the prohibition of using PHI for marketing or fundraising purposes without authorization and new penalty tiers for violations of HIPAA which gave OCR the resources to conduct much more stringent investigations into data breaches.
Enforcement Rule: Should a breach of PHI occur, this rule lays out how any resulting investigations are carried out. Once the level of negligence has been determined, appropriate fines can be issued. For example, if it is determined that the violation was due to ignorance, a fine of up to $50,000 can be levied against the negligent party. If the violation was because of willful neglect and not rectified within 30 days, a fine of $50,000 per offence may be charged.
Since the Final Omnibus Rule was introduced passing additional regulations within HIPAA in 2013, new guidelines have been released on how PHI must be accessed and sent in a medical-related environment. The revised Act allocates patients further rights to know and manage how their health information is used.
HIPAA-covered bodies and Business Associates must put in place mechanisms to limit the flow of information inside a private network, monitor activity on the network and take steps to stop the unauthorized disclosure of PHI beyond the network´s boundaries. More attention must be invested in conducting risk assessments, and new reporting procedures have been implemented to cover data breaches.
Changes to the HIPAA Security Rule list the conditions (“safeguards”) that must be in place for HIPAA-compliant storage and the communication of ePHI. These “safeguards” are referred to in the HIPAA Security Rule as either “required” or “addressable”. In fact, all the security measures are generally required – irrespective of how they are listed – as the following section explains.
One area of HIPAA that has resulted in some confusion is the difference between “required” and “addressable” security measures. Practically every safeguard of HIPAA is “required” unless there is a justifiable rationale not to implement the safeguard, or an appropriate alternative to the safeguard is put in place that achieves the same objective.
An instance in which the implementation of an addressable safeguard might be not required is the encryption of email. Emails containing PHI – either in the body or as an attachment – only have to be encrypted if they are shared beyond a firewalled, internal server. If a healthcare group only uses email as an internal form of communication – or has an authorization from a patient to send their information unencrypted – there is no need to adapt this addressable safeguard.
The decision not to use email encryption will have to be backed up by a risk assessment and documented in writing. Other factors that may have to be considered are the organization’s risk mitigation strategy and other security measures put in place to secure the integrity of PHI. As a footnote to this particular section of HIPAA explained, the encryption of PHI at rest and in transit is recommended.
HIPAA-covered entities are required to implement safeguards to ensure the confidentiality, integrity, and availability of ePHI. Arguably one of the most important safeguards is encryption, especially on portable devices such as laptop computers that are frequently taken off site.
Encryption renders ePHI unreadable and undecipherable. The data can only be read if a key or code is applied to decrypt the data. If a portable device containing encrypted ePHi is stolen, and the code or key to decrypt the data is not also obtained, the data cannot be viewed.
While HIPAA was deliberately technology-agnostic, data encryption is mentioned in the HIPAA Security Rule, but is only an addressable specification. HIPAA-covered entities must consider using encryption, but it is not mandatory for ePHI to be encrypted at rest or in transit.
HIPAA-covered entities should conduct a risk analysis and determine which safeguards are the most appropriate given the level of risk and their workflow.
If the decision is taken not to use encryption, an alternative safeguard can be used in its place, provided it is reasonable and appropriate and provides an equivalent level of protection. If encryption is not used, the decision not to encrypt must be documented along with the reasons why encryption was not used and the alternative safeguards that were used in its place.
If the decision is taken to encrypt data, HIPAA-covered entities should use an appropriate encryption standard. The National Institute of Standards and Technology (NIST) recommends Advanced Encryption Standard (AES) 128, 192 or 256-bit encryption, OpenPGP, and S/MIME.
HIPAA is vague when it comes to specific technologies and controls that can be applied to secure ePHI and systems that store health information, and this is certainly true for passwords.
Even though passwords are one of the most basic safeguards to prevent unauthorized accessing of data and accounts, there is little mention of passwords in HIPAA. The only HIPAA password requirements are specified are that HIPAA-covered entities and their business associates must implement “Procedures for creating, changing, and safeguarding passwords.”
Even though password requirements are not detailed in HIPAA, HIPAA covered entities should develop policies covering the creation of passwords and base those policies on current best practices. It is strongly recommended that healthcare organizations follow the advice of NIST when creating password policies.
While NIST has previously recommended the use of complex passwords, its advice on passwords has recently been revised. Highly complex passwords may be ‘more secure’ but they are difficult to remember. As a result, employees often write their passwords down. To avoid this, passwords should be difficult to guess but also memorable. The use of long passphrases rather than passwords is now recommended.
There are no HIPAA record retention requirements as far as medical records are concerned but medical record retention requirements are covered by state laws. Data retention policies must therefore be developed accordingly.
For instance, a hospital in the state of South Carolina must retain medical records for 11 years after the discharge date, while in Florida medical records must be retained by physicians for five years after the last patient contact and hospitals must retain medical records for seven years after the discharge date.
When medical records are retained, they must be kept secure at all times. HIPAA requires appropriate administrative, technical, and physical safeguards to be implemented to ensure the confidentiality, integrity, and availability of ePHI from the date of creation of ePHI to its secure disposal.
While there is not a minimum HIPAA medical record retention period, HIPAA does require covered entities to retain HIPAA-related documents. CFR §164.316(b)(2)(i) states that HIPAA-related documents must be retained for a period of six years from the date that the document was created. For policies, it is six years from when the policy was last in effect.
Insurance companies may be subject to FINRA laws which cover the retention of certain records. The Fair Labor Standards Act and the Employee Retirement Income Security Act also require certain records to be retained and the Centers for Medicare & Medicaid Services (CMS) requires healthcare providers to retain cost reports for five years after the closure of the cost report, while Medicare managed care program providers are required to retain records for ten years.
The HIPAA Breach Notification Rule – 45 CFR §§ 164.400-414 – requires notifications to be issued after a breach of unsecured protected health information.
A breach is defined as a use or disclosure of protected health information not permitted by the HIPAA Privacy Rule that compromises the security or privacy of protected health information. Notifications are not required if a HIPAA-covered entity or business associate can demonstrate there is a low probability that PHI has been compromised.
If notifications are required, they must be issued to patients/health plan members ‘without unnecessary delay’ and no later than 60 days after the discovery of a breach. A media notice must also be issued if the breach impacts more than 500 individuals, again within 60 days. The notice should be provided to a prominent media outlet in the state or jurisdiction where the breach victims are located.
The individual and media notices should include a brief description of the security breach, the types of information exposed, a brief description of what is being done by the breached entity to mitigate harm and prevent future breaches, and the steps that can be taken by breach victims to reduce the potential for harm.
The HHS’ Secretary must also be notified within 60 days of the discovery of a breach if the breach impacts more than 500 individuals, and within 60 days of the end of the calendar year in which the breach was experienced if the breach impacts fewer than 500 individuals.
A copy of the breach notices should be retained along with documentation showing that notifications were issued. If a security breach did not warrant the issuing of notifications, documentation must be retained detailing the risk assessment that established there was a low probability that PHI was compromised.
A HIPAA violation is the failure to comply with any of the provisions of HIPAA Rules. While there are many potential areas where HIPAA Rules can be violated, ten of the most common HIPAA violations are detailed below. These violations have been discovered by OCR during investigations of data breaches and complaints filed by employees, patients, and plan members through the OCR complaints portal.
One of the most common HIPAA violations discovered by OCR is the failure to perform a comprehensive, organization-wide risk analysis. HIPAA requires covered entities and their business associates to conduct regular risk analyses to identify vulnerabilities to the confidentiality, integrity, and availability of PHI.
All risks identified during the risk analysis must be subjected to a HIPAA-compliant risk management process and reduced to a reasonable and appropriate level. Risk management is critical to the security of ePHI and PHI and is a fundamental requirement of the HIPAA Security Rule.
While HIPAA does not demand the use of encryption, encryption is an addressable implementation specification and must be considered. The failure to use encryption or an alternative equivalent safeguard to ensure the confidentiality, integrity, and availability of ePHI has resulted in many healthcare data breaches.
HIPAA requires covered entities and business associates to implement a security awareness training program for all members of the workforce, including management. Training should be provided regularly and the frequency should be determined by means of a risk analysis.
When PHI or ePHI is no longer required it must be disposed of securely in a manner that ensures PHI is “unreadable, indecipherable, and otherwise cannot be reconstructed.” Paper records should be shredded, burnt, pulped, or pulverized, while electronic media should be cleared, purged, degaussed, or destroyed.
An impermissible disclosure of PHI is a disclosure not permitted under the HIPAA Privacy Rule. This includes providing PHI to a third party without first obtaining consent from a patient and ‘disclosures’ when unencrypted portable electronic devices containing ePHI are stolen.
Covered entities must take steps to limit access to PHI to the minimum necessary information to achieve the intended purpose.
The Privacy Rule permits patients to access and obtain copies of their protected health information on request. Requests for copies of PHI must be dealt with promptly and copies provided within 30 days of the request being received.
Healthcare organizations may require individuals or entities to provide services that require access to PHI. Prior to any disclosure of PHI, the entity that performs those functions must enter into a business associate agreement (BAA) with the covered entity. The BAA outlines the business associate’s responsibilities to safeguard PHI, explains the permissible uses and disclosures of PHI, and other requirements of HIPAA.
In the event of a data breach, notifications must be issued to affected individuals to alert them to the exposure of their PHI. Breach notifications must be issued without unreasonable delay and no later than 60 days from the date of discovery of the breach.
The HIPAA implications for patients are that their healthcare information is treated more sensitively and can be accessed more quickly by their healthcare suppliers. Electronically stored health information is now better secured than paper records ever were, and healthcare groups that have put in place mechanisms to adhere with HIPAA regulations are witnessing greater efficiency. This results – as far as patients are concerned – in a higher standard of healthcare.
On the negative side, healthcare groups are not only concerned with the standard of healthcare they can give to individual patients. Healthcare groups want to increase the services they can supply, want to enhance the quality of care and improve patient safety through research. Regrettably, research is limited by HIPAA, and restricted access to PHI has the potential to slow the pace at which improvements can be made in healthcare.
There is also a price to pay for better data security, and although the enactment of the Meaningful Use program gave financial incentives for healthcare providers to digitalize paper records, adapting the necessary controls to secure ePHI can carry a substantial cost. Increasing funding for compliance may reduce the level of patient care, while the administrative strain that HIPAA-compliance places of healthcare organizations furthers exhausts available resources.
Unless the patient has experienced physical or financial harm due to the unauthorized disclosure of their PHI, they cannot bring a civil action against the negligent party. However, CEs and BAs who breach HIPAA for personal gain or under false pretenses will have criminal penalties imposed by the Office for Civil Rights that could lead to up to ten years´ imprisonment.
If data privacy and security is not adequately managed, the Office for Civil Rights can issue fines for non-compliance. Avoidable data breaches could see considerable financial penalties applied. Under the penalty structure brought in by HITECH, violations can lead to fines up to $1.5 million per year per offence being issued by the OCR, while lawsuits can be initiated by both attorney generals and – as stated above – the victims of data breaches.
The high odds of healthcare groups becoming targets for cybercriminals and the exorbitant cost of addressing data breaches – issuing breach notification correspondence, offering credit monitoring services and covering the OCR fines – is far higher than the cost of achieving full compliance. But, while the initial investment in the necessary technical, physical and administrative security measures to secure patient data may be high, the improvements can lead to savings over time as a result of improved efficiency.
Groups that have already implemented mechanisms to adhere with HIPAA have seen their workflows streamlined, less time is spent playing “phone tag” and workforces have become more productive – allowing healthcare organizations to reinvest their savings and provide a higher standard of healthcare to patients.
Explaining HIPAA to staff members of CEs and BAs requires far more work than explaining HIPAA to patients. In order to adhere with HIPAA, organizations must compile privacy and security policies for their employees, and a sanctions policy for staff member who do not comply with the requirements. Therefore it is important to explain HIPAA to workers in greater detail.
The best method of explaining HIPAA to employees is in special compliance training tutorials. Although the HIPAA regulations require training to be provided annually, we would feel there is so much for employees to take in relating to the security and privacy of personal health information, compliance training sessions should be short and often. Trying to explain HIPAA to employees in a four-hour training session will likely fail.
A lot of the explanation will concentrate on maintaining the integrity of PHI, but how this is adapted will likely have an effect on the employees themselves. For instance, employees will be unable to exchange information about patient healthcare via their mobile device unless appropriate controls are implemented. Due to the number of healthcare centers adapting BYOD policies, this will mean workers may have to download safe communication apps to their personal mobile devices.
In a way, the Act was quite forward-thinking. Although Congress had been passing privacy laws since the 1970s, HIPAA addressed the digitalization of medical records and stipulated the safeguards HIPAA-covered entities should apply in order to protect healthcare data in both paper and digital formats. The digitalization of medical records was later encouraged via amendments in the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Compliance with HIPAA is an ongoing exercise. There is no one-off compliance test or certification one can achieve that will absolve a Covered Entity from sanctions if an avoidable breach of violation of HIPAA subsequently occurs. Indeed OCR has issued a statement advising Covered Entities and Business Associates it does not endorse any private consultants’ or education providers’ seminars, materials or systems, nor certify any persons or products as “HIPAA compliant.”
However, if you are unsure about any element of HIPAA, it is recommended you seek professional help. It has already been mentioned above that ignorance of HIPAA is not an adequate excuse for violations of HIPAA, and there does not necessarily need to have been an unauthorized disclosure of PHI in order for a violation of HIPAA to have occurred. Therefore, although the resources required to achieve HIPAA compliance may be considerable, there is no alternative if your organization collects, processes, stores or disposes of PHI or ePHI.
You may find the following articles useful: