First proposed in 1996 in order that workers could carry forward insurance and healthcare rights between places of work and roles, our HIPAA simplified history shows the Act has since evolved into an act of legislation that also governs health insurance fraud and tax provisions for medical savings accounts and ensures acceptance of workers with pre-existing stipulatios into occupational healthcare insurance schemes. Mainly though, HIPAA concerns the privacy and security of patient health information.
HIPAA (via the HITECH Act) was also used to encourage the healthcare sector to digitalize paper records. This led to worries over unauthorized disclosures of “Protected Health Information” (PHI) and lead to in the development of further privacy and security legislation in 2013. The regulations addressed technological developments in the healthcare sector since the original legislation was passed, and expanded responsibility for the integrity of PHI to Business Associates.
The HIPAA regulations are policed by the U.S. Department of Health & Human Services’ Office for Civil Rights, while State Attorney Generals can also take action against parties found not to be in compliance with HIPAA. The Office for Civil Rights has the power to impose financial penalties on Covered Entities and Business Associates for breaches of PHI unless the offending party can show a low probability that patient health information was violated.
HIPAA Guide for Dummies
Although it may be thought of as unkind to entitle a section of this article “HIPAA Guide for Dummies”, there are still some people not familiar with what patient health information is “protected”. To clarify what is considered as “Protected Health Information”, we have detailed below the 18 “personal identifiers” that on their own – or linked with any other personal identifier – could reveal the identity of a person, their medical history or payment records:
|Names or part of names||Any other unique identifying characteristic|
|Geographical identifiers||Dates directly related to a person|
|Phone number details||Fax number details|
|Details of Email addresses||Social Security details|
|Medical record numbers||Health insurance beneficiary numbers|
|Account details||Certificate or license numbers|
|Vehicle license plate details||Device identifiers and serial numbers|
|Website URLs||IP address details|
|Fingerprints, retinal and voice prints||Complete face or any comparable photographic images|
Who does HIPAA cover?
Before trying to explain HIPAA it is best to state who the legislation applies to. Practically all health plans, health care clearinghouses, health care suppliers and endorsed sponsors of the Medicare prescription drug discount card are thought to be “HIPAA Covered Entities” under the Act. Normally, these are bodies that come into contact with Protected Health Information on a constant basis.
“Business Associates” are also included in HIPAA. These are entities who do not create, receive, manage or transmit Protected Health Information in their main occupation, but who supply third party services and activities for Covered Entities during the course of which they will come across PHI. Before undertaking a service or activity for a Covered Entity, a Business Associate must complete a Business Associate Agreement guaranteeing to enshrine the integrity of any PHI to which it has access.
A grey area exists in relation to self-insured single employer group health plans and employers who behave as intermediaries between employees and health care suppliers. HIPAA states employers are not Covered Entities unless the nature of their business falls within the stipulations to be a Covered Entity (i.e. an employing Medical Center would constitute a Covered Entity). However, as self-insuring and intermediary employers manage PHI that is secured by the HIPAA Privacy Rule, they are thought to be “Virtual Entities” and subject to HIPAA compliance.
Post 2013 HIPAA Explained
Since the Final Omnibus Rule was introduced, which passed new regulations within HIPAA in 2013, new guidelines have been released on how PHI must be accessed and sent in a medical-related environment. The revised Act allocates patients further rights to know and manage how their health information is used and extends the measures on HIPAA-covered entities and Business Associates to how patient data is accessed and shareed.
HIPAA-covered bodies and Business Associates must put in place mechanisms to limit the flow of information inside a private network, monitor activity on the network and take steps to stop the unauthorized disclosure of PHI beyond the network´s boundaries. More attention must be invested in conducting risk assessments, and new reporting procedures have been implemented to cover data breaches.
Changes to the HIPAA Security Rule list the conditions (“safeguards”) that must be in place for HIPAA-compliant storage and the communication of ePHI. These “safeguards” are referred to in the HIPAA Security Rule as either “required” or “addressable”. In fact, all the security measures are generally required – irrespective of how they are listed – as the following section explains.
The Office for Civil Rights completes audits on HIPAA-covered entities to ensure they adhere with the regulations. When preventable breaches of ePHI are found, the Office for Civil Rights has the authority to issue financial penalties and bring criminal charges against the negligent body.
The Necessary and Addressable Security Measures of HIPAA Explained
One area of HIPAA that has resulted in some confusion is the difference between “required” and “addressable” security measures. Practically every safeguard of HIPAA is “required” unless there is a justifiable rationale not to implement the safeguard or an appropriate alternative to the safeguard is put in place that achieves the same objective.
An instance in which the implementation of an addressable safeguard could be not required is the encryption of email. Emails holding PHI – either in the body or as an attachment – only have to be encrypted if they are shared beyond a firewalled, internal server. If a healthcare group only uses email as an internal form of communication – or has an authorization from a patient to send their information unencrypted – there is no need to adapt this addressable safeguard.
The decision not to use email encryption will have to be backed up by a risk assessment and documented in writing. Other factors that may have to considered are the organization’s risk mitigation strategy and other security measures put in place to secure the integrity of PHI. As a footnote to this particular section of HIPAA explained, the encryption of PHI at rest and in transit is recommended.
HIPAA Implications for Patients
The HIPAA implications for patients are that their healthcare information is treated more sensitively and can be accessed more quickly by their healthcare suppliers. Electronically stored health information is now better secured than paper records ever were, and healthcare groups that have put in place mechanisms to adhere with HIPAA regulations are witnessing a greater efficiency. This results – as far as patients are concerned – in a higher standard of healthcare provided.
On the negative side, healthcare groups are not only concerned with the standard of healthcare they can give to individual patients. Healthcare groups want to increase the services they can supply, want to enhance the quality of care and improve patient safety through research. However, research is limited by HIPAA and restricted access to PHI has the potential to slow the pace at which improvements can be made in health care.
There is also a price to pay for better data security, and although the enactment of the Meaningful Use program gave financial incentives for healthcare providers to digitalize paper records, adapting the necessary controls to secure ePHI can carry a substantial cost. Increasing funding for compliance may reduce the level of patient care, while the administrative strain that HIPAA-compliance places of healthcare organizations furthers exhausts the limited resources available.
Explaining HIPAA to Patients
- They may request their medical records whenever they like.
- They may request you amend their medical records when appropriate.
- They can limit who has access to their personal health information.
- They can choose how healthcare providers communicate with them.
- They have right to complain about the unauthorized disclosure of their PHI.
Unless the patient has experienced physical or financial harm due to the unauthorized disclosure of their PHI, they cannot bring a civil action against the negligent party. However, Covered Entities and Business Associates who breach HIPAA for personal gain, false pretenses or other personal gain will have criminal penalties imposed by the Office for Civil Rights that could lead to up to ten years´ imprisonment.
Healthcare Organizations and the Implications of HIPAA
If data privacy and security is not adequately managed, the Office for Civil Rights can issue fines for non-compliance. Avoidable data breaches could see considerable financial penalties applied. Under the penalty structure brought in by HITECH, violations can lead to fines up to $1.5 million being issued by the OCR, while lawsuits can be initiated by both attorney generals and – as stated above – the victims of data breaches.
The high odds of healthcare groups becoming targets for cybercriminals and the exorbitant cost of addressing data breaches – issuing breach notification correspondence, offering credit monitoring services and covering the OCR fines – is far higher than the cost of achieving full compliance. But, while the initial investment in the necessary technical, physical and administrative security measures to secure patient data may be high, the improvements can lead to savings over time as a result of improved efficiency.
Groups that have already implemented mechanisms to adhere with HIPAA have seen their staff members workflows streamlined, less time is spent playing “phone tag” and the workforce has become more productive – allowing healthcare organizations to reinvest their savings and provide a higher standard of healthcare to patients.
Explaining HIPAA to Staff
Explaining HIPAA to staff members of Covered Entities and Business Associates requires far more work than explaining HIPAA to patients. In order to adhere with HIPAA, Covered Entities and Business Associates have to compile privacy and security policies for their employees, and a sanctions policy for staff member who do not comply with the requirements. Therefore it is important to explain HIPAA to workers in greater detail.
The best method of explaining HIPAA to employees is in special compliance training tutorials. Although the HIPAA regulations require training to be provided annually, we would feel there is so much for employees to take in relating to the security and privacy of personal health information, compliance training sessions should be short and often. Trying to explain HIPAA to employees in a four-hour training session will likely fail.
A lot of the explanation will concentrate on maintaining the integrity of PHI, but how this is adapted will likely have an affect on the employees themselves. For instance, employees will be unable to talk about patient healthcare via their mobile device unless the communications are encrypted. Due to the number of healthcare centers adapting BYOD policies, this will mean workers have to download safe communication apps to their personal mobile devices.