HIPAA for Dummies

HIPAA

Why was HIPAA created?

First proposed in 1996 so that workers could carry forward insurance and healthcare rights between jobs, HIPAA has since evolved into a piece of legislation that governs a broad range of health-related issues, from health insurance fraud and tax provisions for medical savings accounts to the acceptance of workers with pre-existing stipulations into occupational healthcare insurance schemes. Primarily, however, HIPAA concerns the privacy and security of patient health information. (PHI). In addition to the above roles, it allows health-related information to be transferred between

Through the HITECH Act, the Health Insurance Portability and Accountability Act (HIPAA) was also used to encourage the healthcare sector to digitalize paper records. This stemmed from the realisation that not only was keeping solely hard copies of files inefficient, it was risky as they could easily be lost. However, the move to digitization led to worries over unauthorized disclosures of “Protected Health Information” (PHI) and lead to in the development of further privacy and security legislation in 2013 (via the HIPAA Privacy and Security Rules). The regulations addressed technological developments in the healthcare sector since the original legislation was passed, and expanded responsibility for the integrity of PHI to Business Associate (BAs).

The HIPAA regulations are policed by the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR). State Attorney Generals can also take action against parties found not to be in compliance with HIPAA. The OCR has the power to impose financial penalties on Covered Entities and Business Associates for breaches of PHI unless the offending party can show a low probability that patient health information was violated.

What is the purpose of HIPAA?

As discussed above, when HIPAA was first conceived in the early 1990’s, its main purpose was to streamline the transfer of PHI between parties. However, it was noted that there was a lack of adequate legislation to protect such data, especially in the digital age. Cyber-attacks were becoming a real threat, and it was no surprise that health information was a prime target. Additionally, with the widespread use of bank cards, billing information was another susceptible target.

This is where HIPAA came in. After the initial act was created in 1996, the Privacy Law (1999) was the first piece of legislation to come into force. This requires appropriate safeguards to be in place before any PHI can be stored or transferred electronically.

The safeguards include the “minimum necessary” rule, which means that only the information needed to allow the required action to be executed is transferred, and no more. This means that, for example, when a healthcare provider is sending information to a billing company, they do not, for example, send the patient’s entire medical history. Any non-routine requests must be dealt with on an individual basis. Essentially, the purpose of the Privacy Rule is to ensure that sensitive patient information is not unnecessarily disclosed.

The Security Rule is another important piece of information that makes up HIPAA. When it was first enacted, the creators of the Security Rule realised that technology was advancing at an unprecedented rate. Thus, they decided to leave some terms of the legislation vague in order to accommodate these developments.

For example, encryption is considered an “addressable” requirement. Rather than explicitly naming encryption as the technology to be used, the Security Rule allows for other means of protection if they can be shown to be at least as protective as encryption. The same goes for passwords: in this case, companies may instead choose to use two-factor authentication.

But why are cybercriminals interested in PHI? It turns out, medical data is worth a lot on the black market. PHI can be used to make fake ID cards that allow criminals to buy medical equipment or access drugs that can then be sold on for huge profits. The data may also be used to fraudulently bill unsuspecting patients. HIPAA, and its continual updates, help protect patients from such attacks.

Understanding HIPAA for Dummies

There are still some people working in the healthcare industry not familiar with what patient health information is “protected”. To clarify what is considered to be “Protected Health Information”, we have detailed below the 18 personal identifiers that on their own – or linked with any other personal identifier – could reveal the identity of a person, their medical history or payment records.

Names or part of names Any other unique identifying characteristic
Geographical identifiers Dates directly related to a person
Phone number details Fax number details
Details of Email addresses Social Security details
Medical record numbers Health insurance beneficiary numbers
Account details Certificate or license numbers
Vehicle license plate details Device identifiers and serial numbers
Website URLs IP address details
Fingerprints, retinal and voice prints Complete face or any comparable photographic images

The main takeaway for HIPAA compliance is that any company that comes into contact with PHI must enact adequate technical, physical and administrative safeguards to protect that data. HIPAA violations occur when there has been a breach in this protection and the PHI has been accessed or used by an unauthorised individual.

Violations of HIPAA often result from the following:

  • Lack of adequate risk analyses across the organisation
  • Inadequate Business Associate Agreements
  • Inappropriate sharing of PHI
  • Ignorance of the minimum necessary rule
  • Failure to report breaches within an adequate timeframe.

Many of these are accidental offences – for example, leaving a document on a desk in clear view of anyone passing by. However, the OCR does not consider ignorance an adequate excuse, and do not forgive HIPAA violations that result from it.

There is one clear exception: cyberattacks. If it is clear that an organisation enacted appropriate safeguards, but PHI was accessed by cybercriminals, this is not considered a HIPAA violation.

Who does HIPAA apply to?

Before trying to explain the ins and outs of HIPAA it is best to state when the legislation applies. Practically all health plans, health care clearinghouses, health care suppliers and endorsed sponsors of the Medicare prescription drug discount card are considered to be “HIPAA Covered Entities” (CEs) under the Act. Normally, these are bodies that come into contact with Protected Health Information (PHI) on a constant basis.

Under these definitions, employers are not considered to be CEs, even if they maintain records of employees’ health information. If employers use schemes such as the Employee Assistance Program (EAP), they are then considered “hybrid entities” and are required to be HIPAA-compliant.

“Business Associates” (BA) are also included in HIPAA. These are entities who do not create, receive, manage or transmit Protected Health Information in their main occupation, but who supply third party services and activities for Covered Entities during the course of which they will come across PHI. BAs may include accountants, Before undertaking a service or activity for a CE, a BA must complete a Business Associate Agreement guaranteeing to enshrine the integrity of any PHI to which it has access.

A grey area exists in relation to self-insured single employer group health plans and employers who behave as intermediaries between employees and health care suppliers. HIPAA states employers are not CEs unless the nature of their business falls within the stipulations to be a CEs (i.e. an employing Medical Center would constitute a Covered Entity). However, as self-insuring and intermediary employers manage PHI that is secured by the HIPAA Privacy Rule, they are thought to be “Virtual Entities” and subject to HIPAA compliance.

HIPAA Explained

HIPAA legislation is essentially made up of a number of rules, each of which lay out different requirements for HIPAA compliance. The rules are as follows:

HIPAA Privacy Rule: The Privacy Rule dictates how, when and under what circumstances PHI can be disclosed. Enacted for the first time in 2003, it applies to all healthcare organisations, clearing houses and those that provide health plans. Since 2013, it has been extended to include business associates.

The Privacy Rule sets limits regarding the use of patient information when no prior authorization has been given by the patient. Additionally, it mandates that patients and their representatives have the right to obtain a copy of their health records and request necessary changes. CEs have a 30-day deadline respond to such requests.

HIPAA Security Rule: The Security Rule sets the minimum standards to safeguard ePHI. Anybody that can access, create, alter or transfer the ePHI or personal identifiers must follow these standards. Technical safeguards include encryption to NIST standards if the data goes outside the company’s firewall.

Physical safeguards may relate to the layout of workstations (e.g. screens cannot be seen from a public area), whereas administrative safeguards unite the Privacy Rule and the Security Rule. They require a Security Officer and Privacy Officer to conduct regular risk assessments and audits. These assessments aim to identify any ways in which the integrity of PHI is threatened and build a risk management policy off the back of this.

Breach Notification Rule: The Department of Health and Human Services must be notified if a security breach has been discovered. This must be within 60 days of the breach’s discovery. The media must also be immediately informed if more than 500 patients are affected. If fewer patients affected, the OCR will publish a report.

Omnibus Rule: A later addition, the Omnibus Rule addresses overlooked areas in HIPAA legislation. As per the Health Information Technology for Economic and Clinical Health (HITECH) Act, it tiered offences and changed the harm threshold. It also banned the use of ePHI for marketing.

Enforcement Rule: Should a breach of PHI occur, this rule lays out how any resulting investigations are carried out. Once the level of negligence has been determined, appropriate fines can be issued. For example, if it is determined that the violation was due to ignorance, a fine of up to $50,000 can still be levied against the negligent party. If the violation was because of willful neglect and not rectified within 30 days, a fine of $50,000 may be charged. Civil lawsuits may also be filed by victims.

Since the Final Omnibus Rule was introduced passing additional regulations within HIPAA in 2013, new guidelines have been released on how PHI must be accessed and sent in a medical-related environment. The revised Act allocates patients further rights to know and manage how their health information is used and extends the measures on HIPAA-covered entities and BAs to how patient data is accessed and shared.

HIPAA-covered bodies and Business Associates must put in place mechanisms to limit the flow of information inside a private network, monitor activity on the network and take steps to stop the unauthorized disclosure of PHI beyond the network´s boundaries. More attention must be invested in conducting risk assessments, and new reporting procedures have been implemented to cover data breaches.

Changes to the HIPAA Security Rule list the conditions (“safeguards”) that must be in place for HIPAA-compliant storage and the communication of ePHI. These “safeguards” are referred to in the HIPAA Security Rule as either “required” or “addressable”. In fact, all the security measures are generally required – irrespective of how they are listed – as the following section explains.

The Office for Civil Rights completes audits on HIPAA-covered entities to ensure they adhere with the regulations. When preventable breaches of ePHI are found, the Office for Civil Rights has the authority to issue financial penalties and bring criminal charges against the negligent body.

The Necessary and Addressable Security Measures of HIPAA Explained

One area of HIPAA that has resulted in some confusion is the difference between “required” and “addressable” security measures. Practically every safeguard of HIPAA is “required” unless there is a justifiable rationale not to implement the safeguard or an appropriate alternative to the safeguard is put in place that achieves the same objective.

An instance in which the implementation of an addressable safeguard could be not required is the encryption of email. Emails holding PHI – either in the body or as an attachment – only have to be encrypted if they are shared beyond a firewalled, internal server. If a healthcare group only uses email as an internal form of communication – or has an authorization from a patient to send their information unencrypted – there is no need to adapt this addressable safeguard.

The decision not to use email encryption will have to be backed up by a risk assessment and documented in writing. Other factors that may have to considered are the organization’s risk mitigation strategy and other security measures put in place to secure the integrity of PHI. As a footnote to this particular section of HIPAA explained, the encryption of PHI at rest and in transit is recommended.

HIPAA Implications for Patients

The HIPAA implications for patients are that their healthcare information is treated more sensitively and can be accessed more quickly by their healthcare suppliers. Electronically stored health information is now better secured than paper records ever were, and healthcare groups that have put in place mechanisms to adhere with HIPAA regulations are witnessing a greater efficiency. This results – as far as patients are concerned – in a higher standard of healthcare provided.

On the negative side, healthcare groups are not only concerned with the standard of healthcare they can give to individual patients. Healthcare groups want to increase the services they can supply, want to enhance the quality of care and improve patient safety through research. Regrettably, research is limited by HIPAA and restricted access to PHI has the potential to slow the pace at which improvements can be made in health care.

There is also a price to pay for better data security, and although the enactment of the Meaningful Use program gave financial incentives for healthcare providers to digitalize paper records, adapting the necessary controls to secure ePHI can carry a substantial cost. Increasing funding for compliance may reduce the level of patient care, while the administrative strain that HIPAA-compliance places of healthcare organizations furthers exhausts the limited resources available.

Explaining HIPAA to Patients

As health care suppliers are now required by law to give patients a notice of their Privacy Policy, it will be necessary to explain HIPAA to patients as they have to sign a copy of the policy to say they have been given it. The best fashion to explain HIPAA to patients is to put the relevant information in the Privacy Policy, and then give the patients a summary of what the policy contains. For instance, explain to the patient:

  • They may request their medical records whenever they like.
  • They may request you amend their medical records when appropriate.
  • They can limit who has access to their personal health information.
  • They can choose how healthcare providers communicate with them.
  • They have right to complain about the unauthorized disclosure of their PHI.

Unless the patient has experienced physical or financial harm due to the unauthorized disclosure of their PHI, they cannot bring a civil action against the negligent party. However, CE and BA who breach HIPAA for personal gain or under false pretenses will have criminal penalties imposed by the Office for Civil Rights that could lead to up to ten years´ imprisonment.

Healthcare Organizations and the Implications of HIPAA

If data privacy and security is not adequately managed, the Office for Civil Rights can issue fines for non-compliance. Avoidable data breaches could see considerable financial penalties applied. Under the penalty structure brought in by HITECH, violations can lead to fines up to $1.5 million being issued by the OCR, while lawsuits can be initiated by both attorney generals and – as stated above – the victims of data breaches.

The high odds of healthcare groups becoming targets for cybercriminals and the exorbitant cost of addressing data breaches – issuing breach notification correspondence, offering credit monitoring services and covering the OCR fines – is far higher than the cost of achieving full compliance. But, while the initial investment in the necessary technical, physical and administrative security measures to secure patient data may be high, the improvements can lead to savings over time as a result of improved efficiency.

Groups that have already implemented mechanisms to adhere with HIPAA have seen their staff members workflows streamlined, less time is spent playing “phone tag” and the workforce has become more productive – allowing healthcare organizations to reinvest their savings and provide a higher standard of healthcare to patients.

Explaining HIPAA to Staff

Explaining HIPAA to staff members of CEs and BAs requires far more work than explaining HIPAA to patients. In order to adhere with HIPAA, organisations must compile privacy and security policies for their employees, and a sanctions policy for staff member who do not comply with the requirements. Therefore it is important to explain HIPAA to workers in greater detail.

The best method of explaining HIPAA to employees is in special compliance training tutorials. Although the HIPAA regulations require training to be provided annually, we would feel there is so much for employees to take in relating to the security and privacy of personal health information, compliance training sessions should be short and often. Trying to explain HIPAA to employees in a four-hour training session will likely fail.

A lot of the explanation will concentrate on maintaining the integrity of PHI, but how this is adapted will likely have an effect on the employees themselves. For instance, employees will be unable to talk about patient healthcare via their mobile device unless the communications are encrypted. Due to the number of healthcare centres adapting BYOD policies, this will mean workers have to download safe communication apps to their personal mobile devices.

HIPAA Summary for Dummies

In summary, HIPAA was initially devised and enacted to allow employees to move their health records and insurance more easily between employers. It thus encouraged the digitization of healthcare data, making it more efficient but also more susceptible to cyberattacks. Thus, the legislation was expanded to focus on the protection of private patient data.

The act achieved this through a set of rules (the Privacy, Security, Breach Notification, Omnibus and Enforcement Rules). Each focussed on a different aspect of data security, from the use of data in the Privacy Rule to the penalties for non-compliance in the Enforcement Rule. They also outline safeguards to be enacted to ensure the protection of the patient’s data. Though many of these are described as “addressable”, all safeguards are necessary.

Finally, it is important to make both staff and patients aware of HIPAA Legislation and what it means on a practical level. For staff, it is best to do this via a series of training days focussed at different aspects of the legislation. For patients, summarising the legislation in a Privacy Policy that they are required to read is the best option.