Most people in healthcare-related industries know the basics of HIPAA law, usually in relation to their specific roles. However, in order to fully understand HIPAA compliance and why HIPAA regulations are written the way they are, it is beneficial to have a little knowledge about the origins of the Health Insurance Portability and Accountability Act and the changes to HIPAA law made since its enactment in 1996. If every employee knows this broader background, as well as being familiar with the specific elements relating to their own work, it can help to prevent accidental HIPAA violations.
The origins of HIPAA law go back well before the Health Insurance Portability and Accountability Act was enacted in 1996. The original proposals, to prohibit self-insuring employers and the insurance industry from denying coverage to employees with pre-existing conditions, evolved from earlier Congressional Acts such as the Employee Retirement Income Security Act (ERISA) of 1974 and the Consolidated Omnibus Budget Reconciliation Act of 1985 (COBRA). By the early 1990s, with the rise of electronic record-keeping and electronic claims processing, Congress concluded that the existing rules on handling health data also needed an upgrade. Thus, HIPAA was conceived.
The proposals relating to healthcare insurance portability and accountability were passed under the Senate´s Health Insurance Reform Bill in 1995 and eventually became Title I of HIPAA. Originally, the purpose of the legislation was to “improve the portability and accountability of health insurance coverage”, protecting those that were moving between jobs. Other aspects of the legislation focused on reducing incidences of fraud and data abuse in the healthcare sector.
The privacy and security regulations most people associate with HIPAA law today did not materialize until 1999, when the Department of Health & Human Services (HHS) released a proposed “Privacy Rule” for public comment in compliance with the Administrative Simplification Provision (part of Title II of HIPAA). Detailed further below, the Privacy Rule primarily sought to define “Protected Health Information” as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to the individual”. This is an important definition, as it clarified what kinds of data HIPAA applies to. In addition to the Privacy Rule, HIPAA has seen the incorporation of other rules since it was signed into law.
A final Privacy Rule was published in December 2000 and subsequently modified in 2002. As noted above, the Rule set the standards for the protection of individually identifiable health information (termed “Protected Health Information”, or “PHI”) held by health plans, healthcare clearinghouses and healthcare providers. The standards had the objective of protecting personal data in order to prevent fraud and abuse in the healthcare system; but because they apply to so many use cases, the language used in the Privacy Rule may seem somewhat ambiguous in places.
Examples of PHI include:
A final Security Rule was published in 2003, a little over two years after the Privacy Rule. This Rule established national standards to ensure the confidentiality, integrity and availability of electronic PHI (“ePHI”) when it is created, received, used, stored or transmitted electronically. The Security Rule requires the implementation of appropriate administrative, physical and technical safeguards. Most HIPAA-covered entities were required to comply with the Security Rule safeguards by April 2005.
Frustratingly, many safeguards are vague in their terminology. There was deliberate intention behind this, as it ensured that the Rule did not need to be routinely updated as technology advanced. Each safeguard is broken down into implementation specifications, which are either “required” or “addressable”. Addressable does not mean optional: a covered entity must assess whether the specification is a reasonable and appropriate safeguard in its environment, implement it if it is, and otherwise document why it is not and implement an equivalent alternative measure where one is reasonable and appropriate. Addressable specifications appear in all three safeguard categories, not only the technical safeguards.
An important addressable specification is encryption of ePHI, both at rest and in transit. HHS guidance ties “secured” PHI to encryption that follows NIST standards: PHI encrypted in line with that guidance is not considered “unsecured”, so its loss does not trigger the breach notification obligations described later. Encrypting ePHI whenever it leaves the organization’s own controlled environment is therefore the practical baseline. PHI is valuable, with a complete patient record reportedly fetching far more than a stolen payment card on criminal markets, so healthcare organizations are routinely targeted by attackers seeking access to PHI, and the number of cyberattacks on healthcare organizations continues to increase. The safeguards demanded by the HIPAA Security Rule are therefore of vital importance.
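As an added illustration (this is not code from the original article or from HHS), the following Go program shows what “encrypted according to NIST standards” looks like in practice for a single ePHI record: AES-256-GCM, an authenticated encryption mode specified in NIST SP 800-38D, with a fresh random nonce per message and the record’s metadata bound in as additional authenticated data so that a tampered ciphertext or a mismatched context is rejected rather than silently decrypted. The patient record, the key, and the `recordID` context string are all constructed for the example; real key management (where the key lives, who can use it, how it is rotated) is out of scope here and must be addressed separately.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptPHI seals plaintext with AES-256-GCM (NIST SP 800-38D).
// A fresh 96-bit nonce is drawn from crypto/rand for every call and
// prepended to the output; aad (e.g. a record identifier) is authenticated
// but not encrypted, so the ciphertext cannot be replayed under another ID.
func EncryptPHI(key, plaintext, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce we pass as dst.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// DecryptPHI reverses EncryptPHI. Any modification of nonce, ciphertext,
// tag or aad makes gcm.Open fail, so corrupted or forged data is never
// returned to the caller as if it were genuine PHI.
func DecryptPHI(key, sealed, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	// Constructed sample key and record; a production key would come from
	// a KMS/HSM, never from source code.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	recordID := []byte("patient-record-000123") // hypothetical context string
	record := []byte(`{"name":"Jane Doe","dob":"1970-01-01","dx":"E11.9"}`)

	sealed, err := EncryptPHI(key, record, recordID)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d bytes\n", len(record), len(sealed))

	plain, err := DecryptPHI(key, sealed, recordID)
	fmt.Printf("round trip ok: %v (%s)\n", err == nil, plain)

	// Flip one ciphertext bit: the GCM tag no longer verifies.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = DecryptPHI(key, tampered, recordID)
	fmt.Printf("tampered record rejected: %v\n", err != nil)

	// Present the ciphertext under a different record ID: also rejected.
	_, err = DecryptPHI(key, sealed, []byte("patient-record-000999"))
	fmt.Printf("wrong context rejected: %v\n", err != nil)
}
```

The two rejection cases at the end are the point of choosing an authenticated mode: plain AES-CBC without a MAC would decrypt the tampered or misattributed record to garbage (or to a subtly altered diagnosis) without any error, which is exactly the integrity failure the Security Rule is meant to guard against.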
Physical safeguards are varied, but most are intuitive. They are perhaps the most important safeguards as far as the day-to-day workflows of healthcare employees are concerned. They include making sure that paper PHI and mobile devices containing ePHI are not left unattended, and controlling physical access to workstations and facilities where ePHI is held. Many data breaches have occurred as a result of mobile devices being lost or stolen.
Administrative safeguards are often overlooked, but their importance should not be underestimated. The administrative safeguards are largely related to policies and procedures. They include conducting a risk analysis, workforce training, and designating a security official responsible for the organization’s Security Rule program (the Privacy Rule separately requires a designated privacy official). The Security Rule also requires organizations to carry out periodic evaluations of their practices, and to have clear means of reporting and responding to violations and security incidents.
In 2003, HHS published the first “Procedures for Investigations, Imposition of Penalties and Hearings” for enforcing HIPAA law. This was largely as a response to Covered Entities who were aware of HIPAA, but chose not to comply with its requirements. A draft HIPAA Enforcement Rule was published in 2005, and took effect in 2006. The Enforcement Rule was supposed to address the unauthorized use or disclosure of PHI and resolve complaints from the public about breaches of the Privacy Rule, such as when they were not allowed access to their own health information.
The new rule also gave the Department of Health and Human Services (HHS) a defined process for taking enforcement action against anyone found to be violating HIPAA; HHS imposes civil penalties, while criminal violations are referred to the Department of Justice. Specifically, the HHS’ Office for Civil Rights (OCR) was given guidelines on how to conduct investigations when a complaint or breach is reported. The Enforcement Rule also instructs OCR on how to determine the most appropriate penalty for HIPAA violations, depending on the circumstances.
OCR lacked the resources to deal with the volume of complaints received from the public, and very little enforcement action was taken until the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009. This Act introduced the Breach Notification Rule and new penalties for violating HIPAA which gave HHS the tools to effectively enforce HIPAA law.
The aim of the HITECH Act was to make the healthcare system more efficient by encouraging the adoption and meaningful use of health information technology. In order to ensure compliance with the HIPAA Privacy and Security Rules as the volume of electronic transactions increased, higher penalties were introduced for noncompliance.
As a result of the HITECH Act, the Omnibus Final Rule was issued in 2013. The most recent major addition to the HIPAA regulations, the Omnibus Final Rule amended HIPAA to implement the requirements of the HITECH Act. The HITECH Act mandated a new, tiered civil monetary penalty system, and the Omnibus Final Rule replaced the earlier “harm threshold” for breach notification with a presumption that any impermissible use or disclosure of PHI is a breach unless a documented risk assessment shows a low probability that the PHI was compromised. The Omnibus Final Rule included other changes: it restricted the use of PHI for marketing and prohibited the sale of PHI without the individual’s authorization, for example. It also modified HIPAA to align it with the Genetic Information Nondiscrimination Act, prohibiting the use or disclosure of genetic information for underwriting purposes.
The HITECH Act also introduced the Breach Notification Rule, which requires breaches of unsecured PHI to be reported to HHS and for notifications to be sent to the individuals affected. Notifications to affected individuals must be sent without unreasonable delay and no later than sixty days after the discovery of a breach. Breaches affecting 500 or more individuals must also be reported to HHS within 60 days of discovery, and where 500 or more residents of a state or jurisdiction are affected, a notice must be issued to prominent media outlets serving that area. Smaller breaches must be logged and reported to HHS within 60 days of the end of the calendar year in which the breach was discovered.
The cost of non-compliance with HIPAA law can be significant. If a breach of PHI occurs, such as a cyberattack, the incident may be investigated by OCR. If HIPAA violations are discovered during the course of that investigation, CEs will be instructed to agree to a course of corrective action. This can include further employee training, upgrades to security, and revisions of policies and procedures.
Serious violations of HIPAA Rules, including widespread noncompliance, can attract financial penalties. Under the tiered system introduced by HITECH, the HHS’ Office for Civil Rights has the authority to impose fines of up to $50,000 per violation, with a maximum of $1,500,000 per year for violations of the same provision in the highest penalty tier (these are the base figures, which are adjusted annually for inflation). Such large penalties are intended to encourage CEs to comply with HIPAA and, ultimately, to protect the interests of patients.
It is important to note that ignorance of HIPAA requirements is not considered an adequate excuse for HIPAA violations. Thus, it is imperative that employees are regularly trained on HIPAA legislation and know how to apply the requirements to their working lives.
Following the publication of the Omnibus Final Rule in 2013, “Business Associates” – entities to whom PHI is lawfully disclosed for the provision of a service on behalf of a health plan, healthcare clearinghouse or healthcare provider – are directly required to comply with the applicable HIPAA Rules and are subject to the same penalties when violations occur. BAs are usually contracted by the CE to carry out services such as accounting, billing or IT hosting. Therefore, they do not usually create PHI but may be involved in processing, storing or transmitting it. Before a BA is given access to PHI, the CE and BA are required to sign a Business Associate Agreement (BAA). This is essentially a contract that sets out the BA’s responsibilities with respect to HIPAA. By signing the BAA, the business associate agrees to abide by HIPAA, to ensure the confidentiality, integrity and availability of the PHI it handles, and to limit its uses and disclosures to those the agreement permits.
It is a legal requirement that all patients must be made aware of their rights under HIPAA. CEs inform patients via their Notice of Privacy Practices, which providers must give to patients at the first service encounter and for which they must make a good-faith effort to obtain a written acknowledgement of receipt. Some key points may be highlighted to the patient verbally by the person collecting the data or highlighted on an electronic form if one is being used.
Some of those key rights include the right to:
HIPAA legislation is undoubtedly complicated, and it would be unfair to expect all employees to have a detailed understanding of its breadth and implications. However, they should know why it was created, what it is for, what it means for their daily workflow and when and how HIPAA applies. Management should have a more detailed understanding of the different rules – Privacy, Security, Enforcement, Breach Notification and Omnibus Rules – as this will equip them to deal with privacy-related situations as they arise.
HIPAA breaches are very serious; not only do they attract hefty financial fines, they also put patient safety at risk and leave patients vulnerable to fraud. Thus, if a breach occurs, all staff should know how to report it and what short-term actions can be taken to prevent further breaches. Patients should also be informed of their rights under HIPAA, and doing so can help prevent privacy violations. While HIPAA is a complex piece of legislation, there are many practices that help protect patients and the privacy and security of health information.