Most people in healthcare-related industries know elements of HIPAA law, usually in relation to their specific roles. However, in order to fully understand HIPAA compliance and why HIPAA regulations are written in the way they are, it is beneficial to have a little knowledge about the origins of the Healthcare Insurance Portability and Accountability Act and the changes to HIPAA law made since its enactment in 1996. If every employee knows this broader information, as well as being familiar with the specific elements relating to their own work, it can help to prevent HIPAA breaches.
The origins of HIPAA law go back a long way before the Healthcare Insurance Portability and Accountability Act was enacted in 1996. The original proposals – to prohibit self-insuring employers and the insurance industry from denying coverage to employees with pre-existing conditions – evolved from Congressional Acts such as the Employee Retirement Income Security Act (ERISA) in 1974 and the Consolidated Omnibus Reconciliation Act of 1985 (COBRA). However, in the early 1990s it was decided that data protection laws needed an upgrade, especially with the advent of new technologies. Thus, HIPAA was conceived.
The proposals relating to healthcare insurance portability and accountability were passed under the Senate's Health Insurance Reform Bill in 1995 and eventually became Title I of HIPAA. Originally, the purpose of the legislation was to “improve the portability and accountability of health insurance coverage”, protecting those who were moving between jobs. Other aspects of the legislation focused on reducing incidents of fraud and data abuse in the healthcare sector.
The privacy and security regulations most people associate with HIPAA law today did not materialize until 1999, when the Department of Health & Human Services (HHS) released a proposed “Privacy Rule” for public comment in compliance with the Administrative Simplification Provision (part of Title II of HIPAA). Detailed further below, the Privacy Rule primarily sought to define “Protected Health Information” as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to the individual”. This is an important definition, as it clarified what kinds of data HIPAA applies to. In addition to the Privacy Rule, HIPAA has seen the incorporation of other rules since it was signed into law.
A final Privacy Rule was published in December 2000 and subsequently modified in 2002. Defined above, the Rule set the standards for the protection of individually identifiable health information (termed “Protected Health Information”, or “PHI”) by healthcare plans and healthcare clearing houses, and by certain healthcare providers. The standards had the objective of protecting personal data in order to prevent fraud and abuse in the healthcare system; but because they apply to so many use cases, the language used in the Privacy Rule is ambiguous in certain circumstances.
Examples of PHI are as follows:
A final Security Rule was published three years after the Privacy Rule. This Rule established national standards to ensure the confidentiality, integrity and security of PHI when it is created, received, used, stored or transmitted electronically. The Security Rule requires the implementation of appropriate administrative, physical and technical safeguards and HIPAA-covered entities were required to comply with the Security Rule safeguards by April 2005.
Frustratingly, many safeguards are vague in their terminology. There was deliberate intention behind this, as it ensured that the Rule did not need to be routinely updated as technology developed. Instead, many safeguards – primarily the technological safeguards – are termed “addressable”. This means that if another technology, other than the one specified in the legislation, provides at least the same degree of protection it can be used instead. A good example of this is two-factor authentication, an increasingly popular alternative to passwords.
Another important safeguard to note is that all data is encrypted as per NIST standards once it leaves the company’s firewall. PHI is lucrative, with a “complete” set of data fetching an estimated $1,200 on the black market. Thus, it can be expected that cyber-attacks will become more common in the future and the technical safeguards stipulated by the Security Rule will be ever more important.
Physical safeguards are varied and may seem intuitive, though they are perhaps the most important on a day-to-day level. So-called “Bring Your Own Device” (BYOD) policies are popular in many organisations as they lower company costs. However, such policies leave an obvious vulnerability: if an employee loses a device, the data is also lost. Additionally, the device may not be as well protected as it would be should the company provide it. Regrettably, an estimated 40% of HIPAA breaches are the result of an employee losing a device or the device being stolen. There are some simple ways to protect against this; clear-desk policies can reduce theft and applications that allow device location can find lost devices.
Administrative safeguards are often overlooked, though they should not be underestimated. The Security Rule requires organisations to conduct regular audits of their practices, as well as ensuring that they have clear means of reporting any breaches.
Also in 2003, HHS published the first “Procedures for Investigations, Imposition of Penalties and Hearings” for enforcing HIPAA law. This was largely a response to the general ignorance of HIPAA: though Covered Entities (CEs, those who held PHI) were aware of HIPAA, they chose not to enact any of its regulations. Thus, the HIPAA Enforcement Rule was supposed to address the unauthorized use or disclosure of PHI and resolve complaints from the public about breaches of the Privacy Rule, such as when they were not allowed access to their own health information.
The new rule also gave the Department of Health and Human Services (HHS) the right to prosecute anyone found to be breaching HIPAA. Specifically, the Office for Civil Rights (OCR) – part of HHS – was given guidelines on how to conduct investigations when a breach is reported. The Enforcement Rule also instructs the OCR on how to determine the most appropriate punishment for HIPAA breaches, depending on the situation.
However, as HHS lacked the resources to deal with the volume of complaints received from the public, very little enforcement action was taken until the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009. This Act introduced the Breach Notification Rule and new penalties for violating HIPAA, which gave HHS the tools to effectively enforce HIPAA law.
The aim of the HITECH Act was to make the healthcare system more efficient by encouraging the adoption and meaningful use of health information technology. In order to ensure compliance with the HIPAA Privacy and Security Rules as the volume of electronic transactions increased, higher penalties were introduced for the unauthorized disclosure of PHI due to a lack of compliance.
As a result of HITECH, the Omnibus Rule was added to HIPAA legislation. The most recent addition to HIPAA, the Omnibus Rule was needed to amend HIPAA in accordance with HITECH. HITECH required that a tiered civil financial penalty system was introduced, as well as changes to the harm threshold previously set out by HIPAA. The Omnibus Rule included other additions: it stipulated that the use of ePHI for marketing purposes was illegal, for example. It also modified HIPAA such that it was compliant with the Genetic Information Non-discrimination Act, prohibiting the disclosure of genetic information for underwriting purposes.
HITECH also introduced the Breach Notification Rule – a Rule that required breaches of PHI affecting more than 500 individuals to be reported to HHS within sixty days. Additional procedures were also required in order to inform those affected by the breach and to provide credit monitoring services where necessary. Any breaches that involved fewer patients required a report to be published on the OCR's website. Failure to comply with the Breach Notification Rule incurred a penalty.
The cost of non-compliance with HIPAA law can be significant. If an unforeseeable breach of PHI occurs – such as an unpreventable cyber-attack – CEs will often be asked to agree to a course of corrective action. This can include greater employee training on cybersecurity and threats such as phishing, or upgrading their security systems by implementing two-factor authentication.
Nevertheless, the HHS' Office for Civil Rights has the authority to impose fines of up to $50,000 per violation when breaches of PHI are attributable to wilful neglect of HIPAA law. If such a violation occurs and is reported but not rectified within 30 days, additional fines of up to $50,000 can be levied against the negligent party. It is important to note that ignorance is not considered an adequate excuse for HIPAA violations. Thus, it is imperative that employees are regularly trained on HIPAA legislation and how best to put it into practice.
Such large penalties are necessary to encourage CEs to comply with HIPAA. Thus, they are in place to protect the interests of patients.
Following the publication of the Final Omnibus Rule in 2013, “Business Associates” – entities to whom PHI is lawfully disclosed for the provision of a service on behalf of a healthcare plan, healthcare clearing house or healthcare provider – are also required to comply with HIPAA law and subject to the same penalties when breaches of PHI occur. BAs are usually contracted by the CE to carry out services such as accounting or billing. Therefore, they do not usually create PHI but may be involved in its processing. Before they are hired, BAs are required to sign a Business Associate Agreement (BAA). This essentially means that they agree to abide by HIPAA legislation and maintain the integrity of PHI.
Under HIPAA, both state attorneys general and civilians may bring a lawsuit against CEs or BAs if a breach occurs. Though rarer, the financial penalties associated with such lawsuits are often higher.
HIPAA legislation is undoubtedly complicated, and it would be unfair to expect all employees to have a detailed understanding of its breadth and implications. However, they should know why it was created, what it is for, what it means for their daily workflow and when it applies. Management staff should have a more detailed understanding of the different rules – Privacy, Security, Enforcement, Breach Notification and Omnibus Rules – as this will equip them to deal with privacy-related situations as they arise.
HIPAA breaches are very serious; not only do they attract hefty financial fines, they also put the patient's safety at risk and leave them vulnerable to fraud. Thus, if a breach occurs, all staff should know how to report the breach and what short-term actions can be implemented to prevent further breaches. Patients should also be informed of their rights under HIPAA, and doing so can help prevent privacy violations. Thus, though HIPAA is a complex piece of legislation, there are many practices that help protect patients and the integrity of PHI.