Most people in healthcare-related industries know the basics of HIPAA law, usually in relation to their specific roles. However, in order to fully understand HIPAA compliance and why HIPAA regulations are written in the way they are, it is beneficial to be aware of the origins of the Healthcare Insurance Portability and Accountability Act and the changes made to HIPAA law since its enactment in 1996. If every Covered Entity and Business Associate is aware of this broader information and builds it into employee training courses, it can help to prevent accidental HIPAA violations.
The origins of HIPAA law go back a long way before the Healthcare Insurance Portability and Accountability Act was enacted in 1996. The original proposals – to prohibit self-insuring employers and the insurance industry from denying coverage to employees with pre-existing conditions – evolved from Congressional Acts such as the Employee Retirement Income Security Act (ERISA) in 1974 and the Consolidated Omnibus Reconciliation Act of 1985 (COBRA). However, in the early 1990’s it was decided the existing patchwork of data privacy laws needed standardization. Thus, a second Title was added to HIPAA requiring HIPAA Covered Entities to establish policies and procedures for maintaining the privacy and security of individually identifiable health information (the “Administrative Simplification Rules”).
The proposals relating to healthcare insurance portability and accountability were passed under the Senate´s Health Insurance Reform Bill in 1995 and eventually became Title I of HIPAA. The Administrative Simplification Rules were added as Title II, and subsequently further Titles were added relating to medical savings accounts (Title III), group health insurance requirements (Title IV), and tax deductions for employers providing company-owned life insurance premiums (Title V). The five Titles of HIPAA law were passed by the House in March 1996, and by the Senate in April 1996, before being signed into law in August 1996.
However, the privacy and security regulations most people associate with HIPAA law did not materialize until 1999, when the Department of Health & Human Services (HHS) released a proposed “Privacy Rule” for public comment in compliance with the Administrative Simplification Rules. Detailed further below, the Privacy Rule primarily sought to define “Protected Health Information” as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to the individual”. This is an important definition, as it clarified what kinds of data HIPAA applies to. In addition to the Privacy Rule, HIPAA has seen the incorporation of other rules since it was signed into law.
A final Privacy Rule was published in December 2000 and subsequently modified in 2002. Defined above, the Rule set the standards for the protection of individually identifiable health information (termed “Protected Health Information”, or “PHI”) by health plans and healthcare clearinghouses, and healthcare providers. The standards had the objective of protecting personal data in order to prevent fraud and abuse in the healthcare system; but because they apply to so many use cases, the language used in the Privacy Rule may seem somewhat ambiguous in places.
Examples of PHI include:
A final Security Rule was published three years after the Privacy Rule. This Rule established national standards to ensure the confidentiality, integrity and availability of PHI when it is created, received, used, stored or transmitted electronically. The Security Rule requires the implementation of appropriate administrative, physical and technical safeguards. HIPAA-covered entities were required to comply with the Security Rule safeguards by April 2005.
Frustratingly, many safeguards are vague in their terminology. There was deliberate intention behind this, as it ensured that the Rule did not need to be routinely updated as technology advanced. Many safeguards – primarily the technical safeguards – are termed “addressable”. This means that if another technology, other than the one specified in the legislation, provides at least the same degree of protection it can be used instead.
An important addressable safeguard is encryption. It is important to ensure that all PHI is encrypted according to NIST standards once it leaves the protection of a company’s firewall. PHI is valuable, with a “complete” set of data fetching hundreds of dollars on the black market. Consequently, healthcare organizations are targeted by hackers seeking access to PHI. The number of cyberattacks on healthcare organizations continue to increase. The safeguards demanded by the HIPAA Security Rule are therefore of vital importance.
Physical safeguards are varied but most are intuitive. They are perhaps the most important safeguards as far as the day to day workflows of healthcare employees are concerned. They include making sure that physical PHI and mobile devices containing PHI are not left unattended. Many data breaches have occurred as a result of mobile devices being lost or stolen.
Administrative safeguards are often overlooked, but their importance should not be underestimated. The administrative safeguards are largely related to policies and procedures, and include workforce training, appointing a HIPAA officer. The Security Rule requires organizations to conduct regular audits on their practices, as well as ensuring that they have clear means of reporting violations.
In 2003, HHS published the first “Procedures for Investigations, Imposition of Penalties and Hearings” for enforcing HIPAA law. This was largely as a response to Covered Entities who were aware of HIPAA, but chose not to comply with its requirements. A draft HIPAA Enforcement Rule was published in 2005, and took effect in 2006. The Enforcement Rule was supposed to address the unauthorized use or disclosure of PHI and resolve complaints from the public about breaches of the Privacy Rule, such as when they were not allowed access to their own health information.
The new rule also allowed the Department of Health and Human Services (HSS) to prosecute any Covered Entity found to be violating HIPAA. Specifically, the HHS’ Office for Civil Rights was given guidelines on how to conduct investigations if a breach is reported. The Enforcement Rule also instructs OCR on how to determine the most appropriate punishment for HIPAA breaches, depending on the situation.
OCR lacked the resources to deal with the volume of complaints received from the public, and very little enforcement action was taken until the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009. This Act introduced the Breach Notification Rule and new penalties for violating HIPAA which gave HHS the tools to effectively enforce HIPAA law.
The aim of the HITECH Act was to make the healthcare system more efficient by encouraging the adoption and meaningful use of health information technology. In order to ensure compliance with the HIPAA Privacy and Security Rules as the volume of electronic transactions increased, higher penalties were introduced for noncompliance.
As a result of the HITECH Act, the Omnibus Final Rule was added to HIPAA legislation. The most recent addition to HIPAA, the Omnibus Final Rule was needed to amend HIPAA and introduce requirements of the HITECH Act. The HITECH Act mandated a new, tiered civil monetary penalty system and also changed the harm threshold previously set out by HIPAA. The Omnibus Final Rule included other additions: It stipulated that the use of ePHI for marketing purposes was not permitted, for example. It also modified HIPAA to make HIPAA compliant with the Genetic Information Non-discrimination Act, prohibiting the disclosure of genetic information for underwriting purposes.
The HITECH Act also introduced the Breach Notification Rule – A Rule that requires breaches of PHI to be reported to HHS and for notifications to be sent to victims of breaches. Notifications to affected individuals must be sent within sixty days of the discovery of a breach. Breaches of 500 or more records must be reported to the HHS within 60 days and a media notice must be issued to a prominent media outlet serving the area where breach victims are located. Smaller breaches must be reported to the HHS within 60 days of the end of the calendar year in which the breach occurred.
The cost of non-compliance with HIPAA law can be significant. If a breach of PHI occurs – such as an cyber-attack – the incident may be investigated by OCR. If HIPAA violations are discovered during the course o that investigation, CEs will be instructed to agree a course of corrective action. This can include further employee training, upgrades to security, and revisions of policies and procedures.
Serious violations of HIPAA Rules, including widespread noncompliance, can attract financial penalties. The HHS’ Office of Civil Rights has the authority to impose fines of up to $50,000 per violation. The maximum penalty for violations of the same provision is $1,500,000 per year in the highest penalty tier. Such large penalties are necessary to encourage CEs to comply with HIPAA. Thus, they are in place to protect the interests of patients.
It is important to note that ignorance of HIPAA requirements is not considered an adequate excuse for HIPAA violations. Thus, it is imperative that employees are regularly trained on HIPAA legislation and know how to apply the requirements to their working lives.
The situation regarding HIPAA law and Business Associates is complicated by several changes to the Privacy and Security Rules subsequent to their original publication. For example, the Department of Health and Human Services´ Guide for Business Associates opens by stating “By law, the HIPAA Privacy Rule only applies to Covered Entities”.
However, subsequent guidance issued by the HHS´ Office for Civil Rights relating to liability for HIPAA violations states that Business Associates are directly liable for certain violations of the Privacy Rule – for example the failure to comply with the Minimum Necessary Standard or release PHI to a patient when requested to do so.
The relationship between HIPAA Law and Business Associates with regards to the Security Rule has been clear since 2013 – 45 CFR § 164.302 amended to state: “A Covered Entity or Business Associate must comply with the applicable standards, implementation specifications, and requirements [of the HIPAA Security Rule] with respect to electronic Protected Health Information of a Covered Entity”.
The Breach Notification Rule has applied to Business Associates since 2009. However, under 45 CFR § 164.410, Business Associates are only required to report a breach to the Covered Entity for whom they are providing a service. There is no requirement to notify the breach to the Department of Health and Human Services. That burden still belongs to the Covered Entity.
Consequently, Business Associates need to have a solid understanding of HIPAA law to determine which parts of the law applies to their relationship with a Covered Entity. It is also important to ensure appropriate safeguards are put in place to prevent any disclosure of ePHI other than provided for in the Business Associate Agreement with the Covered Entity.
It is a legal requirement that all patients must be made aware of their rights under HIPAA. Most CEs choose to inform patients via their Notice of Privacy Practices that patients are required to read and sign before healthcare services are provided. Some key points may be highlighted to the patient verbally by the person collecting the data or highlighted on an electronic form if one is being used.
Some of those key rights include the right to:
HIPAA legislation is undoubtedly complicated, and it would be unfair to expect all Covered Entities and Business Associates to have a detailed understanding of its breadth and implications. However, they should know why it was created, what it is for, what it means for their daily workflow and when and how HIPAA applies. Management should have a more detailed understanding of the different rules – Privacy, Security, Enforcement, Breach Notification and Omnibus Rules – as this will equip them to deal with privacy-related situations as they arise.
HIPAA breaches are very serious; not only do they attract hefty financial fines, they also put the patient safety at risk and leaves them vulnerable to fraud. Thus, if a breach occurs, all staff should know how to report the breach and what short-term actions can be implemented to prevent further breaches. Patients should also be informed of their rights under HIPAA, and doing so can help prevent privacy violations. While HIPAA is a complex piece of legislation, there are many practices that help protect patients and the privacy and security of health information.
Strictly speaking, the term “HIPAA law” applies to the five Titles of the Healthcare Insurance, Portability and Accountability Act 1996. However, most people in the healthcare industry are only concerned about Title II (the Administration Simplification Rule) which led to the development of the HIPAA Privacy and Security Rules, the HITECH Act, and the Breach Notification Rule.
The content of HIPAA law – in the context of the HIPAA Privacy Rule - was originally proposed by the Department for Health and Human Services (HHS) in 1999. Following stakeholder comments, public hearings, and other communications, HHS published the original Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”) in December 2000.
The HIPAA laws have been frequently changed or added to since the publication of the original Privacy Rule in 2000. The Privacy Rule itself was modified in 2002 to address concerns of the healthcare industry, and then again following the enactment of the HITECH Act in 2009. Further proposed changes are currently under consideration.
Prior to the HIPAA law being introduced – specifically the Privacy Rule – a patchwork of state and federal laws existed that often failed to prevent unauthorized disclosures of personal health information. The Privacy Rule introduced a minimum national set of standards that protect the confidentiality of personal health information.
Prior to HIPAA law being enacted, ten states granted individuals privacy rights in their constitutions. In addition, the privacy of some individuals suffering specific conditions was required by law – for example, the Veterans Omnibus Health Care Act 1976 protects the privacy of medical records held by the Department of Veterans Affairs relating to drug abuse, alcohol abuse, and AIDS.
Unless a patient was protected by an existing state or federal privacy law, healthcare information could be exchanged between (for example) health plans and finance agencies which might affect the patient´s ability to apply for a home mortgage. Similarly, a health plan could increase a patient´s premiums or deductible - even if a patient had paid for treatment privately.
Although HIPAA is a federal law which applies to businesses in the U.S., there can be scenarios in which it applies internationally. These scenarios occur when a Covered Entity or Business Associate discloses PHI to a third party service provider located outside the U.S. – for example a European-based data analysis company.
As a Business Associate to a Covered Entity (or other Business Associate), the European-based data analysis company must enter into a Business Associate Agreement requiring the company to comply with the Security Rule, the Breach Notification Rule, and whichever provisions of the Administrative Requirements and Privacy Rule are stipulated by the Business Associate Agreement.