The HIPAA Privacy Rules – or “Standards for Privacy of Individually Identifiable Health Information” – were published in 2002 to protect the confidentiality of patient healthcare and payment data in order to prevent abuse and fraud in the healthcare system. Since their publication, and despite massive advances in technology, the Rules have not changed. The only significant differences between 2002 and today are who the HIPAA Privacy Rules apply to and how they are enforced.
The HIPAA Privacy Rules consist of a series of standards relating to how individually identifiable health information is used and disclosed. There are eighteen “identifiers” which, individually or together, could reveal information about a patient's healthcare or payment history, and these are classified as “Protected Health Information” or “PHI”.
The Rules apply to all PHI, whether it is maintained in electronic or paper format or disclosed orally. They stipulate who can have access to PHI, the circumstances in which it can be used, and who it can be disclosed to. Entities in possession of PHI have to comply with the Rules or face enforcement action by the Department of Health & Human Services' Office for Civil Rights.
The Rules stipulate that PHI in the possession of a Covered Entity cannot be disclosed to a third party without the authorization of the patient(s) to whom the PHI relates. The exception is when the PHI is required for the provision of treatment or for the payment for healthcare or healthcare-related events. When permitted, the disclosure of PHI must be kept to the minimum necessary to accomplish the intended purpose.
Entities covered by the HIPAA Privacy Rules not only have to comply with the Rules, but demonstrate they are doing so by conducting and chronicling risk assessments and risk analyses, and developing policies that are consistent with the Rules. Covered Entities also have to implement measures to address any security weaknesses and vulnerabilities revealed in the risk assessments in order to prevent an unauthorized disclosure of PHI.
Potential threats to the confidentiality of data exist both within each Covered Entity and from outside. Due to an increase in healthcare professionals using their personal mobile devices for work, there is an increased risk of unauthorized disclosures due to the loss or theft of a mobile device. Recent research found more than 40% of data breaches are attributable to portable media – including mobile devices – being lost or stolen.
With healthcare data fetching up to $1,200 for a complete set on the black market, PHI has become a highly sought-after target for cybercriminals. Hackers use many different methods to infiltrate healthcare networks, and Covered Entities have to be prepared to defend against malware, ransomware and phishing attacks to ensure PHI is not disclosed without authorization. Cyberattacks are responsible for more than half of the PHI breaches reported to the HHS' Office for Civil Rights, so phishing training and cybersecurity training are essential for all staff.
One of the most significant changes to the HIPAA Privacy Rules since their original publication is who they apply to. Whereas in 2002, only healthcare providers, health plans, and healthcare clearinghouses – such as billing services and community health information systems – had a responsibility to comply with the HIPAA Privacy Rules, the Rules were changed in 2013 so “Business Associates” were also liable should PHI in their possession be disclosed without authorization.
The term “Business Associate” covers any entity that performs a service for a healthcare provider, health plan or healthcare clearinghouse – including cloud service providers. Although healthcare providers, health plans and healthcare clearinghouses are expected to conduct due diligence on their Business Associates to ensure they are HIPAA-compliant before sharing PHI, the Business Associate can now also be fined for an avoidable breach of PHI.
The HIPAA Privacy Rules are often criticized for a lack of specific guidelines, which leaves them open to interpretation. However, the Rules were deliberately designed that way because healthcare-related industries have diverse structures and the Rules have to be flexible in order to cover the variety of permitted uses and disclosures. Consequently, it is up to every Covered Entity and Business Associate in possession of PHI to ensure they comply with the HIPAA Privacy Rules.
The penalties for non-compliance are substantial. Should a breach of PHI occur in a scenario in which the Covered Entity has made no attempt to comply with the HIPAA Privacy Rules, the HHS' Office for Civil Rights regards the Covered Entity as being “willfully neglectful” and can impose a fine of between $50,000 and $1.5 million. Attorneys General and affected patients can also take legal action, with fines of the same magnitude being imposed on neglectful Covered Entities.