The HIPAA Privacy Rule – or “Standards for Privacy of Individually Identifiable Health Information” – were introduced in 2002 to protect the confidentiality of patient healthcare and payment data in order to prevent abuse and fraud in the healthcare system. Since their publication, and despite massive advances in technology, the Rules have not changed. The only significant differences between 2002 and today is who the HIPAA Privacy Rules apply to and how they are enforced.
The HIPAA Privacy Rule consists of a series of standards relating to how individually identifiable health information can be used and disclosed. There are eighteen “identifiers” which individually or together could reveal information about a patient’s healthcare or payment history. When these are combined with health information data is classified as “Protected Health Information” or “PHI”.
The Privacy Rule applies to all PHI, whether it is maintained in electronic or paper format, as well as when it is disclosed orally. They stipulate who can have access to PHI, the circumstances in which PHI can be used, and whom it can be disclosed. Entities that create, maintain, receive, store or transmit PHI electronically have to comply with the Privacy Rule or face enforcement actions by the Department of Health & Human Services´ Office for Civil Rights and state attorneys general.
The Privacy Rule stipulates that PHI in the possession of a Covered Entity cannot be disclosed to a third party without the authorization of the patient(s) to whom the PHI relates to. The exception is when the PHI is required for the provision of treatment or for the payment for healthcare or healthcare operations (Commonly referred to as TPO). When permitted, the disclosure of PHI must be kept to the minimum necessary amount to accomplish the intended purpose. For uses other than TPO, without individual authorizations from patients, uses and disclosure – with some very limited exceptions – are prohibited.
Entities covered by the HIPAA Privacy Rule not only have to comply with its provisions, they must also demonstrate they are doing so by documenting their compliance efforts and developing policies that are consistent with its requirements.
The HIPAA Privacy Rule also gives a number of rights to patients and health plan members. They are given the right to access the PHI held on them by a Covered Entity or Business Associate. Copies of PHI must be provided within 30 days of a request being received. They have the right to request amendments be made to their health information if errors are identified. Individuals must be informed, via a Notice of Privacy Practices, how their health information will be used by the covered entity and their rights under HIPAA. Patients can file complaints against a Covered Entity or Business Associate if they believe their rights or HIPAA Rules have been violated.
Individuals can also request a copy of a Covered Entity’s accounting of disclosures – A list of disclosures of an individual’s PHI that have been made, to whom, and for what purpose. They can also request to restrict disclosures of their PHI.
Potential threats to the confidentiality of data exist both within each Covered Entity and from outside. Due to an increase in healthcare professionals using their personal mobile devices for work, there is an increased risk of unauthorized disclosures due the loss or theft of mobile devices. Recent research found more than 40% of data breaches are attributable to portable media – including mobile devices – being lost or stolen.
With healthcare data fetching hundreds of dollars for a complete set of health records on the black market, PHI has become a highly-sought after target for cybercriminals. Hackers use many different methods to infiltrate healthcare networks, and Covered Entities have to be prepared to defend against intrusions, malware, ransomware, and phishing attacks to ensure PHI is not obtained by unauthorized individuals. Cyberattacks are behind more than half of the PHI breaches reported to the HHS´ Office for Civil Rights each year. So security awareness and cybersecurity HIPAA training is essential for all employees.
One of the most significant changes to the HIPAA Privacy Rule since its original enactment is to whom the Rule applies. Whereas in 2002, only healthcare providers, health plans, and healthcare clearinghouses had a responsibility to comply with the HIPAA Privacy Rule, the Omnibus Final Rule in 2013 expanded compliance requirements to Business Associates of HIPAA covered entities. Since the Omnibus Final Rule was signed into law, Business Associates of HIPAA covered entities can be fined directly for violations of the HIPAA Privacy and Security Rules.
The term Business Associate covers any entity that performs a service for a healthcare provider, health plan or healthcare clearinghouse that requires contact with PHI. Although healthcare providers, health plans and healthcare clearinghouses are expected to conduct due diligence on their Business Associates to ensure they are HIPAA-compliant before sharing PHI, Business Associates can be fined for avoidable breaches of PHI.
Some aspects of compliance with the HIPAA Privacy Rule is left to the discretion of the covered entity or business associate. The Privacy Rule was deliberately designed that way because healthcare organizations have diverse structures. HIPAA Rules need to incorporate some flexibility to to cater to the different types and sizes of covered entity and the varied ways in which they operate.
It is the responsibility of every Covered Entity and Business Associate to assess all requirements of the HIPAA Privacy Rule and ensure that they are in compliance with all of its provisions.
If Covered Entities or Business Associates are discovered to have violated any aspect of HIPAA Rules, the penalties for noncompliance can be considerable. The maximum penalty for each violation is $50,000 up to a total annual penalty of $1,500,000 per violation category per year in cases where there has been willful neglect of HIPAA Rules and no effort has been made to correct the violation within a reasonable time frame. Even less egregious violations of HIPAA Rules carry stiff penalties, as detailed in the infographic below.