There are many interpretations of the question of what it means to be HIPAA compliant, and therefore many answers. While most of the answers are correct, an explanation of why so many interpretations exist can be useful to students of HIPAA law and HIPAA compliance.
The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 with the primary objective of reforming the health insurance industry. To achieve its objective Title I of HIPAA added new sections to the Employee Retirement Income Security Act and the Public Health Service Act and amended existing sections of the Internal Revenue Code.
The new and amended sections apply to group health plans, health insurance issuers, and health maintenance organizations. So, in this instance, being HIPAA compliant means that qualifying group health plans, health insurance issuers, and health maintenance organizations must comply with the applicable Acts and the Internal Revenue Code as amended by HIPAA.
What is Compliance with Title II of HIPAA?
Title II of HIPAA – the Title from which the Privacy and Security Rules evolved – mostly focuses on amendments to the Social Security Act to establish a fraud and abuse control program to protect federal healthcare plans (i.e., Medicare). Subtitles A to E of Title II effectively increase the civil and criminal penalties for making fraudulent health claims against the government.
It is only when you get to Subtitle F of Title II that you understand why common interpretations of the question of what it means to be HIPAA compliant focus on the privacy of Protected Health Information (PHI) and the confidentiality, integrity, and availability of electronic PHI – and even these sections are well disguised among the provisions for developing transaction standards.
In fact, the small sections of text that relate to the privacy and security of PHI occupy less than one page of the 169-page text of HIPAA. These sections instruct the Secretary for Health and Human Services (HHS) to develop standards for the security of health information created, collected, maintained, or transmitted during electronic transactions, and to make recommendations “with respect to the privacy of certain health information”.
As it was almost seven years before the Privacy Rule became effective, and almost nine years before the Security Rule became effective, it is not even accurate to use these two Rules to answer the question of what it means to be compliant with Title II of HIPAA. So how did the interpretations of what it means to be HIPAA compliant that refer to the Privacy and Security Rules come about?
HIPAA Compliance Effectively Started in 2013
Although HHS had published an Enforcement Rule in 2006 and an Interim Breach Notification Rule in 2009, very few organizations took HIPAA compliance seriously until the publication of the HIPAA Final Omnibus Rule in January 2013. At the time, HHS’ Office for Civil Rights had issued only thirteen civil monetary penalties for HIPAA violations, and State Attorneys General only five.
However, the HIPAA Final Omnibus Rule made several key changes to the enforcement of the Privacy, Security, and Breach Notification Rules. Not only did the Final Rule make business associates directly liable for data breaches, but it also applied a four-tier scale of penalties for HIPAA violations – raising the maximum an organization could be fined for a violation from $25,000 to $1.5 million.
Additionally, the HIPAA Final Omnibus Rule reversed the burden of proof, so that covered entities and business associates choosing not to notify a data breach had to demonstrate a low probability of harm. Previously, HHS’ Office for Civil Rights had to demonstrate a high probability of harm before pursuing enforcement action for a violation of HIPAA – which explains why so few penalties were issued.
Subsequent enforcement action saw a four-fold increase in the number of penalties issued by HHS’ Office for Civil Rights and State Attorneys General as covered entities and business associates scrambled to comply with the “new” Rules. It was because the new Rules came into force 17 years after the passage of HIPAA that many interpretations of what it means to be HIPAA compliant refer only to “post-Omnibus HIPAA”, rather than to any other provisions among the 5 Titles of HIPAA.
What Does it Mean to be HIPAA Compliant in 2023?
Ten years after the publication of the HIPAA Final Omnibus Rule, there are still different interpretations of what it means to be HIPAA compliant. Some answers claim HIPAA compliance is compliance with the Administrative, Physical, and Technical Safeguards of the Security Rule – which can be correct depending on the nature of a business associate’s operations and the notification clause in the Business Associate Agreement.
Other answers may include the Privacy Rule, the Breach Notification Rule, and the entirety of the Security Rule (because there is more to the Security Rule than the three Safeguards), while the most accurate answers include the applicable standards of the HIPAA General Provisions and Transaction Rules – notwithstanding that covered entities and business associates only need to comply with the standards that apply to their functions in order to comply with HIPAA.
If you are unsure about what it means to be HIPAA compliant in 2023 – and you are responsible for the privacy or security of PHI in your organization – it is advisable to seek professional compliance advice. There are a number of changes to HIPAA under consideration which may be implemented in the near future, and it will be easier for organizations that are already compliant with HIPAA to comply with the new regulations than to have two sets of standards to catch up on.