The Healthcare Insurance Portability and Accountability Act (HIPAA) was signed into law on August 21, 1996 but why was HIPAA created? What are its aims and why is HIPAA so important? In this post we explain about the history of HIPAA, why the legislation is important, and what it has achieved.
HIPAA was established to “improve the portability and accountability of health insurance coverage” for employees between jobs. Other aims of HIPAA were to tackle waste, fraud and abuse in health insurance and healthcare provision. The Act also included sections to promote the use of medical savings accounts by introducing tax breaks, providing coverage for employees with pre-existing medical conditions and making the administration of health insurance easier.
The methods for simplifying the administration of health insurance became a catalyst to encourage the healthcare industry to computerize patients’ medical records. This particular section of the Act led to the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, which subsequently led to the introduction of the Meaningful Use incentive program. The HITECH Act was referred to by leaders in the healthcare sector as “the most important piece of healthcare legislation to be passed in the last 20 to 30 years”.
The HIPAA Privacy and Security Rules Evolve
Once HIPAA legislation had been passed into law, the US Department of Health and Human Services set about formulating the first HIPAA Privacy and Security Rules. The Privacy Rule had an effective compliance date of April 14, 2003, and defined Protected Health Information (PHI) and limited uses and disclosures of that information. PHI is “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual”.
Standards were introduced on how PHI could be shared and required permission to be obtained before that information could be used for marketing, fundraising and research and allowed them to obtain copies of their health information from their providers. The Privacy Rule also allowed patients to withhold information about their healthcare from health insurance companies when their treatment is privately funded.
The HIPAA Security Rule came into being two years after the Privacy Rule on April 21, 2005. Dealing specifically with electronically held PHI (ePHI), the Security Rule laid down three security safeguards – administrative, physical and technical – that must be implemented in full in order to be compliant with HIPAA. The safeguards had the following aims:
- Administrative – To put in place policies and procedures designed to clearly display how the entity will comply with the HIPAA
- Physical – To manage physical access to areas of data storage to safeguard against inappropriate access
- Technical – To ensure communications containing ePHI were secured when transmitted electronically over open networks
What Date Did HIPAA Become Effective?
HIPAA was signed into law on August 21, 1996, but there have been major amendments to HIPAA over the past two decades, including the introduction of the Privacy Rule, Security Rule, Breach Notification Rule, and the Omnibus Final Rule.
The most significant effective dates to remember are:
- August 21, 1996 was the date HIPAA was signed into law
- April 14, 2003 for the HIPAA Privacy Rule, although there was an addition of one year for small health plans which were not required to comply with HIPAA Privacy Rule provisions by April 14, 2004.
- April 21, 2005 was the effective compliance date for the HIPAA Security Rule. Similar to the HIPAA Privacy Rule, small health plans were given an extra year to comply with its requirements and had an effective compliance date of April 21, 2006.
- March 2006 –Date the HIPAA Breach Enforcement Rule became effective
- September 23, 2009 saw the introduction of the HIPAA Breach Notification Rule
- March 26, 2013 was the date the Omnibus Final Rule was signed into law
The Enforcement Rule
As a result of many covered bodies failing to fully comply with the HIPAA Privacy and Security Rules, the Enforcement Rule was introduced in March 2006. This rule gave the Department of Health and Human Services the authority to investigate complaints against covered entities over failures to comply with the Privacy and Security Rules and the authority to fine covered entities for serious violations of HIPAA.
The HHS’ Office for Civil Rights (OCR) was also given the power to bring criminal charges against continual offenders who do not introduce corrective measures within 30 days to address known HIPAA violations.
The Breach Notification Rule and the HITECH Act
In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was introduced. The HITECH Act had the main goal of encouraging healthcare providers to adopt electronic health records (EHRs) and introduced the Meaningful Use incentive program. Stage one of Meaningful Use was initiated the following year, which encouraged healthcare organizations to maintain the protected health information of patients in electronic format, instead of using paper files and charts. Financial incentives were offered to offset the cost of implementing EHRs.
Along with the incentive program also came an extension of HIPAA Rules to business associates – third-party vendors serving the healthcare sector – and the introduction of the Breach Notification Rule. The Breach Notification Rule requires all breaches of PHI affecting 500 or more people to be reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) within 60 days of the discovery of a breach. Small breaches can be reported annually. Notifications must also be sent to affected individuals within 60 days of the discovery of a breach. The criteria for reporting breaches of PHI were augmented in the Omnibus Final Rule of March 2013.
2013: The Omnibus Final Rule
The Omnibus Final Rule of 2013 remains the most recent act of legislation in HIPAA history. The rule did not contain much new legislation, but filled gaps in existing HIPAA and HITECH Act regulations. For instance, it specified the encryption standards that should be applied in order to render ePHI unusable, undecipherable and unreadable in the event of a breach.
Many definitions were changed or enhanced to clear up gray areas, for example, the definition of “workforce” was amended to make it obvious that the term includes employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or Business Associate, is under the direct management of the covered entity or business associate.
The Privacy and Security Rules were also amended to allow patient’s health information to be held indefinitely (the previous legislation had stipulated it be held for fifty years), while new procedures were written into the Breach Notification Rule. New penalties were also applied – as dictated by the HITECH Act – to covered entities that fell afoul of the HIPAA Enforcement Rule.
Amendments were also added to account for evolving work practices brought about due to technological advances, specifically covering the use of mobile devices. A major number of healthcare professionals are now using their own mobile devices to access and transmit ePHI, and the Final Omnibus Rule included new administrative procedures and policies to account for this, and to cover use cases which could not have been predicted in 1996. The full Omnibus Final Rule can be seen here.
After many delays, the final deadline for the United States to use Clinical Modification ICD-10-CM for diagnosis coding and the Procedure Coding System ICD-10-PCA for inpatient hospital procedure coding was set as October 1, 2015.
Final Omnibus Rule Consequences
The Omnibus Final Rule was more successful than any previous legislation in making covered entities more aware of HIPAA safeguards.
Many healthcare organizations – who had been in violation of HIPAA for almost two decades – put in place a number of measures to adhere with the regulations, such as using data encryption on portable devices and computer networks, establishing secure messaging solutions for internal communications with care teams, and taking more care to archive emails and other data safely and securely.
This was due, mostly, to the increased penalties for HIPAA violations. The financial sanctions now being applied for data breaches caused as a result of HIPAA violations, along with the massive costs of issuing breach notifications, providing credit monitoring services, and completing damage mitigation, makes investment in new technology to protect data cost effective by comparison.
The HIPAA Compliance Audit Program
In 2011, the Office for Civil Rights began a series of pilot compliance audits to examine how healthcare organizations were progressing with their HIPAA Privacy and Security Rule compliance programs. The initial round of audits was finished in 2012 and highlighted the dire state of healthcare compliance.
Audited organizations were found to have violated HIPAA Breach Notification Rule, Privacy Rule and Security Rule requirements, with the latter often the main reason why data breaches occurred. OCR put in place plans to help those organizations achieve compliance, such as issuing technical advice and releasing guidance on compliance with various HIPAA provisions.
The second phase of compliance audits commenced in 2016 and assessed compliance with specific areas of HIPAA which proved difficult for so many covered entities in the past. A permanent audit program is expected to follow. The era of lax security standards has now ended and the healthcare sector, like the financial sector before it, must now ensure standards are met and confidential data remains safe and secure.
Any covered entity that does not put in place the necessary controls to secure patient data, or violates the provisions of the HIPAA Privacy Rule, faces financial penalties, sanctions, potential loss of license and even criminal proceedings.
Achieving Full HIPAA Compliance
Our HIPAA Compliance Guide details the make-up of the Health Insurance Portability and Accountability Act with respect to the storage, transmission and disposal of electronic protected health information, the actions covered entities and business associates must take following date breaches and the policies and procedures which must be implemented to gain full compliance with all aspects of HIPAA Rules.
HIPAA regulations may be strict, yet covered entities are given a degree of flexibility with regards to the privacy and security measures they implement. Data encryption, for example, must be addressed but not necessarily put in place if other controls provide the necessary security protections. The flexibility also makes it easier for small healthcare organizations to comply with HIPAA.
Some of the main technical security measures used to protect and manage ePHI actually help to streamline communication and information flow, and organizations which have implemented secure communications channels and established data controls have benefited from improved efficiency, quicker response times, and have improved patient outcomes, while ensuring patient health data remains fully secure at all times.
ePHI Technical Safeguards and Personal Identifiers
Using mobile devices for storing or accessing ePHI often leads to a data breach if those devices are lost, stolen or improperly disposed. Password protection on the devices – and the data they contain – is a reasonable step to stop unauthorized access, but alone it is not enough to provide the necessary protection for health data. Passwords can be guessed by hackers and do not provide a sufficiently high level of security.
Data encryption involves the conversion of data into indecipherable symbols – termed cipher text – by complex algorithms. A security key is required to change the data back into its original form. Data encryption ensures privacy, but can provide other security benefits such as verification of users, access logging, the prevention of record changes and non-repudiation of access and/or theft.
The level of encryption can be based on the sensitivity of the data it is used to safeguard. Data may be encrypted with single security key access or with separate keys for encryption and decryption (symmetric and asymmetric data encryption). NIST guidelines should be followed for encryption as some methods of encryption are not as secure as was thought at the time when the encryption standards were introduced.
If a mobile device is lost or stolen or if computer networks are subjected to a cyberattack, while this will be considered a security breach, it would not be a HIPAA violation or reportable breach unless the access key is also obtained.
The healthcare sector and the pager seem to be almost inseparable, yet this now changing. Pagers are not HIPAA compliant and their uses are limited. Mobile devices such as smartphones have many more benefits, but they cannot be used to send identifiable patient data over unsecured networks.
BYOD schemes have now been established by many healthcare providers, although the use of modern mobile devices have even greater potential to result in HIPAA violations due to the ease at which personal identifiers and ePHI can be transmitted. Policies and procedures may be implemented to control how these devices can are used, although surveys indicate that in practice many medical professionals still use the devices to send ePHI.
Secure messaging solutions serve as more useful alternatives to pagers and allow ePHi to be transmitted on mobile devices without violating HIPAA Rules. They work by managing ePHI on a secure database and then allowing only authorized medical professionals to view the data via downloadable secure messaging apps. Communications are conducted through a secure messaging platform which has administrative controls in place to limit access and audit controls to review the activity of users.
Many covered entities have reported that the introduction of secure messaging solutions has improved productivity by streamlining communications, increasing message accountability and quickening response times. According to studies carried out in HIPAA-compliant medical facilities, efficiency has also improved, leading to a higher standard of healthcare being delivered to patients.
Cloud Storage and HIPAA Compliance
The shift from physical health records to electronic data formats has needed major investment in IT infrastructure. The demands inflicted on healthcare organizations to continually upgrade servers and networks, and hire the staff to manage data centers, can be considerable. In addition to the hardware, space must be dedicated to storing the equipment and physical controls must be used to manage access.
The computer equipment now needed to operate large networks and store healthcare data needs cooling systems to be installed to dissipate the heat the equipment generates. The most affordable solution for many healthcare providers is to outsource IT and data storage and take advantage of the cloud. HIPAA-compliant cloud hosting incorporates all the appropriate controls to secure stored and transmitted data and satisfies the requirements of the HIPAA Security Rule. By outsourcing, healthcare organizations can comply with HIPAA regulations without having to spend so much on IT infrastructure.
App Development (Compliant Mobile Platforms)
Mobile health apps are popular with patients for reviewing and monitoring health and fitness, and wearable devices can revolutionize home healthcare. They can be used in tandem with e-visits to provide home healthcare services to patients and reduce healthcare center visits.
Patient portals similarly have great potential to improve interactions between care providers and patients while minimizing unnecessary spending and helping to improve patient outcomes. The development of HIPAA compliant mobile app frameworks, compliant storage and HIPAA compliant web solutions means healthcare providers can gain the benefits of new technology without endangering the privacy and security of patient information.
More technical safeguards to keep ePHI safe and secure will no doubt be required as technology advances and further changes to HIPAA can be expected in the future.
Origins of HIPAA: FAQ
What is insurance portability?
Simply put, health insurance portability gives the policyholder the right to transfer benefits such as no-claims bonuses when they switch insurance providers. It also prevents individuals being denied policies based on pre-existing conditions. Granting these rights to individuals was one of the main motivators of creating HIPAA.
What is the difference between HIPAA and HITECH?
HIPAA is the Health Insurance Portability and Accountability Act of 1996. It covers a variety of topics but is most well-known as an act that establishes standards and procedures to safeguard patients’ protected health information.
HITECH is the Health Information Technology for Economic and Clinical Health Act, passed in 2009. It incentivized healthcare organizations to use electronic health records (EHRs). It also introduced new penalty and patient notification structures in the event of a HIPAA violation.
How does HIPAA define PHI?
Protected Health Information is defined as any data that includes one of the 18 following identifiers:
- All elements (except years) of dates related to an individual (including birthdate, admission date, discharge date, date of death, and exact age if over 89)
- Telephone numbers
- Fax number
- Email address
- Social Security Number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate or license number
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- Web URL
- Internet Protocol (IP) Address
- Finger or voice print
- Photographic image
- Any other characteristic that could uniquely identify the individual
If these pieces of data are contained in information that is used in a HIPAA-covered transaction, the information is considered to be PHI and must be protected. This also relates to electronic PHI, which is any PHI that is created, stored, or transmitted electronically.
What are the main HIPAA Rules?
Since it was enacted in 1996, HIPAA has been updated several times. This includes adding “Rules” to the Act, which stipulate standards and procedures required to safeguard patient privacy. Some important rules are:
- The HIPAA Privacy Rule (2003), which stipulates who can access PHI and how they can use it.
- The HIPAA Security Rule (2005) outlines the minimum administrative, technical, and physical safeguards needed to maintain the integrity of PHI.
- The HIPAA Enforcement Rule (2006), which allowed the Department for Health and Human Services to investigate HIPAA breaches and issue fines.
- The HIPAA Breach Notification Rule (2009), which lays out the procedures a CE must undertake after they identify a HIPAA breach.
- The HIPAA Omnibus Final Rule (2013), which covered a variety of topics and generally updated the Act.
These rules also apply to Business Associates (BA).