Why was HIPAA created?

HIPAA Regulations

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law on August 21, 1996, but why was HIPAA created? HIPAA was established to “improve the portability and accountability of health insurance coverage” for employees between jobs. Other aims of the Act were to tackle waste, fraud and abuse in health insurance and healthcare provision. The Act also included sections to promote the use of medical savings accounts by introducing tax breaks, to provide coverage for employees with pre-existing medical conditions, and to simplify the administration of health insurance.

The methods for simplifying the administration of health insurance became a catalyst for the healthcare industry to computerize patients’ medical records. This section of the Act led to the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009, which in turn led to the introduction of the Meaningful Use incentive program, referred to by leaders in the healthcare sector as “the most important piece of healthcare legislation to be passed in the last 20 to 30 years”.

The HIPAA Privacy and Security Rules Evolve

Once HIPAA legislation had been passed into law, the US Department of Health and Human Services set about formulating the first HIPAA Privacy and Security Rules. The Privacy Rule set an effective compliance date of April 14, 2003, and it defined Protected Health Information (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual”.

Guidelines were issued on how PHI should be shared, and they required that permission be obtained from patients before their personal information is used for marketing, fundraising or research. The Privacy Rule also gave patients the right to withhold information about their healthcare from health insurance providers when their treatment is privately funded.

The HIPAA Security Rule came into being two years after the initial legislation, on April 21, 2005. Dealing specifically with electronically held PHI (ePHI), the Security Rule laid down three categories of security safeguards – administrative, physical and technical – all of which must be complied with in full in order to adhere to HIPAA. The safeguards have the following aims:

  • Administrative – to put in place policies and procedures that clearly document how the entity will comply with the Act.
  • Physical – to control physical access to areas where data is stored, guarding against inappropriate access.
  • Technical – to keep communications containing PHI secure when they are transmitted electronically over open networks.

What Date Did HIPAA Become Effective?

HIPAA was signed into law on August 21, 1996, but there have been major amendments to HIPAA over the past 20 years including the introduction of the Privacy Rule, Security Rule, Breach Notification Rule, and the Omnibus Final Rule.

The most significant effective dates to remember are: April 14, 2003 for the HIPAA Privacy Rule, with an additional year granted to small health plans, which were required to comply with the Privacy Rule provisions by April 14, 2004.

April 21, 2005 was the effective compliance date for the HIPAA Security Rule. As with the Privacy Rule, small health plans were given an extra year to comply with the requirements of the Security Rule and had an effective compliance date of April 21, 2006.

The HIPAA Breach Notification Rule became live on September 23, 2009 and the Omnibus Final Rule became live on March 26, 2013.

The Enforcement Rule

In light of many covered entities failing to fully comply with the HIPAA Privacy and Security Rules, the Enforcement Rule was introduced in March 2006. This rule gave the Department of Health and Human Services the authority to investigate complaints against covered entities for failing to comply with the Privacy Rule, and to fine covered entities for avoidable breaches of ePHI caused by not following the safeguards outlined in the Security Rule.

The Department’s Office for Civil Rights was also given the power to bring criminal charges against persistent offenders who do not introduce corrective measures within 30 days. Individuals also have the right to bring civil legal action against a covered entity if their personal healthcare information has been disclosed without their permission and the disclosure inflicts “serious harm” on them.

The Breach Notification Rule and HITECH 2009

In 2009 the Health Information Technology for Economic and Clinical Health Act (HITECH) was introduced. HITECH had the main goal of pressing healthcare authorities to begin the use of Electronic Health Records (EHRs) and introduced the Meaningful Use incentive program. Stage one of Meaningful Use was initiated the following year, encouraging healthcare organizations to maintain the Protected Health Information of patients in electronic format, instead of in paper files.

Along with the incentive program came an extension of the HIPAA Rules to Business Associates and third-party suppliers to the healthcare sector, and the introduction of the Breach Notification Rule, which stated that all breaches of ePHI affecting more than 500 people must be reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). The criteria for reporting breaches of ePHI were then expanded in the Final Omnibus Rule of March 2013.

2013: The Final Omnibus Rule

The Final Omnibus Rule of 2013 remains the most recent act of legislation in HIPAA history. The rule did not contain much new legislation, but it filled gaps in the existing HIPAA and HITECH regulations. For instance, it specified the encryption standards that should be applied in order to render ePHI unusable, undecipherable and unreadable in the event of a breach.

Many definitions were changed or enhanced to clear up grey areas. For example, the definition of “workforce” was amended to make it clear that the term includes employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or Business Associate, is under the direct control of that covered entity or Business Associate.

The Privacy and Security Rules were also amended to allow patients’ health information to be held indefinitely (the previous legislation had stipulated that it be held for fifty years), while new procedures were written into the Breach Notification Rule. New penalties were also applied, as dictated by HITECH, to covered entities that fell afoul of the HIPAA Enforcement Rule.

Amendments were also added to account for evolving work practices brought about by technological advances, specifically covering the use of mobile devices. A large number of healthcare professionals now use their own mobile devices to access and transmit ePHI, and the Final Omnibus Rule included new administrative procedures and policies to account for this, and to cover cases that could not have been foreseen in 1996.

After many delays, the final deadline for the United States to adopt ICD-10-CM (Clinical Modification) for diagnosis coding and ICD-10-PCS (Procedure Coding System) for inpatient hospital procedure coding was set as October 1, 2015. All HIPAA covered entities must implement ICD-10-CM.

HIPAA History Important Dates

  • August 1996 – HIPAA signed into law
  • April 2003 – HIPAA Privacy Rule became effective
  • April 2005 – HIPAA Security Rule became effective
  • March 2006 – HIPAA Enforcement Rule became effective
  • September 2009 – HITECH and the Breach Notification Rule became effective
  • March 2013 – Final Omnibus Rule became effective

In certain instances, covered entities (CEs) and Business Associates (BAs) were given a period of time to comply with the provisions of each Rule. For example, although the effective date of the Final Omnibus Rule was March 2013, CEs and BAs were given 180 days to comply.

Final Omnibus Rule Consequences

The Final Omnibus Rule was more successful than any previous legislation in making covered entities aware of the HIPAA safeguards they had to adhere to.

Many healthcare groups, some of which had been in violation of HIPAA for almost two decades, put in place a number of measures to comply with the regulations, such as encrypting data on portable devices and computer networks, establishing secure messaging solutions for internal communications with care teams, installing web filters and taking more care to archive emails securely.

The financial sanctions now being applied for data breaches, together with the substantial costs of issuing breach notifications, providing credit monitoring services and completing damage mitigation, make investment in new technology to protect data appear cost-effective by comparison.

The HIPAA Compliance Audit Program

In 2011, the Office for Civil Rights began a series of pilot compliance audits to examine how well healthcare providers were putting in place HIPAA Privacy and Security Rules. The initial round of audits was finished in 2012 and highlighted the dire state of healthcare compliance.

Audited organizations were found to have committed many violations of the HIPAA Breach Notification Rule, Privacy Rule and Security Rule, with the Security Rule accounting for the largest number of violations. The OCR put in place plans to help those organizations achieve compliance; however, the second round of audits is expected to be stricter.

Audits are predicted to target the specific areas which proved difficult for so many healthcare providers, while a permanent audit plan is being formulated to ensure continued HIPAA compliance. The era of lax security standards has now ended and the healthcare sector, like the financial sector before it, must improve standards to ensure confidential data remains safe.

Any covered entity that does not put in place the necessary controls faces financial penalties, sanctions, potential loss of license and even criminal proceedings for failing to secure ePHI.

Achieving Full HIPAA Compliance

Our “HIPAA Compliance Checklist” details the requirements of the Health Insurance Portability and Accountability Act regarding the storage, transmission and disposal of electronic Protected Health Information, the actions organizations must take in response to a breach, and the policies and procedures that must be implemented to achieve full compliance.

HIPAA regulations may be strict, yet covered groups are permitted some flexibility on the privacy and security measures used to protect data. Data encryption, for example, must be addressed but not necessarily put in place if other controls provide the necessary security protection.

Some of the main technical security measures used to protect and manage ePHI also help to streamline communication and information flow. Organizations that have implemented secure communication channels and established data controls have benefited from improved efficiency, quicker response times and better patient outcomes, while ensuring that patient health data remains secure at all times.

ePHI Technical Safeguards and Personal Identifiers

Data Encryption

Using laptops and other mobile devices to store or access ePHI inevitably leads to a HIPAA breach if those devices are lost, stolen or improperly recycled. Password protection on the devices and the data they contain is a reasonable step to deter unauthorized access, but on its own it is not enough to protect health data. Passwords can be obtained by attackers and do not provide a sufficiently high level of security.

Data encryption converts data into indecipherable symbols, termed cipher text, by means of algorithms that require a key to change the data back into its original form. Data encryption ensures confidentiality, and can also provide other security benefits such as verification of users, access logging, the prevention of record changes and non-repudiation of access and/or theft.

The level of security can be adjusted as appropriate to the sensitivity of the data being safeguarded. Data may be encrypted with a single key used for both encryption and decryption (symmetric encryption) or with separate keys for encryption and decryption (asymmetric encryption).

If a mobile device is lost or stolen, or if computer networks are subjected to a cyberattack, the event will be considered a security breach, but it would not be a HIPAA violation unless the decryption key is also obtained.
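The following Go program is an added illustration of the point above, not code from the original article: it seals a constructed sample record with AES-256-GCM so that the stored bytes are unreadable without the key, and it rejects any change to the stored bytes. The record contents are constructed, and generating and storing the key off the device is assumed rather than shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// Constructed sample ePHI record; not real patient data.
const sampleRecord = `{"mrn":"EXAMPLE-0001","dx":"J45.909","note":"asthma follow-up"}`

// gcmFor builds an AES-256-GCM cipher from a 32-byte key. The key itself
// should live off the device (e.g. in a key management service): a lost
// laptop then holds only ciphertext, which is the case the text describes.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord encrypts plaintext and returns nonce||ciphertext||tag.
func sealRecord(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh per record; never reuse under one key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openRecord decrypts a sealRecord blob. It fails with the wrong key and on
// any change to the stored bytes, since GCM authenticates the ciphertext.
func openRecord(key, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}
```

Opening the blob with a zero key or after flipping one stored byte returns an error, which is the behaviour that keeps a lost device from becoming a readable copy of the records.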

Secure Messaging

The healthcare sector and the pager seem to be almost inseparable, yet this is about to change. The focus on HIPAA compliance currently centers on Smartphones and wearable technology, yet pagers are not HIPAA compliant. All mobile devices send data over unsecured networks and therefore depend on the users not sending ePHI.

BYOD schemes have now been established by many healthcare providers, although modern mobile devices have an even greater capacity to cause HIPAA violations because of the ease with which personal identifiers and ePHI can be transmitted. Policies and procedures may be implemented to control how these devices are used, although surveys indicate that in practice many medical professionals are still using the devices to send ePHI.

Secure messaging solutions address this. They work by holding ePHI in a secure database and allowing authorized medical professionals to access the data via downloadable secure messaging apps. Communications are conducted through a secure messaging platform that has administrative controls in place to review the activity of the authorized professionals. These solutions also allow compliance officers to complete risk assessments, as required by HIPAA and the Office for Civil Rights’ auditors.

Many healthcare groups have reported that the introduction of secure messaging solutions has improved productivity by streamlining communications, increasing message accountability and quickening reaction times. According to studies carried out in HIPAA-compliant medical facilities, efficiency has also improved, leading to a higher standard of healthcare being delivered to patients.

Cloud Storage and HIPAA Compliance

The shift from physical health records to electronic data formats has required major investment in IT infrastructure. The demands placed on healthcare organizations to continually upgrade servers and networks, and to hire the staff to manage data centers, can be considerable. In addition to the hardware, space must be dedicated to housing the equipment and physical controls must be used to manage access.

The computer equipment needed to operate large networks and store healthcare data also requires cooling systems to dissipate the heat it generates. The most affordable solution for many healthcare providers is to outsource data storage and use the cloud to hold data. HIPAA-compliant cloud hosting uses the appropriate controls to secure all stored data with encryption. By outsourcing, healthcare organizations can comply with HIPAA regulations without having to spend so heavily on IT infrastructure.

App Development (Compliant Mobile Platforms)

Mobile health apps are popular with patients for reviewing and monitoring health and fitness, and wearable devices can revolutionize home healthcare. They can be used in tandem with e-visits to provide home healthcare services to patients and reduce healthcare center visits.

Patient portals similarly have great potential to improve interaction between care providers and patients, and to minimize unnecessary spending while helping to improve patient outcomes. The development of HIPAA-compliant mobile app frameworks, compliant storage and HIPAA-compliant web solutions means healthcare providers can gain the benefits of new technology without endangering the privacy and security of patient information.

More technical safeguards to keep ePHI and personal identifiers safe are no doubt in development now and will impact HIPAA history going forward.