
HIPAA (Health Insurance Portability and Accountability Act)

By Ben Lutkevich

HIPAA (Health Insurance Portability and Accountability Act) is United States legislation that provides data privacy and security provisions for safeguarding medical information. The law has gained greater prominence in recent years as cyberattacks and ransomware have caused many health data breaches at health insurers and providers.

The federal law was signed by President Bill Clinton on Aug. 21, 1996. HIPAA overrides state laws regarding the safety of medical information, unless the state law is considered more stringent than HIPAA.

What is the purpose of HIPAA?

HIPAA, also known as Public Law 104-191, has two main purposes: to provide continuous health insurance coverage for workers who lose or change their job and to ultimately reduce the cost of healthcare by standardizing the electronic transmission of administrative and financial transactions. Other goals include combating abuse, fraud and waste in health insurance and healthcare delivery, and improving access to long-term care services and health insurance.

What are the 5 main components of HIPAA?

HIPAA contains five sections, or titles:

In healthcare circles, adhering to HIPAA Title II is what most people mean when they refer to HIPAA compliance. Also known as the Administrative Simplification provisions, Title II includes the following HIPAA compliance requirements:

The HHS Office for Civil Rights (OCR), which enforces HIPAA, performs audits and can issue penalties for HIPAA noncompliance. HIPAA violations can prove quite costly for healthcare organizations.

HIPAA Privacy Rule

The Standards for Privacy of Individually Identifiable Health Information, commonly known as the HIPAA Privacy Rule, establishes the first national standards in the United States to protect patients' personal or protected health information (PHI).

HHS issued the rule to limit the use and disclosure of sensitive PHI. It seeks to protect the privacy of patients by requiring doctors to provide patients with an account of each entity to which the doctor discloses PHI for billing and administrative purposes, while still allowing relevant health information to flow through the proper channels.

The Privacy Rule also guarantees patients the right to receive their own PHI, upon request, from healthcare providers covered by HIPAA.

The HIPAA Privacy Rule applies to organizations that are considered HIPAA-covered entities. It also requires covered entities that work with a HIPAA business associate (BA) to execute a contract that imposes specific safeguards on the PHI the BA uses or discloses.

What are HIPAA-covered entities?

HIPAA only applies to covered entities and their BAs.

A HIPAA-covered entity is any organization or corporation that directly handles PHI or personal health records (PHRs). Covered entities are required to comply with HIPAA and HITECH (Health Information Technology for Economic and Clinical Health) Act mandates for the protection of PHI and PHRs.

Covered entities fall into three categories:

  1. Healthcare provider. Healthcare providers include doctors, clinics, psychologists, dentists, chiropractors, nursing homes and pharmacies.
  2. Health plan. Health plans include health insurance companies, health maintenance organizations (HMOs), company health plans and government healthcare programs, such as Medicare, Medicaid and military healthcare programs.
  3. Healthcare clearinghouse. Healthcare clearinghouses are entities that process nonstandard health information they receive from another entity into a standard format or vice versa. Examples include billing services and community healthcare systems for managing health data.

Entities can use the HHS online tool to determine if they qualify as a HIPAA-covered entity or BA and, consequently, if they must comply with HIPAA or not.

What information is protected under HIPAA?

The HIPAA Privacy Rule protects all individually identifiable health information that is held or transmitted by a covered entity or a BA. This information can be held in any form, including digital, paper or oral.

PHI includes but is not limited to the following:

PHI does not include the following:

Specific examples of PHI include a medical record, laboratory report or hospital bill because these documents contain identifying information -- the patient's name, for example -- associated with health data.

One example of information that is not PHI would be blood pressure or heart rate data collected by a consumer health device, like a smartwatch, because it is not shared with a covered entity.

Administrative requirements

The Privacy Rule lays out certain administrative requirements that covered entities must have in place.

These requirements include the following:

HIPAA-permitted uses and disclosures

The HIPAA Privacy Rule defines when a covered entity may use or disclose an individual's PHI. There are two conditions in which use or disclosure is allowed:

  1. if the Privacy Rule specifically permits or requires it -- the Privacy Rule permits a covered entity to use the data itself or to transmit it to another covered entity; and
  2. if the subject of the information gives written authorization.

These stipulations aim to facilitate the interoperability of the health information technology (IT) environment by making sure that electronic health information is made available to the right people at the right time. In certain cases -- like a national emergency (a pandemic, for example) -- parts of the Privacy Rule may be changed to permit PHI disclosure that would, in normal circumstances, be a violation.

HIPAA Privacy Rule penalties

Under the HIPAA Privacy Rule, falling victim to a healthcare data breach, as well as failing to give patients access to their PHI, could result in a fine from OCR.

Privacy Rule penalties vary with the severity of the infraction and are split into four tiers:

  1. Unknowing violation: $100 per violation, with an annual maximum of $25,000 for repeat violations.
  2. Violation due to reasonable cause: $1,000 per violation, with an annual maximum of $100,000 for repeat violations.
  3. Willful neglect, corrected within the required time period: $10,000 per violation, with an annual maximum of $250,000 for repeat violations.
  4. Willful neglect, not corrected: $50,000 per violation, with an annual maximum of $1.5 million for repeat violations.

Covered entities and individuals who intentionally obtain or disclose PHI in violation of the HIPAA Privacy Rule can be fined up to $50,000 and receive up to one year in prison. If the HIPAA Privacy Rule is violated under false pretenses, the penalties can be increased to a $100,000 fine and up to 10 years in prison.

Organizations can lower their risk of regulatory action through HIPAA compliance training programs. OCR offers guidance through educational programs on complying with privacy and security rules. A number of consultancies and training groups offer programs as well. Healthcare providers may also choose to create their own training programs, which often encompass each organization's current HIPAA privacy and security policies, the HITECH Act, mobile device management (MDM) processes and other applicable guidelines.

While there is no official HIPAA compliance certification program, training companies offer certification credentials to indicate an understanding of the guidelines and regulations specified by the act.

HIPAA Security Rule

The Security Standards for the Protection of Electronic Protected Health Information, commonly known as the HIPAA Security Rule, establishes national standards for securing patient data that is stored or transferred electronically. It draws from the National Institute of Standards and Technology's (NIST) Cybersecurity Framework.

OCR enforces the HIPAA Security Rule, which aims to balance patient security with the advancement of health technology.

The rule requires physical and electronic safeguards to ensure the secure transmission, maintenance and receipt of PHI. When addressing the risks and vulnerabilities associated with PHI and electronic PHI (ePHI), healthcare organizations should ask three key risk analysis questions:

  1. Can the sources of ePHI and PHI within the organization -- including all PHI created, received, maintained or transmitted -- be identified?
  2. What are the external sources of PHI?
  3. What are the human, natural and environmental threats to information systems that contain ePHI and PHI?

Using the answers to these questions, organizations can decide what measures they need to take to maintain or develop a HIPAA-compliant security management process, for example:

Under HHS' meaningful use program for certified health IT, healthcare organizations receiving federal incentive payments must attest to following privacy and security procedures based on HIPAA.

HIPAA Omnibus Rule

The HIPAA Omnibus Rule modifies the HIPAA Privacy, Security and Enforcement Rules to implement statutory amendments under the HITECH Act.

The HIPAA Omnibus Rule marked the most extensive changes to the HIPAA Privacy and Security Rules since they were first implemented. Changes include the following:

What are HIPAA business associates and their contract requirements?

HIPAA defines a BA as any organization or person that works in association with, or provides services to, a covered entity and handles or discloses PHI or PHRs.

Under the HITECH Act, any HIPAA BA that serves a healthcare provider or institution is subject to audits by OCR within HHS and can be held accountable for a data breach and penalized for noncompliance.

According to the HHS, some examples of BAs include the following:

Mobile application developers could also be considered HIPAA BAs because many healthcare mobile applications handle PHI.

HHS gave a scenario in which an app developer would be considered a HIPAA BA: A patient is told by their provider to download a health app to their smartphone. The app developer and the provider have a contract for patient management services that includes remote patient health counseling, patient messaging, food and exercise monitoring, and electronic health record (EHR) integration and application program interfaces (APIs). Furthermore, the information the patient enters into the application is automatically incorporated into the EHR.

A HIPAA BA agreement (BAA) is a contract between a HIPAA-covered entity and a HIPAA BA. The contract protects PHI in accordance with HIPAA guidelines.

According to HHS, HIPAA BA contracts or other written arrangements should do the following:

28 Aug 2020

Copyright 2009 - 2024, TechTarget. All rights reserved.