The Health Insurance Portability and Accountability Act of 1996 – more commonly known as HIPAA – is a law intended to protect the privacy of healthcare patients’ personal information and ensure healthcare providers and their associates are penalized for noncompliance.
These national standards were initially put in place by the United States Congress and have since been updated by other organizations, such as the Office for Civil Rights and the Department of Health and Human Services (HHS) in order to offer better protection to patients and their medical records.
Anyone working directly in the healthcare industry – such as doctors and other healthcare providers, their business associates, and those working in related fields handling patient information – must comply meticulously with HIPAA regulations.
Healthcare professionals found guilty of committing HIPAA violations are subject to steep penalties, so it is important to be intimately familiar with these guidelines. Employers in affected industries are encouraged to seek out a HIPAA compliance checklist on the web and distribute it among their staff to promote HIPAA awareness.
Read on for a detailed explanation of the HIPAA regulatory standards. This article is a good complement to our HIPAA training for employees course.
Table of Contents
What is the Health Insurance Portability and Accountability Act of 1996?
HIPAA is a law put into place by Congress with the assistance of the Department of Health and Human Services in order to safeguard the privacy and security of the medical information of patients across the United States.
It delineates and enforces a series of strict guidelines and regulations that must be followed by all entities in the healthcare industry and their business associates for safely and securely handling sensitive personal information.
Additional amendments were added in 2009 specifically to address the privacy of electronically protected health information, as well as guidelines for handling modern challenges to the healthcare industry, such as hacking and the occurrence of a data breach.
Which Professionals Must Adhere to HIPAA Compliance Requirements?
Every individual and organization that works with patient health information must comply with the HIPAA privacy and security rules. This sounds like a simple guideline, but it applies to much more than just doctors and healthcare organizations.
Read below for a breakdown of the main professions and industries that are subject to HIPAA compliance.
The primary organizations and individuals handling information that is pertinent to HIPPA privacy regulations are considered “covered entities.” A covered entity is typically directly involved in the provision of healthcare services.
The most obvious individuals under the umbrella of “covered entities” subject to HIPAA rules are healthcare providers, including doctors, nurses, technicians, and other healthcare professionals who provide healthcare services directly to patients. These individuals must do everything in their power to ensure the privacy and security of any information pertaining to their patients.
This includes refusing to disclose PHI to unauthorized parties, using safe methods of storing and notating medical data, and following all of the policies and procedures delineated by the act. Breaches in compliance by a medical professional may result in corrective action, including but not limited to severe fines.
Additional covered entities include health plans as well as healthcare clearinghouses. Health plans are companies that provide insurance and financial support for medical purposes.
Due to the nature of their function, health plans are constantly transmitting information pertaining to medical histories and billing data and thus must be held to the same standard as other organizations bound by the HIPAA rules.
Healthcare clearinghouses are another form of a covered entity. These organizations transfer medical data between other covered entities, such as doctors’ offices and laboratories.
Due to the high level of personal information being processed by these covered entities, they also must follow the HIPAA rules regarding privacy and security.
Business Associates of Healthcare Organizations and Covered Entities
As opposed to a covered entity, a business associate has a more indirect relationship to the provision of healthcare. However, because their business associate agreements allow them to access PHI in order to provide their services, these entities are subject to the same policies and procedures that must be followed by other organizations subject to HIPAA.
Billing companies, answering services, medical transcription services, data processing companies, auditors, and health information exchanges all fall under the category of “business associate”. All of these entities must maintain compliance and adhere to the privacy and security regulations set forth by HIPAA.
What Constitutes Protected Health Information (PHI)?
Protected health information (PHI) is a relatively broad category comprising more than just medical records and health insurance information.
In order to make sure your organization maintains HIPAA compliance, it is important to have a comprehensive understanding of everything that is considered protected health information by governing bodies such as the HHS office.
Patient Health Information
The HIPAA privacy rule defines patient health information as any form of individually identifiable health information that refers to a particular patient.
Any entity subject to HIPAA regulation must follow all of the required policies and procedures in order to safeguard the security of this information and prevent it from falling into the hands of unauthorized parties.
This category of information is specific to healthcare, but it is not the only type of data that is protected by HIPAA.
Personally Identifiable Information
Personally identifiable information refers to any form of data that can be traced back to a specific individual, whether or not it specifically relates to healthcare, such as demographic information. HIPAA compliance requires the security of this identifying data to be thoroughly protected by those with access to it.
In order to prevent a HIPAA violation from occurring, workers in the healthcare industry are encouraged to ignore the distinction between medical and non-medical data and protect the security of all personal data equally.
Electronic Protected Health Information
Electronic Protected Health Information, also known as ePHI, refers to any form of classified medical data kept in electronic form. This category was added in 2009 when the HITECH Act was introduced to safeguard electronic data better.
The privacy rule set forth by HIPAA makes no distinction between physical and electronic information in terms of priority. The security of all forms of patients’ medical and personal data must be protected in order to maintain compliance with HIPAA regulations.
What Are the 4 Main Rules of HIPAA?
The Health Insurance Portability and Accountability Act denote four main rules for professionals and organizations to follow with regard to protecting patient information.
These include the HIPAA privacy rule, a guideline for handling a breach notification, the HIPAA security rule, and a set of regulations for enforcing the policies when HIPAA violations occur.
In order to prevent HIPAA violations, all four HIPAA rules must be followed meticulously.
HIPAA Privacy Rule
What is the HIPAA privacy rule for healthcare workers? The privacy rule delineates exactly what circumstances patients’ data may be shared under.
Any disclosure of patient information by parties who lack the proper authorization or under circumstances that are not clearly stated in the HIPAA privacy rule will result in a HIPAA violation.
According to the HIPAA privacy rule, in most cases, only the patient themselves or the Department of Health and Human Services may receive this data upon request. Additionally, only the bare minimum information necessary under the circumstances may be disclosed.
HIPAA Enforcement Rule
The HIPAA enforcement rule details the extent of the penalties for failure to comply with the regulations. Fines between $100 and $50,000 may be imposed for each violation, with an annual limit of $1.5 million. Further action may be taken at the discretion of a compliance officer.
HIPAA Security Rule
The HIPAA security rule determines what mechanisms are used to protect the security of private information. The security rule includes three sets of protections: administrative, physical, and technical.
- The technical safeguards set forth by the security rule are in place to protect electronic data from hacking and other cyber security threats.
- The physical safeguards ensure that no one can access equipment storing sensitive patient data without proper authorization.
- The administrative safeguards address the overall management of the security system.
HIPAA Breach Notification Rule
The HIPAA breach notification rule details how organizations should respond if a data breach occurs. If sensitive information is illegally obtained through hacking or inadvertently disclosed to an unauthorized party, both the affected individuals and the HHS secretary must be informed.
These guidelines give different deadlines depending on whether or not the breach affected more or less than 500 individuals. Breaches affecting fewer than this number require a notification to be sent out at least 60 days before the end of the year. Notifications for breaches affecting more people must be sent out within 60 days of the breach.
What Is a Requirement Under HIPAA for Patients?
According to the official guidelines, patients have the right to have their personal information safeguarded from unauthorized individuals. Unless they give explicit permission, patients’ medical data cannot be shared with their employers or sold to other interested parties.
Patients also have the right to access their own health information for any reason.
How Do Healthcare Professionals Remain HIPAA Compliant?
HIPAA compliance can be easily maintained by following the regulations meticulously, meeting all of the documentation requirements, prioritizing thorough instruction on HIPAA compliance during employee training, and never disclosing information without clear authorization.
Respect Patient Privacy, Avoid Penalties, Maintain HIPAA Compliance
For healthcare professionals, protecting the privacy of their patients regarding their individually identifiable health information should be a top priority.
This is necessary not only out of respect for patients but also in order to prevent medical practitioners and their associates from incurring fines and criminal penalties.
Please seek out a free HIPAA checklist to ensure that you and your fellow healthcare professionals remain HIPAA compliant.