What is HIPAA? If you have employees that deal with Protected Health Information, or PHI, then you need to train them on the ins and outs of HIPAA. President Clinton signed the Health Insurance Portability and Accountability Act, or HIPAA, into law in 1996. Covered entities in the healthcare industry, and their business associates, must ensure that their organizations comply with HIPAA rules.
But what are the HIPAA rules, and who falls under the designations of “covered entities” and “business associates?” Here, we will provide an overview of this complex and challenging law. This article, along with our more complete HIPAA training program, will help get your employees the training they need to remain compliant with the law.
The original intent of HIPAA was the creation of national standards for health insurance portability.
Four of the act’s five titles (sections) extend company-owned life insurance, group health plans, and health insurance coverage for workers who leave their jobs or change health insurers. It also references medical savings accounts.
- Title I covers health insurance portability to new health insurers. HIPAA health insurance reform protects health insurance coverage by limiting health plans’ ability to deny benefits based on a pre-existing condition.
- Title III provides HIPAA guidelines for health insurance and associated law, aiming at administrative simplification.
- Title IV is another critical part of HIPAA health insurance reform, covering group health plan requirements and continuing health insurance coverage, touching on the COBRA act.
- Title V touches on interest allocation rules and cover for US citizens who renounce their US citizenship. Interest allocation rules govern the interest expenses of multinational companies.
When covered entities and their business associates refer to HIPAA compliance and the HIPAA regulations, they generally mean Title II and its five rules.
Title II of the Health Insurance Portability and Accountability Act governs various aspects of handling protected health information (PHI), including electronically protected health information (ePHI) stored and shared through data networks.
The growing importance of this title has led to federal legislators expanding it by introducing five rules emphasizing the “accountability act” aspect of HIPAA.
Title II features HIPAA administrative simplification rules regarding electronic healthcare transactions (a financial institution rule) and a national provider identifier system to streamline medical care.
The administrative simplification aspects of the Health Insurance Portability and Accountability Act found under Title II lighten the workload for medical providers. This allows them to focus on providing health care.
To assist small healthcare organizations, the US federal government’s Health and Human Services division, which oversees HIPAA compliance, has produced guidance materials covering HIPAA privacy.
The recently implemented Omnibus rule modifies the HIPAA privacy, security, and enforcement rules (including the breach notification rule).
As most information regarding HIPAA was written before the adoption of this rule, we include notes regarding the specific changes wrought by Omnibus under the relevant headings.
Organizations will have to provide training for their staff to understand and implement these changes. The Omnibus rule helps integrate disparate pieces of other legislation into HIPAA, enhancing administrative simplification.
Healthcare organizations and individuals in the healthcare field may wonder whether they fall under the umbrella of “covered entities” and what constitutes a business associate.
Covered entities comprise all health plans and health care providers who electronically transmit health data in connection with transactions standardized by the HHS, for example, claims.
Health plans include HMOs, health insurance companies, company-owned life insurance, government programs such as Medicare, Medicaid, military personnel, veterans care, and medical savings accounts associated with public or private health insurance plans.
Healthcare providers include doctors, dentists, psychologists, chiropractors, pharmacies, clinics, hospitals, and nursing homes. The size of the practice is irrelevant to determining whether an entity is a covered entity or not; it is the transmission of patient data that is pertinent.
The term covered entities refers to the requirement that these organizations comply with the provisions of the HIPAA privacy rule.
Healthcare providers and health plans often engage other companies’ services to provide health care to patients; these ancillary service providers require access to some patient health data.
Examples include claims processing services, medical transcriptionists, accounting services, attorneys, pharmacy benefits managers, and utilization review consultants.
The privacy rule permits a covered entity to share protected health information with these business associates, subject to specific provisions that prohibit the business associate from using this data for their benefit.
These caveats are that the business associate undertakes not to use the data for any other purpose than helping the covered entity, safeguards the information, and assists the covered entity in complying with their duties as specified by the HIPAA privacy rule.
Healthcare clearinghouses are sometimes considered covered entities. Still, often they are classified as business associates in terms of the data processing services they render to healthcare providers and health plans.
Healthcare clearinghouses include health management information systems that process health data, including individually identifiable health information, from one format to another.
They may transform health data in a nonstandard format into a standard one for ease of use by their clients or vice versa when a client requires a custom data format for a particular use.
One everyday use case is transforming nonstandard claim data into a format that meets HIPAA standards for healthcare transactions.
The HIPAA privacy and security rules dictate that a covered entity enter into a contract with any business associate. Any business associate assisting a covered entity who subcontracts certain functions must also create a contract to govern that relationship.
Such contracts (or similar written arrangements) are business associate contracts; they clarify how a business associate may use or disclose patient information. The only exception to these stipulations is disclosure required by law.
The contracts bind the associate to direct liability under HIPAA regulations, subject to civil or even criminal penalties for unauthorized use or disclosure as outlined in the privacy rule, and civil penalties should they fail to safeguard such data as prescribed by the security rule.
The Omnibus rule amendments mean that much of the privacy rule and all of the security rule now applies to business associates and subcontractors, and they are subject to enforcement.
This administrative simplification means that covered entities should review their business associate contracts accordingly, particularly concerning liability protection clauses.
Despite often holding some health information, various entities are not subject to HIPAA regulations.
These include most law enforcement agencies, including state and local police. State agencies such as nutritional assistance programs and child protective services, employers, schools, and school districts are also excluded. Schools and school districts are instead subject to the Family Educational Rights and Privacy Act.
Companies providing life insurance loans are also not subject to HIPAA but can access some data, such as blood test results and prescription medication purchases from third-party sellers.
Because healthcare providers must access and exchange information to render services to patients, they must share some data. Medical records such as blood type, diagnosis, BMI, EKG readings, and so on fall under information health care providers require to do their jobs.
Individually identifiable health information such as names, birth dates, addresses, social security numbers, medical record numbers, facial photos, and contact details, which link medical records to specific individuals, are protected health information.
Electronically protected health information that falls into the wrong hands can be used for several purposes, ranging from blackmailing individuals with stigmatized conditions to purchasing medication for resale on the black market.
HIPAA regulations require healthcare providers and business associates to keep this information confidential and share it on a need-to-know basis or as required by law.
The HIPAA privacy rule does not apply to situations where individually identifiable health information, such as an employee’s contact details at a medical clinic, is not linked with electronic health records. Thus no compromise of individual security can occur.
Electronic health records such as heart rate or blood sugar readings that are not linked with individually identifiable health information are also exempt, as compromising patient confidentiality is also not possible in this scenario.
The five HIPAA rules include privacy and security rules and others that specify how a covered entity should act to fulfill the aims of these regulations. The fifth of the HIPAA rules is an enforcement rule that governs HIPAA violations.
The HIPAA privacy rule protects all of a patient’s protected health information (physical or electronic) and is foundational to HIPAA compliance.
It establishes national standards regarding the circumstances in which a covered entity may or may not disclose this data and whether patient consent is required.
The HIPAA privacy rule regulates the storage and sharing of protected health information and electronically protected health information by covered entities, such as health care professionals and health plans, to ensure that this data remains protected.
It sets minimum standards for healthcare organizations’ internal HIPAA compliance policies and documents.
Associated forms govern requests for access or restriction to information, permission for disclosure, the notice of privacy practices that informs patients of their HIPAA rights, and the privacy complaint form.
The Omnibus rule has introduced changes relating to marketing and fundraising communications, payment for PHI, disclosures to health care personnel or payment services, and student immunization records.
Covered entities must update any documentation affected.
The Omnibus rule extends HIPAA regulations regarding health information to include genetic data, thus implementing the Genetic Information Nondiscrimination Act (GINA).
Health and Human Services has introduced restrictions prohibiting medical insurers from adjusting their underwriting calculations based on a person’s genetic information and prohibiting employers from screening employees on that basis when hiring or promoting.
The HIPAA privacy rule gives healthcare providers a right to access and share patients’ medical records for purposes such as providing appropriate treatment, healthcare operations, or handling payment.
These routine uses do not require patient consent. The covered entity can rely on “informal consent” to use and disclose information in medical emergencies or disasters or to notify family members (something covered entities are often reluctant to do).
Disclosure of information incidental to such uses is not considered a violation of the HIPAA privacy rule, provided the covered entity shared the minimum necessary data and took reasonable precautions.
Other disclosures of protected health information (PHI), such as those used in research, require prior written authorization from the patient.
Healthcare organizations may also apply for permission not to disclose patient health information when they believe such disclosure could harm patients or their family members.
Covered entities must disclose information to law enforcement personnel under particular circumstances.
- Patients with gunshot or stab wounds
- Patients suspected of criminal activity
- Patients posing serious and imminent threats to public health or safety
- Patients suspected of child abuse
- Any other case where required by court orders, warrants, subpoenas, or similar documents.
The HIPAA privacy rule stipulates that patients have a right of access. This guarantees they may view their patient health information, obtain a physical or electronic copy, and request corrections.
They may also request that personal health information, including electronic health information, not be shared.
Certain data, such as a mental health care professional’s notes not stored as part of medical records, administrative data used to review and improve services, or data gathered by medical providers to defend against legal action, is exempt from this provision.
The HIPAA security rule complements the privacy rule, defining how electronically protected health information (ePHI) should be protected and setting national standards for securely maintaining, processing, and transmitting such data.
The security rule defines three elements of security: administrative, technical, and physical.
Administrative safeguards assign a team to maintain the security policies and procedures that ensure HIPAA compliance. These internal security policies must detail the specifics of the HIPAA security rule.
The security rule stipulates that staff at a covered entity must receive annual training regarding these policies, with written attestation.
Technical safeguards are security measures aimed at preventing unauthorized remote access to data by malicious actors, for example by hacking the site where it is stored, cracking weak user passwords, or infecting computers with malware.
Technical safeguards against such attacks include powerful data encryption, user authentication, and policing of password strength used by persons authorized to access data.
The HITECH Act (Health Information Technology for Economic and Clinical Health) was amended in 2021 to require HHS to consider recognized security practices (RSPs) employed by covered entities and business associates in connection with the security rule.
The Office for Civil Rights, which falls under the Health and Human Services division, considers the RSPs that a covered entity has had in place during the previous 12 months when assessing HIPAA security rule compliance or executing enforcement actions.
Although RSP implementation is voluntary, evidence demonstrating that entities have implemented these security best practices can be a mitigating factor in Office for Civil Rights audits, investigations, and fines calculations following a data breach.
Entities can choose between:
- An RSP based on the National Institute of Standards and Technology Act’s Cybersecurity Framework
- One based on the Cybersecurity Act’s Health Industry Cybersecurity Practices
- Any other framework recognized by federal law.
Physical safeguards protect sensitive data from falling into the wrong hands by direct physical means, such as people viewing monitor displays or stealing laptops, tablets, and cell phones.
To accomplish this, a covered entity may put in place a policy requiring that monitors be positioned so that members of the public cannot see them. Another helpful policy is a requirement for users to log in at the start of a session and log out at the end of it.
If an employee takes a laptop from a healthcare facility without a physical security policy and it is stolen, the covered entity that employs them will be held responsible for leaked data.
However, if healthcare organizations enact security policies forbidding laptops from being removed from the workplace, the responsibility rests with the worker if such an incident occurs.
Physical safeguards include restricting access to healthcare facilities, data management measures such as backups and end-of-life disposal, and workstation security.
HIPAA Security Rule Standards and Implementation Specifications cover four major areas of security: physical, administrative, and technical safeguards, plus the requirements for policies, procedures, and documentation.
The Health Insurance Portability and Accountability Act includes this financial institution rule, which stipulates a standardized mechanism that health insurance plans and covered healthcare providers must follow when filing and processing electronic healthcare transactions.
These healthcare transactions include benefit eligibility inquiries, claims and encounter information, claims status, referral authorization requests, payment and remittance advice, and other situations covered by the HIPAA rules for transactions.
HIPAA administrative simplification rules intend to reduce the complexity of transactions. All covered entities who wish to be paid must adhere to national standards for healthcare transactions.
Another of the HIPAA administrative simplification provisions, the unique identifiers rule, provides national standards for identifying covered entities involved in administrative and financial transactions governed by HIPAA.
Healthcare providers are identified by means of a 10-digit number, the National Provider Identifier (NPI). Health plans and covered entities paying under the Centers for Medicare & Medicaid Services are identified by the National Health Plan Identifier (NHI).
Employers involved in HIPAA-regulated transactions are identified by the Standard Unique Employer Identifier, which is considered equivalent to the Employer Identification Number (EIN) issued by the IRS.
There are ten billion possible values of a 10-digit number, so this system allows every entity involved in healthcare transactions to have a unique, arbitrary identifier.
The unique identifiers rule reinforces the aims of the privacy and security rules by creating a way to identify all employers and covered entities while not sharing individually identifiable health information.
A national standard identifier for health plans helps eliminate the ambiguity in identifying plans that previously required human intervention, allowing the American Medical Association’s third-party payment system to be automated.
Although electronic healthcare transactions still require sharing some protected health information, such as payment details and patient contact details, the National Provider Identifier provides an unambiguous way of anonymously identifying entities.
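As an added example (not code from this article or from any HIPAA program), the check that a receiving system can run on the NPI before using it to route a transaction: the tenth digit of an NPI is a Luhn check digit computed over the first nine digits with the prefix 80840, a property of the identifier format that goes beyond what the article states. The claim records below are constructed sample input.

```python
"""Check-digit validation for National Provider Identifiers (NPIs).

Added example. The NPI is a 10-digit number whose last digit is a Luhn
check digit computed as if the digits were prefixed with 80840 (the ISO
prefix for US health identifiers). Validating it on inbound transactions
catches mistyped or corrupted provider identifiers before they are used
to route claims or look up records.
"""

NPI_PREFIX = "80840"  # ISO prefix; adds a constant 24 to the Luhn sum


def luhn_sum(digits: str) -> int:
    """Luhn sum over a digit string whose rightmost digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def npi_check_digit(first_nine: str) -> int:
    """Compute the tenth digit for the first nine digits of an NPI."""
    if len(first_nine) != 9 or not first_nine.isdigit():
        raise ValueError("expected exactly nine digits")
    # Append a placeholder 0 so the nine digits land in the right Luhn positions.
    total = luhn_sum(NPI_PREFIX + first_nine + "0")
    return (10 - total % 10) % 10


def is_valid_npi(npi: str) -> bool:
    """True if npi is ten digits and its check digit is consistent."""
    if len(npi) != 10 or not npi.isdigit():
        return False
    return luhn_sum(NPI_PREFIX + npi) % 10 == 0


def screen_claims(claims: list[dict]) -> list[str]:
    """Return the claim ids whose provider NPI fails validation."""
    return [c["claim_id"] for c in claims if not is_valid_npi(c["npi"])]


# Constructed sample records: the second has its last two digits transposed.
SAMPLE_CLAIMS = [
    {"claim_id": "C-001", "npi": "1234567893"},
    {"claim_id": "C-002", "npi": "1234567839"},
]

if __name__ == "__main__":
    print("check digit for 123456789:", npi_check_digit("123456789"))
    print("claims with bad NPIs:", screen_claims(SAMPLE_CLAIMS))
```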
The Office for Civil Rights (OCR) is responsible for monitoring HIPAA violations and implementing the HIPAA enforcement rules that govern penalties for offenders.
Penalties for HIPAA violations can be severe. Accidental violations, known as reasonable cause, attract fines ranging from $100 to $50,000 each but do not involve criminal charges that could lead to jail time.
Wilful neglect violations attract fines ranging from $10,000 to $50,000 each (up to a cap of $1.5 million) and can involve criminal charges and possible imprisonment. Should a preliminary review indicate possible wilful neglect, the OCR must investigate compliance.
Healthcare organizations that discover a disclosure or use of electronically protected health information not permitted under the privacy rule, which compromises its privacy or security, must notify the Office for Civil Rights and the affected individuals of the breach.
Large-scale data breaches involving the leaking of protected health information of 500 patients or more are posted on the “Wall of Shame” or Breach Notification Portal.
The Omnibus rule has amended the HIPAA breach notification rule so that virtually all information leakages constitute a reportable data breach.
The five leading violations of HIPAA rules are caused by the following:
- Employees losing computing or storage devices
- Being hacked due to insufficient cybersecurity
- Unauthorized employee access to patient data
- Poor filing and disposal practices
- The release of information when authorization is no longer required.
Remaining HIPAA-compliant helps businesses and entities manage patient data more efficiently and avoid federal fines. Responsible parties should understand and follow each Act’s title to the letter and ensure proper recovery measures are in place in case of a breach.
Keep this information on hand – keep your organization HIPAA-compliant.