First proposed in 1996 in order that workers bring carry forward insurance and healthcare rights between jobs, our HIPAA simplified history shows the Act has since grown into an act of legislation that also governs health insurance fraud and tax provisions for medical savings accounts, and ensures acceptance of workers with pre-existing conditions into occupational healthcare insurance schemes. Chiefly though, however, HIPAA relates to the privacy and security of patient health information.
HIPAA (via the HITECH Act) was also used to encourage the healthcare sector to computerize paper records. This resulted in concerns over unauthorized disclosures of “Protected Health Information” (PHI) and lead to the development of further privacy and security regulations in 2013. The regulations addressed technological advances in the healthcare sector since the original legislation was passed, and expanded responsibility for the integrity of PHI to Business Associates.
The HIPAA regulations are governed by the U.S. Department of Health & Human Services´ Office for Civil Rights, while state Attorney Generals can also implement actions against parties found not to be in compliance with HIPAA. The Office for Civil Rights has the authority to apply fines on Covered Entities and Business Associates for breaches of PHI unless the offending party can show a low probability that patient health information was compromised.
HIPAA Described in Basic Terms
The combined text of all the HIPAA Administrative Simplification Regulations have been put together into a single document of 115 pages by the HHS, which makes it a very lengthy read, but it is possible to summarize HIPAA in a couple of sentences and explain HIPAA in simple terms.
HIPAA was an effort by Congress to improve efficiency in healthcare, eliminate wastage, tackle fraud, and ensure that health information that can be tied to an individual and would permit them to be identified is protected and kept private and confidential.
HIPAA brought in a set of new standards for healthcare organizations to follow to ensure everyone was singing from the same song sheet. Standard codes and identifiers were developed to make it easier for health information exchange and healthcare providers, health insurers, and their business associates were needed to use the same codes for electronic transactions to ensure data could be exchanged efficiently. This saved a great deal of time, effort, and resulted in massive cost savings.
HIPAA stated the allowable uses and disclosures of health information, restricting who is permitted to access health information and under what circumstances. HIPAA gave Americans the right to receive copies of their health data to check their health records for errors and to share their records with whoever they wish. HIPAA also set standards for protecting health data to make it harder for health information to be accessed by individuals who had no right to view the data.
HIPAA Made Easy
Although it may be thought of as unkind to entitle a section of this article “HIPAA for Dummies”, there are still some people unaware of what patient health information is “protected”. To clarify what is thought of as “Protected Health Information”, we have listed below the eighteen “personal identifiers” that individually – or related to any other personal identifier – could reveal the identity of an individual, their medical history or payment history:
|Names or part of names||Any other unique identifying characteristic|
|Geographical identifiers||Dates directly related to an individual|
|Phone numbers||Fax numbers|
|Email addresses||Social Security numbers|
|Medical record numbers||Health insurance beneficiary numbers|
|Account numbers||Certificate or license numbers|
|Vehicle license plate numbers||Device identifiers and serial numbers|
|Web URLs||IP addresses|
|Fingerprints, retinal and voice prints||Full face or any comparable photographic images|
Who is Included in HIPAA?
Before beginning an HIPAA explanation to clarify who the legislation applies to. Most health plans, health care clearinghouses, health care providers and endorsed sponsors of the Medicare prescription drug discount card are though of as “HIPAA Covered Entities” under the Act. Typically, these are entities that come into contact with Protected Health Information on a regular basis.
“Business Associates” are also included in HIPAA. These are groups who do not create, receive, maintain or transmit Protected Health Information in their primary occupation, but who supply third party services and activities for Covered Entities during the course of which they will work with PHI. Before undertaking a service or activity on behalf of a Covered Entity, a Business Associate must complete a Business Associate Agreement guaranteeing to ensure the integrity of any PHI to which it has access.
There’s a grey area in relation to self-insured single employer group health plans and employers who act as intermediaries between employees and health care supplierrs. HIPAA states employers are not Covered Entities unless the manner of their business falls within the criteria to be a Covered Entity (i.e. an employing Medical Center would be a Covered Entity). However, as self-insuring and intermediary employers manage PHI that is protected by the HIPAA Privacy Rule, they are considered “Virtual Entities” and subject to HIPAA compliance.
Explanation of the Required and Addressable Safeguards of HIPAA
One aspect of HIPAA that has led to some confusion is the difference between “required” and “addressable” safeguards. Effectively every security measure of HIPAA is “required” unless there is a justifiable reason not to implement the safeguard or an appropriate alternative to the safeguard is in place that achieves the same objective.
An instance in which the implementation of an addressable safeguard could be unnecessary is the encryption of email. Emails containing PHI – either in the body or as an attachment – only have to be encrypted if they are sent beyond a firewalled, internal server. If a healthcare group only uses email as an internal form of communication – or has an authorization from a patient to send their information unencrypted – there is no need to put in place this addressable safeguard.
The decision not to put in place email encryption will have to be supported by a risk assessment and recorded in writing. Other factors that may have to be considered s the organization´s risk mitigation strategy and other safeguards put in place to safeguard the integrity of PHI. As a footnote to this particular section of HIPAA explained, the encryption of PHI at rest and in transit is recommended.
HIPAA Implications for Patients
The implications of HIPAA to patients are that their healthcare data is treated more sensitively and can be accessed more quickly by their healthcare suppliers. Electronically stored health information is now better protected than paper records ever were, and healthcare groups that have implemented mechanisms to comply with HIPAA regulations are witnessing an enhanced efficiency. This results – as far as patients are concerned – as a higher standard of healthcare.
On the negative side, healthcare groups are not solely concerned with the standard of healthcare they can provide to specific patients. Healthcare organizations want to increase the services they can provide, want to raise the quality of care and enhance patient safety through research. However, research is hindered by HIPAA and restricted access to PHI has the potential to slow down the rate at which improvements can happen in health care.
There is also a price to pay for enhanced data security, and although the enactment of the Meaningful Use program provided financial incentives for healthcare suppliers to computerize paper records, establishing the necessary controls to secure ePHI can carry a substantial cost. Increasing funding for compliance has the potential to lessen the level of patient care, while the administrative burden that HIPAA-compliance places of healthcare groups furthers strains the limited resources available.
How to Describe HIPAA to Patients
- They can request their medical records whenever they like.
- They can request you amend their medical records when appropriate.
- They can limit who has access to their personal health information.
- They can choose how healthcare providers communicate with them.
- They cant to complain about the unauthorized disclosure of their PHI.
Unless the patient has experienced a physical or financial harm due to the unauthorized disclosure of their PHI, they will not be able to bring a civil action against the negligent party. However, Covered Entities and Business Associates who breach HIPAA for personal profit, false pretenses or other personal gain will have criminal penalties imposed upon them by the Office for Civil Rights that could lead to ten years´ imprisonment.
HIPAA Implications for Healthcare Organizations
If data privacy and security is not tackled, the Office for Civil Rights can issue penalties for non-compliance. Preventable data breaches are likely to result in considerable financial penalties issued. Under the penalty structure brought in by HITECH, violations can result in fines up to $1.5 million being issued by the OCR, while lawsuits can be filed by both attorney generals and – as mentioned before – the victims of data breaches.
The high probability of healthcare groups becoming targets for cybercriminals and the exorbitant cost of addressing data breaches – issuing breach alert letters, offering credit monitoring services and covering the OCR fines – is far more than the cost of achieving full compliance. But, while the initial cost of investment in the necessary technical, physical and administrative security measures to secure patient data may be high, the improvements can result in cost savings over time as a result of improved efficiency.
Groups that have already implemented mechanisms to adhere with HIPAA have seen their employee´s workflows streamlined, less time is wasted playing “phone tag” and the workforce has become more productive – allowing healthcare groups to reinvest their savings and give a higher standard of healthcare to patients.
How to Describe HIPAA to Employees
Describing HIPAA to employees of Covered Entities and Business Associates requires far more effort than describing HIPAA to patients. In order to adhere with HIPAA, Covered Entities and Business Associates have to gather privacy and security policies for their workforces, and a sanctions policy for employees who fail to adhere with the requirements. Therefore it is necessary to describe HIPAA to employees in greater detail.
The best manner to explain HIPAA to employees is in special compliance training sessions. Although the HIPAA regulations state training should be given annually, we would suggest there is so much for employees to take in relating to the security and privacy of personal health data, compliance training sessions should be short and frequent. Attempting to explain HIPAA to employees in a four-hour training session will likely be unsuccessful.
Most of the explanation will revolve around managing the integrity of PHI, but how this is put in place will likely have an impact on the employees themselves. For instance, employees will be unable to speak about patient healthcare via their mobile device unless the communications are encrypted. Due to the number of healthcare clinics putting in place BYOD policies, this will mean employees have to install secure communication apps to their personal mobile devices.