Understanding HIPAA for Dummies

HIPAA Origins

The Health Insurance Portability and Accountability Act (HIPAA) was first introduced in 1996 by the United States Congress. Initially, the legislation was introduced to ensure that people who were temporarily out of work would still be covered by health insurance. Although it still serves this purpose, it is now more famous for its role in introducing new standards for the protection of sensitive healthcare information. Data breaches can have significant consequences for patients, as criminals may use healthcare information may commit identity theft or fraud. As such, healthcare organisations are always under attack from hackers who wish to steal this information to sell on the black market for a substantial profit.

HIPAA’s role is still evolving, adapting to the new threats the healthcare industry faces. It is one of the most important pieces of healthcare legislation in the United States.

Why do we need HIPAA?

Before HIPAA, there was no consensus amongst healthcare professionals as to the best practices for protecting private healthcare information (PHI). HIPAA introduced several industry-wide standards to address the issues of PHI security.

Additionally, HIPAA was introduced to improve efficiency and patient experience in the healthcare industry. HIPAA introduced new practices to help healthcare organisations across the country to reduce the amount of paperwork, thus creating a better workflow. HIPAA requires code sets had to be used along with patient identifiers, which helped pave the way for the efficient transfer of healthcare data between healthcare organisations and insurers. This has had the effect of streamlining eligibility checks, billing, payments, and other healthcare operations. It is hoped that with more efficient management of patient data, the patient’s experience is improved.

HIPAA has served a great deal more, less famous, functions. It covers areas from the banning of tax-deduction of interest on life insurance loans to the standardisation of the amount that may be saved in a pre-tax medical savings account.

HIPAA is a comprehensive legislative act incorporating the requirements of several other legislative acts, including:

  • the Public Health Service Act
  • the Employee Retirement Income Security Act
  • the Health Information Technology for Economic and Clinical Health (HITECH) Act

What is PHI?

Understanding what constitutes as PHI is a critical aspect of HIPAA compliance. PHI encompasses any information which could be used to identify which patient is connected to the healthcare record. If an unauthorised individual gains access to this information, the patient may be at risk of identity fraud. Here we have listed eighteen so-called “personal identifiers”.

  • Names or part of names
  • Geographical identifiers
  • Phone numbers
  • Email addresses
  • Medical record numbers
  • Account numbers
  • Vehicle license plate numbers
  • Web URLs
  • Fingerprints, retinal and voice prints
  • Full face or any comparable photographic images
  • IP addresses
  • Device identifiers and serial numbers
  • Certificate or license numbers
  • Health insurance beneficiary numbers
  • Social Security numbers
  • Fax numbers
  • Dates directly related to an individual
  • Any other unique identifying characteristic

Who must comply with HIPAA?

HIPAA applies to health plans, health care clearinghouses, health care providers and endorsed sponsors of the Medicare prescription drug discount card. These organisations are referred to as “HIPAA Covered Entities” (CEs). Under certain circumstances, an organisation may be exempt from HIPAA.

If an organisation provides a third-party service to a CE and may come into contact with PHI by doing so, they are required to follow HIPAA’s Rules. These organisations are known as “Business Associates” (BAs). Although they do not create, receive, maintain or transmit PHI, they must ensure that they have adequate safeguards in place to ensure its protection. CEs and BAs must sign a Business Associate Agreement guaranteeing to ensure the integrity of any PHI to which it has access before they can start any operations.

HIPAA Rules

The Rules address specific security requirements, such as the safeguards that should be implemented or response frameworks that should be in place if a data breach were to occur.

Privacy Rule –defines PHI and informs CEs and BAs of their responsibilities to protect patient data. The Minimum Necessary Rule is also part of the Privacy Rule, and stipulates that should PHI be handed over to a third party, only the minimum amount of data necessary to complete the specific task should be handed over.

Security Rule –outlines the minimum physical, technical, and administrative safeguards needed to protect electronic PHI.

Breach Notification Rule – outlines procedures that must be followed in the aftermath of a breach to ensure that the risk of damage to patients is minimal. Employees must be informed on how and when to notify the OCR and the media.

Enforcement Rule – contains guidance on the fines and penalties that may be levied against a CE should a data breach occur. (OCR and Department of Health and Human Services can alter punishments at their discretion.)

Omnibus Rule –covers a wide range of privacy-related areas, from the length of time a patient’s records can be held to the encryption requirements of PHI.

HIPAA Safeguards

Understanding HIPAA’s safeguard requirements are an integral part of ensuring compliance. One area of HIPAA that has led to some confusion is the difference between “required” and “addressable” safeguards. Each safeguard is “required” unless there is a justifiable reason not to implement the safeguard. If the CE finds a reason not to implement a certain “required” safeguard, then an appropriate alternative to the safeguard must be implemented that achieves the same objective.

The Security Rule breaks down the types of safeguards which must be adopted into three categories; administrative, physical, and technical safeguards. The safeguards outlined by the Security Rule are summarised as thus:

Technical Safeguards:

Required:

  • Implement a means of access control
  • Introduced activity logs and audit controls

Addressable:

  • Introduce a mechanism to authenticate ePHI
  • Implement tools for encryption and decryption
  • Facilitate automatic log-off of PCs and devices

Physical Safeguards:

Required:

  • Policies for the use/positioning of workstations
  • Policies and procedures for mobile devices

Addressable:

  • Facility access controls must be implemented
  • Inventory of hardware

Administrative Safeguards:

Required:

  • Conducting risk assessments
  • Introducing a risk management policy
  • Developing a contingency plan
  • Restricting third-party access

Addressable:

  • Training employees to be secure
  • Testing of contingency plan
  • Reporting security incidents

What are the HIPAA Training Requirements?

HIPAA’s training requirements are designed to be flexible so that an organisation may adjust them to their particular needs. HIPAA employee training features as an Administrative Requirement of the HIPAA Privacy Rule (45 CFR §164.530) and an Administrative Safeguard of the HIPAA Security Rule (45 CFR §164.308).

HIPAA’s Privacy Rule states that employee training should be offered “as necessary and appropriate for members of the workforce to carry out their functions”. HIPAA’s Security Rule requires CEs and BAs to “implement a security awareness and training program for all members of the workforce” (HIPAA Security Rule). There are no specific requirements as to what employers should include in a training course, how to conduct the courses, or how regularly the courses should take place.

Some advice for running a HIPAA training course includes:

  1. Keep training short and focused. We recommend that training sessions last no longer than forty minutes and are regular events rather than the annual refreshers mandated by the Department of Health and Human Services.
  2. Inform employees of the consequences of HIPAA data breaches, not just the financial implications for the CE or BA, but the implications for trainees, their colleagues, and victims of the breach.
  3. Senior management should be involved in the training as this highlights the importance of HIPAA compliance to employees.
  4. Keep the information concise and relevant and inform employees of what they are supposed to do to protect PHI and ePHI in their specific roles.
  5. Make the sessions interactive and engaging; use multimedia presentations to make the training memorable

HIPAA Violations

The cost of a HIPAA violation can be very damaging to an organisation. The OCR also has the power to prosecute a CE or a BA if they are found to be HIPAA non-compliant.

The penalty structure for HIPAA violations is divided into several different tiers. The tiers are divided based on many different factors, including the size of the organisation, if appropriate safeguards were in place before the violation, and if the organisation had any knowledge of the breach. The OCR will set the penalty based on many “general factors” and the seriousness of the HIPAA violation.

The categories of HIPAA violation are as follows:

  • Category 1: A violation that the CE was unaware of and could not have realistically avoided, had a reasonable amount of care had been taken to abide by HIPAA Rules
  • Category 2: A violation that the CE should have been aware of but could not have avoided even with a reasonable amount of care. (but falling short of willful neglect of HIPAA Rules)
  • Category 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation
  • Category 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation

The OCR has the power to waive a fee if the CE in question could not have been expected to avoid a data breach, a so-called “unknown violation”.

HIPAA Violation Penalty Structure

The OCR considers a wide range of factors when determining the appropriate penalty to be levied against a CE. This includes the length of time over which violation occurred, the number of people affected, and the breach had done the nature of the data exposed, the financial means of the organisation, and how much damage. The OCR also considers the organisation’s willingness to assist with the investigation. The maximum fine per violation category, per year, is $1,500,000. The fines are issued per violation category, per year that the violation was allowed to persist.

The fines per category are:

  • Category 1: Minimum fine of $100 per violation up to $50,000
  • Category 2: Minimum fine of $1,000 per violation up to $50,000
  • Category 3: Minimum fine of $10,000 per violation up to $50,000
  • Category 4: Minimum fine of $50,000 per violation

Fines may also be levied against an organisation depending on how many days over which the violation occurred, instead of by the number of patients affected. For example, if a CE has been denying patients the right to obtain copies of their medical records, and had been doing so for one year, the OCR may decide to apply a penalty per day that the CE has violated the law. Therefore, in this case, the penalty would be multiplied by 365.