The Health Insurance Portability and Accountability Act (HIPAA) was first introduced in 1996 by the United States Congress. Initially, the legislation was introduced to ensure that people who were temporarily out of work would still be covered by health insurance. Although it still serves this purpose, it is now more famous for its role in introducing new standards for the protection of sensitive healthcare information. Data breaches can have significant consequences for patients, as criminals may use healthcare information to commit identity theft or fraud. As such, healthcare organisations are always under attack from hackers who wish to steal this information to sell on the black market for a substantial profit.
HIPAA’s role is still evolving, adapting to the new threats the healthcare industry faces. It is one of the most important pieces of healthcare legislation in the United States.
Before HIPAA, there was no consensus amongst healthcare professionals as to the best practices for protecting private healthcare information (PHI). HIPAA introduced several industry-wide standards to address the issues of PHI security.
Additionally, HIPAA was introduced to improve efficiency and patient experience in the healthcare industry. HIPAA introduced new practices to help healthcare organisations across the country reduce the amount of paperwork, thus creating a better workflow. HIPAA required that code sets be used along with patient identifiers, which helped pave the way for the efficient transfer of healthcare data between healthcare organisations and insurers. This has had the effect of streamlining eligibility checks, billing, payments, and other healthcare operations. It is hoped that with more efficient management of patient data, the patient’s experience is improved.
HIPAA also serves many other, less famous, functions. It covers areas from the banning of tax deductions for interest on life insurance loans to the standardisation of the amount that may be saved in a pre-tax medical savings account.
HIPAA is a comprehensive legislative act incorporating the requirements of several other legislative acts, including:
Understanding what constitutes PHI is a critical aspect of HIPAA compliance. PHI encompasses any information which could be used to identify which patient is connected to a healthcare record. If an unauthorised individual gains access to this information, the patient may be at risk of identity fraud. Here we have listed eighteen so-called “personal identifiers”.
HIPAA applies to health plans, health care clearinghouses, health care providers and endorsed sponsors of the Medicare prescription drug discount card. These organisations are referred to as “HIPAA Covered Entities” (CEs). Under certain circumstances, an organisation may be exempt from HIPAA.
If an organisation provides a third-party service to a CE and may come into contact with PHI by doing so, it is required to follow HIPAA’s Rules. These organisations are known as “Business Associates” (BAs). Although they do not create, receive, maintain or transmit PHI, they must ensure that they have adequate safeguards in place to ensure its protection. CEs and BAs must sign a Business Associate Agreement, guaranteeing the integrity of any PHI to which the BA has access, before they can start any operations.
The Rules address specific security requirements, such as the safeguards that should be implemented or response frameworks that should be in place if a data breach were to occur.
Privacy Rule – defines PHI and informs CEs and BAs of their responsibilities to protect patient data. The Minimum Necessary Rule is also part of the Privacy Rule, and stipulates that should PHI be handed over to a third party, only the minimum amount of data necessary to complete the specific task should be handed over.
Security Rule – outlines the minimum physical, technical, and administrative safeguards needed to protect electronic PHI.
Breach Notification Rule – outlines procedures that must be followed in the aftermath of a breach to ensure that the risk of damage to patients is minimal. Employees must be informed of how and when to notify the OCR and the media.
Enforcement Rule – contains guidance on the fines and penalties that may be levied against a CE should a data breach occur. (The OCR and the Department of Health and Human Services can alter punishments at their discretion.)
Omnibus Rule – covers a wide range of privacy-related areas, from the length of time a patient’s records can be held to the encryption requirements of PHI.
Understanding HIPAA’s safeguard requirements is an integral part of ensuring compliance. One area of HIPAA that has led to some confusion is the difference between “required” and “addressable” safeguards. Each safeguard is “required” unless there is a justifiable reason not to implement the safeguard. If the CE finds a reason not to implement a certain “required” safeguard, then an appropriate alternative to the safeguard must be implemented that achieves the same objective.
The Security Rule breaks down the types of safeguards which must be adopted into three categories: administrative, physical, and technical safeguards. The safeguards outlined by the Security Rule are summarised as follows:
HIPAA’s training requirements are designed to be flexible so that an organisation may adjust them to their particular needs. HIPAA employee training features as an Administrative Requirement of the HIPAA Privacy Rule (45 CFR §164.530) and an Administrative Safeguard of the HIPAA Security Rule (45 CFR §164.308).
HIPAA’s Privacy Rule states that employee training should be offered “as necessary and appropriate for members of the workforce to carry out their functions”. HIPAA’s Security Rule requires CEs and BAs to “implement a security awareness and training program for all members of the workforce” (HIPAA Security Rule). There are no specific requirements as to what employers should include in a training course, how to conduct the courses, or how regularly the courses should take place.
Some advice for running a HIPAA training course includes:
The cost of a HIPAA violation can be very damaging to an organisation. The OCR also has the power to prosecute a CE or a BA if they are found to be HIPAA non-compliant.
The penalty structure for HIPAA violations is divided into several different tiers. The tiers are divided based on many different factors, including the size of the organisation, if appropriate safeguards were in place before the violation, and if the organisation had any knowledge of the breach. The OCR will set the penalty based on many “general factors” and the seriousness of the HIPAA violation.
The categories of HIPAA violation are as follows:
The OCR has the power to waive a fee if the CE in question could not have been expected to avoid a data breach, a so-called “unknown violation”.
The OCR considers a wide range of factors when determining the appropriate penalty to be levied against a CE. These include the length of time over which the violation occurred, the number of people affected, the nature of the data exposed, the financial means of the organisation, and how much damage the breach had done. The OCR also considers the organisation’s willingness to assist with the investigation. The maximum fine per violation category, per year, is $1,500,000. The fines are issued per violation category, per year that the violation was allowed to persist.
The fines per category are:
Fines may also be levied against an organisation based on the number of days over which the violation occurred, instead of on the number of patients affected. For example, if a CE has been denying patients the right to obtain copies of their medical records, and had been doing so for one year, the OCR may decide to apply a penalty per day that the CE has violated the law. Therefore, in this case, the penalty would be multiplied by 365.
Copyright © 2019 ComplianceHome