After HIPAA had been signed into law, the US Department of Health and Human Services set about developing the first HIPAA Privacy and Security Rules. The Privacy Rule had an actual compliance date of April 14, 2003, and it defined Protected Health Information (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual”.
Instructions were published on how PHI should be disclosed and that permission should be received from patients before using their personal information for marketing, fundraising or research. It also gave patients the right to withhold information about their healthcare from health insurance suppliers when their treatment is privately financed.
The HIPAA Security Rule became enforceable two years after the original legislation on April 21, 2005. Dealing specifically with electronically stored PHI (ePHI), the Security Rule put in place three security security measures – administrative, physical and technical – that must be complied with in full in order to comply with HIPAA. The safeguards had the following aims:
- Administrative – to develop policies and procedures designed to clearly show how the entity will comply with the legislation.
- Physical – to control physical access to places where data is stored to secure against inappropriate access
- Technical – to safeguard communications which have PHI when sent electronically over open networks
When Did HIPAA Become Enforceable?
HIPAA became law on August 21, 1996, but there have been major amendments to HIPAA over the past 20 years: The introduction of the Privacy Rule, Security Rule, Breach Notification Rule, and the Omnibus Final Rule.
The most significant effective dates are: April 14, 2003 for the HIPAA Privacy Rule, although there was an extension of one year for small health plans, that were required to adhere with the HIPAA Privacy Rule provisions by April 14, 2004.
The effective compliance date for the HIPAA Security Rule was April 21, 2005. As with the HIPAA Privacy Rule, small health plans were given an extra year to adhere with the provisions of the HIPAA Security Rule and had an effective compliance date of April 21, 2006.
The HIPAA Breach Notification Rule became enforceable on September 23, 2009 and the Omnibus Final Rule became effective on March 26, 2013.
The Enforcement Rule
The failure of many covered entities to fully comply with the HIPAA Privacy and Security Rules lead to the introduction of the Enforcement Rule in March 2006. The Enforcement Rule gave the Department of Health and Human Services the power to look into complaints against covered entities for failing to comply with the Privacy Rule, and to fine covered entities for avoidable breaches of ePHI due to not following the security provisions laid down in by the Security Rule.
The Department´s Office for Civil Rights was also given the authority to bring criminal charges against persistent offenders who fail to introduce corrective measures within 30 days. People also have the right to pursue civil legal action against the covered entity if their personal healthcare information has been shared without their permission if it causes them to come to “serious harm”.
The Breach Notification Rule & HITECH 2009
In 2009 the Health Information Technology for Economic and Clinical Health Act (HITECH) was introduced. HITECH had the chief goal of compelling healthcare authorities to put in place the use of Electronic Health Records (EHRs) and introduced the Meaningful Use incentive program. Stage one of Meaningful Use was rolled out the following year, incentivizing healthcare groups to maintain the Protected Health Information of patients in electronic format, instead of paper files.
With the incentive program also came an extension of HIPAA Rules to Business Associates and third-party suppliers to the healthcare sector, and the introduction of the Breach Notification Rule – which stated that all breaches of ePHI affecting more than 500 people must be reported to the Department of Health and Human Services’ Office for Civil Rights. The criteria for reporting breaches of ePHI were then extended in the Final Omnibus Rule of March 2013.
2013: The Final Omnibus Rule
The latest act of legislation in HIPAA history was the Final Omnibus Rule of 2013. The rule barely introduced any new legislation, but plugged gaps in existing HIPAA and HITECH regulations – for example, specifying the encryption standards that need to be put in place in order to render ePHI unusable, undecipherable and unreadable in the event of a breach.
Many definitions were changed or added to clear up grey areas – for instance the definition of “workforce” was changed to make it clear that the term includes employees, volunteers, trainees, and other persons whose behaviour, in the performance of work for a covered entity or Business Associate, is under the direct management of the covered entity or Business Associate.
The Privacy and Security Rules were also altered to permit patient´s health information to be held indefinitely (the previous legislation had stated it be held for fifty years), while new procedures were written into the Breach Notification Rule. New penalties were also implemented – as dictated by HITECH – to covered bodies that fell afoul of the HIPAA Enforcement Rule.
Amendments were also included to allow for changing work practices brought about by technological evolution, covering the use of mobile devices in particular. A major number of healthcare workers are now using their own mobile devices to access and communicate ePHI, and the Final Omnibus Rule included new administrative processes and policies to account this, and to cover scenarios which could not have been predicted in 1996. The complete text of the Final Omnibus Rule can be found here.
After many delays, the deadline for the United States to use Clinical Modification ICD-10-CM for diagnosis coding and Procedure Coding System ICD-10-PCA for inpatient hospital procedure coding was established as October 1, 2015. All HIPAA covered groups must use ICD-10-CM. Another requirement is these of EDI Version 5010.
Significant Dates in HIPAA History
- HIPAA Signed into Law by President Bill Clinton – August 1996
- Effective Date of the HIPAA Privacy Rule – April 2003
- Effective Date of the HIPAA Security Rule April 2005
- Effective Date of the HIPAA Breach Enforcement Rule March 2006
- Effective date of HITECH and the Breach Notification Rule – September 2009
- Effective Date of the Final Omnibus Rule March 2013
In certain instances, CEs and BAs were given a period of time to adhere with the provisions of each Rule. For instance, although the effective date of the Final Omnibus Rule was March 2013, CEs and BAs were given 180 days to comply.
Results of the Final Omnibus Rule
What the Final Omnibus Rule achieved more than any previous legislation was to make covered groups more aware of HIPAA security measures that they had to adhere to. Many healthcare groups – who had been in breach of HIPAA for almost two decades – put in place a number of measures to comply with the regulations, such as using data encryption on portable devices and computer networks, establishing secure messaging solutions for internal communications with care teams, installing web filters and taking more care to archive emails safely.
The fines now being applied for data breaches along with the colossal costs of issuing breach alerts, providing credit monitoring services and conducting damage mitigation makes investment in new technology to safeguard data appear cheap by comparison.
Program for HIPAA Compliance Audit
In 2011, the Office for Civil Rights began a series of pilot compliance audits to assess how well healthcare providers were putting in place HIPAA Privacy and Security Rules. The initial found of audits was completed in 2012 and emphasised the dire state of healthcare compliance.
Audited organizations registered numerous breaches of the HIPAA Breach Notification Rule, Privacy Rule and Security Rule, with the latter leading to the highest number of violations. The OCR issued action plans to help those groups achieve compliance; however for the second round of audits it is not expected to be as soft.
Audits are expected to focus on the specific areas which proved difficult for so many healthcare providers, while a permanent audit plan is being established to ensure continued HIPAA compliance. The age of lax security standards has now passed and the healthcare sector, like the financial industry before it, must raise standards to make sure confidential data remains private.
Any covered group that does not put in place the required controls faces financial penalties, sanctions, potential loss of license and even criminal proceedings for not securing ePHI.
How to Achieve Complete HIPAA Compliance
Our “HIPAA Compliance Checklist” includes the elements of the Health Insurance Portability and Accountability Act regarding the storage, transmission and disposal of electronic Protected Health Information, the actions groups must take in response to a breach and the policies and procedures which must be adopted to achieve complete compliance.
HIPAA regulations may be strict, yet covered groups are allowed some flexibility on the privacy and security safeguards used to protect data. Data encryption, for instance, must be addressed but not necessarily put in place if other controls provide the necessary protection.
Some of the main technical security measures used to protect and control ePHI actually help to streamline communication and data flow, and groups which have adopted secure communications channels and implemented data controls have benefited from enhanced efficiency, faster response times and have improved patient outcomes, while ensuring that patient health data remains fully secured at all times.
Technical Security Measures to Secure ePHI and Personal Identifiers
- Data Encryption: The implementation of laptop computers and other mobile devices for storing or accessing ePHI inevitably results in a HIPAA breach if those devices are lost, stolen or improperly recycled. Password protection of devices – and the data they include – is a reasonable step to stop unauthorized access, but alone it is insufficient to supply the necessary protection for health data. Passwords can simply be cracked by hackers and do not provide enough high level of security. Data encryption involves the conversion of data into indecipherable symbols – called cipher text – by complex algorithms, that require a security key to change the data back into its original form. Data encryption ensures privacy, but can provide other security benefits such as verification of users, access logging, the elimination of record changes and non-repudiation of access and/or theft. The level of security can be changed as appropriate based on the sensitivity of the data it is used to safeguard. Data may be encrypted with single security key access or with separate keys for encryption and decryption (symmetric and asymmetric data encryption). If a mobile device is lost or stolen or if computer networks are hacked, while this will be considered a security breach, it would not be a HIPAA violation unless the access key is also shared.
- Secure Messaging: The healthcare sector and the pager appear almost inseparable, yet this is about to change. The concentration on HIPAA compliance currently centers on Smartphones and wearable technology, yet the pager is not HIPAA compliant. All mobile devices send data over unsecured networks and therefore rely on the users not sharing. ePHI. BYOD schemes have now been introduced by many healthcare suppliers, although modern mobile devices have even greater potential to cause HIPAA violations due to the ease at which personal identifiers and ePHI can be shared. Policies and procedures may be put in place to manage how these devices are used, although surveys imply that in practice many medical professionals are still using the devices to communicate ePHI. Secure messaging solutions stop this. They work by maintaining ePHI on a secure database and then allowing authorized medical workers to access the data via downloadable secure messaging apps. Communications are sent through a secure messaging platform which has administrative controls in place to review the activity of the authorized personnel. They also ask compliance officers to produce risk assessments, as required by HIPAA and Office for Civil Rights’ auditors. Many healthcare groups have reported that the implementation of secure messaging solutions has enhanced productivity by streamlining communications, increasing message accountability and speeding up response times. According to studies carried out in HIPAA-compliant medical facilities, efficiency has also improved, leading to a higher standard of healthcare being delivered to patients.
- Compliant Cloud Storage: The shift from physical health records to electronic data formats has needed considerable investment in IT infrastructure. The demands placed on healthcare groups to continually upgrade servers and networks, and hire the staff to manage data centers, can be considerable. In addition to the hardware, space must be devoted to storing the equipment and physical controls must be implemented to control access. The computer equipment now needed to run large networks and store healthcare data requires cooling systems to be installed to dissipate the heat the equipment produces. The most cost effective solution for many healthcare suppliers is to outsource data storage and take advantage of the cloud to store data. HIPAA-compliant cloud hosting uses the proper controls to secure all stored data with encryption. By outsourcing, healthcare groups can adhere with HIPAA regulations without having to spend so heavily in IT infrastructure.
- Compliant Mobile Platforms (App Development): Mobile health applications are popular with patients for recording and monitoring health and fitness, and wearable devices have potential to revolutionize home healthcare. They can be used along with e-visits to provide home care services to patients at a fraction of the healthcare clinic visits. Patient portals similarly have great potential and enhance interaction between care providers and patients, and eliminate unnecessary costs while helping to improve patient outcomes. The evolution of HIPAA compliant mobile apps frameworks, compliant storage and HIPAA compliant web solutions means healthcare suppliers can take advantage of the benefits of new technology without endangering the privacy and security of patient data.