HIPAA dates back to 1996 and stands for the Health Insurance Portability and Accountability Act. At first HIPAA’s regulations were vague, with little to no enforcement. That changed in 2009 with the HITECH Act (Health Information Technology for Economic and Clinical Health), which was part of the 2009 American Recovery and Reinvestment Act. This act charged the Office for Civil Rights (OCR) with enforcing HIPAA’s policies, set a minimum penalty of $50,000, and the law even states that “a medical entity’s reasonable lack of knowledge of a violation…is no longer accepted.” In 2013, HIPAA’s reach extended to companies working with medical entities, known as Business Associates (BAs).
Who Does HIPAA Regulate?
Any business that creates, stores, edits, or transfers Protected Health Information (PHI) must comply with HIPAA regulations. HIPAA defines PHI as health information that:
- Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse.
- Relates to the past, present, or future physical or mental health or condition of any individual, or the past, present, or future payment for the provision of health care to an individual.
ePHI is the electronic version of PHI, known as Electronic Protected Health Information.
HIPAA breaks businesses into two categories:
- Covered Entities (CEs): health plans, clearinghouses, and providers (doctors, clinics, psychologists, dentists, chiropractors, nursing and hospice homes, and pharmacies).
- Business Associates (BAs): any company that comes into contact with PHI, including IT firms, shredding companies, document storage companies, attorneys, accountants, collection agencies, EMR (Electronic Medical Record) companies, data centers, transcriptionists, and many more.
HIPAA also requires all CEs to have a BA Agreement (called a BAA for short) with each Business Associate they work with directly.
HIPAA’s Main Components
HIPAA is made up of 3 main aspects: Privacy, Security, & Breach Notification.
HIPAA Privacy Rule
In 2003, Congress explicitly defined what PHI (Protected Health Information) is and what privacy regulations medical entities must comply with. This ruling gave patients specific rights in regards to their medical records, created civil and criminal penalties for violations, and required all Covered Entities to provide a Notice of Privacy Practices (NPP) to patients. It also required all companies complying with HIPAA to have a Privacy Officer. Although the position does not need to be a full-time job, the role does need to be part of that person’s job description and evaluation.
A Privacy Officer knows HIPAA’s Privacy Rule, is the go-to person in your organization for privacy questions, and is responsible for the organization’s privacy policies.
The HIPAA Privacy Rule’s Safe Harbor verbiage defined the 18 elements of Protected Health Information (PHI) that must be de-identified or encrypted before sharing as:
HIPAA Security Rule
In 2005, Congress added the Security Rule, which defined ePHI (Electronic Protected Health Information) and protected it from loss and unauthorized access. The Security Rule requires companies to ensure the confidentiality, integrity, and availability of all the ePHI they create, maintain, or transmit. It also requires them to identify and protect against reasonably anticipated threats to the security and integrity of that information, and to protect it against reasonably anticipated impermissible uses or disclosures.
The Security Rule also requires a Security Officer, who can be the same person as the Privacy Officer; this role too must be part of the job description and evaluation. The Security Officer oversees the implementation of the Security Rule, is responsible for training the staff, and makes sure the company follows HIPAA security rules.
HIPAA notes three types of Security Safeguards:
- Physical safeguards – how you secure your building and devices
- Electronic safeguards – how you secure your connectivity and access
- Administrative safeguards – how you implement policies and train your workforce
HIPAA is flexible when it comes to security. While not knowing is still unacceptable, auditors do take into consideration:
- Your size, complexity, and capabilities,
- Your technical, hardware, and software infrastructure,
- The costs of security measures, and
- The likelihood and possible impact of potential risks to PHI
This flexibility means a single medical provider is not held to the same standards as a large hospital. HIPAA does require that CEs review and modify their security measures to continually protect PHI since the technology environment is ever changing.
HIPAA’s Breach Notification Rule
HIPAA defines a breach as any time that PHI or ePHI is out of the control of an authorized person contracted by the Covered Entity or Business Associate, including any time it is used or viewed inappropriately, even if it appears to be a simple mistake like handing the wrong folder to a patient or leaving a voicemail on the wrong phone. In both examples, a person not authorized to do so viewed protected patient data.
When a PHI breach occurs, you should use a 4-Factor Assessment to determine whether you need to notify people. The four factors are:
- The nature and extent of the PHI/ePHI involved
- The unauthorized person who received or used it
- Whether the PHI/ePHI was actually viewed or acquired
- The extent to which the risk has been mitigated
HIPAA requires companies to have a written breach response plan and policy that names the response team and team leader. If you have a breach, you must offer credit monitoring to those affected, as well as a toll-free phone number, listed on your website, for information and questions. As the Covered Entity, you must notify the affected individuals within 60 days of the incident. (Business Associates do not notify affected individuals; they notify the Covered Entity, which then notifies the individuals.)
CEs must report all breaches to HHS (Department of Health & Human Services), but the urgency varies with the magnitude.
- Fewer than 500 individuals – report the breach within 60 days of the end of the calendar year [by March 1]
- Over 500 individuals – notify HHS within 60 days and issue a press release to the local media outlets
Notifying the media will deal a major blow to your organization’s reputation, and you can expect a fine from OCR (Office for Civil Rights). That fine can be up to $1.5 million per incident, per year [remember, neglect and not knowing are not acceptable]. Although a patient cannot sue you for a HIPAA violation, you can go to jail, and you will incur legal fees dealing with a data breach.
Compared to the cost of dealing with a breach, it is much better to be proactive and minimize your risk.
In the end, you need to create a culture of compliance within your organization.