HIPAA Privacy Rule: What Should Companies Operating in Healthcare Know?
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA), also known as the Kennedy-Kassebaum Act, is a United States federal statute. It was created initially to modernize the flow of healthcare information and to govern how personal health information is captured and maintained by the healthcare and health insurance industries. HIPAA is a national standard that protects patients’ sensitive personal health information from fraud and theft and addresses limitations on healthcare insurance coverage.
HIPAA was enacted by the 104th United States Congress and signed by President Bill Clinton on 21 August 1996. To standardise the handling of patients’ health information and protect it from being disclosed without the patient’s consent or knowledge, the US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement HIPAA requirements.
The HIPAA Security Rule protects a subset of information covered by the HIPAA Privacy Rule.
HIPAA Privacy Rule
The HIPAA Privacy Rule contains standards for individuals’ rights to understand and control how their health information is used; the information subject to the Privacy Rule is called “Protected Health Information” (PHI). The individuals and organizations that must follow the Privacy Rule standards are called “Covered Entities”.
The Privacy Rule focuses on:
Need for HIPAA Compliance
According to Health and Human Services (HHS), as healthcare moves to computerized operations, including Electronic Medical Records (EMR), Electronic Health Records (EHR), computerized physician order entry (CPOE) systems, and radiology, pharmacy, and laboratory systems, HIPAA compliance becomes more important for health care providers and other entities dealing with Protected Health Information (PHI): electronic information increases efficiency and mobility, but it also increases security risks.
The Privacy Rule’s protections are operationalized through technical and nontechnical safeguards that secure individuals’ electronic PHI (e-PHI). The Office for Civil Rights (OCR) is responsible for enforcing the Privacy and Security Rules through voluntary compliance activities and civil money penalties. The Security Rule establishes a national set of security standards for protecting health information held or transferred in electronic form.
The Security Rule, by design, is flexible enough to allow a covered entity to implement policies, procedures, and technologies that suit the entity’s size, organizational structure, and the risks to patients’ and consumers’ e-PHI. The Security Rule protects the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care.
The following types of individuals and organizations are covered entities subject to the Privacy Rule:
Table: Covered entities subject to the Privacy Rule
Exception: A group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity.
By law, the HIPAA Privacy Rule applies only to covered entities — health plans, health care clearinghouses, and certain health care providers. However, most health care providers and health plans do not carry out all their health care activities and functions by themselves. Instead, they often use the services of a variety of other persons or businesses.
The Privacy Rule allows covered providers and health plans to disclose protected health information to these “business associates” if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule. Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions — not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate.
Requirements for HIPAA Compliance
The regulation of HIPAA sets national standards that all covered entities and business associates must address.
Once organizations have identified their compliance gaps through these self-audits, they must implement remediation plans to reverse compliance violations. The remediation plans must be fully documented and include calendar dates by which the gaps will be remedied.
HIPAA-beholden organizations must document ALL efforts they take to become HIPAA compliant. This documentation is critical for passing HIPAA audits during a HIPAA investigation by HHS OCR.
If a covered entity or business associate suffers a data breach, it must have a process to document the breached data and to notify patients that their data has been compromised, in accordance with the HIPAA Breach Notification Rule.
Effective Compliance Programs: How Organizations Vet Compliance Programs
The Seven Elements of an Effective Compliance Program were created by the HHS Office of Inspector General (OIG) to guide organizations in vetting compliance solutions or creating their own compliance programs.
These are the bare minimum requirements that an effective compliance program must address. In addition to the full extent of the mandated HIPAA Privacy and Security standards, an effective compliance program must have the capacity to address all seven elements.
The Seven Elements of an Effective Compliance Program are given below:
Over the course of a HIPAA investigation, which the Office for Civil Rights (OCR) carries out in response to a HIPAA violation, federal HIPAA auditors judge the effectiveness of an organization’s HIPAA compliance by comparing its compliance program against all of the Seven Elements listed above.
What is a HIPAA violation?
“A HIPAA violation is any breach in an organization’s compliance program that compromises the integrity of PHI or ePHI.”
A data breach becomes a HIPAA violation when the breach is the result of an ineffective, incomplete, or outdated HIPAA compliance program or a direct violation of an organization’s HIPAA policies.
Not all data breaches are HIPAA violations, and a HIPAA violation differs from other data breaches. For example: if employees have an unencrypted company laptop with access to medical records, the company has no policy requiring laptops to be encrypted or barring them from being taken offsite, and the laptop is stolen, the incident is considered a HIPAA VIOLATION because the company had no policy in place.
a) HIPAA regulation sets out a set of protocols that covered entities and business associates must follow in the event of a breach.
b) For breaches affecting fewer than 500 individuals in a single jurisdiction, the HIPAA Breach Notification Rule requires entities to gather data on all such smaller breaches that occur over the course of the year and report them to HHS OCR within 60 days of the end of the calendar year in which they occurred.
c) Affected individuals must be notified that their data was involved in a breach within 60 days of the discovery of the breach.
d) Local law enforcement agencies should also be contacted immediately, and local media agencies notified so that potentially affected individuals within the relevant jurisdiction are alerted.
All breaches affecting 500 or more individuals are posted on the HHS Breach Notification Portal, the so-called “Wall of Shame.”
The HHS Wall of Shame is a permanent, searchable archive of all large-scale HIPAA breaches reported in the US since 2009. This searchable database is a concrete consequence of a HIPAA violation: it can permanently damage the reputation of healthcare organizations that experience a HIPAA violation or large-scale breach.
In 2017, OCR levied its first HIPAA settlement for a violation of the Breach Notification Rule: for the first time in the history of HIPAA enforcement, a $475,000 fine was levied against Presence Health for failure to properly follow the HIPAA Breach Notification Rule. Federal HIPAA auditors levy HIPAA fines on a sliding scale, ranging from $100 to $50,000 per incident depending on the level of perceived negligence.
If auditors detect that the organization under investigation has neglected to perform a “good faith effort” toward HIPAA compliance, fines can become astronomical.
HIPAA compliance is more important now than ever before!
What are common HIPAA violations?
Some common causes of HIPAA violations:
These HIPAA violations commonly fall into several categories:
Who is not required to comply with HIPAA?
Many organizations that have health information about you do not have to follow these laws.
Examples of organizations that do not have to follow the Privacy and Security Rules include:
HIPAA Compliance during the COVID-19 pandemic
Maintaining privacy and compliance is a more difficult task in healthcare, and healthcare is undoubtedly the sector set to change over the next several years because of the pandemic. Multiple factors have increased the risk to private health information
How to file a complaint if an individual’s health information privacy rights are violated
You may file a complaint with the Office for Civil Rights (OCR) if you believe that a HIPAA-covered entity or its business associate violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy, Security, or Breach Notification Rules. OCR will investigate complaints against covered entities and their business associates. Complaints can be filed through the OCR online portal, which can be easier than filing by mail.
So, how do you avoid issues with HIPAA compliance?
The Department of Health and Human Services (HHS) proactively updates the rules for those who fall under HIPAA coverage (the “covered entities”). Make sure to follow these HIPAA compliance updates to protect both your environment and your reputation.
“Stay Up-to-Date to Avoid Issues”
This article is for general information only and is not formal legal advice.