HIPAA Privacy Rule: What Companies Operating in Healthcare Should Know
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA), also known as the Kennedy-Kassebaum Act, is a United States federal statute. It was created initially to modernize the flow of healthcare information and to govern how personal health information is captured and maintained by the healthcare and health insurance industries. HIPAA is a national standard that protects patients’ sensitive personal health information from fraud and theft and addresses limitations on healthcare insurance coverage.
HIPAA was enacted by the 104th United States Congress and signed by President Bill Clinton on 21 August 1996. To standardise the handling of patient health information and protect it from being disclosed without the patient’s consent or knowledge, the US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement HIPAA’s requirements.
The HIPAA Security Rule protects a subset of information covered by the HIPAA Privacy Rule.
HIPAA Privacy Rule
The HIPAA Privacy Rule contains standards for individuals’ rights to understand and control how their health information is used; the information subject to the Privacy Rule is called “Protected Health Information” (PHI). The individuals and organizations that must follow the Privacy Rule standards are called “Covered Entities”.
The Privacy Rule focuses on:
- Standards for individuals’ rights to understand and control how their health information is used.
- Ensuring that individuals’ health information is properly protected while still allowing the flow of health information needed to provide and promote high-quality health care.
- Protecting the public’s health and well-being by striking a balance: permitting important uses of information while protecting privacy.
- Safeguarding data and preventing it from being accessed by unauthorized individuals.
- Allowing patients to obtain copies of their health information.
Need for HIPAA Compliance
According to Health and Human Services (HHS), as healthcare moves to computerized operations, including Electronic Medical Records (EMR), Electronic Health Records (EHR), computerized physician order entry (CPOE) systems, and radiology, pharmacy, and laboratory systems, HIPAA compliance becomes more important for health care providers and other entities dealing with Protected Health Information (PHI): electronic information increases efficiency and mobility, but it also increases the security risks.
The Privacy Rule applies to both technical and nontechnical entities and secures individuals’ electronic PHI (e-PHI). The Office for Civil Rights (OCR) is responsible for enforcing the Privacy and Security Rules through voluntary compliance activities and civil money penalties. The Security Rule establishes a national set of security standards for protecting health information that is held or transferred in electronic form.
The Security Rule is, by design, flexible enough to allow a covered entity to implement policies, procedures, and technologies suited to the entity’s size, organizational structure, and the risks to patients’ and consumers’ e-PHI. The Security Rule protects the privacy of individuals’ health information while allowing covered entities to adopt new technologies that improve the quality and efficiency of patient care.
Subject to the Privacy Rule the following types of individuals and organizations are considered covered entities:
Table: Covered entities subject to the Privacy rule
- Healthcare providers: Any healthcare provider that electronically transmits health information in connection with certain transactions, regardless of the size of the practice. These transactions include claims, benefit eligibility inquiries, referral authorization requests, and other transactions for which HHS has established standards under the HIPAA Transactions Rule.
- Health plans: Entities that provide or pay the cost of medical care. Health plans include health, dental, vision, and prescription drug insurers; health maintenance organizations (HMOs); Medicare, Medicaid, Medicare+Choice, and Medicare supplement insurers; and long-term care insurers (excluding nursing home fixed-indemnity policies). Health plans also include employer-sponsored group health plans, government- and church-sponsored health plans, and multi-employer health plans.
Exception: A group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity.
- Healthcare clearinghouses: Entities that process nonstandard information they receive from another entity into a standard (i.e., standard format or data content), or vice versa. In most cases, healthcare clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or healthcare provider as a business associate.
- Business associates: A person or organization (other than a member of a covered entity’s workforce) using or disclosing individually identifiable health information to perform or provide functions, activities, or services for a covered entity. These functions, activities, or services include claims processing, data analysis, utilization review, and billing.
By law, the HIPAA Privacy Rule applies only to covered entities — health plans, health care clearinghouses, and certain health care providers. However, most health care providers and health plans do not carry out all their health care activities and functions by themselves. Instead, they often use the services of a variety of other persons or businesses.
The Privacy Rule allows covered providers and health plans to disclose protected health information to these “business associates” if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule. Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions — not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate.
Requirements for HIPAA Compliance
The HIPAA regulation sets national standards that all covered entities and business associates must address.
- Self-Audits:
- a) Conduct annual audits of the organization to assess Administrative, Technical, and Physical gaps in compliance with the HIPAA Privacy and Security standards.
- b) Under HIPAA, a Security Risk Assessment is NOT ENOUGH to be compliant; it is only one of the essential audits that HIPAA-beholden entities are required to perform to maintain their compliance year over year.
- Remediation Plans:
Once gaps in compliance have been identified through these self-audits, organizations must implement remediation plans to correct the compliance violations. The remediation plans must be fully documented and include calendar dates by which the gaps will be remedied.
- Policies, Procedures, Employee Training:
- a) Develop Policies and Procedures corresponding to the regulatory standards outlined by the HIPAA Rules. These policies and procedures should be regularly updated and adapted within the organization.
- b) Annual staff training on these Policies and Procedures is required, and it should be documented with an employee attestation stating that staff have read and understood each of the organization’s policies and procedures.
HIPAA-beholden organizations must document ALL efforts they take to become HIPAA compliant. This documentation is critical during a HIPAA investigation with HHS OCR to pass HIPAA audits.
- Business Associate Management:
- a) Document the details of every vendor with whom the covered entity shares PHI in any way, and execute Business Associate Agreements with them to ensure PHI is handled securely and to mitigate liability.
- b) Conduct an annual review to account for changes in the nature of the organization’s relationships with vendors; the agreement must be executed before ANY PHI can be shared.
- Incident Management:
Organizations should have a process to document the breached data when a covered entity or business associate suffers a data breach, and to notify patients that their data has been compromised in accordance with the HIPAA Breach Notification Rule.
An Effective Compliance Program: How Organizations Can Vet Compliance Programs
The Seven Elements of an Effective Compliance Program were created by the HHS Office of Inspector General (OIG) to guide organizations in vetting compliance solutions or creating their own compliance programs.
These are the bare-bones, absolute minimum requirements that an effective compliance program must address. In addition to the full extent of the mandated HIPAA Privacy and Security standards, an effective compliance program must have the capacity to address all seven elements.
The Seven Elements of an Effective Compliance Program are given below:
- Implementing written policies, procedures, and standards of conduct.
- Designating a compliance officer and compliance committee.
- Conducting effective training and education.
- Developing effective lines of communication.
- Conducting internal monitoring and auditing.
- Enforcing standards through well-publicized disciplinary guidelines.
- Responding promptly to detected offences and undertaking corrective action.
When the Office for Civil Rights (OCR) carries out a HIPAA investigation in response to a HIPAA violation, federal HIPAA auditors will compare your organization’s compliance program against all of the Seven Elements listed above to judge the effectiveness of its HIPAA compliance.
What is a HIPAA violation?
“A HIPAA violation is any breach in an organization’s compliance program that compromises the integrity of PHI or ePHI.”
A data breach becomes a HIPAA violation when the breach is the result of an ineffective, incomplete, or outdated HIPAA compliance program or a direct violation of an organization’s HIPAA policies.
Not all data breaches are HIPAA violations; a HIPAA violation differs from other data breaches. For example: employees have unencrypted company laptops with access to medical records, and one of the laptops is stolen. If the company has no policy barring laptops from being taken offsite or requiring them to be encrypted, the theft is considered a HIPAA VIOLATION, because the company has no policy in place.
a) HIPAA regulation sets out protocols that covered entities and business associates must follow in the event of a breach.
b) For breaches affecting fewer than 500 individuals in a single jurisdiction, the HIPAA Breach Notification Rule requires entities to gather data on all such smaller breaches that occur over the course of the year and report them to HHS OCR within 60 days of the end of the calendar year in which they occurred.
c) Affected individuals must be notified that their data was involved in a breach within 60 days of the discovery of the breach.
d) Local law enforcement agencies should also be contacted immediately, in addition to local media agencies to alert potentially affected individuals within the necessary jurisdiction.
All breaches affecting 500 or more individuals are posted on the HHS Breach Notification Portal, or “Wall of Shame.”
The HHS Wall of Shame is a permanent, searchable archive of all large-scale HIPAA breaches reported in the US since 2009. This searchable database is a concrete consequence of a HIPAA violation: it can permanently damage the reputation of healthcare organizations that experience a HIPAA violation or large-scale breach.
In 2017, OCR levied its first HIPAA settlement for a violation of the Breach Notification Rule. For the first time in the history of HIPAA enforcement, a $475,000 fine was levied against Presence Health for failure to properly follow the HIPAA Breach Notification Rule. Federal HIPAA auditors levy fines on a sliding scale, ranging from $100 to $50,000 per incident depending on the level of perceived negligence.
If auditors detect that the organization under investigation has neglected to perform a “good faith effort” toward HIPAA compliance, fines can become astronomical.
HIPAA compliance is more important now than ever before!
What are common HIPAA violations?
Some common causes of HIPAA violations:
- Stolen laptop
- Stolen phone
- Stolen USB device
- Malware incident
- Ransomware attack
- Business associate breach
- EHR breach
- Office break-in
- Sending PHI to the wrong patient/contact
- Discussing PHI outside of the office
- Social media posts
These HIPAA violations commonly fall into several categories:
- Use and disclosure: A Use and Disclosure violation occurs when a covered entity or business associate improperly distributes PHI or ePHI to an incorrect party. Example: A doctor’s office mailed PHI to a patient’s employer without obtaining proper permission from the patient.
- Improper security safeguards: A HIPAA violation results when the standards of the HIPAA Security Rule are not properly followed. HIPAA-beholden entities must have proper Physical, Administrative, and Technical safeguards in place to keep PHI and ePHI secure. Medical data is worth three times as much as financial data on the black market, which makes healthcare organizations attractive targets for cyberattacks. HIPAA security safeguards can defend health care organizations against ransomware and prevent HIPAA violations.
- The Minimum Necessary Rule: This is a component of the HIPAA Privacy Rule. It states that employees of covered entities may only access, use, transmit, or otherwise handle the minimum amount of PHI necessary to complete a given task. If a larger portion of a patient’s medical record is exposed than is necessary, it is considered a data breach and can lead to a violation of the HIPAA Privacy Rule and resultant HIPAA fines.
- Access controls: These limit the number of staff members at an organization who have access to PHI.
- Notice of Privacy Practices: A Notice of Privacy Practices is mandatory under the HIPAA Privacy Rule. Covered entities must allow patients to review and agree to the organization’s Notice of Privacy Practices before beginning treatment. Patients have certain rights to the access, privacy, and integrity of their health care data and PHI.
Who is not covered by HIPAA?
Many organizations that hold health information about you do not have to follow these laws.
Examples of organizations that do not have to follow the Privacy and Security Rules include:
- Life insurers
- Workers’ compensation carriers
- Most schools and universities
- State agencies like child protective service agencies
- Most law enforcement agencies
- Many municipal offices
HIPAA Compliance during COVID-19 pandemic
Maintaining privacy and compliance has become a more difficult task in healthcare, and healthcare is undoubtedly set to change over the next several years because of the pandemic. Several factors have increased the risk to private health information:
- Multiple Care Providers
- Remote health services
- Dependency on technology
How to file a complaint if an individual’s health information privacy rights are violated
You may file a complaint with the Office for Civil Rights (OCR) if you believe that a HIPAA-covered entity or its business associate violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy, Security, or Breach Notification Rules. OCR investigates complaints against covered entities and their business associates. Complaints can be filed through the OCR online portal, which is easier than filing by mail.
So, how do you avoid issues with HIPAA compliance?
The Department of Health and Human Services (HHS) proactively updates the rules for those who fall under HIPAA coverage (the “covered entities”). Make sure to follow these updates to maintain the safest environment and protect your reputation.
“Stay Up-to-Date to Avoid Issues”
This article is for general information only and is not formal legal advice.