The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 with several key goals in mind. First and foremost, it aimed to allow workers to maintain their healthcare coverage when changing jobs. Additionally, it aimed to protect individuals with pre-existing health conditions from discrimination by insurance providers and ensure that multi-employer health insurance plans provided renewability of coverage.During that time, the cost of health insurance was skyrocketing. To prevent insurance companies from further increasing premiums and deductibles due to the added provisions of portability and accountability, cost-cutting measures were incorporated into the Act. These measures aimed to reduce fraud in healthcare and streamline the administration of health claims processing.As the Act made its way through Congress, additional amendments were made, including measures related to medical liability reform, medical savings accounts, and revenue offsets. While these amendments were significant, the groundbreaking aspects of the Act were primarily found in Titles 1 and 2, which impacted millions of workers, patients, and employees in the health insurance and healthcare industries.
While HIPAA is commonly associated with the Privacy, Security, and Breach Notification Rules of the Administrative Simplification Regulations, it is crucial to note that HIPAA encompasses broader provisions. Among them are the titles addressing health care access, portability, and renewability, as well as tax-related health provisions governing medical savings accounts.
The passage of the Health Insurance Portability and Accountability Act (HIPAA) was prompted by a Congressional Report, which highlighted that 10% of health care spending in the U.S. was being lost due to fraudulent and unethical practices by certain health care providers. One contributing factor to this problem was the lack of uniformity in transaction rules and code sets used by different health care providers and plans when processing health claims. To address this issue, Congress directed the Secretary of Health and Human Services (HHS) to establish nationwide standards for all health claims transactions, such as eligibility checks, treatment authorizations, and claims for payment. These standards are now known as the HIPAA Administrative Requirements and can be found in Part 162 of HIPAA subparts I to S.In addition to standardizing transactions, HHS was also tasked with developing standards for the electronic transmission of health information, which later led to the publication of the Security Rule. Furthermore, recommendations regarding the privacy of health information were made and subsequently published as the Privacy Rule. Later on, through the enactment of the HITECH Act in 2009, the Breach Notification Rule was added to the Administrative Simplification Regulations. This rule mandates that Covered Entities notify affected individuals and HHS of any unauthorized release of unsecured Protected Health Information (PHI). It also requires Business Associates to report any security incidents to Covered Entities, regardless of whether a data breach occurs as a result.
In August 1996, President Bill Clinton signed HIPAA into law. However, it took several years before the regulations became effective.One of the reasons for the delay was that Congress had the option to pass separate privacy regulations, resulting in a significant gap between the passage of HIPAA and the effective date of the Privacy Rule. Eventually, the Privacy Rule came into effect in April 2003.Two years later, in April 2005, the HIPAA Security Rule became effective, followed by the HIPAA Enforcement Rule in March 2006. These rules aimed to enhance the security and enforcement of HIPAA compliance.In September 2009, the HITECH Act and the Breach Notification Rule took effect. The inclusion of the HITECH Act is crucial because it spurred the Meaningful Use program, which incentivized healthcare providers to transition from paper to electronic health records (EHRs).The Final Omnibus Rule, which incorporated provisions from HITECH, became effective in March 2013. This rule addressed the challenges and consequences of the widespread adoption of EHRs and cloud-based systems in the healthcare industry.
HIPAA designates virtually all health plans, healthcare clearinghouses, healthcare providers, and endorsed sponsors of the Medicare prescription drug discount card as "HIPAA Covered Entities." These entities are typically those that regularly come into contact with Protected Health Information (PHI). Additionally, "Business Associates" are also subject to HIPAA regulations. These are entities that do not primarily deal with PHI but may handle it while providing services or engaging in activities on behalf of a Covered Entity. Before undertaking any such service or activity, a Business Associate must sign a Business Associate Agreement, guaranteeing the safeguarding of the confidentiality, integrity, and availability of any PHI they have access to. There is some ambiguity surrounding self-insured single employer group health plans and employers who act as intermediaries between employees and healthcare providers. While HIPAA states that employers are not typically considered Covered Entities, specific circumstances may subject them to this classification (e.g., an employer who operates a medical center would be considered a Covered Entity regarding patient health information). However, as self-insured and intermediary employers handle PHI protected by the HIPAA Privacy Rule, they are considered "Hybrid Entities" and must comply with HIPAA regulations for any transaction covered by the Department of Health and Human Services' published standards.
Since the Final Omnibus Rule was implemented in 2013, bringing about changes in HIPAA regulations, there have been new guidelines establishing how Personal Health Information (PHI) should be accessed and communicated in medical environments. The updated legislation grants patients greater rights to control and be informed about the use of their health information. It also expands the responsibilities of HIPAA-covered entities and Business Associates in managing how patient information is accessed and shared. Consequently, these entities must now adopt measures to limit information flow within private networks, monitor network activity, and prevent unauthorized disclosure of PHI outside of the network. Risk assessments and new reporting procedures have also become more important in addressing data breaches. The Office for Civil Rights, under the Department of Health and Human Services, frequently carries out inspections to ensure compliance with the Privacy, Security, and Breach Notification Rules. When violations of PHI are found, the Office for Civil Rights has the authority to enforce corrective action plans and impose financial penalties. Additionally, the Centers for Medicare and Medicaid Services have the ability to conduct audits on organizations required to adhere to the HIPAA Administrative Requirements.
The distinction between "required" and "addressable" safeguards within HIPAA has caused some confusion. Basically, every standard of HIPAA is considered "required" unless there is a valid reason not to implement it or an alternative safeguard that achieves the same objective is in place. For instance, in the case of email encryption, it is only necessary if emails containing PHI are being sent outside of a secure, internal server. If a healthcare organization solely uses email for internal communication or has obtained patient authorization to send unencrypted information, there is no need to implement this addressable safeguard. Nevertheless, the decision not to use email encryption should be supported by a documented risk assessment. It is also important to take into account the organization's risk mitigation strategy and other safeguards in place to protect PHI. It is worth noting that PHI encryption at rest and in transit is strongly recommended.
The implementation of HIPAA has significant implications for patients, as it ensures that their healthcare information is handled with more sensitivity and can be accessed more quickly by their healthcare providers. Unlike paper records, electronically stored health information is now better protected, leading to improved efficiency for healthcare organizations that have implemented HIPAA regulations. As a result, patients can expect a higher standard of healthcare. However, there are some drawbacks to consider. Healthcare organizations have broader concerns than just individual patient care; they aim to expand their services, enhance the quality of care, and improve patient safety through research. HIPAA restrictions limit access to protected health information (PHI), potentially slowing down advancements in healthcare. Additionally, the improved data security comes at a cost. While the Meaningful Use program provided financial incentives for healthcare providers to digitize paper records, the implementation of necessary PHI security controls can be expensive. Increased funding for compliance may therefore affect the level of patient care, while the administrative burden placed on healthcare organizations by HIPAA-compliance strains already limited resources.
Failure to address data privacy and security can lead to fines imposed by the Office for Civil Rights (OCR). Preventable data breaches may incur substantial financial penalties. According to HITECH, violations can result in fines of up to $1.9 million imposed by the OCR, with potential lawsuits filed by attorney generals and data breach victims. Given the high likelihood of healthcare organizations being targeted by cybercriminals, the costs associated with addressing breaches, including issuing notification letters, offering credit monitoring services, and covering OCR fines, far outweigh the investment required to achieve full compliance. Despite the significant initial investment in the necessary safeguards to secure patient data, the resulting improvements can lead to long-term cost savings due to enhanced efficiency. Healthcare organizations that have already implemented HIPAA-compliant mechanisms have witnessed streamlined workflows, reduced time wasted on communication mishaps, and increased productivity among their workforce. Consequently, these organizations can reinvest their savings to provide a higher quality of healthcare to patients.
The task of explaining HIPAA to employees of Covered Entities and Business Associates is more challenging compared to patients. Compliance with HIPAA requires these entities to develop privacy and security policies for their employees, as well as sanctions for those who violate the requirements. Therefore, it is essential to provide employees with a comprehensive understanding of HIPAA. The most effective approach is to conduct specialized compliance training sessions. While HIPAA regulations do not specifically mandate annual training, we recommend frequent and concise sessions due to the vast amount of information regarding the security and privacy of personal health data. A one-time training session is unlikely to be sufficient. Much of the training will focus on the proper usage and disclosure of patient information. The implementation of policies in this area will directly impact employees. For instance, employees will be prohibited from discussing patient healthcare through their mobile devices unless the communication is encrypted. This means that, especially in light of the increasing adoption of BYOD (bring your own device) policies in healthcare facilities, employees will need to download secure communication apps on their personal devices or use alternative compliant channels for communication.
The enforcement of different sections of HIPAA depends on various entities. The Centers for Medicare and Medicaid Services oversee the implementation of the Administrative Requirements. HHS' Office for Civil Rights is responsible for enforcing the Privacy, Security, and Breach Notification Rules for organizations regulated by HIPAA. For organizations not covered by HIPAA, the Federal Trade Commission is in charge of enforcing the Breach Notification Rule. If a violation appears to have a criminal intent, it is referred to the Department of Justice for investigation. State Attorneys General are also empowered to take legal action, either civil or criminal, against organizations that do not comply with any of the HIPAA Rules. They can do so if a resident of their state has suffered harm due to a HIPAA violation or the unauthorized disclosure of unsecured PHI.
The Privacy Rule safeguards personal health information that can identify an individual, such as their medical history, current or future medical condition, treatment received, and related payment details. This protection remains in place until the information is 'deidentified' for research purposes, which involves removing any identifiers before disclosing the remaining health information.
Only health care providers who conduct electronic transactions that adhere to the standards published by HHS are considered Covered Entities. Health care providers who manually process health claims or bills (including through fax or landline phone) and those who directly bill patients are not eligible as HIPAA Covered Entities. Additionally, there are some health plans that do not meet the requirements to be considered HIPAA Covered Entities.However, if a healthcare provider or health plan that is not covered by HIPAA performs a service for a Covered Entity or on its behalf, which involves the use or disclosure of Protected Health Information (PHI), then the non-covered organization becomes a Business Associate of the Covered Entity. The Business Associate must comply with the Security and Breach Notification Rules and any privacy standards outlined in a Business Associate Agreement, as well as any relevant standards from the Privacy Rule.
The CMS, similar to the Office for Civil Rights, possesses a range of options to address noncompliance among organizations. These include providing technical support, implementing a corrective action plan, or imposing a civil monetary penalty. In addition, noncompliant healthcare organizations can face temporary or permanent exclusion from the Medicare and Medicaid programs.
Every organization that gathers personal health data must inform both individuals and the proper governing body if a security breach leads to the unauthorized exposure of identifiable health information. In the case of organizations covered under HIPAA, this would entail notifying the Office for Civil Rights at HHS. However, for non-covered organizations that collect health data through devices like fitness trackers, diet apps, or blood pressure cuffs, the required notification should be sent to the FTC.
Quick & Simple
Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you