What is HIPAA?

The history of Health Insurance Portability and Accountability Act -HIPAA for short- goes back to 1996, when it was passed by 104th United States Congress. The act itself is designed for effective management and protection of personally identifiable information (PII) within the healthcare industry. The act consists of five titles, each of them covering different areas in the healthcare industry such as health insurance coverage in case of changing jobs, administrative simplification provisions on electronic healthcare transactions, pre-tax medical spending accounts, group health plans and company-owned insurance policies. The main need for HIPAA emerges from the fact that the replacement of paper processes with the use of electronic systems and technologies in healthcare increases the potential security risks of handling PII data. Therefore, the Secretary of U.S. Department of Health and Human Services (HSS) has developed regulations against certain health information to ensure their protection of privacy and security in line with Title II, The Administrative Simplification provisions. The HHS published the HIPAA Privacy Rule and HIPAA Security Rule to introduce and establish national standards for effective protection of certain health information.

What does HIPAA do: Health Organizations and Patient Privacy

Protected health information, PHI is defined as individually identifiable health information of patients, which are held or transmitted by a covered entity or its business associates in any format including electronic, written or oral. PHI includes demographic information and common identifiers that can be used to identify a person such as social security number, name, address, etc. PHI also includes past or present health conditions or health care provision of an individual, and any information related to medical history that is relatable and attributable to identify a person. HIPAA in general applies to organizations that store or transmit health care related information specified by HIPAA. These organizations -health care providers, health plan or health care clearinghouses that provide services such as billing or community health information systems- are defined as covered entities within the HIPAA standards. Additionally, any business associate that these covered entities work with, say a person, an organization or contracted workforce that provides services on behalf of the covered entity is also subject to HIPAA requirements if their functions include the usage or disclosure of PHI.

HIPAA compliance

HIPAA requires covered entities and business associates which have access to PHI adhere to its specified rules to operate. The HIPAA aims to protect the confidentiality, integrity and the availability of data and ensure the data is protected and secured continuously. There are 5 key rules represented by HIPAA, each contributing to effective management of sensitive data in the healthcare system.

1. Security Rule

By this rule, HIPAA requires covered entities to undertake 3 safeguard actions, namely technical safeguards, administrative safeguards and physical safeguards. Since not all subtopics of each safeguard action are not required by the rule, the optional actions are adjustable to organizational needs, structure, size and so on.

The covered standards in the technical safeguards are access controls, audit controls, integrity, authentication and data transmission security which support organizations to effectively manage their electronic conduct of business to comply with PHI privacy and security. On the other hand, administrative safeguards refer to organization-wide management of data handling, namely security management process, assigned security responsibility, workforce security, information access management, security awareness and training, security incident procedures, contingency plan, evaluation and business associate contracts. These standards ensure the organizational environment is aligned with the specified security procedures and implementations of HIPAA. Lastly, physical safeguards refers to securing the physical facilities and organizational structure such as access controls, workplace security, device and media controls.

2. Privacy Rule

The nation-wide standards represented by HIPAA Privacy Rule are designed to protect the personal health information and limit the use and disclosure of such information without permission. Under this rule, patients or their nominated representatives have the right to access their health records held by the covered entities or request a correction to be made if needed, ensuring the integrity of their PHI. Covered entities are required to respond to PHI access requests made by patients within 30 days by the rule. In general, Privacy Rule prohibits PHI from unpermitted use or disclosure and holds organizations accountable for any disclosure.

3. HIPAA Enforcement Rule

This rule specifies the penalties associated with violations and noncompliance based on the levels such as from reasonable causes to willful negligence. The violation fines vary with the number of patients affected by the breach or the amount of harm and can even transform into criminal charges. The common HIPAA violation incidents happen due to unencrypted data, insufficient employee awareness on privacy and security, business associates and finally the insufficient protection of the devices where the data is stored.

4. HIPAA Breach Notification Rule

Under this rule, HIPAA covered entities are required to notify patients in the case of a PHI breach. If the number of individuals affected by such information breach exceeds 500 people, the regulations developed by OCR requires the covered entities to notify the HHS Secretary and media as well as the affected individuals. For the rest of information breach incidents that affect less than 500 hundred patients, the covered entities are expected to report these to the HHS Secretary on a yearly basis.

5. HIPAA Omnibus Rule

Lastly, this rule extends the HIPAA compliance requirements for Business Associates and other subcontractors. Covered entities are responsible for designing their contracts with their business associates in compliance with HIPAA, update the privacy procedures and adapt the changes made in HIPAA such as the harm threshold in data breaches.

In conclusion, HIPAA establishes a set of standards to put effective safeguards to protect and secure personally identifiable health information and sets limits of its use and disclosure. The HIPAA requirements also apply to organizational-wide business conduct and contracts with business associates to ensure privacy, integrity and security of sensitive health data in all work processes.

If you need any help on HIPAA compliance -on how to design your technology operations to achieve HIPAA compliance or how to remain compliant- our experienced compliance advisory consultants are here to design and implement your compliance roadmap in line with your ongoing system needs. Please reach out to us, [email protected]