The Complete Guide to HIPAA Compliance for Busy Professionals
by Rick Kuwahara, CMO of Paubox
What is HIPAA Compliance?
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996 to address rapid technological change in healthcare and the lack of consistent standards that came with it.
With the introduction of HIPAA, health standards and privacy protections for individually identifiable health information, known as protected health information (PHI), were standardized at the federal level, in a manner intended to prevent the erosion of privacy as new technology was adopted.
Part of HIPAA regulates group health plans and some individual health insurance policies. But the most commonly referenced part provides policies, procedures, and guidelines for preserving the privacy and security of PHI. It also identifies offenses related to healthcare, and sets out penalties for violating the rules.
Compliance with HIPAA is mandatory when organizations deal with PHI in any way. HIPAA exists to protect the security and the privacy of patients and their information. The act covers both protections from breaches and the necessary steps that must be taken if a violation does occur.
The best way to ensure your organization is HIPAA compliant is to know what compliance entails.
There are four important aspects of HIPAA compliance – the HIPAA Enforcement Rule, HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule.
In this guide we’ll cover:
- The HIPAA Enforcement Rule
- The HIPAA Privacy Rule
- The HIPAA Security Rule
- The Breach Notification Rule
- What is HITECH and how it relates to HIPAA
- HIPAA Standard Transactions
What is the HIPAA Enforcement Rule?
HIPAA is regulated by the US Department of Health and Human Services (HHS), and its privacy and security rules are enforced by the Office for Civil Rights (OCR).
The Enforcement Rule sets out how HIPAA will be enforced and what will happen if non-compliance is discovered.
The process of enforcement is handled by OCR, which investigates complaints filed with it. OCR also conducts compliance reviews of entities, and works with the Department of Justice if a possible criminal violation of HIPAA is discovered.
Once a complaint has been accepted for investigation, OCR will notify the complainant and entity in question. Each party is able to present information about the issue, with OCR conducting fact-finding. Entities covered under HIPAA must comply with the investigation, by law.
After reviewing information and evidence, OCR makes a decision, determining whether or not the entity breached HIPAA rules. If an entity is found to be non-compliant, OCR can implement various types of corrective action, including asking for voluntary compliance, effecting corrective action, or creating a resolution agreement. The complainant will be informed of the results.
If the entity’s response is not satisfactory, OCR can impose fines for every HIPAA violation, which can be appealed before an administrative law judge.
As an example of the way the Enforcement Rule works, consider this scenario, as outlined on the HHS website.
A patient’s PHI, including her medical condition and treatment plan, was disclosed in an unauthorized way via a telephone message from a hospital employee.
An OCR investigation looked at information from all sides of the situation and determined that the hospital, a covered entity, did not follow the requirements set out in HIPAA for dealing with confidential communications. In response, the hospital developed and implemented new procedures to handle telephone messages to avoid becoming non-compliant in the future.
What is the HIPAA Privacy Rule?
The Privacy Rule covers the use and disclosure of PHI and the standards that must be upheld for individuals to understand and control how their PHI is used by an organization.
Essentially, the Privacy Rule governs the protection of PHI, while allowing healthcare professionals and others to use the information in the course of patients’ care. It works to balance the use of information against the privacy owed to individuals.
Here are some scenarios where covered entities can disclose PHI:
- An entity is required to disclose PHI to individuals or their personal representatives when they request it.
- Entities must disclose PHI to HHS as part of a compliance investigation or review, or an enforcement action.
- Entities are permitted to disclose PHI for treatment, payment, and healthcare operations activities.
- Individuals may be asked directly whether they agree to a disclosure of PHI, or otherwise given the opportunity to agree, acquiesce, or object; this is a permitted type of use or disclosure.
- Incidental use and disclosure are permitted, if the covered entity has enacted reasonable privacy safeguards and the information shared is the minimum necessary.
The rule also provides for informal authorization and authorization in emergency situations, as well as public interest and benefit activities – things like FDA regulation, judicial proceedings, and serious threats to health or safety.
What is the HIPAA Security Rule?
The Security Rule sets out what safeguards must be in place to protect electronic PHI (ePHI), which is health information that is held or transferred in electronic form.
Entities covered under the Security Rule have to uphold the privacy of any ePHI in their care. This means:
- Ensuring the confidentiality, integrity, and availability of ePHI.
- Identifying and protecting against reasonably anticipated threats to the security or integrity of ePHI.
- Protecting against reasonably anticipated impermissible uses or disclosures of ePHI.
- Ensuring that everyone within the workforce is compliant with HIPAA and the Security Rule.
Essentially, ePHI has to be protected like PHI. It can’t be disclosed or used inappropriately. It can’t be altered or destroyed in an unauthorized way. And it must be accessible and usable by authorized people. However, because ePHI has additional vulnerabilities while it’s at rest or in transit, those technical factors need to be addressed.
The Security Rule sets out required technical safeguards, physical safeguards, and administrative safeguards, covering everything from encryption, to use of mobile devices, to risk assessments.
Technical safeguards cover all of the ways a covered entity has to protect ePHI across its networks. The entity must use policies and procedures that keep ePHI in the hands of only authorized persons, and they must have a way to record and examine access.
Policies and procedures must also cover the integrity of ePHI, ensuring it is not altered or destroyed improperly. If ePHI is transmitted over an electronic network, safeguards must be in place to continue to guard the privacy of that ePHI.
Physical safeguards address physical access to a covered entity’s facilities and electronic networks. Only authorized users may access areas where ePHI is kept, both within its facilities and across workstations and electronic media.
Policies and procedures must be in place to govern the transfer, removal, disposal, and reuse of electronic media in order to protect any ePHI stored on those media.
Administrative safeguards keep all members of a workforce in compliance with HIPAA. There must be a security official in place who handles the development of all security policies and procedures. Again, only those who are authorized to access ePHI should be permitted to do so under an entity’s policies and procedures.
All staff members must receive appropriate supervision and training in how to properly handle ePHI. There must be a system in place to sanction people who violate an entity’s policies and procedures. Periodic assessments must be done to ensure security measures are working correctly.
What is the HIPAA Breach Notification Rule?
Under HIPAA, a breach is an impermissible use or disclosure of PHI that compromises its security and/or privacy. The Breach Notification Rule outlines how data breaches must be handled.
In the event of a breach, the entity has to tell all affected individuals, the OCR Secretary of Breaches, and in some cases, the media. If a breach happens due to a business associate, that company has to notify the covered entities affected.
Individuals must be notified in writing. This can be done by email if they have agreed to that format. They must receive a description of the breach, the types of information involved, the steps they should take to protect themselves, what the entity is doing to investigate and mitigate the breach, contact information for the entity or its business associate, and a toll-free number to learn more about what information was involved. All of this has to occur no later than 60 days following a breach’s discovery.
The Secretary of Breaches is informed through an electronic breach form. If a breach affects over 500 people this has to be done no later than 60 days following the discovery of a breach. If it affects fewer than 500 people, however, it can be reported up to 60 days after the end of the calendar year.
What is HITECH and how does it relate to HIPAA?
The Health Information Technology for Economic and Clinical Health (HITECH) legislation was created in 2009 to encourage the adoption of electronic health records (EHR) and the technology that supports their use.
Because HITECH pushed providers toward using electronic records and newer technology, it created its own set of security concerns. With more covered entities using EHR and working with ePHI, HIPAA became all the more important, as it continued to set out the rules under which information can be shared, used, and accessed.
HIPAA Standard Transactions
A HIPAA transaction is an exchange of electronic information between two covered entities to carry out financial or administrative activities related to healthcare. A good example would be when a healthcare provider sends a claim to a health plan to request payment for services.
These HIPAA transactions include:
- Claims and encounter information
- Payment and remittance advice
- Claims status
- Eligibility status
- Enrollment and disenrollment
- Referrals and authorizations
- Coordination of benefits
- Premium payment
Any covered entity that conducts any of these transactions is required to use an adopted standard from ASC X12N, or from NCPDP for certain pharmacy transactions.
But these standards only apply when covered entities are making the exchange with each other; the rules change when only one of the parties is a covered entity.
For example, if a patient is making a co-pay to the hospital for treatment received, that is not a standard transaction, and so it does not need to follow any specific format for record keeping.
However, that does not exempt the covered entity from making sure the transaction itself is secure under the other areas of HIPAA regulations.
Luckily for patients and consumers, there’s little to worry about.
But for any practice dealing with insurers and health plans, it’s important to stay up to date on HIPAA transaction standards and make sure you demand your vendors do so as well.
HIPAA is complex. Even the most well-meaning healthcare providers and their business associates can inadvertently go astray when trying to maintain privacy and confidentiality of their patients’ data.
More and more people and entities are using the Internet and emerging technology to deliver healthcare. At the same time, cyberattacks on healthcare entities are becoming commonplace.
According to 2015 IBM statistics, the healthcare industry is being attacked at a higher rate than any other sector. Malicious people desperately want to access PHI and ePHI, and are finding ways to do so.
This makes it all the more important to take the time to fully understand HIPAA and how it applies to your organization, in order to protect yourself, your business, and your patients and clients from breaches.
Be sure to use technology to your advantage, but be sure you have Business Associate Agreements in place with your vendors. Then document and implement processes to make sure you have the right Administrative and Physical safeguards in place.