HIPAA stands for the Health Insurance Portability and Accountability Act, a U.S. law that protects the rights and privacy of patients by introducing standards to healthcare. Since it was enacted in 1996, the U.S. Department of Health and Human Services (HHS) has issued several major updates that add protections and responsibilities. In this post, we briefly explore the history of HIPAA and its significance, as well as how healthcare organizations can ensure that they are HIPAA compliant.
What is HIPAA?
HIPAA is U.S. legislation created to improve health coverage standards, combat waste, fraud, and abuse in health insurance and healthcare delivery, and set national standards for protecting protected health information (PHI).
The privacy and security provisions of the Act are regulated and enforced by the HHS Office for Civil Rights (OCR). The Act consists of five sections (or titles):
- Title I – regulates group health plans and certain individual health insurance policies
- Title II – establishes standards for the privacy and security of PHI
- Title III – standardizes pre-tax medical savings accounts
- Title IV – specifies conditions for group health plans and further explains coverage clarifications
- Title V – adds and repeals provisions on tax deductions for employers.
Titles I and II carry HIPAA's main objectives, and Title II is the one most commonly associated with the Act.
The importance of Title II
Title II sets policies and procedures for maintaining patient privacy as well as how OCR investigates and penalizes noncompliant covered entities (CEs) and their business associates (BAs). The section also addresses the electronic transaction and identifier standards (e.g. the National Provider Identifier) adopted over the years. A CE is an institution, organization, or person from one of the following categories: health plan, healthcare clearinghouse, or healthcare provider. A BA is a person or organization that performs services for a CE involving access to its PHI, whether in paper or electronic (ePHI) form.
The most significant provisions of Title II address PHI as specified in a set of rules:
- Privacy Rule (2003) – covers the protection of PHI as well as standards for compliance
- Security Rule (2005) – sets the administrative, physical, and technical safeguards required to protect ePHI
- Enforcement Rule (2006) – sets the standards for enforcing HIPAA and penalizing noncompliant CEs.
Enacted in 2009, the HITECH Act promotes the adoption and meaningful use of health information technology. It addresses the privacy and security concerns associated with ePHI and adds provisions that enforce and strengthen HIPAA. Along with HITECH came two additional rules:
- Breach Notification Rule (2009) – requires CEs to notify affected individuals and HHS of breaches of unsecured PHI (and, for large breaches, the media)
- Final Omnibus Rule (2013) – implements HITECH further by strengthening patient privacy protections and extending direct liability to BAs.
Overall, Title II's rules and amendments strengthen and further elucidate the building blocks necessary for patient privacy and security.
A HIPAA compliant CE is an organization that fulfills the requirements of HIPAA and its amendments, meaning that the CE makes a concerted, documented effort to protect its patients' PHI, and thereby itself, from theft and breaches.
If OCR finds a CE noncompliant or unable to demonstrate its due diligence, it will more than likely financially penalize the organization. Criminal violations are referred to the Department of Justice and can carry prison time. HIPAA violations are costly, with notification and cleanup costs sometimes equaling the fines themselves. The first step to compliance is to read and understand the regulations; the second is to translate HIPAA into workable policies and procedures.
Finally, the third step is to enact these policies and procedures using administrative, physical, and technical measures such as:
- Segregated servers and offline backups
- Access controls
- Continuous audits and risk assessments
- Data encryption
- Employee awareness training
- HIPAA compliant email
- Up-to-date patient notices and permissions
- Antivirus software
- Dedicated cybersecurity personnel
With the rapid growth of technology, this also means readapting, reconfiguring, and retraining continuously. Ultimately, to be HIPAA compliant, healthcare organizations must be able to demonstrate that they are taking reasonable and appropriate steps to protect patients and PHI at all times.