If you are even remotely connected to the health care industry, then chances are you’ve heard of something called HIPAA (sometimes incorrectly referred to as HIPPA).
But other than being a core consideration for health care providers, what is HIPAA?
What does HIPAA stand for?
That confusing acronym, HIPAA, stands for the Health Insurance Portability and Accountability Act of 1996, which is United States legislation that sets data privacy and security provisions for safeguarding medical information, such as medical records and other identifiable health information.
The act contains five sections, called titles:
- Title I protects health insurance coverage for individuals who lose or change jobs and also prevents group health plans from denying or limiting certain coverages.
- Title II gives the U.S. Department of Health and Human Services the power to establish national standards for the health care industry when processing electronic transactions. It also requires health care organizations to secure electronic access to health data to remain in compliance.
- Title III includes tax-related provisions and guidelines for medical care.
- Title IV further defines health insurance reform, including provisions for individuals with pre-existing conditions and those seeking continued coverage.
- Title V includes provisions on company-owned life insurance and treatment of those who lose their U.S. citizenship for income tax purposes.
Most of the news coverage about HIPAA violations is in reference to HIPAA Title II, in particular the sections that hold the requirements for HIPAA compliance and securing patient health data:
- HIPAA Privacy Rule. The Privacy Rule covers the use and disclosure of protected health information (PHI) and the standards that must be upheld for individuals to understand and control how their individually identifiable health information is used by an organization.
- HIPAA Security Rule. The Security Rule sets out what security standards must be in place to protect electronic protected health information (ePHI), which is health information or health records that are held or transferred in electronic form. This includes defining technical safeguards, physical safeguards and administrative safeguards.
- HIPAA Enforcement Rule. The Enforcement Rule sets out how HIPAA will be enforced and what will happen if non-compliance is discovered.
However, an undervalued piece of HIPAA Title II is the set of additional provisions added in 2010 by the Affordable Care Act (ACA) that covered HIPAA transactions.
Known as HIPAA Administrative Simplification, the purpose was to simplify the business side of healthcare. This is key to helping interoperability and making sure organizations of all sizes within the health care system can work from the same standards.
Who does HIPAA apply to?
HIPAA regulations apply to Covered Entities and their Business Associates. A covered entity is defined as:
- A health care provider such as doctors, clinics, or pharmacies
- A health plan such as health insurance companies, HMOs, and company health plans
- A health care clearinghouse that processes nonstandard health information it receives from another entity into a standard
Business associates, such as partners, are third parties that a covered entity can designate to perform certain functions or activities that involve the use of PHI on its behalf. Some examples include:
- A third party administrator that assists a health insurer with claims processing
- An attorney whose services involve access to PHI
- An email encryption provider like Paubox
In each case, it’s important to have a Business Associates Agreement (BAA) signed to ensure the third party is taking the correct steps to meet the requirements of HIPAA compliance.
HITECH Act and the Omnibus Rule
In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law to promote the adoption and meaningful use of technology in health care.
The related incentives, requirements, and regulations have been extremely impactful, and health care is still trying to keep pace. Built into the HITECH Act are stipulations that technologies do not violate HIPAA rules.
The HIPAA Omnibus Rule was put in place by HHS in 2013 to modify HIPAA in accordance with guidelines set by the HITECH Act concerning the responsibilities of business associates of covered entities. It also increased penalties for HIPAA compliance violations to a maximum of $1.5 million per incident.
Avoiding HIPAA violations
HIPAA violations can prove quite costly for health care organizations.
At its simplest, a HIPAA violation is when a covered entity does not maintain appropriate safeguards to prevent the intentional or unintentional use or disclosure of PHI, according to the guidelines in the HIPAA Privacy Rule.
Costs can include the expense of covered entities and any affected business associates notifying patients following a data breach. In addition to the notification costs, there are any fines levied by the Office for Civil Rights (OCR) after HIPAA violations are reviewed.
The HIPAA violation fines themselves can reach $1.5 million and include jail time if there are criminal charges related to the violations.
Avoiding violations requires planning. Covered entities and business associates can mitigate risks by making sure staff goes through HIPAA compliance training programs. Consultants can also come on board to make sure the correct processes are in place to avoid and deal with any breaches.
Although there’s no official seal of approval or certification program for HIPAA compliance, there are a lot of companies that offer credentials that show an organization has taken the right steps to meet the requirements of HIPAA.
As technology continues to become a part of health care, there are always going to be new potential places for a breach to occur. But by keeping in mind HIPAA rules, all organizations can be sure they are doing their best in protecting PHI.