What is HIPAA (Health Insurance Portability and Accountability Act)?
HIPAA is the acronym of the 1996 law that was initially created to help people keep their health insurance when they switch or lose jobs. It also seeks providers to protect the security and privacy of health information and control administrative costs by simplifying and standardizing electronic transactions.
There are different security measures CMS implemented to standardize this electronic exchange of health information, including claims, eligibility, claims status, ERA, and EFT. But the essential part of HIPAA has been the privacy and security provisions, which were strengthened by the same 2009 law that created the meaningful use program depending on the situation. Here, healthcare providers have invested a significant amount of effort to comply with all the regulations and data security measures as penalties for violations of them could increase to up to $1.5 million per violation. Yet, the number of data security breaches continues to grow.
So, in simple words, HIPAA is a national standard and security measure that protects the privacy of a patient's electronic health information. Thus, HIPAA-covered entities must comply with specific guidelines to provide health records in specific electronic formats to process that PHI (protected health information) with the corresponding measures.
What is PHI?
Protected Health Information (PHI) is any health information that can be clearly identified to an individual and stored, maintained, or transmitted by a HIPAA-covered entity. But what kind of information is specifically considered "individual identifiers"? There are 18 types of identifiers:
- Dates (except years)
- Telephone numbers
- Geographic data
- FAX numbers
- Social Security numbers
- Email addresses
- Medical record numbers
- Account numbers
- Health plan beneficiary digits
- Certificate/license digits
- Vehicle identifiers, serial numbers, and license plates
- Web URLs
- Device identifiers and serial numbers
- Internet protocol addresses
- Full-face photos and comparable images
- Biometric identifiers (i.e., retinal scan, fingerprints)
- Any unique identifying number or code
If at least one of the above identifiers is in a patient's health information, it's considered PHI.
Why is HIPAA important?
Nowadays, HIPAA is more important than ever as everything is computerized. According to the research report DearDoc and Compliancy Group 2022, in the US, 61% of patients affirm that digital services are important when choosing a physician, 62% want to communicate with providers by email, and 64% would schedule online. And these numbers keep growing.
But, before HIPAA, there were no universally accepted security standards in the healthcare industry that could regulate the management of confidential health information. This created friction in medical processes and unease among the parties involved as they didn't know how their data was being managed, by whom, or to what extent it was really confidential. Indeed, 68% of patients nowadays are not confident that providers actually protect their medical records, and 53% feel that providers' negligence caused or contributed to identity theft.
As said before, the number of data security breaches is still increasing over the years. Some major causes might be hackings, IT incidents, unauthorized access, theft, loss, or improper disposal. 17.000 medical records are breached daily, and 89% of Healthcare organizations have experienced a breach over the past two years, with 86% being administrative mistakes. All of these come up to people, failing people and affecting their health somehow. Hence, the importance of uprising efforts to ensure security and privacy.
But also, it's essential to bear in mind that it's not just about privacy and security; it's also crucial to increase efficiency and mobility in the medical processes.
Who must comply with HIPAA regulations?
Starting with the basics that the patients are key players in these, as all the confidential information and processes revolve around them, it's important to highlight that other important key players work with PHI and, therefore, are covered entities that must comply with HIPAA regulations. These are by:
- Health Clearinghouse (i.e., Entities that process nonstandard health information received from other entities)
- Health plans (i.e., health insurance companies, and HMOs, among others.)
- Healthcare providers (i.e., Doctors, clinics, and nursing, among others.)
Such covered entities must review and update their security measures along with the regulations to continue to protect the e-PHI in such dynamic environments.
Also, when health plans or providers that work with PHI use the services of others to help carry out their health functions, those other companies or individuals are called Business Associates and must also comply with HIPAA regulations. These create a Business Associate Agreement (BAA) before any PHI may be shared, exchanged, or transmitted between organizations.
How do I know if I'm subject to HIPAA compliance?
Every person, product, or company that collects, uses, processes, or stores the PHI of users to share it with a covered entity must comply with HIPAA regulations and protect confidential information safely. Thus, you must comply with HIPAA if you transfer or store PHI. But, there are some edge cases in which HIPAA isn't required.
To check if an organization or an individual has considered or not a covered entity that must comply with HIPAA, complete this checklist.
Who controls HIPAA Compliance?
The US Government passes the HITECH Act, a supplemental act that raises penalties for those health organizations that violate HIPAA, and the organization responsible for enforcing the Privacy and Security Rules is the Office for Civil Rights (OCR). Also, for those organizations hosting sensitive patient data, Health and Human Services (HHS) require physical safeguards such as policies to use and access E-media and workstations, E-PHI and electronic media transfer, removal, disposal, and re-use restrictions, among others. And also required technical safeguards such as using unique user IDS, and automatic log-off, among others.
HIPAA compliance requirements
To be HIPAA compliant, there are some rules you must know.
HIPAA Privacy Rule
This rule established specific national standards to protect the privacy and confidentiality of PHI. Specifically, it places limits and conditions on what can and cannot be made with it without patient authorization. Also, it states that all patients can inspect and obtain copies of their medical records and request corrections to their files if necessary.
HIPAA Security Rule
This rule established specific national security standards to protect electronic PHI. Here, it regulates and defines standards, methods, procedures, and processes of how the e-PHI must be stored, used, transmitted, and accessed. So, this rule seeks to promote covered entities to adopt new technologies and innovations that improve patient care while protecting all PHI's privacy. Also, another main goal of this security rule is to keep the integrity of e-PHI, which means it tries to ensure the information is not altered or destroyed unauthorizedly. Thirdly, it seeks to maintain the availability of this information as accessible and usable as possible, on-demand and by an authorized person.
The three safeguards levels of this security are:
- Admin safeguards: assignment of the compliance team.
- Technical safeguards: encryption and authentication methods to control data access.
- Physical safeguards protect any electronic system, equipment, or organization data. Here there are risk management protocols, for example, for hardware, software, transmissions, etc.
Still, it's important to remember that this rule is supposed to be flexible and scalable to evolve with the dynamic context we live in with so many technological advances, diverse situations, and numerous improvements in the healthcare industry.
HIPAA Transactions Rule
This rule establishes the correct use of HIPAA transactions and code sets of medical records and PHI to ensure safety, accuracy, and security.
HIPAA Breach Notification Rule
This rule requires covered entities to inform and notify patients in case of a breach of their PHI without unreasonable delay and no case later than sixty days following the discovery.
It also requires entities to notify the Department of Health and Human Services of the breach by issuing a notice to the media if and when it affects more than five hundred patients. In case of minor violations, the responsible entity must report it via the OCR web portal. These notifications must include information about the nature of the PHI involved, the unauthorized person who accessed or used the PHI, whether the PHI was actually viewed or acquired, and the extent of the risk of damage.
When Covered Entities notify a patient of a breach, they must inform the individuals about the best steps they should take to protect themselves from any potential harm. Also, they should describe the actions being followed to investigate the breach and explain the actions taken so far to prevent further security incidents.
HIPAA Enforcement Rule
This rule established provisions for violations. When breaches of PHI or HIPAA non-compliance occur, this rule states how the investigation of such incidents must be conducted, with the penalties and procedures that could take place. The fine can be imposed depending on each case and its violation category. Factors such as the number of people affected, the number of records, risks exposed, and the level of negligence involved, among others, are the key to determining the type of consequences.
It addresses five areas that all covered entities and businesses associates may comply with:
- HIPAA Security and Privacy requirements.
- Mandatory federal security and privacy breach reporting requirements.
- New penalties and enforcement methods for HIPAA violations.
- All new security requirements must be clarified in Business Associates contracts.
- Creation of new restrictions, privacy, accounting, and sales or marketing requirements.
HIPAA Omnibus Rule
This rule addresses areas where previous updates had ignored HIPAA. It clarified procedures and policies, amended definitions, and expanded the compliance list to cover Business Associates and their subcontractors.
The seven fundamentals of an effective compliance program:
- Implement written procedures, policies, and standards of conduct.
- Designate a person to ensure they are allowed.
- Conduct effective training and education.
- Develop effective lines of communication.
- Conduct internal monitoring and auditing.
- Ensure standards are enforced through publicized disciplinary measures.
- Taking corrective action as soon as an offense is detected and responding promptly to it.