All You Need to Know about HIPAA Compliance
The Health Insurance Portability and Accountability Act (HIPAA) was originally passed by the US Congress in 1996 during the Clinton administration and while its primary purpose was to allow workers to carry forward insurance and healthcare rights between jobs, in time it became better known for its stipulations concerning the privacy and security of protected health information (PHI).
With the rise of electronic health records and healthcare providers’ own push for digitalization that began including apps, email correspondence and social media as ways of communicating with patients and customers, the Health Information Technology for Economic and Clinical Health Act (HITECH) expanded HIPAA’s privacy and security scope by increasing its legal liability and providing a stricter enforcement of its requirements.
HIPAA is governed by three main rules:
- The Privacy Rule which details how PHI can be used and disclosed;
- The Security Rule that includes the necessary standards and safeguards needed to protect electronic PHI at rest and in transit;
- The Breach Notification Rule that requires organizations to notify patients and the proper authorities in case of a PHI data breach.
The Department of Health and Human Services’ Office for Civil Rights (OCR) has been responsible for the enforcement of HIPAA since 2003.
Who does HIPAA apply to?
The general tendency is to regard PHI as the domain of hospitals and healthcare institutions. In today’s digital age however, healthcare providers rarely operate independently: they often share information with business associates or require subcontractors to perform services that may require the disclosure of PHI.
HIPAA covers all these entities: the actual providers that offer treatment, payment or operations in healthcare, but also all the associates with access to patient information that support them in the discharge of these services. Subcontractors, as well as business partners’ own associates, must comply with HIPAA.
Additionally, under the HITECH Act, healthcare providers are obligated to notify their business associates and subcontractors that they must comply with HIPAA.
What does HIPAA protect?
Protected Health Information (PHI) that falls under the incidence of HIPAA refers to information related to an individual’s past, present, or future physical or mental health and the provision of healthcare to an individual. It also includes personal identifiers such as name, address or Social Security Number that, by themselves or grouped with other identifiers, can reveal a person’s identity, medical history or payments he has made.
The Privacy Rule
In force since 2003, the HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information. It applies to all healthcare and health plan providers, healthcare clearinghouses, and certain electronic healthcare transactions.
The Privacy Rule requires that appropriate safeguards be put in place to protect the privacy of PHI and sets the conditions and limits of the use and disclosure of PHI without patient authorization. Through it, patients or their representatives can ask for a copy of their records that they can then examine and request to be corrected.
Organizations falling under the incidence of HIPAA are required to answer such patient access requests within 30 days. Notices of Privacy Practices (NPPs) must also be issued to explain to patients how their data will be used or shared.
The Security Rule
The Security Rule more specifically addresses the protection of individuals’ electronic protected health information (ePHI) that is created, received, used, or maintained by entities covered by HIPAA. It establishes a set of standards and safeguards that need to be put into place to ensure the confidentiality, integrity, and security of ePHI.
There are three types of safeguards under the Security Rule:
- Technical Safeguards that refer to the technology used to protect and access ePHI;
- Physical Safeguards that deal with physical access to ePHI regardless of its location;
- Administrative Safeguards that include actions, policies, and procedures responsible for the enforcement of ePHI protection and the conduct of an organization’s workforce.
The Breach Notification Rule
Similar to the GDPR’s mandatory data breach notifications, the HIPAA Breach Notification Rule requires covered entities to notify patients in case of a data breach that included their PHI as well as the OCR and the media if the breach affects more than five hundred patients.
Smaller breaches that affect fewer than 500 individuals must also be reported through the OCR web portal. Breach notifications must be made without undue delay no later than 60 days after the discovery of a breach. When patients are notified of the breach, they must be informed what they can do to protect themselves from potential harm, how the organization is investigating the incident and how it will avoid other security incidents in the future.
Fines under HIPAA
Federal fines for noncompliance with HIPAA can be issued by the OCR and state attorneys general and are separated into four tiers, depending on the level of perceived negligence at the time of the HIPAA violation. They range from as little as $100 to as much as $1.5 million per year for each violation.