The Healthcare Insurance Portability and Accountability Act (HIPAA) has become an ingrained facet of security and privacy efforts since it was signed into law in 1996. This decisive, game-changing legislation for the healthcare industry provides requirements that serve to cultivate a safe environment for patient data, offering a multi-dimensional set of security provisions and data privacy requirements.
HIPAA has two different requirements for covered entities; one addresses the way that private patient data is to be handled and defines provider responsibilities; the other outlines how that protection should be accomplished. The HIPAA Privacy and Security Rules are two of the many vital aspects of the groundbreaking legislation. Understanding their key components can prevent costly errors and help maintain HIPAA compliance.
What are Covered Entities?
The HIPAA Privacy & Security Rules apply to all covered entities and any of their business associates (BA). Covered entities are the businesses and organizations that are required to comply with HIPAA standards, both the original law and all updates that have emerged in the last three decades. Regulations also apply to subcontractors, also known as business associates of business associates.
HIPAA covered entity is any practitioner that handles electronic patient health data, such as:
- Health plans, including individual and group plans,
- Healthcare clearinghouses,
- Healthcare providers that transmit patient data electronically.
The original list of covered entities expanded in 2013, when the Health Information Technology for Economic and Clinical Health (HITECH) was passed. This new rule, referred to as the Omnibus Rule, expands HIPAA coverage. This broad umbrella can include:
- Hospitals, nursing homes, and other medical facilities,
- Research facilities,
- Government facilities,
- Data facilities,
- Cloud providers,
- SaaS platforms,
- MSP/IT contractors.
Basic Structure of HIPAA Regulations
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996. It’s also known as the Kassebaum–Kennedy Act and Kennedy–Kassebaum Act after its two leading sponsors. It consists of five titles, with the first two having the greatest relevance for covered organizations.
This section deals with continuing coverage for health insurance when workers change or lose their jobs. Title II, also known as the Administrative Simplification provisions, mandates national standards regarding electronic protected health information (ePHI).
This applies to “covered entities” as defined by HIPAA, which generally includes any organization that handles EPHI in a manner regulated by HIPAA. Covered entities include health care providers, health care insurers, billing services for health care and community health care systems. Title II consists of five rules: the Privacy Rule, Security Rule, Transactions and Code Sets Rule, Unique Identifiers Rule and Enforcement Rule.
What Is the HIPAA Privacy Rule?
Healthcare organizations and physicians have access to essential personal information from patients regarding account and identity information, as well as confidential health information. Without the proper protection, such information could be used in ways that could negatively impact patients’ lives in many ways.
Therefore, patients expect that their confidential information is kept private. This is challenging in the digital age where hackers and cybercriminals relentlessly seek to steal this information, and human error inside health organizations can create pathways to disastrous breaches.
HIPAA privacy laws were enacted in 2002 to protect the confidentiality of patients’ PHI without hindering the flow of information necessary to provide treatment. These laws serve to control:
- Who can get access to PHI,
- To whom it can be disclosed, and
- The conditions under which such information can be used.
The HIPAA Privacy Rule also applies to entities beyond healthcare providers and the organizations they work with. This includes any business with any degree of access to information about a patient that—in the wrong hands—presents risk to the patient, in terms of reputation or finances.
Why the HIPAA Privacy Rule Is Important
It’s important as the first comprehensive set of national standards focused on protecting individual patients’ medical records and any other personal health information. Also known as the Rule, it requires appropriate safeguards to protect the privacy and confidentiality of PHI. It sets special limits and conditions on the use and disclosure of that information when there is no patient authorization. Further, it provides patients with rights over their health information, including the right to request corrections and obtain a copy of their health records.
Following are a few key ways that the HIPAA Privacy Rule has revolutionized the healthcare industry for the better:
- HIPAA has created a culture of compliance in an environment heavy with regulations and frequent regulatory updates. Keeping up compliance is essential, and HIPAA has been instrumental in helping companies comply.
- HIPAA has strengthened security in healthcare organizations and in organizations that work in tandem with healthcare organizations.
- In file-sharing situations, HIPAA has safely facilitated this activity between different healthcare systems. Upon patient approval for permission to share their records, many providers are able to instantly send records to the designated recipient electronically.
- HIPAA has been instrumental in developing national standards regarding patient confidentiality and healthcare information.
What Type of Information Is Protected by HIPAA Privacy Laws?
HIPAA privacy laws protect information known as “individually identifiable health information,” which is any that can expose a patient’s identity.
- Any aspect of the patient’s physical or mental condition in the past, present, or future.
- Any healthcare treatment and services provided to the patient.
- Any payment made by the patient for the provision of care in the past, present, or future.
The inclusion of payments made by patients means that the individually identifiable health information also includes the following:
- Dates of birth, death, or treatment
- Social Security number
- Telephone number
- Vehicle registration number
- Driver license number
- Medical records number
- Credit card information
- Electronic images or photographs
- Examples of a patient’s handwriting and signature
- Any other identifiable information.
It’s important to note that HIPAA privacy laws extend to all forms of protected health information, whether in electronic, written, or oral form.
What is the HIPAA Security Rule?
The HIPPA Security Rule mandates safeguards designed for personal health data and applies to covered entities and, via the Omnibus Rule, business associates. The rule is to protect patient electronic data like health records from threats, such as hackers.
Business associates are anyone who deals with PHI at any level. That would include creating it, receiving it, maintaining it, or transmitting it. For example, a billing firm would be a business associate. They don’t provide care, but they are in a position to handle patient information. Other examples of business associates include:
- Data analysis and processing
- Utilization review
- Quality assurance
- Benefit management companies
What are the Mandated Safeguards?
HIPPA’s Security Rule designates safeguards in three different areas: technical, physical and administrative. Each section has separate mandates.
Technical safeguards apply to IT management:
- Control access to reading, writing, modifying, and communicating data. User access must have unique identifiers, automatic logoffs, data encryption, and emergency access procedures.
- Audit controls.
- Integrity policies to protect data for unauthorized users.
- Authentication to verify each user attempting to access the data.
Physical safeguards protect the hardware:
- Assess controlled facility.
- Workstation security and protocols to protect against unauthorized access such as keeping them in a secure room.
- Procedures and policies for device control and the use of media. This should include management of media, records of media movement, disposal, and backup of media.
Administrative is the overall management of security:
- The implementation of security management procedures and policies to detect breaches, contain them, correct problems, and create prevention tactics including risk analysis and management.
- Designating a security official responsible for the development of the policies and procedures and ensuring implementation.
- Policies and procedures in place for employee access to patient data. Policies should cover authorization, supervision, clearance, and what to do after termination.
- The restriction of unnecessary access to data.
- Security training that covers identifying incidents and reporting them.
- Contingency plans for data backup and emergency recovery.
- Evaluation of security plans and HIPPA compliance.
- Establishing written agreements with business associates to ensure their compliance.
Required vs. Addressable
The Security Rule breaks down these safeguards into two groupings: required and addressable. Put simply, a required standard applies to everyone, and addressable is if appropriate. If an addressable standard is not appropriate, there must be documentation explaining why.
How to Ensure Compliance with HIPAA Security Regulations
Since the environment of each covered entity and business associate is different in terms of how they handle data and the resources they have, the security rule does not define the methodology for compliance. It is intentionally flexible and technologically neutral. This allows for some freedom when it comes to compliance as long as the established safeguards are met.
1. HIPAA Risk Assessment – It starts with a comprehensive assessment of risks that would feature:
- Identifying current risk factors for electronic personal health information.
- Creating a list of objectives necessary to eliminate the risks and close security loopholes.
- Listing gaps that exist between the current situation and the objectives.
2. Gap Analysis – The gap analysis pinpoints what needs to change.
3. SOC Audit – Next, a SOC 2 examination brings in an independent auditing firm to look at control objectives and test them to ensure they meet standards efficiently and effectively. A proper audit will look at:
- Automated and manual procedures,
The exam will include an analysis of company protocols to stay in compliance.
4. Finally, schedule reviews of protocols and reassessment should hardware or software change.
Privacy vs. Security Rules
Both privacy and security are essential and they differ in several key ways.
This portion of HIPAA is designed to protect PHI and private data. The privacy rule also details the patient’s rights when it comes to PHI and outlines what covered entities are required to do to protect these crucial details. This part of HIPAA clearly defines how PHI can be used, distributed, and shared.
These rules define how data can be collected and how it must be protected. PHI can be exposed in a variety of ways, from a network breach to an actual physical attack on a system. Security rules define each aspect of protection and the entity’s role in safeguarding data.
What Happens If You Do Not Comply?
Any covered entity is required to restrict access to protected health information (PHI). These security measures can include physical, technical, and logistic barriers designed to protect both the data itself and the privacy of patients.
Covered entities are required to take steps to protect the data they collect and use. Failing to comply with HIPAA rules or failing to accurately assess risk and take reasonable precautions could result in sanctions for both the practice and individuals.
The penalties for HIPAA violations can be both swift and severe. Monetary cost can be as much as $50,000 per violation, with organizations subject to up to $1.5 million in penalties per year. Yet beyond that, organizations that are hit with HIPAA penalties can face expenses related to:
- Discovery and remediation,
- Legal fees, and
- Loss of customer and patient revenue.
Penalties also include civil suits and the potential for criminal liability. Accidental offenses are handled differently from those that exploit PHI for personal gain or malicious reasons. A criminal offense could result in years of imprisonment and hefty fines. Even for those practices that do not willingly expose data, there are consequences; both fines and reputation damage impact an organization’s ability to serve and perform as usual.
Taking the time to learn about the latest changes to HIPAA policies, understanding the differences between Privacy and Security Rules and taking a proactive approach to PHI protection can help protect your organization from risk.
Related article: How to Show Proof of HIPAA Compliance.
Is Your Organization HIPAA Compliant?
Are you considering signing a BAA with a promising client? Do you need tips on compliance as a service organization? Our team at I.S. Partners, LLC. can help you sort through the complexities of the HIPAA Privacy Rule and all the associated laws so you can become and remain confidently compliant for the tenure of your business arrangement.
Call us to learn more about HIPAA privacy and security laws. Find out how crucial the Rule and its laws are to protecting patients, your clients, and your own reputation.