What is HIPAA and how can the HIPAA security rule, omnibus rule, and privacy rule apply to me and my business? Keep reading to find out.
What does HIPAA stand for? HIPAA stands for Health Insurance Portability and Accountability Act.
What Is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law passed by Congress and signed by President Clinton in 1996. Among other things, it created national standards for managing, protecting, and sharing patient information: it governs when, how, and under what circumstances healthcare providers, health plans, and their business associates may use and disclose protected health information (PHI). The law supports patients in several ways, including the following:
- Portability of health coverage and of health information as patients move between providers and health plans (hospitals, doctors, and insurers)
- Reduction of healthcare fraud and medical identity theft
- Uniform national standards for electronic transactions, record-keeping, and security in place of differing state and local practices
- Privacy and confidentiality for patient records and PHI
HIPAA is enforced by the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS), which oversees organizational compliance and investigates complaints of violations and reports of breaches. HHS, which develops and implements the HIPAA regulations, has issued five core rules that set out patient rights and the obligations of regulated organizations:
- The Privacy Rule
- The Security Rule
- The Transactions Rule
- The Identifiers Rule
- The Enforcement Rule
The HIPAA Privacy Rule is perhaps the most recognizable. It defines who is regulated, what information is protected, and what patients may expect of the organizations that hold it. Here the basis of HIPAA is articulated: healthcare organizations and their business associates must protect PHI against unauthorized use and disclosure.
Entities directly regulated under the Privacy Rule are known as “covered entities” (CEs): healthcare providers that transmit health information electronically in connection with standard transactions (doctors, hospitals, pharmacies), health plans (insurers, health maintenance organizations (HMOs), and government health programs), and healthcare clearinghouses. Since most CEs outsource business and healthcare functions to third-party vendors, a second regulated category was created for these entities: “business associates” (BAs), which create, receive, maintain, or transmit PHI on a CE’s behalf.
The Privacy Rule defines PHI legally. Under HIPAA, PHI is individually identifiable health information, held or transmitted in any form, that relates to any of the following:
- A patient’s past, present, or future physical or mental health or condition
- The provision of healthcare to the patient
- Past, present, or future payment for the provision of healthcare to the patient
Finally, the Privacy Rule gives every patient the right to inspect and obtain a copy of the PHI an organization holds about them in its records, and to request that errors be corrected.
The Security Rule builds on the Privacy Rule by adding standards for securing PHI in electronic form (ePHI). Under the Security Rule, CEs and BAs must implement safeguards that protect the confidentiality, integrity, and availability of the ePHI they create, receive, maintain, or transmit. The rule is technology-neutral: it groups the required safeguards into three categories and, for each, describes what must be achieved rather than mandating specific products:
- Technical: The controls in this category are what we normally think of as cybersecurity. The Security Rule’s technical safeguard standards are access control (unique user IDs, emergency access procedures, automatic logoff, encryption), audit controls, integrity controls, person or entity authentication, and transmission security, which in practice means encryption protocols, firewalls, anti-malware, and logging. With the rise of cloud-based Software-as-a-Service (SaaS) systems, the same requirements extend to communications between CEs and BAs, to cloud-hosted servers, and to backups of ePHI.
- Physical: While ePHI is a digital asset, it lives on physical infrastructure. Physical safeguards cover facility access controls for data centers and offices (locks, cameras, visitor logs), workstation use and security, and controls on devices and media, including the disposal and reuse of hardware that has held ePHI.
- Administrative: HIPAA compliance requires diligence and comprehension from the workforce of any CE or BA. Administrative safeguards include a documented risk analysis and risk management process, assigned security responsibility, workforce training and sanctions, information access management, security incident procedures, contingency (backup and disaster recovery) planning, and periodic evaluation.
With these aspects of security in mind, the Security Rule specifies that CEs and BAs must ensure the confidentiality, integrity, and availability of ePHI; protect against reasonably anticipated threats to its security and against reasonably anticipated impermissible uses or disclosures; and ensure compliance by their workforce.
The Transactions and Code Sets Rule standardizes the electronic transactions that move between health plans, providers, and clearinghouses (claims, eligibility checks, remittance advice, referrals, and similar) and the code sets used within them to describe diagnoses, procedures, drugs, and supplies. It replaced the local codes and proprietary formats previously used on municipal, state, or private scales. The standards apply to the covered electronic transactions themselves rather than to medical records generally. The adopted code sets include:
- The International Classification of Diseases (ICD), now ICD-10-CM for diagnoses and ICD-10-PCS for inpatient hospital procedures, which replaced ICD-9 in 2015
- The Current Procedural Terminology (CPT), 4th Edition, published by the American Medical Association
- The Healthcare Common Procedure Coding System (HCPCS), formerly the HCFA Common Procedure Coding System
- The Code on Dental Procedures and Nomenclature (CDT), maintained by the American Dental Association
- National Drug Codes (NDC), published by the Food and Drug Administration (FDA)
The Identifiers Rule requires standard unique identifiers so that the parties to a HIPAA transaction are identified uniformly, and these identifiers must appear on the standard transactions. They include the following:
- The National Provider Identifier (NPI): A 10-digit identifier assigned by the Centers for Medicare & Medicaid Services (CMS) to healthcare providers and used on all standard administrative and financial transactions.
- Employer Identification Number (EIN): The employer’s federal tax identification number, assigned by the Internal Revenue Service (IRS), adopted as the standard identifier for employers on transactions such as enrollment.
Two further identifiers, the Health Plan Identifier (HPID, a unique number for health plans) and the Other Entity Identifier (OEID), were adopted in 2012 and rescinded by HHS in 2019.
The Enforcement Rule, strengthened by the 2009 HITECH Act, sets out how HHS investigates complaints and the civil money penalties for noncompliance. Penalties are tiered by culpability, with per-violation ranges set by statute and adjusted annually for inflation; the annual caps below reflect the enforcement discretion HHS announced in 2019:
- Lack of Knowledge, where the CE or BA did not know, and by exercising reasonable diligence would not have known, of the violation. Penalties range from $100 to $50,000 per violation, with an annual cap of $25,000 for identical violations.
- Reasonable Cause, where the violation was due to reasonable cause and not to willful neglect. Penalties range from $1,000 to $50,000 per violation, with an annual cap of $100,000 for identical violations.
- Willful Neglect, Corrected, where the violation was due to willful neglect but was corrected within 30 days of the CE or BA learning of it. Penalties range from $10,000 to $50,000 per violation, with an annual cap of $250,000 for identical violations.
- Willful Neglect, Not Corrected, where the violation was due to willful neglect and was not corrected within 30 days. Penalties start at $50,000 per violation, with an annual cap of $1.5 million for identical violations.
Separately, individuals who knowingly obtain or disclose individually identifiable health information in violation of HIPAA face criminal prosecution by the Department of Justice. Criminal penalties combine fines with imprisonment and scale with intent:
- Knowingly obtaining or disclosing PHI: a fine of up to $50,000 and up to one year in prison
- Obtaining PHI under false pretenses: a fine of up to $100,000 and up to five years in prison
- Obtaining PHI with intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm: a fine of up to $250,000 and up to ten years in prison
Two additional rules play a major role in HIPAA compliance: the Breach Notification Rule and the Omnibus Rule.
The Breach Notification Rule states the obligations that CEs and BAs have once a breach occurs. While the details depend on the size and circumstances of the breach, organizations must in general take the following steps:
- Notification is required only for breaches of unsecured PHI. Under HHS guidance, PHI is secured when it has been rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption that meets the guidance or through destruction; anything else, including PHI protected only by access controls or a password, counts as unsecured. A BA that discovers a breach must notify the CE without unreasonable delay; the CE is responsible for the notifications below unless its business associate agreement delegates them.
- The organization must notify each affected individual, by first-class mail or by email if the individual has agreed to electronic notice, without unreasonable delay and no later than 60 days after the breach is discovered. Where contact information is insufficient or out of date for 10 or more affected individuals, substitute notice is required: either a conspicuous posting on the organization’s website home page for at least 90 days or a notice in major print or broadcast media, in both cases with a toll-free number that stays active for at least 90 days.
- Breaches involving more than 500 residents of a single state or jurisdiction also require notice to prominent media outlets serving that state or jurisdiction, again within 60 days of discovery.
- Breaches affecting 500 or more individuals must be reported to the Secretary of Health and Human Services through the HHS breach report form within the same 60-day window. Breaches affecting fewer than 500 individuals are logged and reported to the Secretary annually, no later than 60 days after the end of the calendar year in which they were discovered.
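The thresholds and deadlines above can be written down as a decision procedure that an incident response team runs against the facts of a breach. The following is an added example, not code from the original page or from Kiteworks: it encodes the individual, substitute, media, and HHS notice duties with their 60-day windows and 500-individual thresholds (note that media notice is triggered by more than 500 residents of one state, while HHS notice within 60 days is triggered by 500 or more individuals in total, and smaller breaches go in the annual log due 60 days after year end). The `Breach` record, its field names, and the sample breaches are constructed for illustration, and the `phi_secured` flag stands in for the encryption-or-destruction determination, which the code does not make for you.

```python
"""Breach Notification Rule decision helper (illustrative, not legal advice).

Encodes the notification duties described above:
  * no duty for secured PHI (encrypted per HHS guidance, or destroyed);
  * individual notice no later than 60 days after discovery;
  * substitute notice (web posting or media, plus a toll-free number for
    90 days) when 10 or more individuals cannot be reached;
  * media notice when MORE than 500 residents of one state/jurisdiction
    are affected;
  * HHS notice within 60 days for 500 OR MORE individuals, otherwise in
    the annual log due 60 days after the end of the calendar year.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

NOTICE_WINDOW = timedelta(days=60)   # outer limit; notice must also not be unreasonably delayed
SUBSTITUTE_NOTICE_MIN = 10           # 10 or more unreachable individuals
MEDIA_NOTICE_MIN_EXCLUSIVE = 500     # more than 500 residents of one jurisdiction
HHS_IMMEDIATE_MIN = 500              # 500 or more individuals in total
SUBSTITUTE_NOTICE_DAYS = 90


@dataclass(frozen=True)
class Breach:
    """Constructed record of what the incident team knows about a breach (hypothetical schema)."""
    discovered: date              # first day the CE knew (or should have known) of the breach
    phi_secured: bool             # True only if encrypted per HHS guidance or destroyed
    affected: int                 # total individuals whose PHI was involved
    unreachable: int              # individuals with insufficient or out-of-date contact info
    by_jurisdiction: dict[str, int] = field(default_factory=dict)  # state -> affected residents


def required_notifications(b: Breach) -> dict:
    """Return the notification duties triggered by `b` and their deadlines."""
    if b.affected < 0 or b.unreachable < 0 or b.unreachable > b.affected:
        raise ValueError("unreachable count must be between 0 and affected")
    if sum(b.by_jurisdiction.values()) > b.affected:
        raise ValueError("per-jurisdiction counts exceed total affected")

    if b.phi_secured:
        # Safe harbor: a breach of secured PHI triggers no notification duty.
        return {"reportable": False, "reason": "PHI was secured (encrypted or destroyed)"}
    if b.affected == 0:
        return {"reportable": False, "reason": "no individuals affected"}

    deadline = b.discovered + NOTICE_WINDOW
    duties: dict = {"reportable": True, "individual_notice_by": deadline}

    if b.unreachable >= SUBSTITUTE_NOTICE_MIN:
        duties["substitute_notice"] = {
            "method": "website posting or major print/broadcast media",
            "toll_free_number_days": SUBSTITUTE_NOTICE_DAYS,
        }

    # Media notice is per state/jurisdiction and uses a strict "more than 500" test.
    media = sorted(j for j, n in b.by_jurisdiction.items() if n > MEDIA_NOTICE_MIN_EXCLUSIVE)
    if media:
        duties["media_notice"] = {"jurisdictions": media, "by": deadline}

    if b.affected >= HHS_IMMEDIATE_MIN:
        duties["hhs_notice_by"] = deadline
    else:
        # Smaller breaches go in the annual log, due within 60 days after year end.
        year_end = date(b.discovered.year, 12, 31)
        duties["hhs_annual_log_by"] = year_end + NOTICE_WINDOW

    return duties


# Constructed sample breaches for demonstration (not real incidents).
SAMPLE_BREACHES = {
    "encrypted_laptop": Breach(date(2024, 3, 1), True, 3_000, 0, {"CA": 3_000}),
    "large_unencrypted": Breach(date(2024, 3, 1), False, 1_200, 15, {"CA": 700, "NV": 500}),
    "small_misdirected_fax": Breach(date(2024, 3, 1), False, 120, 3, {"TX": 120}),
}


if __name__ == "__main__":
    for name, breach in SAMPLE_BREACHES.items():
        print(f"{name}: {required_notifications(breach)}")
```

Two details in the sample data are deliberate: the stolen laptop with encrypted PHI produces no duties at all, which is why encryption that meets the HHS guidance is the single most valuable control against notification costs, and the 500 Nevada residents in the large breach do not trigger media notice there because the media test is "more than 500", even though the breach as a whole clears the "500 or more" HHS threshold.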
The Omnibus Rule, finalized in 2013, implements most of the HITECH Act’s changes, updating the Privacy, Security, Breach Notification, and Enforcement Rules to reflect modern ePHI technologies and the shift to electronic records that the 2009 HITECH law promoted. It also replaced the earlier “risk of harm” threshold for breaches with a presumption that any impermissible use or disclosure of unsecured PHI is a reportable breach unless a documented four-factor risk assessment shows a low probability that the PHI was compromised.
Perhaps most importantly, the Omnibus Rule changes the obligations of business associates. BAs are now directly liable for compliance with the Security Rule and with the applicable provisions of the Privacy Rule, and they face the same penalties as covered entities for violations and breaches. The definition of BA was also expanded to cover any organization that creates, receives, maintains, or transmits PHI on behalf of a CE, including subcontractors of a BA that handle PHI, whether or not they have a direct contract with the CE.
Finally, the Omnibus Rule prohibits CEs from selling PHI without the individual’s authorization, tightens the limits on using PHI for marketing and fundraising, and lets patients restrict disclosures to their health plan for services they pay for in full out of pocket.
What PHI Disclosures Are Permitted Under HIPAA?
Alongside all these rules and restrictions, there is a defined set of situations in which a CE may use or disclose PHI without the individual’s written authorization. These include the following:
- Disclosures to the Individual: A CE may disclose PHI to the person it is about.
- Treatment, Payment, and Health Care Operations: A CE may use and disclose PHI for its own treatment, payment, and healthcare operations and, in defined cases, for those of another CE (for example, a referring physician sharing records with a specialist).
- Opportunity to Agree or Object: After giving the individual an informal chance to agree or object, or in emergencies and when the individual is incapacitated, a CE may include limited information in a facility directory and may disclose PHI to family members or others involved in the individual’s care or payment, including to notify them of the individual’s location or condition.
- Incidental Disclosure: If PHI is incidentally exposed in the course of an otherwise permitted use or disclosure (such as a name overheard at a reception desk), and the CE has applied reasonable safeguards and the minimum necessary standard, the disclosure is not a violation of the Privacy Rule.
- Public Interest and Benefit: A CE may disclose PHI without authorization for 12 national priority purposes:
- Public Health Activities: reporting disease, injury, or vital events to public health authorities; reporting adverse events, product defects, or recalls to the FDA and manufacturers; notifying persons exposed to a communicable disease; and workplace medical surveillance required by OSHA or similar laws.
- Victims of Abuse, Neglect, or Domestic Violence: disclosures to government authorities authorized to receive such reports.
- Health Oversight: disclosures to health oversight agencies for audits, investigations, inspections, and licensure actions.
- Judicial and Administrative Proceedings: disclosures in response to a court or administrative order, or to a subpoena or discovery request accompanied by satisfactory assurances that the individual was notified or that a protective order was sought.
- Law Enforcement: disclosures to law enforcement under specified circumstances, including in response to legal process, to identify or locate a suspect, fugitive, witness, or missing person, about a victim of a crime, or to alert police to a death that may have resulted from criminal conduct.
- Decedents: disclosures to coroners, medical examiners, and funeral directors to identify a deceased person, determine cause of death, or carry out their duties.
- Organ, Eye, and Tissue Donation: disclosures to facilitate donation and transplantation.
- Research: disclosures for research under a waiver approved by an Institutional Review Board or privacy board, for reviews preparatory to research, on decedents’ information, or as a limited data set under a data use agreement.
- Serious Threat to Health or Safety: disclosures, consistent with applicable law and ethical standards, to prevent or lessen a serious and imminent threat to a person or the public, including threats the individual poses to themselves.
- Essential Government Functions: disclosures for military and veterans activities, national security and intelligence activities, protective services for the President, medical suitability determinations, and correctional settings.
- Workers’ Compensation: disclosures authorized by and necessary to comply with workers’ compensation laws or similar programs providing benefits for work-related injuries.
- Required by Law: disclosures that a statute, regulation, or court order requires, limited to what the law requires.
Meet HIPAA Compliance and Protect Patients’ Privacy
When it comes to HIPAA compliance, it is important that an organization’s IT and data management infrastructure is up to the task of protecting patients and your team members. A unified, logged, tracked, and secure system not only provides you with manageable compliance that you can report and monitor, it also gives you the foundational tools to ensure the privacy of your patients remains protected.
Finally, maintaining HIPAA compliance does not mean sealing yourself from the outside world. With the right tools, such as secure file sharing, secure email links, compliant data services, and private cloud infrastructure, you can prioritize security and compliance without sacrificing usability or customer satisfaction.
Schedule a custom demo of Kiteworks to discover how your organization can comply with HIPAA when sending and sharing PII.