This article does not consititute legal advice nor does it convey any rights or obligations to any party. To see Saropa’s Privacy Mission Statement click here or email us directly at hipaa.security@saropa.com.
Summary
The main goals of HIPAA are to limit the use, disclosure, and sharing of protected health care information to authorized persons. The law penalizes any U.S.-based covered entity that violates the provisions stipulated in its the main "Title" components.
The Law
The Health Insurance Portability and Accountability Act (HIPAA), also known as the Kennedy-Kassebaum Act, is a United States legislation signed into law by President Bill Clinton on August 21, 1996. The act was established to ensure the effectiveness and efficiency of the nation’s health care system by outlining standards to maintain and protect personally identifiable information from fraud and theft.
Another objective of the legislation was to tackle healthcare insurance coverage limitations for workers who change or lose their job. The regulation also focused on lowering the cost of care by standardizing the sharing of administrative and financial transactions electronically.
The entities covered under the legislation’s provisions include all persons within a health care facility, students, non-patient care employees, insurance companies (health plans), billing companies, and electronic medical record organizations.
In recent years, the HIPAA act has become more relevant due to the many health data breaches caused by ransomware attacks and cyber-attacks across the health care industry.
What are the 5 components of HIPAA?
HIPAA comprises five main components, called "Titles" :
Title I: HIPAA Health Insurance Reform
Title I protects health insurance coverage for health care workers and their families in the event they lose their jobs or switch to other employers. The title also limits the ability of group health plans to deny coverage to individuals with pre-existing conditions.
Title II: HIPAA Administrative Simplification
Title II prevents health care fraud and abuse by requiring the U.S. Department of Health and Human Services (HHS) to put in place standardized ways of using and disseminating electronic health care information.
This component also requires health care facilities to observe the security and privacy of individually identifiable health care information, while establishing offenses and penalties for violations.
Title II rules target covered entities, which include:
- Health care providers, such as doctors, clinics, dentists, psychologists, pharmacies, and nursing homes.
- Health plans, such as health insurance companies, HMOs, company health plans, and government programs that cater for health care expenses like Medicaid, Medicare, and the veteran's health care programs.
- Health care clearinghouses, such as community health information systems and billing services.
- HIPAA business associates, such as independent contractors.
The five rules established by the HHS regarding Administrative Simplification include:
a) Privacy Rule
The privacy rule regulates the use and disclosure of protected health information (PHI) in the hands of covered entities, as these are the parties that handle standard health care data and information.
PHI is any information that a covered entity holds regarding an individual’s unique identification details, health status, health care transactions or medical records, and health care payment. PHI does not include employment records, education details, or data that does not identify an individual.
However, covered entities are allowed to disclose PHI to law enforcement officials for legal requirements, such as court orders, subpoenas, and warrants.
b) The Transactions and Code Sets Rule
According to this rule, health care organizations must adhere to a standard way of electronic data interchange (EDI) when submitting and processing insurance claims.
c) The Security Rule
The security rule outlines the standards for protecting the integrity, confidentiality, and availability of electronically stored PHI (ePHI). The security standard defers from the privacy rule in that the former deals specifically with electronic data and information, while the latter covers all types of PHI, including paper transactions.
The security rule requires covered entities to adhere to a set of administrative, physical, and technical safeguards against data breaches.
Safeguard types
The following are the goals of the three types of safeguards:
- Administrative - Procedures and policies developed to clearly show how the covered entity will comply with the HIPAA Act.
This is by, for instance, documenting security controls and identifying employees who have access to ePHI. - Physical - To control physical access to data storage areas for protection against inappropriate access.
The covered entities must outline controls for the introduction and removal of software and hardware from the network Further, covered entities must control and monitor access to equipment containing health information. - Technical - To protect communications containing PHI when transmitted electronically over open networks and when data is not in use.
Information systems containing PHI should be protected from intrusion, and any data must not be edited or erased without authorization.
d) The Unique Identifiers Rule
This standard requires that every health care entity, including health plans, health care providers, and individuals, use a unique 10-digit National Provider Identifier number (NPI) to identify covered health care providers in standard medical care transactions.
The NPI is issued to health care providers by the Centers for Medicare and Medicaid Services (CMS), and covered providers are allowed to share it with other providers, such as clearinghouses, health plans, and any entity that needs it for billing purposes. As of today, about 7 million NPIs have been assigned.
e) The Enforcement Rule
This rule establishes guidelines for investigations into violations against HIPAA compliance guidelines. It outlines civil monetary penalties, procedures for investigations, and hearings for violators.
The most common HIPAA violations, which have attracted financial penalties, include:
- The failure to conduct an organization-wide risk analysis aimed at identifying risks to confidentiality, integrity, and availability of PHI;
- The failure to enter into a HIPAA-compliant business associate agreement (BAA). A BAA must be executed between covered entities before any PHI is shared, exchanged, or transmitted;
- Impermissible disclosures of PHI, such as access to health care records for reasons other than those allowed by the privacy rule (snooping);
- Delayed breach notifications;
- The failure to safeguard PHI.
The Breach Notification Rule - What to do in the event of a breach
According to the HHS, a breach is an impermissible use or disclosure of data, which compromises the privacy and security of PHI.
If covered entities adhere to the set technical, physical, and administrative guidelines of the security rule and ensure any ePHI is encrypted to make it “unusable, indecipherable, or unreadable,” the organizations must not report data breaches.
Therefore, data breaches only need to be reported when unsecured (non-encrypted) ePHI is compromised.
If a breach still occurs irrespective of the safeguards or precautions in place, which could lead to unauthorized disclosure of patients’ payment information or health care records, the covered entity must disclose the event to the affected patients within 60 days of the discovery of the breach.
The details of the breach should also be disclosed to the Secretary of the Department of Health and Human Services, in the form of a breach summary submitted through the Office for Civil Rights breach portal. This communication should be done within 60 days of the end of the calendar year in which the breach was identified.
Patients who are victims of the PHI or ePHI breach should be informed through a notification sent by first-class mail to their last known address, the next of kin (for a deceased patient), or the parent or guardian of a child below the age of eighteen whose PHI is compromised.
The breach notification should include:
- A brief description of the event, including what happened, the date of the breach, and the date it was discovered,
- A description of the nature or type of information compromised in the breach, such as personal identifiers like name, Social Security number, account numbers, etc.,
- What the affected individuals should do to protect themselves from potential harm,
- A brief description of the measures the covered entity is taking to investigate the breach, mitigate risks, and prevent a recurrence of the breach, and
- Contact details that the affected individuals can use to ask questions or request further information regarding the breach, including a toll-free number, email address, postal address, or website.
Title III: HIPAA Tax-Related Health Provisions
HIPAA Title III contains tax-related provisions and guidelines for medical care. It standardizes the amount that a person can save in a pre-tax medical savings account.
Title IV: Application and Enforcement of Group Health Plan Requirements
Title IV covers the conditions for group health plans, including coverage of individuals with pre-existing conditions and those seeking continued insurance coverage.
Title V: Revenue Offsets
Title V contains guidelines for company-owned life insurance, prohibiting the tax-deduction of interest earned from life insurance loans, company-related contracts, and endowments.
What Information is protected under HIPAA?
Any health care information with a unique identifier (such as a name, social security number, email address, telephone number, employer identification number, etc.) that links a patient to health care information.
The type of data protected under HIPAA includes written, spoken, paper, or electronic data, transmitted within and outside the health care facility, irrespective of its size.
HIPAA-permitted uses and disclosures
A covered entity can use or disclose an individual’s PHI, either:
- As the Privacy Rule permits or requires it, such as
- when required by legal enforcement authorities,
- when the covered entity is using the data themselves or sharing it with another covered entity, and
- when the HHS is undertaking a compliance investigation or review of enforcement action;
or - If the subject of the information gives written consent, such as when an individual or their representatives request access to their PHI.
HIPAA Privacy Rule penalties
Failure to comply with the HIPAA requirements can attract the following penalties:
- $100 per violation for unknowingly violating HIPAA - the maximum fine is $25,000 per annum for repeat violations.
- $1,000 per violation due to reasonable cause – the annual maximum is $100,000 for repeat violations.
- $10,000 per violation for wilful neglect of HIPAA, but when the violation is corrected within a given period - the annual maximum is $250,000 for repeat violations.
- $50,000 per violation for wilful neglect that remains uncorrected – the annual maximum is $1.5 million for repeat violations.
Covered entities that violate the HIPAA Privacy Rule can be fined up to $50,000 and receive a maximum prison sentence of one year. Entities that violate the policy under false pretence can be penalized up to $100,000 in fines and up to 10 years in prison.
HIPAA and the GDPR
Both HIPAA and the General Data Protection Regulation (GDPR) require complete protection of user data, including adherence to stringent data security guidelines, and compliance to the set protocols when using, sharing, and disposing of data.
In general, HIPAA intersects with the GDPR in the following areas:
Coverage
GDPR covers European Union (EU) citizens, while HIPAA relates to American citizens, but when an individual from the EU seeks or uses services outside the region, the GDPR rule can still apply because the regulation is customer-centric, and its provisions are observed by any organization across the globe.
The HIPAA rule does not apply to organizations or individuals outside the U.S. because this regulation is organization-centric.
Informed consent
American health care organizations operating in EU countries or serving EU customers should also adhere to the requirements of the GDPR on data collection, use, and disposal.
Multinational businesses should ensure adherance to HIPAA standards as well as GDPR. Best practices for adherance requires focusing on only the specific data needed, analyzing data processing, consulting a lawyer for legal requirements, and staying updated with regulatory revisions.
Violations
Both HIPAA and GDPR outline certain penalties on organizations that fail to adhere to the set standards. However, GDPR rules and violations are more stringent in assessing the violations compared to those implemented by HIPAA, because the latter provides conditions or clauses that may cause health care organizations to get away with non-compliance.
HIPAA differs from the GDPR in that the former is organization-centric, focusing on health care data security for businesses in the U.S., while the latter is customer-centric, targeting all organizations handling data belonging to EU citizens.
GDPR guidelines are more stringent in regulating and enforcing privacy, data security, and informed consent rules than HIPAA. It follows that every organization must review and understand the two standards, and how they can affect business processes and operations. Understanding the procedures for breach notification will ensure organizations are not penalized for violating the provisions of the enforcement rule.
To learn more about the GDPR click here.
- Personally Identifiable Information: HIPAA Compliance Key Facts ( paubox.com)
- HIPAA - Health Insurance Portability and Accountability Act ( techtarget.com)
- Health Insurance Portability and Accountability Act ( nih.gov)
- Health Information Privacy ( hhs.gov)
- What are the HIPAA Administrative Simplification Rules? ( compliancy-group.com)
- The HIPAA Breach Notification Rule ( hipaaguide.net)
- National Provider Identifier Standard (NPI) ( cms.gov)
- NPI Files ( cms.gov)
- The Most Common HIPAA Violations You Should Be Aware Of ( hipaajournal.com)
- Who Needs HIPAA Business Associate Agreements? ( compliancy-group.com)
- Summary of the HIPAA Privacy Rule ( hhs.gov)
- Health Insurance Portability and Accountability Act ( asha.org)
- What is the GDPR? ( saropa.com)
- GDPR Vs. HIPAA — Noting The Differences ( healthitoutcomes.com)
- Beyond HIPAA: International Health Data Protection in Europe and Canada ( atlantic.net)
Other References
- What is considered personal data under the EU GDPR? ( gdpr.eu)
- What is GDPR, the EU’s new data protection law? ( gdpr.eu)