Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996 and President Bill Clinton signed it into law. The Act protects the private information of individuals who use health care services or health insurance. HIPAA was initially enacted to guarantee workers continuity of health insurance coverage when they changed or lost jobs; the privacy and security provisions that most people now associate with it followed later.
As the years progressed, the scope of HIPAA compliance grew to include the rights individuals have over their health information and the rules that health care providers, health plans and their contractors must follow.
The Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) enforces the HIPAA Privacy, Security and Breach Notification Rules and penalizes those who do not comply. Every covered entity must designate a privacy official (Privacy Rule) and a security official (Security Rule); in practice these duties are often combined in a single HIPAA compliance officer.
You can refer to the following guide to understand the key terminology and rules of HIPAA compliance.
Table of Contents
What is Protected Health Information (PHI)?
Who needs to follow HIPAA compliance?
The HIPAA Privacy Rule
The HIPAA Security Rule
Breach Notification Rule
What is Protected Health Information (PHI)?
The information protected under HIPAA is called Protected Health Information (PHI): individually identifiable health information about a person's past, present or future physical or mental health condition, the care they received, or the payment for that care. Covered entities must protect a patient's PHI in every form, whether spoken, written on paper or stored electronically.
Some examples of PHI include health reports, billing records, test results, and identifiers such as names, dates of birth and Social Security numbers when they are held together with health information.
Who needs to follow HIPAA compliance?
a) Covered Entities – HIPAA defines certain professions and organizations as covered entities. All covered entities must comply with the HIPAA rules or be subject to penalties. Covered entities fall into three categories: health care providers, health plans, and health care clearinghouses.
- Healthcare Provider – Individuals or organizations that provide medical treatment, such as doctors, clinics, pharmacies, dentists, chiropractors and nursing homes. A provider is a covered entity when it transmits health information electronically in connection with a standard HIPAA transaction (claims, eligibility checks and the like), which in practice covers nearly all providers today.
- Health Plan – It includes Health Insurance Companies, HMOs, Government Health Care Programs, Company Health Plans, etc.
- Healthcare Clearinghouse – This includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
b) Business Associates – Business Associates are individuals or organizations that perform functions or services on behalf of a covered entity that involve access to PHI. For instance, an accounting firm that handles a health care provider's billing needs access to protected health information, as does a cloud hosting provider that stores its records. Since the 2013 Omnibus Rule, business associates are directly liable for complying with the Security Rule and with the terms of their contracts, not merely liable to the covered entity.
The covered entity must have a written contract, the business associate agreement (BAA), with each business associate. It sets out the permitted uses and disclosures of PHI and requires the associate to safeguard the PHI, report breaches, and flow the same obligations down to its own subcontractors.
The HIPAA Privacy Rule
HHS issued the Privacy Rule in 2000 and set a compliance date of 14 April 2003 for most covered entities (small health plans had until 14 April 2004). The rule protects individuals' Protected Health Information (PHI) and establishes the roles and responsibilities of covered entities and business associates.
Two fundamental rights stand out in the Privacy Rule: the "Right to Access" and the "Right to Privacy." Together they let individuals obtain their own PHI and influence which organizations and people may receive it.
Right to Access
You have the right to inspect and obtain copies of your health information in the form and format you request, if the provider can readily produce it (for example an electronic copy of an electronic record), normally within 30 days of your request.
Right to Privacy
- Under the Right to Privacy, your provider may use or disclose your PHI without asking you only for its own treatment, payment and health care operations and for the specific purposes the rule permits. Any other disclosure requires your written authorization, and you or a personal representative you have authorized can always obtain it yourself.
- You can direct your health care provider to send your PHI to other people such as friends or family.
- The provider can share your PHI with other providers for treatment purposes and with your health plan for payment without a separate authorization.
- You can also direct the provider to send your health information to a mobile or computer application you choose. The provider should warn you that once the information reaches the application it is no longer covered by HIPAA, and the provider is not responsible if the application leaks it.
- If you have paid for a service or test in full out of your own pocket, you can ask the provider not to disclose that service to your health plan, and the provider must agree.
- Your employer cannot obtain your medical records from your provider without your authorization. It can ask you directly for medical information for purposes such as sick leave, workers' compensation or accommodation requests, and records it holds in its role as employer are not PHI.
- Your PHI cannot be sold or used for marketing purposes without your written authorization.
- You can ask your doctor not to share your health information with certain people or companies. The provider must consider the request but, apart from the out-of-pocket case above, is not obliged to agree.
- You can request confidential communications, for example that correspondence be sent to an address other than your home, such as your office.
- Providers must give you a Notice of Privacy Practices at the time of first service and make a good-faith effort to obtain your written acknowledgment that you received it. Read the notice carefully before acknowledging it.
What does Notice of Privacy Practices Contain?
This notice describes how your health care provider may use and disclose your PHI and what it does to protect its privacy. It also states the conditions under which the provider is obliged to share your protected health information with an individual or institution, for example when required by law.
It must list your rights over your PHI, the provider's legal duties, and contact details for filing a complaint with the provider and with OCR if you believe your rights have been violated.
The "Right to Privacy" helps individuals keep their protected health information private. If you do not want certain people to access your PHI, you can ask that they not receive it. If you want family or friends to be able to obtain your PHI in an emergency, you can name them in advance; someone with legal authority to act for you, such as a health care power of attorney, is your "personal representative" and is treated as you for HIPAA purposes.
In some cases the health care provider shares your PHI with other companies, for instance its business associates. The Privacy Rule states that your PHI cannot be sold or used for marketing purposes without your authorization. The right also lets you restrict certain people's access to your PHI and keep a treatment you paid for out of pocket from being disclosed to your insurer.
The HIPAA Security Rule
The Security Rule had a compliance date of 20 April 2005 for most covered entities (20 April 2006 for small health plans). Formally titled the Security Standards for the Protection of Electronic Protected Health Information, it requires covered entities to protect the confidentiality, integrity and availability of all electronic PHI (e-PHI) they create, receive, maintain or transmit, and to prevent unauthorized users from accessing it.
The Security Rule applies to all health care providers, health plans and clearinghouses that transmit, receive or store PHI in electronic form and, since the HITECH Act, directly to their business associates as well.
The Security Rule is deliberately technology-neutral: it lets providers and insurers adopt new technologies and move to digital storage and access for health records, as long as the safeguards they choose are reasonable for the size of the organization and the risks it faces.
The rule requires covered entities to protect e-PHI against reasonably anticipated threats to its security or integrity and against impermissible uses or disclosures, and to ensure their workforce complies. Each implementation specification is either "required" or "addressable"; an addressable one may be met by an equivalent alternative measure, but the decision and its reasoning must be documented.
Every organization subject to the Security Rule must deploy three categories of safeguards to protect e-PHI from a breach: Administrative Safeguards, Physical Safeguards, and Technical Safeguards.
- Administrative Safeguards – A documented risk analysis and risk management process, written security policies and procedures, a designated security officer, workforce training and sanctions, access authorization on a "need to know" basis, and contingency planning (backups, disaster recovery and emergency operation).
- Technical Safeguards – Access control (unique user IDs, emergency access procedures, automatic logoff and encryption), audit controls that record who accessed which e-PHI and when, integrity controls against improper alteration or destruction, person or entity authentication, and transmission security such as encryption of e-PHI in transit.
- Physical Safeguards – Facility access controls that keep unauthorized people out, for example access cards or fingerprint readers, rules for workstation use and security, and device and media controls covering the inventory, reuse and secure disposal of hardware and media that hold e-PHI.
Importance – Health services are increasingly digital. The Security Rule ensures that covered entities protect all data that is stored, transferred and received electronically, so that you can log in to a patient portal or receive results by email with reasonable confidence that the information is protected.
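The access-control and audit-control safeguards above are the ones most directly implemented in code. The following is an added example, not code from the original page or from any HIPAA guidance: it enforces a need-to-know matrix on a small constructed PHI store and writes every access attempt, allowed or denied, to a hash-chained audit log so that a tampered entry is detectable. The record IDs, roles, users and the `ROLE_FIELDS` policy are assumptions for illustration.

```python
"""Minimum-necessary access control with a tamper-evident audit trail.

Added example (not from the page). Demonstrates two HIPAA Security Rule
technical safeguards: access control and audit controls. All data below
is constructed sample data; roles and the policy matrix are assumptions.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample PHI store: record id -> fields. A real system would hold
# this in an encrypted database; it is in memory only to keep the example self-contained.
PHI_RECORDS = {
    "MRN-1001": {"name": "A. Patient", "diagnosis": "Type 2 diabetes", "billing_total": 412.50},
    "MRN-1002": {"name": "B. Patient", "diagnosis": "Hypertension", "billing_total": 98.00},
}

# Need-to-know matrix (assumed policy): which fields each role may view.
ROLE_FIELDS = {
    "physician": {"name", "diagnosis"},
    "billing": {"name", "billing_total"},
    "auditor": set(),  # may learn that a record exists, never its contents
}

GENESIS = "0" * 64


class AuditLog:
    """Append-only log where each entry commits to the previous entry's hash.
    Editing or deleting any past entry makes verify() fail."""

    def __init__(self):
        self.entries = []
        self._prev_hash = GENESIS

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, user, role, record_id, fields, allowed):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),  # who, what, when
            "user": user,
            "role": role,
            "record": record_id,
            "fields": sorted(fields),
            "allowed": allowed,
            "prev": self._prev_hash,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        self._prev_hash = entry["hash"]

    def verify(self):
        """Walk the chain from the genesis hash; any broken link returns False."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


AUDIT = AuditLog()


def access_phi(user, role, record_id, fields):
    """Return only the requested fields the role is permitted to see.
    Every attempt is logged before any data is returned, including denials,
    so the audit trail also captures probing for records or fields."""
    requested = set(fields)
    permitted = ROLE_FIELDS.get(role, set())
    denied = requested - permitted
    # Same error for a missing record and a denied field, so a caller
    # cannot use the error message to enumerate which MRNs exist.
    if record_id not in PHI_RECORDS or denied:
        AUDIT.record(user, role, record_id, requested, allowed=False)
        raise PermissionError("access denied")
    AUDIT.record(user, role, record_id, requested, allowed=True)
    return {f: PHI_RECORDS[record_id][f] for f in requested}


if __name__ == "__main__":
    print(access_phi("dr_lee", "physician", "MRN-1001", ["diagnosis"]))
    try:
        access_phi("clerk", "billing", "MRN-1001", ["diagnosis"])
    except PermissionError as exc:
        print("billing clerk denied:", exc)
    print("audit chain intact:", AUDIT.verify())
```

The log deliberately records the denial before raising, and the chain hash covers the timestamp and the field list, so an insider cannot quietly remove the evidence of a failed lookup. In production the entries would be shipped to a write-once store outside the application's own trust boundary; the chain only makes tampering detectable, it does not prevent it.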
Breach Notification Rule
HIPAA defines a breach as "an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information." Any impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate can demonstrate that there is a low probability the PHI has been compromised.
That demonstration requires a documented risk assessment covering at least four factors: the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; the unauthorized person who used or received it; whether the PHI was actually acquired or viewed; and the extent to which the risk has been mitigated.
Affected individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered. If the breach affects 500 or more individuals, the covered entity must also notify the Secretary of HHS at the same time, and if more than 500 residents of one state are affected, prominent media outlets serving that state. Breaches affecting fewer than 500 individuals are logged and reported to the Secretary within 60 days after the end of the calendar year in which they were discovered. A business associate that discovers a breach must notify the covered entity.
Importance – The Breach Notification Rule ensures that affected individuals and the authorities learn of a breach quickly enough to respond, and that covered entities perform and document a proper risk assessment of its severity rather than quietly deciding that nothing happened.
The HIPAA Enforcement Rule
The Enforcement Rule, as the name suggests, was introduced as part of HIPAA to compel covered entities and business associates to comply with the HIPAA regulations. It defines the process for investigating complaints and compliance reviews and sets the civil money penalties that can be imposed if a covered entity or business associate is found non-compliant.
The Enforcement Rule has evolved through the years with notable amendments. On 17 April 2003 HHS issued the interim final rule on Procedures for Investigations, Imposition of Penalties, and Hearings, followed by further changes in 2004 and 2005 and the Final Enforcement Rule on 16 February 2006. The HITECH Act, enacted on 17 February 2009, strengthened enforcement and introduced tiered penalties based on the level of culpability; HHS implemented those changes through an interim final rule in October 2009. Most recently, the Omnibus Final Rule of January 2013 extended direct liability to business associates and finalized the HITECH changes.
OCR works in tandem with the Department of Justice (DOJ). If OCR finds during an investigation that there may have been a criminal violation, it refers the case to the DOJ, which can bring criminal charges under HIPAA.
Importance – Because the Enforcement Rule gives OCR the means to investigate and penalize, individuals can expect their health care provider to take the HIPAA rules seriously. The rule also defines the investigation process and the actions that follow a finding of non-compliance, so covered entities and business associates can expect a consistent process and a penalty proportionate to the violation.
In this day and age, where the security of personal data is a priority, HIPAA ensures that the data you entrust to your health care provider is kept secure. It also keeps a check on all covered entities so that they maintain HIPAA standards.
Every covered entity must be HIPAA compliant, or a heavy penalty can be imposed on it.
ACE Managed Security Services offers a full suite of security solutions to help your organization stay on top of HIPAA compliance. ACE Managed EDR and SIEM provide continuous monitoring and audit-ready compliance reports.