HIPAA or the Health Insurance Portability and Accountability Act was enacted by Congress and President Bill Clinton in 1996. The purpose of this Act is to protect the private information of individuals that avail health care services or health insurance. HIPAA was initially enacted to protect the rights of employees while availing health insurance.
But as the years progressed, HIPAA included the rights that individuals are entitled to while availing health facilities and the rules that the health care providers are expected to follow.
The Office for Civil Rights (OCR) is the office-in-charge responsible for the enforcement of the HIPAA rules and penalize those who do not comply. Every organization that comes under HIPAA regulations is expected to have a HIPAA compliant officer employed.
Please refer to the following guide to understand the key terminologies and rules that are part of the HIPAA.
- What is PHI?
- Who should be HIPAA compliant?
- Privacy rule
- The Security Rule
- Breach Notification Rule
- Enforcement Rule
What is Protected Health Information (PHI)?
The information that is protected under HIPAA rules is called Protected Health Information, which may contain any detail that can be used to determine a person’s identity or his prevailing health condition. The covered entities should protect the PHI of the patient at any given time.
Some of the examples of PHI may include health reports, billing records, test results, etc.
Who should be HIPAA compliant?
a) Covered Entities – The HIPAA has defined certain professions and agencies as covered entities. All the covered entities must comply with the rules and regulations under the HIPAA or be subject to penalty. The covered entities are divided into three sections – A Health Care Provider, A Health Plan and A Healthcare Clearinghouse.
- Health Care Provider – These are the individuals or organizations that provide you with medical treatment. These can include Doctors, Clinics, Pharmacies, Dentists, Chiropractors, Nursing Homes, etc.
- Health Plan – It includes Health Insurance Companies, HMOs, Government Health Care Programs, Company Health Plans, etc.
- Healthcare Clearinghouse – This includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
b) Business Associates – Business Associates are the individuals or agencies that help the covered entities in performing specific functions which involve the disclosure of PHI. For instance, an accounting firm that takes care of the healthcare provider’s finances and needs the access to protected health information.
The covered entities must have a written contract or arrangement with the business associates clearly stating its role in protecting the privacy of the PHI.
The privacy rule was implemented by the HHS’ Office of Civil Rights on 14 April 2003 in an effort to protect the Protected Health Information (PHI) of the individuals and establish guidelines on the roles and responsibilities of the covered entities and business associates.
Under the Privacy Rules, two basic rights are provided to the individuals – The “Right to Access” and the “Right to Privacy.” These rights empower the individuals to access their PHI and decide which establishment or people can have access to their PHI.
Right to Access
- You have the right to view and get copies of your health information in the desired format.
- If you find any discrepancy in the reports, you can report it to the healthcare provider and request for an amendment. The request is added to your medical records.
- The fee for the deliverance of PHI should be notified at the time of the request.
- The health care provider can charge a nominal fee to provide copies of the health information. However, the fee should be in accordance with the medium through which it is sent. For instance, if the PHI is sent by mail, only the postal and mail charges should be applied.
- If the health care provider uses an electronic medium like email or an online portal to provide you with your records, they cannot charge fees per page.
- No one can charge you for searching and retrieving your health information.
- Under the right, 30 calendar days is the time given to health care provider to provide you with the copies of your health information.
- You should not be asked to come to the office especially to fill out the health information request form. It should either be done online or at the time of making the request itself.
- You can be denied the access to your PHI under certain circumstances. However, the health care providers can’t deny you the information based on non-payment of fees.
Importance – The Right to Privacy enables you to access your PHI in the desired format and request to correct it if you find any irregularities. The right also instructs the health care providers to be fair in asking for fees to issue any copies of the PHI. It also defines a duration under which the health information should be delivered.
Right to Privacy
- Under the Right to Privacy, only you or any personal representatives authorized by you can view your PHI (Protected Health Information).
- You can also tell your health care provider to send your PHI to other people like friends or family.
- The healthcare provider can share your PHI with other healthcare providers for treatment purposes or to the insurance company for payment.
- The health care provider can also be instructed to send the health information to a mobile or computer application. In that case, the health care provider will guide you that once the info is sent to the application, the health care provider will not be responsible if the information is leaked.
- If you have paid for certain tests by yourself, you can ask the health care providers to keep the treatment secret from insurance companies.
- Your employer cannot directly ask for your medical records. However, a request can be made by the employer on the basis of compensation, leave, etc.
- Your PHI cannot be provided for sales and marketing purposes without your authorization.
- You can instruct the doctors not to share your health info with certain people and companies.
- It can be requested to send your PHI to an address other than home, like your office.
- The right instructs the health care providers to provide you with the Notice of Privacy Practices at the time of the first You are supposed to read the notice carefully and acknowledge that you have received the notice.
What does Notice of Privacy Practices contain?
This notice contains the information about all the procedures that your health care provider follows to protect the privacy of your PHI. It also states the conditions under which it is obliged to share your protected health information with an individual or certain institution.
It should list the full list of rights under the “Right to Privacy” and mention the contact details to make a complaint if your rights are being violated.
Importance – The “Right to Privacy” helps every individual to keep their protected health information private. If you don’t want certain people to access your PHI, they won’t be able to see it. If you want some of your family or friends to have access to your PHI in case of an emergency, you can choose them as your “personal representatives.”
In some cases, the healthcare provider shares your PHI with other companies. This law states that your PHI cannot be used for marketing and sales purposes without your consent.
This right gives freedom to individuals to deny certain people the access to their PHI and keep your treatment private from insurance companies if you have paid for the treatment from your pocket.
The Security Rule
The Security Rule was implemented on the 20 April 2005. Also known as The Security Standards for the Protection of Electronic Protected Health Information, the Security Rule aims to protect the privacy and integrity of the electronically transmitted Protected Health Information or e-PHI. According to the rule, the covered entities of the Security Rule should deploy safeguards to protect the e-PHI and prevent any unauthorized user from accessing it.
The covered entities under the Security Rule involve all the health care providers, health plans, and clearinghouses that transmit, receive or store PHI in an electronic form.
The Security Rule encourages the health care providers and health insurance companies to adopt new technologies and move to digital forms of storing and accessing the health records. However, the security and privacy of the individual’s protected health information should be kept in mind.
The rule instructs the covered entities to protect the confidentiality of the PHI by anticipated threats and ensure proper compliance by their employees.
Every organization complying to Security Rule should deploy safeguards to protect the e-PHI from any breach. These are termed as Administrative Safeguards, Physical Safeguards, and Technical Safeguards.
a) Administrative Safeguards – Security policies and regulations should be maintained and implemented by the healthcare provider. Access to the health records should only be on a “need to know” basis. A security officer should be appointed to overlook all the regulations and procedures.
b) Technical Safeguards – Only concerned officers should be provided access to the portal where the PHI is stored. Provisions should be made for the proper monitoring of the employees that access the PHI along with the appropriate date and time.
c) Physical Safeguards – These include restricting access to any unauthorized person to enter the facilities by usage of access cards or fingerprint sensors. The covered entities should also secure the system through which the data is being transferred or received.
Importance – We are all aware of the digitalization taking place in the department of health services. The Security Rule ensures that the covered entities protect all the data that is stored, transferred and received electronically. It ensures that you can log in to a portal or receive emails without the without any apprehension.
Breach Notification Rule
HIPAA defines breach as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.” The disclosure of PHI to any unauthorized person is considered as a breach until and unless the covered entity can prove that the chances of the PHI being compromised is very low. The covered entities have to do a risk assessment to evaluate the situation on the grounds of whether the health records were viewed or acquired, the type of PHI and its importance among other factors.
If the breach affects 500 individuals or more the covered entity must submit a notice to the Secretary without delay. You can submit the notice by clicking on the following link.
Importance – The Breach Notification Rule ensures that any breach in the PHI is immediately notified to the authorities so that they can deal with the issue. It also makes sure that proper risk assessment is done by the covered entities to evaluate the severity of the breach.
The Enforcement Rule, as the name suggests, was introduced as a part of the HIPAA to enforce the covered entities and business associates to comply with the HIPAA regulations and define the process to investigate the covered entities for non-compliance. It also sets the legal penalties that can be enforced if the covered entity is found guilty of non-compliance.
The Enforcement Rule has evolved through the years with notable amendments. On 17th April 2003, the Procedures for Investigations, Imposition of Penalties, and Hearings – Interim Final Rule was introduced. Since then changes were made in 2003,2004 and 2005 with the Final Enforcement Rule being introduced on 16th February 2006. An Act called as the HITECH ACT was introduced on 29th October 2009 that added some more features in the Enforcement Rule. Most recently, The Final Omnibus Rule was introduced in 2013.
The OCR works in tandem with the Department of Justice (DOJ) to investigate cases of non-compliance. If OCR finds out during the investigation that there is a possible criminal violation, it passes the findings to the DOJ.
Importance – As the Enforcement Rule ensures that the covered entities comply with HIPAA rules and regulations without fail, the individuals can rest assured that their health care provider will abide by HIPAA rules. Also, the rule also defines the process of investigation and the actions to be taken if the covered entity or business associate is found guilty. Hence, the covered entities can expect a fair judgment and penalty if found non-compliant.
In this day and age, where the security of personal data is a priority, HIPAA makes sure that the data provided by you in full faith to your healthcare provider is kept secure. It also holds a check on all the covered entities so that they keep up to the HIPAA standards.
It is essential for every covered entity to be HIPAA compliant or a heavy penalty can be imposed on them.