The Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Bill Clinton in 1996. It created some of the most sweeping changes in healthcare reform at that time and for many years after. HIPAA was designed to eliminate discrimination by protecting and securing patients’ health data. This law has since grown into a government regulation with a much larger scope and focus on information technology as it relates to healthcare. HIPAA’s three primary functions are:
- Protect the privacy and provide security for Protected Health Information (PHI).
- Increase the efficiency and effectiveness of the healthcare system.
- Establish standards for accessing, sharing and transmitting PHI.
HIPAA was originally segmented into 3 primary components: the Privacy Rule, the Security Rule, and the Enforcement Rule. Several years later it was amended to include the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Omnibus Rule.
The Privacy Rule
The Privacy Rule was designed to protect and keep private all of our Protected Health Information (PHI). PHI includes information such as a patient’s street address, city, birth date, email addresses, Social Security numbers or any type of identifiable information obtained in the process of receiving care. Individuals may be charged with either civil or criminal penalties for violating HIPAA privacy rules.
The primary goal is to protect individuals’ PHI while promoting an efficient “flow” of information. It applies to covered entities, which are defined as hospitals, doctors’ offices, insurance companies or any organization that accepts health insurance. It also applies to business associates: organizations that create, maintain or transmit PHI on behalf of a covered entity. These entities must protect any PHI transmitted in any form: electronic, oral or written.
The Privacy Rule also gives individuals the right to access, review and obtain copies of their PHI. In addition, it gives them the right to amend their PHI or request restrictions on its use. As a part of the Privacy Rule, covered entities and business associates are required to appoint a privacy officer, complete workforce training on HIPAA compliance and construct business associate agreements with any entity to which they disclose information or with which they share it.
The Security Rule
The Security Rule sets standards for covered entities and business associates for the security of electronic health information.
The Security Rule has three primary components:
- Administrative safeguards – These begin the security management process by identifying a security officer and performing a risk assessment. The goal is to evaluate risk and make sure only authorized personnel can access PHI. Also, contingency and business continuity plans must be addressed and documented in the event of a disaster or disruption of business.
- Physical safeguards – These cover facility access controls (badges), alarms and locks. Any PHI data must be encrypted at rest and in motion and have adequate passwords. The use of tablets, phones, etc. must also be considered.
- Technical safeguards – These include audit controls (SSAE), which record and monitor transactions, and passwords, PINs or biometrics.
All security information must be documented and accessible on demand. It is required to be updated and archived for 6 years.
The Enforcement Rule
The Enforcement Rule sets the standards for penalties in the event of a HIPAA violation or breach. Initially, there were very few violations reported or penalties assessed. Today, there are still not many penalties compared to the actual violations, which occur frequently.
The most common infractions include:
- Unauthorized disclosures of PHI
- Lack of protection of health information
- Inability of patients to access their health information
- Disclosing more than the minimum necessary protected health information
- Absence of safeguards for electronic protected health information
The following are the covered entities required to take corrective action to be in voluntary compliance according to HHS:
- Private practices
- Outpatient facilities
- Group plans such as insurance groups
(source: hhs.gov/enforcement, 2013)
HITECH and the Omnibus Rule
In 2009, Congress passed an amendment to HIPAA: the Health Information Technology for Economic and Clinical Health Act (HITECH). This amendment was designed to reduce cost and streamline healthcare through information technology. HITECH expanded HIPAA and implemented new requirements for the protection of PHI in information technology.
In 2013, the HHS Office for Civil Rights issued “the final rule”, or Omnibus Rule, as a means of implementing the changes of HITECH. HITECH changes included:
- It allowed individuals to request changes to their PHI and required direct approval before the sale of PHI.
- Business associates became directly liable and are required to provide items such as workforce training, a privacy officer and a risk assessment. HITECH also assigned liabilities to subcontractors of business associates.
- All HIPAA breaches must be reported to affected individuals as well as the Secretary of HHS. An additional risk assessment must then be completed for each breach.
- HITECH introduced a tiered approach to breach penalties with recurring infractions in the same year totaling up to $1,500,000. It also gave the state Attorney General the power to enforce HIPAA violations.
HIPAA is one of the most sweeping and all-encompassing changes to ever impact the healthcare industry. It has evolved to regulate the use of information technology within the scope of healthcare in addition to protecting the privacy of a patient’s PHI. Unfortunately, like most government regulations, it is vague and very difficult to enforce. On the other hand, it has created valuable safeguards for the protection of our personal health records and it has encouraged improvements to the flow and integration of healthcare data.
If you need assistance with any current IT projects (Cincinnati or remote), or a risk assessment for your practice, please contact us at:
Jim Conwell (513) 227-4131 firstname.lastname@example.org www.twoearsonemouth.net