This article is written by Sanjana Rao, pursuing Diploma in Cyber Law, FinTech Regulations, and Technology Contracts from LawSikho.
Table of Contents
Introduction
HIPAA commonly misspelt as HIPPO and misunderstood as regulation with a solitary purpose to burden and scam healthcare professionals are actually revolutionary legislation that regulates all aspects of the US Healthcare system, to keep up with digitalisation in the field of medicine. HIPAA stands for Health Insurance Portability and Accountability Act.
Passed in 1996, HIPAA is a comprehensive law of the United States, which merged the requirements of several other statutes, including the Public Health Service Act, the Employee Retirement Income Security Act, and the Health Information Technology for Economic and Clinical Health (HITECH) Act. It aims at improving the efficiency and effectiveness of the US healthcare system by giving patients more control over how their personal data is processed and stored, while also pushing healthcare organisations to adopt and shift to secure digital technology. It also contains a number of provisions pertaining to transferring health insurance policies between businesses and medical account tax rules. However, HIPAA serves as a floor law, which means that states can layer additional regulations and restrictions on top of it.
Objectives and purpose of HIPAA
- To enhance the portability of health insurance of citizens while switching jobs. Hence, P in HIPAA stands for “Portability”.
- To safeguard patient data, protect patients’ and health plan members’ privacy, and grant individuals control over their own healthcare information.
- Another objective of the HIPAA Privacy Rule was to make it easy for anyone to get access to their health information for a low, cost-based price. Individuals can obtain a copy of their own medical information to examine or share with others. They can check their records and call for rectification of errors.
- To ensure that electronically protected health information (ePHI) is appropriately protected, that access to ePHI is regulated, and that an auditable trail of PHI activity is kept.
- To notify individuals or concerned entities when there is a breach of data.
- To ensure interest on life insurance loans is taxed, group health insurance requirements are enforced, and to clarify that amount that individuals can put into a pre-tax medical savings account which is standardised.
It is imperative to know that HIPAA covers only the Personal Health Information of individuals. It applies only to covered entities as mentioned in the legislation and like most laws, has exceptions as in when health information can be disclosed without individual authentication. Data that is not individually identifiable is not covered and any health data an individual holds is not subjected to HIPAA. It is also worth mentioning that Health tracking apps do not come under the purview of HIPPA.
Important terms in the Act
Any data that may be used to identify, contact, or locate a specific person, whether alone or in combination with other widely available sources, is considered personally identifiable information (PII).In short, is any individually identifiable health information. Examples include the phone number, address social security, health records, payment history and so on.
Protected Health Information
Protected Health Information (PHI) comprises eighteen “Individually Identifiable Health Information” that, alone or in combination, could reveal a patient’s name, medical history, or payment history.
HIPAA defines “protected health information” as individually identifiable health information that is:
- Transmitted by electronic media;
- Maintained in electronic media; or
- Transmitted or maintained in any other form or medium.
Covered entities under the HIPAA
Any entity or individuals who come under the ambit of HIPAA are called “covered entities”. They include:
Health plans
Individual and group health insurance plans that provide or pay for medical care are considered covered entities. Health insurers, health maintenance organisations (HMOs), Medicare, Medicaid, Medicare+Choice, and Medicare supplement insurers, and long-term care insurers are all examples of health plans (excluding nursing home fixed-indemnity policies). Employer-sponsored group health plans, government and church-sponsored health plans, and multiemployer health plans are also included.
Health care providers
This includes doctors, psychologists, nurses, dentists, nursing homes provided they transmit any electronic data in conjunction with a transaction for which HHS has established a standard.
Health care clearinghouses
Organisations who convert nonstandard health information received from another entity into a standard (i.e., standard electronic format or data content) or vice versa. Clearinghouses can assist in the consolidation of numerous workflows into a single platform and services.
Business associates
Any contractor or service provider to a covered entity. Services like claims processing, data analysis, data utilization and billing of PHI undertaken by any organisation for any of the above entities, would fall under this category. Business associate agreements should be entered into between the organizations.
Five main components of HIPAA Regulations
HIPAA regulations focus on five main components:
- Privacy Rule: This sets limitations and conditions on the uses and disclosures of PHI on covered entities. It also covers various rights to patients over their health records.
- Security Rule: This is one of the most extensive rules which establishes a national set of security standards for protecting health information. It also provides technical and technical safeguards that covered entities must put in place to safeguard PHI.
- Enforcement Rule: This is a newer part of HITECH in 2009. It strengthens civil and criminal enforcement of HIPAA rules significantly by increasing monetary penalties for violations.
- Breach Notification Rule: This requires HIPAA covered entities and their business associates to notify the required parties when any sort of a breach occurs within a reasonable time.
Privacy and Security Rules of HIPAA
This article aims to focus on Privacy and Security Rules of HIPAA:
Privacy Rule
Enacted in 2002, the Privacy Rule aimed at safeguarding patient healthcare information confidentiality. Healthcare plans, healthcare clearinghouses, and Business Associates with access to Protected Health Information are all covered by the HIPAA Privacy Rule.
The Privacy Rule’s main purpose is to ensure that people’s health information is appropriately protected while permitting the flow of health data needed to provide and promote high-quality care and protect the public’s health and well-being. The Rule achieves to strike a balance between allowing vital uses of data while also preserving the privacy of persons seeking care and healing by establishing rules of disclosure for PH like mandatory, permissive and authorized disclosures.
Purpose and features of the Privacy Rule
- Photographs and videos containing any individually identifiable health information, along with PHI saved electronically come under the HIPAA Privacy Rule. This means that if a healthcare provider takes a photograph of a patient’s wound, and the patient’s identity can be recognised by any distinguishing feature – the patient’s identity can be determined and would be regarded as PHI.
- Minimum necessary rule: This guideline states that PHI must only be disclosed to the extent necessary for the indicated purpose. In the healthcare setting, when it may be necessary for a healthcare provider to access a patient’s complete medical history, there are exceptions to the rule. However, even when the patient has provided their consent for their medical records to be made available for research, marketing, or fundraising purposes, non-routine disclosure requests must be assessed on a case-by-case basis. Without a patient’s specific written authorization, a covered entity may disclose PHI to aid treatment, payment, or health care operations (TPO) under the HIPAA Privacy Rule.
- The Privacy and Security Rules of HIPAA require covered institutions to notify individuals of PHI usage. In addition, covered entities must maintain track of PHI releases and record their privacy policies and procedures. They are required to appoint a Privacy Officer and a point of contact for concerns, as well as train all members of their workplace on PHI practises. An individual who believes that HIPAA Privacy Rules are not being followed can file a complaint with the Department of Health and Human Services’ Office for Civil Rights (OCR). The reporting information must be included in the organization’s Notice of Privacy Practices, which is given to patients or posted in a prominent location such as a doctor’s waiting room.
- The HIPAA Privacy Rule protects a large amount of “Individually Identifiable Health Information.” Individually identifiable health information, which is frequently accessed by insurance providers and clearinghouses for billing purposes, comprises not only names, addresses, dates of birth, and Social Security numbers, but also credit card information and vehicle registration numbers.
- PHI can only be released to a third party with the patient’s permission unless it is related to the individual’s treatment, payment or healthcare-related operations. (apart from exceptions of law enforcement or public health-related activities). The HIPAA Privacy and Security Rules are one of the most crucial components of the law. Healthcare organisations must be extremely cautious in their attempts to preserve patient PHI.
Security Rule
The HIPAA Security Rule includes security measures for privacy, integrity, and availability of patients’ electronic protected health information (ePHI). Covered entities are expected to adopt reasonable and suitable security policies in order to comply with the Security Rule along with accessing the security concerns in the entity’s environment and developing appropriate solutions. What is reasonable and appropriate depends on the size, complexity, and resources of the organization. To keep ePHI safe in an ever-changing environment, one is required to examine and update procedures on a regular basis. The HIPAA Security Rule leaves it up to entities to determine what measures are required for their particular company.
All covered entities must do the following to comply with the HIPAA Security Rule:
- Ensure that all electronically protected health information is kept private, secure, and accessible.
- Detects and protects against any risks to the information’s security.
- Protect against potential unauthorised uses or disclosures.
- Certify compliance at the workplace.
However, the HIPAA Security Rule leaves it up to entities to determine what measures are required for their particular company.
Enforcement of Security Rule
The Department of Health and Human Services (HHS) has authorized the Center for Medicare and Medicaid Services (CMS) national authority to enforce the HIPAA Security Rule.
The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 holds both covered companies and business partners liable to the Department of Health and Human Services (HHS) and individuals for properly securing confidential patient information.
Components of the Security Rule
The HIPAA Security Rule was introduced in 1998, but the compliance swung into effect in 2005. The HIPAA Security Rule regulates the protection of electronically protected health information (PHI).
Three types of safeguards are required by the HIPAA Security Rule.
-
Technical safeguards
HIPAA-compliant organisations must develop policies and processes to ensure that electronically protected health information (ePHI) is protected when it is used, stored, or transmitted. Firewalls, encryption, and data backup are examples of technical safeguards. It is further classified into:
- Access: Sensitive and confidential information can only be accessed by authorised personnel. Covered entities and business associates should consider whether they have reasonable and appropriate access policies, controlled physical access to workstations, data, media, and equipment, and reasonable and appropriate technical access controls, such as secure passwords when evaluating their access controls.
- Audit: within the information systems, refers to actions for documenting and examining activities relating to ePHI.
- Authentication: The identity of the company or individual seeking access to the protected data must be verified.
- Integrity: requires rules and procedures to prevent data from being tampered with or destroyed without authorization.
-
Administrative safeguards
Administrative safeguards include procedures and policies which aid in protection against a breach in data. They decide on documentation procedures, roles and duties, training needs, and data maintenance rules, among other things. These safeguards necessitate the appointment of an ePHI privacy officer and security officer, as well as the definition of how to control the workforce. Risk analysis as a part of security management activity is one of the mandates of this safeguard. Administrative precautions account for more than half of HIPAA’s Security Rule.
The case of Cedar Springs Hospital in Colorado Springs is an example of crucial administrative precautions. As part of a survey, the hospital gave a storage device containing unencrypted PHI to a representative from the Colorado Department of Public Health and Environment in late 2020. Unfortunately, the officer misplaced the device, placing the information at risk of being misused. Because the data was not encrypted, the hospital was required to file a notification report.
-
Physical safeguards
Physical safeguards for computer equipment include things like doors, walls, locks, and guards. Access to hardware and data centres where electronic protected health records are kept or transmitted is restricted by physical measures. Ensuring signing in of visitors, verification of their ID’S, guarding of restricted areas is a part of physical safety measures. Another example of a physical safeguard for encryption keys is the use of biometrics.
How is HIPAA Privacy Rule different from HIPAA Security Rule?
Although the HIPAA Privacy and Security standards operate together to protect sensitive patient data, they are distinct and serve different goals. The Privacy Rule establishes the criteria for who may have access to PHI, while the Security Rule establishes the criteria for ensuring that only those who should have access to EPHI do so.
- The HIPAA Privacy Rule is all about the individual and their right to determine how their personal information is utilised. Medical organisations can use sensitive information for essential activities including operations, treatment, and payment. Aside from that, the information must be kept private. The Privacy Rule assures that all kinds of Protected Health Information (PHI), including physical copies, electronic copies, and information conveyed orally, are protected and kept private.
- The Privacy Rule covers all types of protected health information held by patients, whether electronic, written, or oral. The Security Rule, on the other hand, only applies to electronically protected health information that is created, received, stored or transmitted. Regular risk assessments and having policies in place to maintain the security of electronic data are some of the specific parts of the Security Rule. These policies should cover password management, change auditing, email handling, among other topics.
Significant case laws
Project Nightingale case
A business associate agreement was entered into between Ascension wherein Ascension wanted to migrate its healthcare data onto the Google cloud. This agreement, which was initially thought to be a breach of HIPAA, was concluded to be full HIPAA compliant and the relationship between the parties was found to be common and legal.
Maryland Hospitals case
Under HIPAA, two hospitals in Prince George’s County, Maryland, infringed on the rights of 41 patients to access their medical records. Patients can seek copies of their medical records under HIPAA, and healthcare providers must comply within 60 days without charging a fee. Each hospital refused in this case, culminating in a $3 million settlement as the first OCR penalty for Privacy Rule breaches. Their punishment was made worse by their refusal to cooperate, resulting in the maximum penalty for “willful neglect”.
Walgreens Pharmacists case
A Walgreens pharmacist broke the HIPAA statute in 2014 when she provided sensitive medical information about a customer who had previously dated her husband. This case shows that firms can now be held liable for their workers’ acts. This ended in a 1.4 million dollar award settlement.
CHSPSC case
In April 2014, admin credentials were hacked to gain access to the systems of CHSPSC LLC, a Tennessee-based management business that offers services to various Community Health Systems subsidiary hospital operator corporations and other affiliates. The hackers got access to the ePHI of 6,121,158 people. OCR conducted an investigation and discovered widespread noncompliance with the HIPAA Security Rule. CHSPSC had not conducted a comprehensive risk analysis, had not conducted information system activity checks, and had insufficient access restrictions and security incident response processes in place. It took CHSPSC two months to respond after the FBI informed them of the cyberattack. CHSPSC LLC paid a $2,300,000 penalty and adopted a corrective action plan to address all areas of noncompliance.
Conclusion
The HIPAA Privacy and Security Rules are one of the most crucial components of the law. Healthcare organisations must be extremely cautious in their attempts to preserve patient PHI. However, in spite of being comprehensive in nature, it is not completely devoid of shortcomings. This federal law has failed to regard the rising use of social media in healthcare, as well as the increased use of telemedicine and other innovative services. And its enforcement is another case of “easier said than done”. A revision of HIPAA, considering the current and probable changes in medicine and technology, would make it one of the most beneficial and powerful legislations of the US.
References
- https://privacyruleandresearch.nih.gov/pr_07.asp
- https://compliancy-group.com/what-is-a-hipaa-violation-lawyer/
- https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
- https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/HIPAAPrivacyandSecurity.pdf
- https://digitalguardian.com/blog/what-hipaa-compliance
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: