This article is written by Michael Shriney from the Sathyabama Institute of Science and Technology. This article discusses HIPAA, its history, purpose, common HIPAA offences, prohibitions, and components. It contains privacy entities covered by this Act, what information is protected, and the procedures required to ensure HIPAA by the US Department of Health and Human Services. The Act also addresses penalties, permissible uses, disclosure of the act, and FAQs.
This article has been published by Sneha Mahawar.
Introduction
The Health Insurance Portability and Accountability Act (HIPAA) is a United States federal law that provides data privacy and security protections for medical information. Its importance has grown with cyber attacks on health insurers and providers, including several health data breaches and ransomware attacks. President Bill Clinton signed the law on August 21, 1996. HIPAA overrides state laws governing the security of medical information, except where state law is stricter than HIPAA. The Act is a central piece of legislation for the United States healthcare industry: it controls the privacy and security of health information. The government agency in charge of developing the rules for its implementation is the United States Department of Health and Human Services (HHS).
In other words, the goal of this Act is to safeguard patients’ personal data from public access and to help prevent patients’ information from being misused. The Act has been amended several times since it was first enacted. The HIPAA objectives are:
- Privacy of health information
- Security of electronic records
- Administrative simplicity
- Insurance portability
Diagnoses, treatment information, medical test results, and prescription information, as well as national identification numbers and demographic information such as birth dates, gender, ethnicity, and contact information, are considered protected health information under HIPAA. The Act preserves the confidentiality, integrity, and availability of Protected Health Information (PHI) and also establishes restrictions on PHI disclosures. Anyone who violates a HIPAA provision faces financial penalties, and violations can also attract criminal penalties. Ignorance of HIPAA’s requirements is not a valid defence.
History of HIPAA
- The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996. HIPAA is a medical privacy and security law that many people are aware of.
- However, HIPAA’s first goal was to set standards for transferring electronic health data and to enable people to transfer and maintain health insurance after changing or losing jobs. HIPAA did not have national privacy protections for medical information until 2003. All of the safeguards were based on state laws.
- The HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Enforcement Rule were issued and enacted by the US Department of Health and Human Services (HHS). Under HIPAA, the Department of Health and Human Services (HHS) released the first national data privacy and security rules in 2003.
- The Security Rule establishes guidelines for protecting electronic PHI. The Privacy Rule gives individuals rights over their protected health information (PHI) and explains how entities covered by HIPAA may use and disclose PHI.
- The Enforcement Rule addresses compliance, investigations, and possible penalties for infringement of the HIPAA Privacy and Security Rules. The HIPAA regulations are enforced by the Office for Civil Rights (OCR), which is part of the Department of Health and Human Services.
- In 2009, President Barack Obama signed the Health Information Technology for Economic and Clinical Health (HITECH) Act into law. The HITECH Act is part of the American Recovery and Reinvestment Act (ARRA) under Title XIII. Medical privacy was governed by these rules between 2003 and 2009, during which electronic medical records began to take the place of paper records.
- Patients began to communicate with their doctors through email and internet portals. Prescriptions are now being processed electronically at pharmacies. The HITECH Act provided financial incentives for healthcare providers and insurers to continue transferring to electronic medical records. It also addressed privacy and security concerns associated with the electronic transfer of health information, such as unauthorised access and data breaches.
- The HIPAA Omnibus Rule was released by the HHS Office for Civil Rights in 2013. The HIPAA privacy, security, and enforcement rules were significantly altered by the Omnibus Rule. Many parts of the HITECH Act had been implemented. The Breach Notification rule was modified and finalised. It also included modifications to the HIPAA Privacy Rule that were enforced by the Genetic Information Nondiscrimination Act of 2008 (GINA).
Purpose of HIPAA
- In 1996, the Act was first introduced. The law allows employees to keep their health insurance coverage even while they are between jobs.
- The Health Insurance Portability and Accountability Act (HIPAA) covers specific types of health information rather than all health information.
- Examples of specific types of health information or records containing health information:
- Genetic information
- Health information in school records
- Identifiable information about individuals maintained by the federal government
- Certain alcohol and drug substance abuse records, and
- Information relating to medical research.
- HIPAA establishes a baseline of requirements from which states may develop stricter regulations, so states may also adopt their own laws to protect health information.
- The law also obliged healthcare organizations to set up procedures to protect patient data in order to prevent healthcare fraud, but the rules for doing so took years to complete.
- HIPAA also established numerous new standards to increase healthcare efficiency, encouraging healthcare organizations to adopt the standards in order to decrease paperwork.
- HIPAA required the use of code sets in connection with patient identifiers in order to facilitate the efficient movement of healthcare data between healthcare organizations and insurers, and to streamline eligibility checks, billing, payments, and other healthcare activities.
- The act also prohibits interest on life insurance loans from being deducted from taxes, establishes group health insurance obligations, and standardizes the amount that can be saved in a pre-tax medical savings account.
- The Health Insurance Portability and Accountability Act (HIPAA) is also known as Public Law 104-191. Its main objective is to guarantee continuous health insurance coverage for people who leave or change employment.
- The Act also aims to reduce the cost of healthcare in the long run by establishing a standard for the electronic transmission of administrative and financial processes. Tackling misuse, fraud, and waste in health insurance and health care delivery, as well as improving access to long-term care services and health insurance, are among its other objectives.
What are the entities covered under HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) does not cover all health information, nor does it apply to everyone who has access to or uses health data. Only covered entities and their business associates are subject to HIPAA.
Covered entities
The Act describes three categories of covered entities:
- Health care providers
This entity is paid for providing health care. Providers include doctors, dentists, hospitals, nursing homes, pharmacies, urgent care clinics, and other entities that offer health care for a fee. They must comply with HIPAA only if they transmit health information electronically in connection with covered transactions. Most providers transmit information electronically to perform services such as processing claims and receiving payment, so HIPAA covers the vast majority of providers.
- Health plans
This entity is responsible for covering the cost of medical care. Examples of HIPAA-covered health plans include health insurance firms, health maintenance organizations, employer-sponsored group health plans, and government-funded health plans such as Medicare and Medicaid.
- Health care clearing houses
This entity processes data so that it can be exchanged between covered entities in a standardized format. Clearinghouses frequently act as a middleman between health care providers and insurance companies, which means they rarely interact directly with consumers. A clearinghouse, for example, may accept information from a doctor and convert it into a standard coded format that can be used for insurance purposes.
Business associates
Healthcare providers, healthcare plans, and healthcare clearinghouses are only a few of the industry’s entities. People and corporations are hired or contracted by covered entities to execute a variety of services. On behalf of a covered entity or another business associate acting as a subcontractor, a business associate develops, receives, stores, or transmits protected health information.
Business associates may perform legal, accounting, consulting, management, administrative, accreditation, data analysis, data transfer, billing, benefits administration, practice management, repricing, and other services for a covered entity. Business associates do not interact with patients. They must abide by the terms of the contracts they enter into with covered entities. They are directly liable for violations of the HIPAA Security Rule and of several HIPAA Privacy Rule provisions, and they may be subject to audits and penalties by the Department of Health and Human Services.
Sub-contractors
Under HIPAA, a subcontractor that creates, stores, or transmits protected health information on behalf of a business associate bears the same legal obligations as the business associate. Subcontractors doing work for a business associate are subject to the same privacy and security obligations. In addition, the subcontractor is bound by a contract with the business associate rather than with the covered entity.
Hybrid entities
A hybrid entity conducts both HIPAA-covered and non-covered activities as part of its business. A large company that offers its employees a self-insured health plan may choose to be treated as a hybrid entity. When a company elects hybrid status, only the part of the company that performs covered functions (its health care component) is treated as the covered entity. Hybrid entities must ensure that the health care component does not disclose protected health information to a non-covered component of the company, and they must also keep electronic protected health information secure.
Information to be protected in HIPAA
The HIPAA Privacy Rule protects any individually identifiable health information that a covered organization or business associate holds or transmits. The information can be stored in any media, including digital, paper, or oral. PHI consists of, but is not limited to, the following:
- Name, address, birth date, social security number, biometric identifiers, and other personally identifiable information of a patient.
- A person’s past, current, or future physical or mental health situation.
- Any treatment supplied to an individual and information concerning the past, present, or future payment for the care provided to the individual that identifies the patient or information that may reasonably be used to identify the patient.
PHI does not include the following:
- Employment records, and education and other records subject to the Family Educational Rights and Privacy Act (FERPA); and
- De-identified data, meaning data that does not identify an individual and can therefore be used or disclosed without restriction.
Common violations of HIPAA
Any demographic information that may be used to identify a patient is considered protected health information (PHI). PHI includes names, dates of birth, addresses, phone numbers, email addresses, social security numbers, insurance ID numbers, health care records, and full-face photographs. Data breaches are one of the most common causes of HIPAA violations and fines. Here are a few examples of data breaches and related HIPAA violations:
- A laptop that has been stolen or lost
- A phone that has been stolen or lost
- A USB device that has been stolen or misplaced
- A malware attack
- A ransomware attack
- Hacking
- A breach at a business associate
- A breach of an electronic health record
- A workplace break-in
- Transmitting protected health information to the wrong patient or contact
- Communicating protected health information outside of the office
- Posts on social media
Other typical HIPAA breaches involve impermissible uses and disclosures, inadequate security safeguards, the minimum necessary rule, access controls, and the notice of privacy practices.
When PHI is breached, the Department of Health and Human Services (HHS) requires a report to be made on its breach reporting portal. Under the HIPAA Breach Notification Rule, individuals affected by the incident must also be informed in compliance with the regulatory guidelines. Each of the violations listed above involves, in some way, the loss of HIPAA-protected health information (PHI).
Prohibiting HIPAA violations
The most essential point is that the common HIPAA violations listed above can be avoided by implementing an effective compliance program tailored to the needs of the organization. Choosing a suitable compliance solution is not a simple check-the-box exercise: a compliance program tailored to the specific organization is what reduces the risk of these common breaches and determines the program’s strength and the protection it offers.
Components of HIPAA
HIPAA is divided into five sections or titles:
- HIPAA Health Insurance Reform (Title I):
Title I protects the health insurance coverage of individuals who leave or change employment. It makes it illegal for group health plans to refuse coverage to anyone who loses or changes employment, and it forbids corporate health plans from denying coverage to people with certain diseases or pre-existing conditions or from imposing lifetime coverage limits.
- HIPAA Administrative Simplification (Title II):
Title II requires that the US Department of Health and Human Services (HHS) develop national standards for the processing of electronic healthcare transactions. It also requires that healthcare organisations maintain highly secured access to patient data and comply with HHS privacy laws.
- HIPAA Tax-Related Health provisions (Title III):
Title III contains tax rules as well as medical care guidelines.
- Application and enforcement of Group Health Plan Requirements (Title IV):
Title IV goes into further detail on healthcare reform, including provisions for those with pre-existing conditions and those who want to keep their coverage.
- Revenue offsets (Title V):
Title V contains rules on company-owned life insurance and the income tax status of persons who renounce their US citizenship.
HIPAA Title II, often known as the Administrative Simplification provisions, pertains to HIPAA compliance. Title II covers the following compliance requirements:
- National Provider Identifier Standard
Individuals, businesses, health plans, and healthcare providers all require a 10-digit National Provider Identifier number or NPI.
- Transactions and Code Set Standard
To file and process insurance claims, healthcare organizations must use a standardized electronic data interchange (EDI) system.
- HIPAA Privacy Rule
This rule, formally known as the Standards for Privacy of Individually Identifiable Health Information, provides national standards for the protection of patient health information.
- HIPAA Security Rule
Patient data security is governed by the Security Standards for the Protection of Electronic Protected Health Information.
- HIPAA Enforcement Rule
This rule outlines the criteria for HIPAA compliance infraction investigations.
HIPAA is enforced by the HHS Office for Civil Rights, which conducts audits and can levy penalties for violations. Violations of the Act can be extremely expensive to healthcare organisations.
Privacy rule of HIPAA
- HIPAA’s Privacy of Individually Identifiable Health Information Guidelines, often known as the HIPAA Privacy Rule, were developed as the first national standards in the US to secure individuals’ personal or protected health information (PHI).
- The regulation was established by the Department of Health and Human Services to limit the use and disclosure of sensitive PHI.
- It aims to preserve patients’ privacy by forcing doctors to submit a record of all entities to whom they disclose PHI for billing and administrative purposes, while still enabling necessary health information to flow via the right channels.
- This rule ensures that people have the right to obtain their own PHI from HIPAA-covered healthcare providers upon request. Organizations designated as HIPAA-covered entities are subject to the HIPAA Privacy Rule.
- It also requires a contract between covered entities and their HIPAA business associates that imposes specified protections on the PHI that the business associates use or disclose.
Uses and disclosures that are permitted under HIPAA
This regulation specifies when a covered entity may use or disclose an individual’s protected health information (PHI). There are two circumstances under which use or disclosure is permitted:
- When the Privacy Rule expressly permits or requires it, for example when the covered entity uses the data itself or transmits it to another covered entity; and
- When the individual who is the subject of the information gives written authorization.
Privacy rule penalties
- Under the Privacy Rule, any covered entity that suffers a healthcare data breach or fails to give patients access to their PHI faces a fine from the Office for Civil Rights. HIPAA violations fall into four categories:
- Unknowingly breaching HIPAA is punishable by a fine of $100 per violation, with a maximum fine of $25,000 per year for repeat offences.
- The fine for breaching HIPAA without good cause is $1,000 per violation, with a maximum yearly fine of $100,000 for repeat offences.
- The penalty for willful HIPAA violations that are not addressed within a certain time period is $10,000 per violation, with a maximum yearly penalty of $250,000 for multiple offences.
- The penalty for willful disregard of HIPAA and failure to cure the violation is $50,000 per violation, with a maximum yearly penalty of $1.4 million for repeat violations.
- If a covered entity or individual obtains or discloses PHI in violation of the HIPAA Privacy rule on purpose, they can be fined up to $50,000 and sentenced to up to one year in prison.
- If the HIPAA Privacy rule is breached under false pretences, the penalty can be increased to $100,000 and up to ten years in prison.
Security rule of HIPAA
The Security Rule, formally the Security Standards for the Protection of Electronic Protected Health Information, provides national criteria for safeguarding patient data that is stored or transmitted electronically. It is based on the cyber security framework developed by the National Institute of Standards and Technology. The HIPAA Security Rule is enforced by the OCR, and it aims to strike a balance between patient security and the growth of health technology. The rule requires physical and technical safeguards to ensure the secure transmission, storage, and receipt of PHI.
Omnibus rule of HIPAA
The HIPAA Omnibus rule updates the HIPAA privacy, security, and enforcement regulation in order to accommodate HITECH Act statutory amendments. The most significant changes to the HIPAA privacy and security regulation since it was initially adopted were made with this rule. The following are the modifications:
- It modifies the breach notification rule for unsecured PHI and establishes more objective standards for determining a health care provider’s liability after a data breach;
- It modifies the rule to strengthen the privacy protections for genetic information;
- It enhances the privacy and security protection of Protected Health Information (PHI);
- It lays out OCR’s data privacy and security enforcement strategies, which have been updated for the electronic health record age and are required by the HITECH Act.
- It extends the breach notification rule to vendors of EHRs and EHR-related systems;
- It specifies that when patients pay cash, they can direct their provider not to share data about their treatment with their health plan;
- It establishes new limits on how data is used and disclosed for marketing and fundraising purposes, and it prohibits the sale of an individual’s health information without their permission;
- It makes it easier for parents and others to give permission to share their children’s health information;
- It simplifies an individual’s capacity to authorise the use of their health information for research purposes; and
- It enhances penalties for noncompliance based on the amount of carelessness, with a maximum penalty of $1.5 million per violation.
What are the requirements needed to enforce HIPAA by the U.S. Department of Health and Human Services (HHS)?
- The HIPAA enforcement rule allows the United States Department of Health and Human Services and the Office for Civil Rights to investigate HIPAA violations and apply Civil Monetary Penalties (CMP).
- HIPAA rules can also be enforced by state attorneys general. Individuals have no private right of action under HIPAA and cannot sue for a violation.
- OCR begins the enforcement process by investigating suspected HIPAA Privacy or Security Rule breaches. They react to individual complaints, although many HIPAA violations are discovered through other means, including audits.
- Following an investigation, OCR can settle an issue by ruling that there is no violation and entering into a resolution agreement with the responsible party, or by determining that the party is in violation and applying sanctions.
- Any penalty money collected by HHS is transferred to the US Treasury. Individuals have no right to sue under the Act. However, the Act does not prevent states from enacting additional safeguards.
How the Department of Health and Human Services investigates a complaint:
Individuals who are aware of a suspected HIPAA violation can file a complaint with the HHS Office for Civil Rights. For an investigation to be considered, the complaint must meet the following criteria:
- If the complaint concerns a potential violation of the Privacy Rule, the activity must have happened after April 2003. If the complaint concerns a potential violation of the Security Rule, the activity must have happened after April 2005.
- The complaint must be filed against a person, organization, or other entity that is subject to HIPAA, and it must allege conduct that would violate HIPAA rules.
- Individuals have 180 days from the time they become aware of a possible violation to register a complaint.
- If the Office for Civil Rights finds that the complaint has merit, it will contact both the complainant and the covered entity to try to reach a resolution. Some cases may be referred to an administrative law judge for a hearing.
Penalties covered under HIPAA
HHS sets fines for HIPAA violations based on the culpability of the perpetrator for violations that occurred after 2009. For breaches of the same HIPAA requirement, the minimum penalty varies, but the maximum penalty is $1.5 million per year.
The four tiers of civil penalties are as follows:
- Unknowing means that the covered entity was unaware of the violation and would not have known of it even with reasonable diligence. The penalty for an unknowing violation is $100-$50,000 per violation, with a total civil monetary penalty of $1,500,000 for violations of an identical provision during a calendar year.
- Reasonable cause means that the covered entity would have known about the violation if it had exercised reasonable diligence. The penalty for a reasonable-cause violation is $1,000-$50,000 per violation, with a total civil monetary penalty of $1,500,000 for violations of an identical provision during a calendar year.
- Wilful neglect corrected indicates that the covered entity violated HIPAA on purpose or with reckless indifference but fixed the breach within 30 days of discovery. This is punished by a fine of $10,000 to $50,000 for each offence. A total civil monetary penalty of $1,500,000 is also imposed for violating an identical provision within a calendar year.
- Wilful Neglect-Uncorrected indicates that the covered entity willfully violated HIPAA or acted with reckless indifference but did not fix the violation within 30 days of discovery. This is punished by a fine of at least $50,000 per offence. A total civil monetary penalty of $1,500,000 is also imposed for violating an identical provision within a calendar year.
Conclusion
HIPAA stands for the Health Insurance Portability and Accountability Act. Also known as the Kennedy-Kassebaum Act, it was passed by the 104th United States Congress and signed into law by President Bill Clinton on August 21, 1996. The Act prevents the disclosure of sensitive or confidential patient information without the patient’s consent or knowledge. The US Department of Health and Human Services developed the HIPAA Privacy Rule to implement HIPAA’s obligations, and the HIPAA Security Rule protects a subset of the information covered by the Privacy Rule. Covered entities, business associates, subcontractors, and hybrid entities are among the parties regulated by the Act. They must develop and implement processes that safeguard the privacy and security of protected health information as it is sent, received, processed, or shared. This applies to all forms of PHI, including written, oral, and electronic. Only the minimum necessary health information may be shared or used for business purposes.
FAQs
Why are there separate privacy and security rules?
The Security Rule is a subset of the Privacy Rule: the Privacy Rule specifies the situations in which it is permissible to disclose PHI, while the Security Rule specifies the procedures necessary to protect electronic PHI against unauthorized use, modification, and disclosure. It is also notable that the Privacy Rule applies only to covered entities, while business associates must also follow the Security Rule.
Why do patients want to access their health data?
Given healthcare professionals’ heavy workloads, errors in patient records are likely. By accessing their health data and seeking corrections when it is wrong or missing, patients can take responsibility for their health and transfer their records to another provider, avoiding repeated tests to establish diagnoses that already exist. In cases of suspected Medicare fraud, patients may also want to consult a Medicare fraud lawyer for legal advice.
What else does the patient benefit from HIPAA?
HIPAA provides a number of safeguards to protect PHI. Data is frequently stolen in order to commit identity theft and insurance fraud, which has a financial impact on patients in the form of personal loss, higher insurance premiums, and higher taxes. Healthcare spending per capita increased by more than 10% each year during the 1980s and 1990s. However, partly as a result of the limits put in place to comply with HIPAA, annual growth in health care spending per capita is currently less than 5%.