Understanding HIPAA for Dummies

HIPAA Simplified History

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996. Among its aims was addressing concerns about the privacy and security of patient health information and the risks introduced by new technologies for storing and exchanging it. The Act is broad: alongside its privacy and security provisions, it addresses health insurance fraud, tax treatment of medical savings accounts, and continuity of health coverage for workers with pre-existing conditions when they change or lose jobs.

In the two decades since, HIPAA, reinforced by the HITECH Act of 2009, has driven the healthcare industry to move from paper records to electronic ones. That shift raised concerns about unauthorized disclosure of "Protected Health Information" (PHI), and the HIPAA privacy and security regulations have been updated in response, most recently in 2013. The updates addressed technological change in the healthcare industry since the original legislation and extended direct responsibility for safeguarding PHI to Business Associates.

The HIPAA regulations are enforced by the Office for Civil Rights (OCR) of the U.S. Department of Health & Human Services. State Attorneys General can also take action against parties found to be violating HIPAA. The OCR can impose financial penalties on Covered Entities and Business Associates for violations of the Rules. An impermissible use or disclosure of PHI is presumed to be a reportable breach unless the offending party can demonstrate, through a documented risk assessment, that there is a low probability the PHI was compromised.

Simplified HIPAA Overview

There has been some debate as to what constitutes PHI. Health information becomes PHI when it can be linked to a specific individual, and the Privacy Rule's "Safe Harbor" de-identification standard lists eighteen identifiers that make such a link possible; removing all of them is one accepted way to de-identify a data set. Any one of these identifiers can connect a patient to medical or payment records, so if an unauthorized individual gains access to health information carrying one of them, the confidentiality of that patient's medical or payment history is compromised.

  • Names or parts of names
  • Geographic identifiers (smaller than a state)
  • Dates directly related to an individual (other than year)
  • Phone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health insurance beneficiary numbers
  • Account numbers
  • Certificate or license numbers
  • Vehicle identifiers, including license plate numbers
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers, including fingerprints and voice prints
  • Full-face photographs and any comparable images
  • Any other unique identifying number, characteristic or code
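Several of the identifiers above have a fixed, machine-recognisable shape, which is what data-loss-prevention tooling keys on when it inspects outbound email or export files for PHI. The following scanner is an added example written for this page (not code from the original article or from any HIPAA guidance): it matches the fixed-format identifiers with regular expressions, reports what it found per record, and redacts the matches. The medical record number format (the prefix "MRN" followed by six to ten digits) is an assumed local convention, and the sample records are constructed, fictional data. Names, geographic data, photographs and biometrics have no regular shape and need other controls, so they are deliberately outside the scope of this check.

```python
"""Scan free text for fixed-format HIPAA Safe Harbor identifiers.

Added example for this page, not code from the original article.
Covers only identifiers with a regular shape (a DLP-style check);
names, places, photos and biometrics need other controls.
"""
import re
from typing import Dict, List, Tuple

# One compiled pattern per identifier type. The MRN format is an ASSUMED
# local convention ("MRN" + 6-10 digits); adjust to the real system.
PATTERNS: Dict[str, re.Pattern] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # (?<!\d) stops a match from starting in the middle of a longer number
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+"),
    # US-style m/d/y or ISO y-m-d dates tied to an individual
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b"),  # assumed format
}


def find_identifiers(text: str) -> Dict[str, List[str]]:
    """Return {identifier_type: [matched strings]} for each type present."""
    found: Dict[str, List[str]] = {}
    for name, pattern in PATTERNS.items():
        hits = [m.group(0) for m in pattern.finditer(text)]
        if hits:
            found[name] = hits
    return found


def contains_phi(text: str) -> bool:
    """True if any identifier pattern matches the text."""
    return bool(find_identifiers(text))


def redact(text: str) -> str:
    """Replace every match with a bracketed type label, e.g. [SSN]."""
    for name, pattern in PATTERNS.items():
        text = pattern.sub(f"[{name.upper()}]", text)
    return text


def scan_records(records: List[str]) -> List[Tuple[int, Dict[str, List[str]]]]:
    """Return (index, findings) for each record that carries identifiers."""
    return [(i, find_identifiers(r)) for i, r in enumerate(records)
            if contains_phi(r)]


# Constructed sample records: fictional patient data, RFC 5737 test IP.
SAMPLE_RECORDS = [
    "Patient J. Doe, DOB 03/14/1962, MRN 00418273, called from (555) 201-7788.",
    "Lab results emailed to jdoe@example.com; portal login from 203.0.113.42.",
    "Follow-up visit scheduled; no concerns noted.",
    "SSN on file: 123-45-6789. Referral: https://portal.example.org/ref/7781",
]

if __name__ == "__main__":
    for idx, hits in scan_records(SAMPLE_RECORDS):
        print(f"record {idx}: {hits}")
        print(f"  redacted: {redact(SAMPLE_RECORDS[idx])}")
```

Run as a script it lists the three records that carry identifiers and shows each redacted. A pattern-based check of this kind is a detective control, not a complete one: it will miss free-text names and addresses and will occasionally flag non-PHI numbers, so its output belongs in a review queue rather than being treated as a verdict.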

Who must comply with HIPAA?

Unless unique circumstances apply, all health plans, health care clearinghouses, health care providers that transmit health information electronically in connection with standard transactions, and endorsed sponsors of the Medicare prescription drug discount card are "Covered Entities" (CEs) under HIPAA. These entities routinely handle Protected Health Information and must comply with the HIPAA Rules.

"Business Associates" (BAs) are also covered by HIPAA. These are entities that are not themselves Covered Entities but that create, receive, maintain or transmit PHI while performing services or functions on behalf of a Covered Entity: billing companies, cloud and IT providers, transcription services, law firms and the like. Before undertaking such work, a Business Associate must sign a Business Associate Agreement (BAA) in which it commits to safeguarding the confidentiality, integrity and availability of any PHI it handles; since 2013 it is also directly liable for violations of the Security Rule.

Clarity is needed when considering self-insured single-employer group health plans and employers that act as intermediaries between employees and health care providers. Employers are not Covered Entities unless the nature of their business falls within the criteria for one; an employer that operates a medical center, for example, would be a Covered Entity in that capacity. However, a group health plan is itself a "health plan" and therefore a Covered Entity, and an employer that handles plan PHI as sponsor or intermediary takes on HIPAA obligations for that information, even though the employer's ordinary employment records are not PHI.

Changes to HIPAA Since 2013

The HIPAA Omnibus Final Rule took effect in 2013. It introduced new requirements for how PHI may be accessed and communicated in a healthcare environment, gave patients further rights to know and control how their health information is used, and extended the controls that apply to Covered Entities to Business Associates as well.

HIPAA requires Covered Entities and Business Associates to implement mechanisms that control where PHI flows, monitor activity on the systems and networks that handle it, and prevent unauthorized disclosure beyond the organization's boundary. CEs are expected to conduct thorough, documented risk assessments, and the Breach Notification Rule sets out how and when data breaches must be reported to affected individuals, the OCR and, for large breaches, the media.

The HIPAA Security Rule states explicitly that administrative, physical and technical safeguards must be implemented for the storage and communication of electronic PHI (ePHI). Its implementation specifications are labelled either "required" or "addressable". Despite the wording, "addressable" does not mean optional: the organization must assess each addressable specification and either implement it, implement an equivalent alternative, or document why neither is reasonable and appropriate in its environment.

The OCR conducts audits of HIPAA-covered entities to check that they comply with the regulations and investigates complaints and reported breaches. Where avoidable breaches of ePHI are found, the OCR can impose civil financial penalties and refer cases involving knowing misuse of PHI to the Department of Justice for criminal prosecution. Civil penalties are assessed per violation, in tiers that reflect the entity's level of culpability (from unknowing violations up to wilful neglect left uncorrected), with an annual cap per provision violated, and the entity's cooperation with the OCR is taken into account.

HIPAA Safeguards Explained

One area of HIPAA that has caused confusion is the difference between "required" and "addressable" safeguards. A "required" implementation specification must be implemented as written. An "addressable" one must be assessed against the organization's risk analysis: if it is reasonable and appropriate it must be implemented; if not, an alternative measure that achieves the same objective must be put in place, or the decision not to implement it must be justified and documented.

Encryption of email is the usual illustration of an addressable safeguard. Encryption is addressable under the Security Rule's transmission security standard. Emails containing PHI, in the body or as an attachment, clearly need protection in transit when they leave the organization's own mail infrastructure and cross the public internet. A risk analysis may, however, conclude that messages which never leave an internal, firewalled mail system face a low enough transmission risk that encryption is not reasonable and appropriate there. Separately, a patient may ask to receive their own information by unencrypted email; the provider may honour that request after warning the patient of the risk.

Any decision not to encrypt email must be supported by the risk assessment and documented in writing, so that if PHI is breached there is a trail of accountability. Other factors that must be considered are the organization's risk mitigation strategy and the compensating safeguards protecting PHI (such as access controls and audit logging on the mail system). In general, encrypting PHI both at rest and in transit is recommended, not least because properly encrypted data that is lost or stolen is not considered "unsecured PHI" for breach notification purposes.

HIPAA and Patients

The goal of HIPAA is for patients' health information to be handled with appropriate care while remaining readily accessible to the providers who need it. Electronically stored health information can be protected more systematically than paper records, with access controls, audit logs and encryption that paper cannot offer, and healthcare organizations that have implemented HIPAA controls report improved efficiency. Overall, alongside stronger protection of PHI, the result is a higher general standard of healthcare.

Along with these benefits, ePHI brings some disadvantages. Healthcare organizations are motivated to expand the services they provide and to improve patient safety through research, but research use of PHI is restricted by HIPAA, and restricted access to PHI can slow the rate at which improvements in care are made.

Healthcare organizations must also invest resources in building improved data security. Although the Meaningful Use program under HITECH provided financial incentives for providers to computerize paper records, implementing the controls needed to secure ePHI carries a substantial cost. Funding diverted to compliance can reduce what is available for patient care, and the administrative burden that HIPAA compliance places on healthcare organizations further strains limited resources.

Explaining HIPAA to Patients

Healthcare providers are required by law to give patients a Notice of Privacy Practices, so HIPAA must be explained to patients in a clear and concise manner. Providers must make a good-faith effort to obtain the patient's written acknowledgement that the notice was received, and to document it when the patient declines to sign. The best way to explain HIPAA to patients is to put the relevant information in the Notice of Privacy Practices and then give patients a synopsis of what it contains.

Key points to explain to the patient include:

  • They have the right to access and obtain a copy of their medical records.
  • They have the right to request that you amend their medical records when appropriate.
  • They have the right to request limits on who has access to their personal health information.
  • They have the right to choose how healthcare providers communicate with them.
  • They also have the right to complain about the unauthorized disclosure of their PHI.

HIPAA itself gives patients no private right of action: complaints go to the OCR or a State Attorney General rather than to court, although a patient who suffers physical or financial harm from an unauthorized disclosure may have remedies under state law. Individuals who knowingly obtain or disclose PHI in violation of HIPAA face criminal penalties, prosecuted by the Department of Justice, not the OCR; where the offence is committed under false pretences the penalties are higher, and where it is committed for commercial advantage, personal gain or malicious harm they can include up to ten years' imprisonment.

The Implications of HIPAA to Healthcare Organizations

The OCR can issue fines for non-compliance against organizations that violate HIPAA, and preventable data breaches are likely to attract considerable financial penalties. Under the penalty structure introduced by HITECH, fines are assessed per violation up to an annual cap, originally $1.5 million per provision violated and since adjusted for inflation. Furthermore, State Attorneys General can bring civil actions under HIPAA, and victims of data breaches may sue under state law.

Healthcare organizations have increasingly become targets for cybercriminals, and each data breach carries large costs. To comply with HIPAA, CEs must issue breach notification letters, commonly offer credit monitoring services, and pay any OCR fines, on top of investigation and remediation costs. So while the initial investment in the technical, physical and administrative safeguards needed to secure patient data may be high, it is usually far smaller than the cost of a breach, and the same improvements can yield savings over time through improved efficiency.

Organizations that have already implemented HIPAA-compliant systems report streamlined employee workflows, less time wasted playing "phone tag", and a more productive workforce, allowing them to reinvest the savings and deliver a higher standard of care to patients.

Explaining HIPAA to Employees

The employees of Covered Entities and Business Associates need to know HIPAA far more thoroughly than patients do; ignorance of HIPAA is no excuse if a breach occurs. To comply with HIPAA, Covered Entities and Business Associates must write privacy and security policies for their workforces, train staff on them, and maintain a sanctions policy for employees who fail to comply with the requirements.

CEs are advised to hold dedicated HIPAA compliance training sessions for their employees. The regulations do not fix a frequency: the Privacy Rule requires training for each new workforce member and whenever policies change materially, and the Security Rule requires an ongoing security awareness and training program, with periodic reminders. Given the complexity of HIPAA, the general advice is that training sessions should be short and frequent; trying to explain HIPAA to employees in a single four-hour session is unlikely to succeed.

Much of the training will revolve around protecting the confidentiality and integrity of PHI and how that is achieved in practice. For example, employees must not discuss or send patient health information from a mobile device unless the communication channel is encrypted, which rules out ordinary SMS and consumer messaging apps. Because many healthcare facilities have BYOD policies, this means employees must install an approved secure communication app on their personal mobile devices and use it for any message containing PHI.

New Technology and HIPAA Privacy and Security Rules

In recent years there has been a push to develop technology that protects PHI, and tools such as web filtering, secure email archiving and secure messaging solutions have made compliance with the HIPAA Privacy and Security Rules easier to implement.

Web filtering is a useful mechanism for mitigating the risk from malware, particularly surveillance malware that records keystrokes to capture usernames and passwords. Several recent data breaches at large healthcare firms began with malware downloads, and web filtering that blocks known-malicious and uncategorized sites would have reduced the likelihood of those infections, although it is one layer among several and not a guarantee on its own.

Secure email archiving is a simple measure with which healthcare organizations can improve their security posture. Retaining many years of email creates a storage problem, and moving the archive to a third-party secure archiving service frees resources within the organization's own IT estate while supporting compliance with the Privacy and Security Rules. Because that provider will hold PHI, it is a Business Associate, and a Business Associate Agreement must be in place before any mail is transferred.

Secure messaging solutions likewise provide a practical, simple-to-use and cost-effective way of protecting PHI in transit. See our other technology-based articles for more information.