The purpose of the HIPAA Privacy Rules is to protect the confidentiality of patient healthcare and payment data in order to prevent abuse and fraud in the healthcare system. Published by the Department of Health and Human Services as the “Standards for Privacy of Individually Identifiable Health Information”, the HIPAA Privacy Rules stipulate the permissible uses and disclosures of protected health information (“PHI”) and apply regardless of the medium in which the information is maintained.
All health plans (with the exception of small employer health plans) and healthcare clearinghouses are required to comply with the HIPAA Privacy Rules, as are healthcare providers and – from 2013 – any Business Associates with whom PHI is shared. Failure to comply with the HIPAA Privacy Rules can incur penalties of up to $50,000 per violation – even if no unauthorized disclosure of PHI has occurred, or even when a reported breach of PHI may not have resulted in significant harm.
How the HIPAA Privacy Rules Safeguard PHI
The HIPAA Privacy Rules specify the permissible circumstances when PHI can be disclosed to a third party without the authorization of the individual to whom the information relates. These include when PHI is required for the provision of, or payment for, healthcare, or – when certain conditions are met – for the purposes of research. In all permissible circumstances, the disclosure of PHI must be limited to the minimum necessary for the intended purpose to be accomplished.
In order to demonstrate compliance with the “Standards for Privacy of Individually Identifiable Health Information”, Covered Entities must produce and distribute a Notice of Privacy Practices and conduct risk assessments to identify vulnerabilities in their existing systems that could result in an unauthorized disclosure of PHI. In addition to chronicling the results of risk assessments, Covered Entities must also prepare risk analyses and action plans to address the discovered vulnerabilities.
When the action plans are implemented, policies and procedures have to be reviewed to ensure they remain appropriate to any changed working practices or new technology. Training must be provided for any employee of the Covered Entity who has access to PHI – including cleaning crews and employees providing unsupervised after-hours services – and the training must also be chronicled in order to be in compliance with the Rules.
Compliance with the HIPAA Privacy Rules is Not HIPAA Compliance
Compliance with the HIPAA Privacy Rules alone does not make a Covered Entity or Business Associate HIPAA compliant. Covered Entities and Business Associates also have to comply with the HIPAA Security Rules and Breach Notification Rules to avoid a penalty for a violation of HIPAA, and there is one particular area in which the three Rules interconnect – responding to and reporting an unauthorized disclosure of PHI to the Department of Health and Human Services’ Office for Civil Rights.
The HIPAA Security Rules have been developed to safeguard PHI when it is created, used, stored or shared electronically. The Rules stipulate that procedures have to be developed that facilitate a “rapid and adequate response” to any unauthorized disclosure of PHI in order to mitigate the consequences of the breach. To comply with this requirement, appropriate policies and procedures have to be developed and employees trained on their implementation.
The Breach Notification Rules require that a Covered Entity report any breaches of PHI affecting more than five hundred individuals to the HHS’ Office for Civil Rights within sixty days of the breach being discovered. Breaches affecting fewer than five hundred individuals can be reported annually, but it is considered to be a “best practice” to report them without delay. The HHS’ Office for Civil Rights will investigate each breach and take enforcement action as necessary.
Possible Enforcement Actions for Breaches of the HIPAA Privacy Rules
It was mentioned above that the failure to comply with the HIPAA Privacy Rules can incur penalties even when a reported breach of PHI may not have resulted in significant harm. This will depend on the efforts a Covered Entity has made to comply with the HIPAA Privacy and Security Rules and the circumstances of the unauthorized disclosure (which is why it is so important to chronicle everything from risk assessments to HIPAA training schedules).
When an appropriate compliance effort has been made, and the breach has occurred in circumstances that could not have been foreseen, the HHS’ Office for Civil Rights will determine that only “Corrective Action” is necessary. Often the HHS’ Office for Civil Rights will provide technical assistance to help the Covered Entity make the necessary changes to its privacy and security policies, procedures, training or safeguards.
When no attempt has been made to comply with the HIPAA Privacy Rules, the HHS’ Office for Civil Rights regards this as “willful neglect” and will impose the maximum penalties available – $50,000 per violation, up to a maximum penalty of $1.5 million per year. For this reason, it is in every Covered Entity’s best interests to comply with the HIPAA Privacy, Security and Breach Notification Rules in order to protect the confidentiality of patient healthcare and payment data.