Who Is Protected Under HIPAA?, Mandatory and Addressable Security Measures Outlined, About HIPAA, Consequences for Patients
Our HIPAA Explained page discusses the Health Insurance Portability and Accountability Act (HIPAA), including the most recent modifications to the Act in 2013, as well as how the Act’s regulations now affect patients, the healthcare sector as a whole, and the people who work in it.
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 with the goal of allowing employees to carry their health insurance coverage and rights from one job to the next. Further objectives were added to the law during its passage through Congress, and the final draft contained five titles.
In terms of describing HIPAA, Title 2 (Preventing Health Care Fraud and Abuse, Administrative Simplification, and Medical Liability Reform) has the greatest influence on the healthcare and health insurance sectors. As a result of this Title of the Act, the United States Department of Health and Human Services (HHS) has published five sets of Rules to regulate how patient health information is safeguarded from theft, corruption, and unlawful deletion.
The Administrative Simplification Rules are six sets of rules that have been implemented in stages over HIPAA’s lifetime as operations have changed, technology has improved, and other Acts of legislation have modified HIPAA, such as the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009.
HHS has combined the text of the HIPAA Administrative Simplification Rules into a single 115-page document, which makes for a hefty read. However, HIPAA can be summarized in a few phrases and explained in simple terms.
HIPAA’s Title 2 was Congress’ attempt to enhance healthcare efficiency, minimize waste, combat fraud, and ensure that health information that may be linked to an individual and used to recognize them is safeguarded and kept private and confidential.
Since then, HHS has issued a set of guidelines for healthcare organizations to follow so that everyone works to the same standards. To simplify the transmission of health information, standard codes and identifiers have been devised, and healthcare providers, insurers, and their business associates are expected to use the same codes for electronic transactions so that data can be exchanged easily.
The Administrative Simplification Rules also specify the permissible uses and disclosures of health information, as well as who and under what circumstances can access health data. Citizens may now get copies of their health records, verify them for inaccuracies, and share them with whoever they choose, thanks to HIPAA. HIPAA also establishes rules for securing health data in order to make it more difficult for anyone who does not have the right to access it.
The abridged history of HIPAA displays the HIPAA timeline as well as the implementation dates of the Administrative Simplification Rules. Because Congress had the option of passing separate privacy legislation, there was a notable gap between the enactment of HIPAA and the implementation date of the Privacy Rule. Owing to industry stakeholders’ concerns, the Privacy Rule took four years to develop after that option expired.
The incorporation of the HITECH Act in September 2009 is a crucial point in the chronology. The Meaningful Use program, which incentivizes healthcare providers to digitize medical records, was born out of HITECH. HITECH, and the repercussions of shifting large amounts of healthcare data from paper to EHRs and cloud-based systems, were responsible for many of the provisions in the Final Omnibus Rule.
The Office for Civil Rights of the United States Department of Health and Human Services enforces HIPAA standards, although state Attorneys General can also take action against entities found to be in violation of HIPAA. The Office for Civil Rights has the authority to penalize Covered Entities and Business Associates for HIPAA violations and data breaches, unless the party concerned can demonstrate a low probability that health information has been compromised.
While it may seem harsh to title a part of this piece “HIPAA for the Uninitiated”, some people still have no idea what “protected” patient health data is. To help explain what constitutes “Protected Health Information,” we’ve outlined the eighteen “personal identifiers” that, whether used alone or in combination with other personal identifiers, might disclose an individual’s identity, medical history, or payment history.
Before going into the details of HIPAA, it’s important to understand who is governed by the law. Under the Act, “HIPAA Covered Entities” include virtually all health plans, health care clearinghouses, health care providers, and recognized sponsors of the Medicare prescription drug discount card. These are usually organizations that deal with PHI on a daily basis.
HIPAA also applies to “Business Associates.” These are organizations that do not create, receive, maintain, or transmit Protected Health Information as their core business, but offer third-party services and activities to Covered Entities during which they will come into contact with PHI. A Business Associate must sign a Business Associate Agreement before providing a service or activity on behalf of a Covered Entity, assuring the integrity of any PHI to which it has access.
When it comes to self-insured single-employer group health plans and enterprises that act as intermediaries between employees and health-care providers, there is a gray area. Employers are not considered Covered Entities under HIPAA unless the nature of their business meets the requirements (i.e. a Medical Center acting as an employer would be a Covered Entity). Self-insuring and intermediary employers, on the other hand, are considered “Virtual Entities” and must comply with HIPAA since they handle PHI covered by the HIPAA Privacy Rule.
Since the release of the Final Omnibus Rule in 2013, which introduced new HIPAA requirements, new guidance on how PHI must be accessed and transmitted in a medical environment has been issued. Patients now have more rights to know and control how their health data is used, and HIPAA-covered organizations and Business Associates now have more control over how patient information is accessed and communicated.
HIPAA-covered organizations and Business Associates must establish procedures to limit the flow of information within a private network, monitor network activity, and prevent unauthorized disclosure of PHI beyond the network’s boundaries. Risk assessments must be given greater emphasis, and new reporting procedures for data breaches have been devised.
The HIPAA Security Rule has been updated to specify the parameters (“safeguards”) that must be in place for HIPAA-compliant ePHI storage and transmission. The HIPAA Security Rule designates each safeguard as either “required” or “addressable.” In practice, as the next section demonstrates, all of the safeguards are necessary regardless of how they are labeled.
To ensure that HIPAA-covered organizations are following the rules, the Office for Civil Rights audits them. When preventable ePHI breaches are found, the Office for Civil Rights has the power to levy financial fines and prosecute the negligent company.
The distinction between “required” and “addressable” safeguards has caused some misunderstanding in the HIPAA world. Every HIPAA safeguard is effectively “required” unless there is a compelling reason not to adopt it, or an alternative that accomplishes the same goal is implemented instead.
Email encryption is one case in which implementing an addressable safeguard may be unnecessary. Emails with PHI in the body or as an attachment must be encrypted only if they are routed outside of a firewalled, internal server. There is no need to deploy this addressable safeguard if a healthcare organization uses email solely for internal communication – or if a patient has consented to having their information sent unencrypted.
A risk assessment must be used to justify the decision not to use email encryption, and that decision must be documented in writing. Other factors to evaluate include the organization’s risk mitigation plan and the other security measures put in place to preserve the integrity of PHI. Encryption of PHI at rest and in transit is recommended, as indicated in a note to this specific section of HIPAA.
The consequences of HIPAA for patients are that their healthcare information is treated more carefully and that their healthcare professionals can access it more efficiently. Electronically stored health information is now more secure than paper records, and healthcare institutions that have implemented HIPAA-compliant methods are seeing increased efficiency. As far as patients are concerned, this manifests as a better level of healthcare.
On the downside, healthcare organizations are not always able to focus on the quality of treatment they can deliver to individual patients. Through research, healthcare institutions aim to expand the services they can offer, enhance the quality of treatment, and improve patient safety. HIPAA, however, restricts research, and constrained access to PHI has the potential to slow the rate at which healthcare advances could be achieved.
There is a cost to enhanced data security, and while the Meaningful Use program provides financial incentives for healthcare providers to computerize paper records, adopting the appropriate controls to safeguard ePHI can be quite expensive. Increased compliance expenditure has the potential to reduce the level of patient care, while the administrative load that HIPAA compliance places on healthcare institutions further strains already limited resources.
A patient cannot bring a legal action against the negligent party until they have suffered medical or financial injury as a result of the unlawful disclosure of their PHI. The Office for Civil Rights will impose criminal penalties on Covered Entities and Business Associates that violate HIPAA for personal gain, under false pretences, or for other personal benefit, which may result in up to 10 years in prison.
If data privacy and security are not maintained, the Office for Civil Rights has the authority to levy fines for noncompliance. Avoidable data breaches are likely to result in significant financial penalties. Under the HITECH penalty structure, noncompliance can result in fines of up to $1.5 million imposed by the OCR, while lawsuits can be filed both by attorneys general and – as previously stated – by victims of data breaches.
The high likelihood of healthcare organizations being targeted by hackers, together with the huge expense of dealing with data breaches – issuing breach notification letters, supplying credit monitoring services, and paying OCR fines – greatly outweighs the cost of full compliance. Moreover, while the initial cost of investing in the requisite technical, physical, and administrative measures to secure patient data may be significant, greater efficiency can produce cost savings over time.
Organizations that have already adopted HIPAA compliance measures have seen their employees’ workflows simplified, less time spent playing “phone tag,” and a more productive workforce, allowing healthcare organizations to reinvest their savings and provide a higher level of medical care to patients.
Explaining HIPAA to personnel of Covered Entities and Business Associates takes a lot more time and effort than explaining it to patients. To comply with HIPAA, Covered Entities and Business Associates must create privacy and security policies for their workforces, as well as a penalties policy for personnel who refuse to obey the standards. As a result, employees must be given a more thorough explanation of HIPAA.
Dedicated compliance training sessions are the best way to educate personnel about HIPAA. Although the HIPAA guidelines require annual training, we believe that, because there is so much information for personnel to absorb on the security and privacy of personal health information, compliance training sessions should be brief and frequent. Attempting to teach employees about HIPAA in a single four-hour training program will almost certainly fail.
Most of the discussion will be about safeguarding the integrity of PHI, but how this is handled will almost certainly affect the workforce. Personnel, for example, won’t be permitted to discuss patient healthcare on their mobile devices unless the conversations are encrypted. As a growing number of healthcare institutions adopt BYOD policies, employees will need to install secure communication software on their personal mobile devices.
To safeguard the integrity of PHI, new technology is always being devised. Web filtering, secure email archiving, and secure messaging solutions are making compliance with the HIPAA Privacy and Security Rules easier every day.
Web filtering is an effective way to reduce the threat of malware, especially spyware that captures keystrokes and uses them to steal usernames and passwords. Malware downloads have been the cause of several recent data breaches, including some that would not have happened if a web filtering mechanism had been deployed.
Another area where healthcare organizations can strengthen their internet security posture is secure email archiving. Managing six years’ worth of email can create a storage problem. By using a third-party secure email archiving service, healthcare organizations can free up resources within their own IT infrastructure while still adhering to the HIPAA Privacy and Security Rules.
Some of the most recent modifications to HIPAA account for the risks posed by “Bring Your Own Device” policies, as discussed earlier in this HIPAA Explained article. Several healthcare institutions have reduced these risks by using secure messaging tools. With these solutions, authorized users can safely access and communicate ePHI from their own mobile devices through secure messaging applications.
The liability rests with the healthcare organization to ensure that the Business Associate is HIPAA-compliant, just as it does with other third-party service providers. As our HIPAA Explained infographic below outlines, the costs of failing to maintain compliance can be significant.
Install Canary, enable SecureSend and you’re all set for secure, HIPAA-compliant email.