The Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, is a series of regulatory standards that outline the lawful use and disclosure of protected health information (PHI). HIPAA compliance is regulated by the Department of Health and Human Services (HHS) and enforced by the Office for Civil Rights (OCR).
What is Protected Health Information?
Protected health information (PHI) is any demographic information that can be used to identify a patient or client of a HIPAA-beholden entity. Common examples of PHI include names, addresses, phone numbers, Social Security numbers, medical records, financial information, and full facial photos to name a few.
PHI transmitted, stored, or accessed electronically also falls under HIPAA regulatory standards and is known as electronic protected health information, or ePHI. ePHI is regulated by the HIPAA Security Rule, which was an addendum to HIPAA regulation enacted to account for changes in medical technology.
Who needs to be HIPAA compliant?
HIPAA regulation identifies two types of organizations that must be HIPAA compliant.
Covered Entities: A covered entity is defined by HIPAA regulation as any organization that collects, creates, or transmits PHI electronically. Health care organizations that are considered covered entities include health care providers, health care clearinghouses, and health insurance providers.
Business Associates: A business associate is defined by HIPAA regulation as any organization that encounters PHI in any way over the course of work that it has been contracted to perform on behalf of a covered entity. There are many, many examples of business associates because of the wide scope of service providers that may handle, transmit, or process PHI. Common examples of business associates affected by HIPAA rules include: billing companies, practice management firms, third-party consultants, EHR platforms, MSPs, IT providers, faxing companies, shredding companies, physical storage providers, cloud storage providers, email hosting services, attorneys, accountants, and many more.
What are the HIPAA Rules?
HIPAA regulation is made up of a number of different HIPAA Rules. The HIPAA Rules were all passed in the 20+ years that have come and gone since HIPAA was first enacted in 1996.
The HIPAA Rules that you should be aware of include:
HIPAA Privacy Rule: The HIPAA Privacy Rule sets national standards for patients’ rights to PHI. The HIPAA Privacy Rule only applies to covered entities, not business associates. Some of the standards outlined by the HIPAA Privacy Rule include: patients’ rights to access PHI, health care providers’ rights to deny access to PHI, the contents of Use and Disclosure HIPAA release forms and Notices of Privacy Practices, and more. The regulatory standards must be documented in the organization’s HIPAA Policies and Procedures. All employees must be trained on these Policies and Procedures annually, with documented attestation.
HIPAA Security Rule: The HIPAA Security Rule sets national standards for the secure maintenance, transmission, and handling of ePHI. The HIPAA Security Rule applies to both covered entities and business associates because of the potential sharing of ePHI. The Security Rule outlines standards for the integrity and safety of ePHI, including physical, administrative, and technical safeguards that must be in place in any health care organization. Specifics of the regulation must be documented in the organization’s HIPAA Policies and Procedures. Staff must be trained on these Policies and Procedures annually, with documented attestation.
HIPAA Breach Notification Rule: The HIPAA Breach Notification Rule is a set of standards that covered entities and business associates must follow in the event of a data breach containing PHI or ePHI. The Rule lays out different requirements for breach reporting depending on the scope and size. Organizations are required to report all breaches, regardless of size to HHS OCR, but the specific protocols for reporting change depending on the type of breach. The specifics of the HIPAA Breach Notification Rule are outlined in the sections below.
HIPAA Omnibus Rule: The HIPAA Omnibus Rule is an addendum to HIPAA regulation that was enacted in order to apply HIPAA to business associates, in addition to covered entities. The HIPAA Omnibus Rule mandates that business associates must be HIPAA compliant, and also outlines the rules surrounding Business Associate Agreements (BAAs). Business Associate Agreements are contracts that must be executed between a covered entity and business associate–or between two business associates–before ANY PHI or ePHI can be transferred or shared. The details regarding BAAs are outlined in more depth in the sections below.
What are the HIPAA Penalties for a breach?
Tier 1: A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care had been taken to abide by HIPAA Rules. Minimum fine of $100 per violation up to $50,000
Tier 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care. (but falling short of willful neglect of HIPAA Rules). Minimum fine of $1,000 per violation up to $50,000
Tier 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation. Minimum fine of $10,000 per violation up to $50,000
Tier 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation. Minimum fine of $50,000 per violation