What Is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act. It was enacted on August 21, 1996, by the 104th US Congress and signed by President Bill Clinton.

The long title for the HIPAA Act specifies, “An Act To amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes”.

Rights of Privacy

HIPAA regulations provide rights of privacy for individuals, including those individuals aged 12 to 18. Under HIPAA regulations, health providers must have a signed disclosure from individuals before releasing any information related to their health care to anyone, including their parents. HIPAA applies to all health plans, healthcare clearinghouses, and healthcare providers that electronically transmit health information in connection with standard transactions. Standard transactions are those defined under HIPAA for the Electronic Data Interchange (EDI) of administrative and financial healthcare transactions.

Protected Health Information (PHI)

HIPAA laws specify that health providers must take responsibility for the authorized disclosure of Protected Health Information (PHI), but they do not specify that notice of a breach of such information be provided to the individuals whose information was breached.

To ensure that individuals are notified of security breaches of PHI, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) was enacted in February 2009. HITECH was enacted as part of the 2009 American Recovery and Reinvestment Act (ARRA) to significantly change the HIPAA Administrative Simplification provisions. Under HIPAA HITECH regulations, breaches must not only be disclosed to the affected individuals, but when 500 or more individuals’ information is breached, notice must also be sent to the DHHS and the media. In addition, HITECH increases the civil penalties for non-compliance and provides for more enforcement.

The 1996 Health Insurance Portability and Accountability Act (HIPAA) was an attempt to reform health care and to balance the rights of individuals against the responsibilities of healthcare providers. HIPAA incorporates a Privacy Rule that protects the health information of individuals held by health plans, health care providers, state Medicaid agencies, health care clearinghouses and their business associates. HIPAA also incorporates a Security Rule that establishes standards and safeguards that must be put in place to assure the integrity, confidentiality, and availability of electronic Protected Health Information (ePHI), covering both access to stored information and the interception of transmitted information. The Department of Health and Human Services (DHHS) Office of Civil Rights has the responsibility for enforcing the HIPAA Privacy Rule and the HIPAA Security Rule. Through audits and investigations, the DHHS found that many healthcare providers willfully neglected to follow the rules established by HIPAA or breached the Protected Health Information (PHI) that they held on individuals.

What does HITECH stand for?

HITECH stands for the Health Information Technology for Economic and Clinical Health Act (HITECH Act). It was signed into law as part of the 2009 economic stimulus bill, known as the American Recovery and Reinvestment Act (ARRA), to revise certain provisions of the HIPAA laws as they relate to privacy and security protections. HIPAA HITECH increases the scope of protections for individuals, increases the penalties that may be levied against health providers for non-compliance, and provides for more enforcement of established rules.

Scope of Protections under HIPAA

Under HIPAA regulations, individuals are granted specific rights with respect to the privacy of their identifiable health information, and HIPAA rules provide for the disclosure and sharing of that information with certain entities when they have a legitimate need to know.

The HIPAA HITECH Act revises parts of the Social Security Act to expand upon the privacy and security protections granted to individuals under HIPAA. The HIPAA HITECH Act specifies that health care providers must implement a system of Electronic Health Records (EHRs), and the act provides monetary incentives to those healthcare providers who are able to show “meaningful use” of their established EHRs until the year 2015. After 2015, healthcare providers will be penalized for failing to show such use of their EHRs. HITECH also specifies that individuals, or specified third parties, are entitled to an electronic copy of all ePHI that pertains to them. HIPAA set guidelines for the disclosure of Protected Health Information (PHI), but it did not require disclosure to individuals when their personally identifiable information was breached. HITECH regulations require that notice of breaches of health information be provided to impacted individuals via first class mail, with an explanation of the breach and an indication of the processes being put into place to resolve it. If a breach impacts 500 or more individuals, healthcare providers must notify those individuals and also the DHHS, the media and the State Privacy Officer.

Increased Penalties

HIPAA HITECH establishes four categories of violations, associated penalties and maximum penalty amounts for violations of the law. The HITECH Act imposes penalties against health providers even in cases where they did not know or would not have known of a violation, and exempts them from penalties if a violation was not a result of willful neglect and it was corrected within 30 days.

Omnibus Final Rule

The Omnibus Final Rule regulations went into effect on September 23, 2013 and made changes to several aspects of the Privacy Rule. Listed below are highlights of the changes.

  1. The final rule expands patient rights by allowing them to ask for a copy of their electronic medical record in electronic form.
  2. Under the final rule, when patients pay out of pocket in full, they can instruct their provider to refrain from sharing information about their treatment with their health plan.
  3. If a Medicare beneficiary requests a restriction on the disclosure of PHI to Medicare for a covered service and pays out of pocket for the service, the provider must also restrict the disclosure of PHI regarding the service to Medicare.
  4. The final rule sets new limits on how information can be used and disclosed for marketing and fundraising purposes, and it prohibits the sale of an individual’s health information without their permission.
  5. Penalties for noncompliance with the final rule are based on the level of negligence with a maximum penalty of $1.5 million per violation.
  6. The breach notification final rule was amended with a requirement to determine the breach’s “risk of compromise” rather than harm. “Compromise” was considered a more objective test than harm. Thus, breach notification is necessary in all situations except those in which the covered entity or business associate demonstrates a low probability that the PHI has been compromised.
  7. To determine whether there is a low probability that PHI has been compromised, the covered entity or business associate must conduct a risk assessment that considers at least each of the following factors:
     - The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
     - The unauthorized person who used the PHI or to whom the disclosure was made.
     - Whether the PHI was actually acquired or viewed.
     - The extent to which the risk to the PHI has been mitigated.
  8. The final rule changed which incidents are exceptions to the definition of “breach.” Before, an incident was an exception to the definition of breach if the PHI used or disclosed was a limited data set that did not contain any birthdates or ZIP codes. Under the final rule, breaches of limited data sets, regardless of their content, must be handled like all other breaches of PHI.
  9. Providers and covered entities still have a safe harbor: an unauthorized disclosure rises to the level of a breach, and thereby triggers the notification requirements of the HITECH Act, only if the PHI disclosed is “unsecured.”
  10. Unsecured PHI is PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in published guidance.
  11. Requirements for methods of breach notification remain unchanged. That is, providers and covered entities must provide notice to individuals, to the media (if the breach affects more than 500 residents of a state or smaller jurisdiction) and to HHS (if the breach affects more than 500 individuals regardless of location). Business associates, that is, people or organizations that conduct business with the covered entity involving the use or disclosure of individually identifiable health information, must also provide notice to covered entities no later than 60 days after the discovery of a breach of unsecured PHI.
  12. Covered entities’ Notice of Privacy Practices (NPP) forms must inform patients that they will be notified if their PHI is subject to a breach. NPPs must also inform individuals that a covered entity may contact them to raise funds, and that they have a right to opt out of receiving such communications.
  13. Business associate agreements and policies and procedures must address the prohibition on the sale of patients’ PHI without permission.
  14. Covered entities must modify and implement policies and procedures that address the new limits on permissible uses of information for marketing and fundraising activities.
  15. Covered entities’ business associate agreements and policies and procedures must address the expanded rights of individuals to restrict disclosures of PHI.