When patients see their doctors, one of the ways in which they’re vulnerable is in the copious amount of personal information that’s collected and stored in their patient chart. In an attempt to keep patients’ information safe, the Health Insurance Portability and Accountability Act (HIPAA) protects patients’ private medical information by federal law. Included in HIPAA is the Privacy Rule, which requires all healthcare entities dealing with a patient’s Protected Health Information (PHI) to protect the privacy and security of patient data against unauthorized purposes.
In this article, we detail HIPAA’s Privacy Rule, what’s required of business owners under this law, as well as guidance on setting up HIPAA compliance in your business or organization.
What is the HIPAA Privacy Rule?
First enacted in 2002, the “Standards for Privacy of Individually Identifiable Health Information,” more commonly known as the HIPAA Privacy Rule, establishes a national standard to protect an individual’s medical records and other individually identifiable health information. It regulates who can access someone’s PHI and to whom that information can be disclosed.
What is the main goal of the HIPAA Privacy Rule?
The HIPAA Privacy Rule’s main aim is to protect the privacy and confidentiality of patients. At the same time, doctors often need to share information with other entities, such as medical laboratories, testing facilities, hospitals, other doctor’s offices, and even the patient themselves. The HIPAA Privacy Rule is also in place to safely enable the exchange of information as needed for patient care.
Because compliance is mandatory across all HIPAA-covered entities, standards and goals for patient privacy are the same no matter where that information goes.
What agency is responsible for enforcing the HIPAA Privacy Rule?
The Department of Health and Human Services (HHS) enforces the HIPAA Privacy Rule. It does so through investigations and audits. Within HHS, the department responsible for these enforcement practices is the Office for Civil Rights (OCR).
Who Must Comply with the HIPAA Privacy Rule?
The HIPAA Privacy Rule not only applies to all healthcare organizations, but also to any entities that would ever have access to a patient’s PHI. Essentially, the HIPAA Privacy Rule applies to any entity that could, through the mishandling of a patient’s information, present a security risk to the patient´s PHI. Therefore, “covered entities” include health insurers, healthcare clearinghouses, employer-sponsored health plans, and third-party medical service providers.
What happens if you don’t comply with the HIPAA Privacy Rules?
All covered entities can be subject to penalties, either civil or criminal, as imposed by the OCR.
The most common penalty is a civil fine, an amount based on the severity of the violation and whether an entity has any previous violations. Civil monetary penalties for HIPAA violations can range from $100 to $50,000 per violation per calendar year.
In some cases, violations can also result in criminal prosecution. Criminal penalties include fines of up to $250,000 and imprisonment of up to ten years.
How will they know if you don’t comply with the HIPAA Privacy and Security Rules?
When the OCR investigates a HIPAA Privacy Rule violation, they look for evidence that the entity did not comply with one or more of the HIPAA Privacy Rules. This might include failing to implement appropriate administrative, physical, and technical safeguards to protect PHI from unauthorized access, use, disclosure, alteration, or destruction. The OCR may also investigate if there was a criminal security breach.
If you’re concerned that your company may have violated the HIPAA Privacy Rules, an experienced regulatory advisor or healthcare attorney can answer your questions.
What Information is Protected by the HIPAA Privacy Law?
The HIPAA Privacy Rule applies to all PHI. It protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate. This transmission includes any form or media, whether electronic, paper, or oral.
Individually identifiable health information is information that ties medical or demographic information to an individual person. As in, any information that could, through the mishandling of a patient’s information, present a risk if it landed in the hands of someone trying to commit fraud against the patient.
What is protected health information (PHI)?
According to the HIPAA Privacy Rule, protected health information (PHI) is information created, stored, or shared that can be tied to an individual. Examples include, but are not limited to, a person’s:
- Name
- Address
- Phone number
- Email address
- Social security number
- Medical records and
- Health insurance information
The 6 Main Rules You Need to Know about the HIPAA Privacy Act
The HIPAA Privacy Rule encompasses a set of standards protecting patient privacy. It also establishes a set of standards for how covered entities handle PHI. There are five main rules that you need to know about when it comes to HIPAA compliance, and they are:
- Patients have the right to keep their PHI, including electronic protected health information (ePHI), private. You must take all reasonable security measures to protect the confidentiality of medical records, lab results, X-rays, and identifiable PHI/ePHI, including encrypted data and firewalls.
- Patients have the right to see their medical records. Upon request, you must provide a patient a copy of their own medical records.
- You can only share or disclose PHI with other entities in accordance with HIPAA Privacy Rules. You must obtain an individual’s written authorization before using or disclosing PHI for most purposes.
- Patients have the right to know how their information is protected. You must provide individuals a copy of your privacy policy and a notice of their rights under HIPAA.
- Patients are protected from retaliation. You may not retaliate against individuals who exercise their rights under HIPAA.
The six major components of the HIPAA Privacy Act—the Privacy Rule, Security Rule, Transactions Rule, Identifiers Rule, Enforcement Rule, and Breach Notification Rule—are detailed below.
Privacy Rule
The Privacy Rule applies to all PHI regardless of how it is created, used, stored, or disclosed. As a basic overview, the requirements to protect PHI are as follows. Covered entities must:
- First, develop and implement a HIPAA security plan for PHI/ePHI.
- Second, provide employees with training on HIPAA privacy and security rules.
- Third, have a HIPAA privacy policy in place to explain how employees will protect PHI/ePHI.
- Fourth, conduct risk assessments to identify potential threats and vulnerabilities to PHI/ePHI and implement safeguards to mitigate these risks.
Security Rule
Though the HIPAA Privacy Rule pertains to all PHI, including paper and electronic, the Security Rule deals specifically with ePHI. Though not a complete list, examples of the HIPAA rules and regulations for security specifications are as follows:
Administrative Safeguards
- Entities must provide internal written policies and procedures clearly showing how they will comply with HIPAA’s Privacy Rule, along with a designated privacy officer to oversee them.
- Only employees for whom it is part of their job function may access ePHI. Procedures should clearly identify employees or classes of employees who will have access.
- Entities must provide an appropriate ongoing training program regarding the handling of ePHI.
- Covered entities that out-source some of their business processes to a third party must ensure that their vendors also comply with HIPAA requirements.
- A contingency plan should be in place for emergencies, such as backing up data and disaster recovery. This includes instructions for addressing and responding to security breaches.
- Internal audits should be both routine and event-based.
Physical Safeguards
- Only authorized individuals may access protected data.
- Entities should carefully control and monitor access to equipment containing health information.
- Only properly authorized individuals may access hardware and software.
- Entities must address proper workstation use and facility security, such as maintenance records, and visitor sign-in and escorts.
Technical Safeguards
- Entities must protect access to computer systems and communications containing ePHI from being interception by anyone other than recipient.
- Entities must protect information systems housing or sending PHI with encryption. (Note: This is optional if within closed systems/networks.)
- Entities must maintain data integrity.
- Entities must authenticate entities with which they communicate. This can be achieved through password systems, two or three-way authentificaion, and similar systems.
- Covered entities must make documentation of their HIPAA practices available to the government to determine compliance.
- Information technology documentation should include a written record of all configuration settings, required risk analysis, and required risk management programs.
Transactions Rule
The HIPAA Transactions Rule requires covered entities to use standard formats when electronically transmitting certain health information based on electronic data interchange standards, which allow the electronic exchange of information from computer to computer without human involvement.
Identifiers Rule
HIPAA’s Identifiers Rule requires covered entities to use, disclose, and request only certain identifiers of individuals. The HIPAA Privacy Rule defines 18 identifiers. They include identifier fields like name, address, birthdate, dates of admission/discharge, and medical record numbers.
Enforcement Rule
Through HIPAA’s Enforcement Rule, entities not in compliance with the Privacy Rule face fines up to $50,000 per violation. This is a way to ensure that entities take HIPAA privacy seriously and protect the information of patients.
HIPAA also has criminal penalties for those who knowingly violate the HIPAA Privacy Rules, which can include imprisonment.
Breach Notification Rule
The HIPAA Breach Notification Rule requires organizations that experience a PHI breach to report the incident. Reporting requirements differ depending on the number of affected patients.
In the event of a breach affecting 500 or more patients, you must report the event to the HHS OCR, all affected patients, and the media. You must report the event within 60 days of discovery. Additionally, breaches of this nature are publicly displayed on the OCR breach portal.
In the event of a breach affecting less than 500 patients, you must report the event to HHS OCR and all affected patients. You must report the event within 60 days from the end of the calendar year in which the breach was discovered.
5 Most Common Violations to the HIPAA Privacy Rule
There are five common ways entities violate the HIPAA Privacy Rule, and they are:
- Failure to provide individuals with a copy of their privacy rights
- Failure to obtain individuals’ written authorization before the use and disclosure of their PHI
- Improper use or disclosure of PHI
- Lack of safeguards to protect ePHI
- Failure to report HIPAA privacy violations
HIPAA Privacy FAQs
To dispel some common misunderstandings about HIPAA, here are some items of note:
- HIPAA doesn’t prevent insurance companies or employers from seeing medical records. It only protects a patient’s medical information from unauthorized disclosure.
- HIPAA does not require written consent before discussing a patient’s condition with their family members. That is, as long as the patient does not object.
- HIPAA not require individuals to sign a waiver in order to release their health information, such as in cases of law enforcement officials obtaining access to a person’s medical records without their consent.
- HIPAA does not prohibit the use or disclosure of health information for marketing purposes, as long as the covered entity obtains the individual’s written authorization first.
To further dispel common misunderstandings about HIPAA, you can find some frequently asked questions regarding this law below.
Are there specific technologies that are HIPAA compliant?
Some common HIPAA-compliant technologies include:
- Firewalls
- Antivirus software
- Encryption
- Data loss prevention (DLP) tools
- Access controls
As these are just a few examples, be sure to do your research to find the best technology solutions that streamline operations and ensure HIPAA compliance.
What are some practical first steps to to comply with HIPAA privacy laws?
First, understand the HIPAA Privacy Rules and what they require of you. Then, develop a plan to implement those requirements in your organization. You should educate your employees on HIPAA privacy and security requirements, as well as develop policies and procedures to ensure that your organization is in compliance.
It’s a good idea to have a HIPAA compliance officer in place to help launch, monitor, and update your systems as needed. Conducting regular audits of your HIPAA policies and procedures will help ensure that your business stays compliant.
There are many resources available to help with HIPAA compliance, including the Department of Health and Human Services’ website.
Can I continue to use a patient sign-in sheet and comply with HIPAA privacy standards?
The answer to this question is maybe. The HIPAA Privacy Rule generally permits you to ask a patient for their name and date of birth. You may also ask the patient to write down why they have come to see you. However, you cannot ask the patient for any other information on the sign-in sheet, as doing so would violate the HIPAA Privacy Rule.
What kind of personally identifiable health information is protected by HIPAA Privacy Rule?
Personally identifiable health information protected by the HIPAA Privacy Rule is called “protected health information” (PHI). The HIPAA Privacy Rules apply to all forms of PHI. This information can be:
- An individual’s past, present, or future health, physical or mental
- Past, present, or future provision of healthcare provided to the individual
- Past, present, or future payment for the provision of healthcare to the individual
What types of businesses are not covered entities?
The types of businesses under HIPAA which are not covered entities are called HIPAA business associates. HIPAA business associates are people or organizations who perform certain functions on behalf of a covered entity, such as billing or collection services, legal services, and consulting. They are not subject to all HIPAA requirements, but HIPAA requires all HIPAA business associates to sign a contract indicating their understanding of the HIPAA regulations and their commitment to protecting patient privacy.
Why does HHS have to comply with the HIPAA Privacy Rule?
The HHS has to comply with the HIPAA Privacy Rule because it’s a federal law. According to the HIPAA Privacy Rule, entities must protect the privacy of an individual’s PHI. Otherwise, patients and entities are subject to risks, including fraud, identity theft, and blackmail.
When does state privacy law supersede the HIPAA Privacy Rules?
State privacy laws always supersede the HIPAA Privacy Rules in regards to protecting the privacy of state residents.
Another case where HIPAA does not apply is when the patient gives consent. For example, if a patient willingly shares their health information with a friend or family member, HIPPA would not apply.
What types of health records are subject to the HIPAA Privacy Rule?
A covered entity or business associate should protect all health information, patient histories, test results, and billing information when it includes one of the following identifiers:
- Names
- Dates, except year
- Telephone numbers
- Geographic data
- FAX numbers
- Social Security numbers
- Email addresses
- Medical record numbers
- Account numbers
- Health plan beneficiary numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers including license plates
- Web URLs
- Device identifiers and serial numbers
- Internet protocol addresses
- Full face photos and comparable images
- Biometric identifiers (i.e., retinal scan, fingerprints)
- Any unique identifying number or code
Within HIPAA, how does security differ from privacy?
Under HIPAA, security and privacy are two different concepts. Security is the safeguarding of ePHI from accidental or unauthorized access, use, disclosure, alteration, or destruction. Privacy is the protection of PHI and ePHI.
HIPAA Privacy Rules Summary
The HIPAA Privacy Rule was created to protect the rights and privacy of patients. For all relevant healthcare providers, health insurance plans, and their business associates, compliance is mandatory.
As the healthcare industry continues to modernize itself, it’s of the utmost importance to ensure HIPAA compliance by utilizing secure online invoicing software and protected ePHI recordkeeping systems. Entities can streamline their systems to achieve greater effectiveness, all while following the letter of HIPAA laws.
Leave a Reply