For you to understand the basics about what HIPAA is, why its important and who has to follow the HIPAA rules.
HIPAA stands for the Health Insurance Portability and Accountability Act. The law governs the use of Protected Health Information (PHI). HIPAA compliance is a critical part of most healthcare system organizations.
The Big Topics in This Lesson
1- Understanding the Basics
Information under this topic will help you answer key questions like: What does the law cover? What does HIPAA compliance mean?
2- The Importance of HIPAA
Information under this topic focuses on protecting sensitive information and avoiding penalties.
3- Understanding Who Has to Follow HIPAA Rules
The information under this topic explains the various types of health system professionals subject to the law.
Lesson Q & A
Click on each question to learn more
HIPAA, short for the Health Insurance Portability and Accountability Act, is a law passed by Congress in 1996 during the Clinton administration. The desired outcomes were to address individual and family health care coverage concerns during times of job transition as well as ensure the confidential and ethical storage and use of large masses of sensitive health information that accumulates on individuals using the health systems.
HIPAA is comprised of five areas that are sectioned into two main titles. Title I is the portability component of the act, intended to protect the American worker and their families by making healthcare “portable” during job changes. This section is also important in dealing with cases of pre-existing conditions. Title II is referred to as the “Administrative Simplification” provision and it established national standards and guidelines for the handling of patient information in any format, as well as tax guidelines on pre-tax medical accounts, group plan guidelines, and regulations for company-owned life insurance policies.
In the healthcare industry, an increase in available information via electronic health records (EHR) creates greater capabilities for providers to improve health outcomes and industry decision makers to create informed spending decisions. This gives life to the push toward the ever-increasing use of EHR and the readily accessible information in the healthcare market.
The need for HIPAA becomes crucial in the role of patient trust and protection. HIPAA provides a platform that gives patients the ability to be more transparent with their providers as they are assured of the privacy of their sensitive information.
Certain types of health care organizations referred to as covered entities are required to be compliant to HIPAA. These entities include healthcare providers, plans and clearing houses. Entities also include “business associates” or third parties that handle patient information on behalf of any of the previously mentioned. Covered entities directly handle patient protected health information (PHI) or information that links to a patient’s health diagnoses.
For a covered entity to be considered compliant, they must protect both the privacy of the patient and the security of the health information. Under HIPAA, privacy is a protection of patient’s information from people no matter the format of the health information. Security is specific to EHR and ensuring that patient information in data format is shielded from hackers, electronic theft and other calamities.
Covered entities must incorporate three main components into their organizations to ensure protection compliances. They must provide HIPAA training and awareness to all employees with access to personal health information. They must establish and implement official documentation on the processes and controls to maintain PHI within the organization. They must also ensure there is a person of accountability for HIPAA within the organization.
When PHI is compromised as part of a HIPAA security breach, patients can be impacted in various ways. Of the most common stolen information are social security numbers, names and addresses. This information in the wrong hands can be used to open the patient up to years of financial headaches.
Other private information such as medical diagnosis and procedure codes can be stolen, causing mental stress and anguish on the part of the patient due to the unknown utilization of information.
Even when PHI breaches are unintentional, they can have a large impact on the patients. For example, in 2013, an HIV positive patient requested his medical records be faxed to a new provider. In error, an office manager used the employer fax number listed and transmitted medical records to the patient’s employer.
Stigmatized diseases such as HIV and mental health diagnoses, can increase patient anxiety over the security of their records. Distrust in provider’s protections processes and security systems can lead to decline in patient use of health care services and create an absence of care where it is much needed.
Several years after HIPAA was enacted, The Health Information and Technology for Economic and Clinical Health Act (HITECH Act) was passed in 2009. The HITECH Act mandates the audit of covered entities to ensure compliance to HIPAA regulations. State attorney generals could sue organizations and specified individuals within the organizations for mandatory penalties because of “willful neglect” of PHI. Several years later, in 2014, the Connecticut Supreme Court was the first to allow negligent claims to be filed directly by breach victims, thus creating opportunity for more suits and penalties.
Violation penalties under civil suits range from $100 per violation for unintentional breaches to upward of $1.5 million per violation per year for willful neglect. Criminal fines, thus by nature being an intentional breach, have penalties that include fines and imprisonment ranging from $50k and 1-year imprisonment up to $250k and 10 years.
The prosecution of covered entities and individuals increased with the HITECH Act and implemented costly penalties for breaches. In 2014, NY and Presbyterian Hospital/Columbia University was fined $4.8 million for a lack of a firewall and Concentra Health Services $1.7 million for theft of an unencrypted laptop. Each of these were preventable situations, exposing thousands and hitting the organization’s financial bottom line.
In 2015, Anthem Inc. had 80 million recipients exposed. Record penalties are expected. If there is a successful civil lawsuit per victim, Anthem would be billed $80 billion dollars. The cost of error can be catastrophic.
It is not a matter of how a HIPAA violation will occur for an organization, but when. The preparedness of an organization, expedition of communication of the breach, and resolve of internal failures is essential to the overall impact on the organization.
In one study of data breaches, stock prices dropped by 5%, approximately 30% of the consumers terminated the relationships after the breach, and 65% indicated a loss of trust in these organizations. This same study indicated that those companies that effectively and immediately responded to the breaches saw a decline in share value, but there was a quick return on average of 7 days. On the other hand, slow response impacted organizations for upward of 90 days.
The most common negative impacts impact to an organization that have incurred a security breach include loss of time and productivity, diminishment of reputation, reduction in patient relationship standings, and loss of revenue. Financial loss is projected to far exceed the fines and penalties required under HIPAA. Figures in the millions also include cost of breach notifications, detection and escalations, lost business cost, and a percentage of customer turnover.
In general, any organization dealing with health information that can linked to individuals must fulfill the requirements of HIPAA. If an organization is subject to the law, it is called a Covered Entity. There are broad categories for Covered Entities, including:
- Health Plans (almost all types of healthplans are covered entities)
- Healthcare Clearinghouses (organizations that deal with healthcare data and transactions)
- Healthcare Providers (doctors, nurses, hospitals, pharmacists, etc)
- Employers who provide self-funded or self-administered health benefits
Covered entities must also ensure that the companies they do business with (called Business Associates, discussed further later in the lesson) are compliant with the law as it relates to their interactions.
Earlier we learned that organizations subject to HIPAA rules are called Covered Entities. If a business does work on behalf of a Covered Entity, it is also subject to HIPAA rules for any work it does that is regulated by HIPAA. These vendor partners are referred to as Business Associates in the law. Most organizations have a standard Business Associate Agreement (BAA) with their partners to ensure the appropriate contractual arrangements are in place for HIPAA compliance.
- Training - Training programs and content should build awareness of all the different ways data is used and managed in the organization. A health plan has diverse and complicated business operations that may include many functions that don’t at first seem like they impact healthcare data but do.
- Key Roles- Health plans often employ administrative, clinical and technical staff. Each of these roles will need staff members who participate in the overall HIPAA strategy, in addition to any appropriate (or required security officers).
· Training - Training programs and content should focus on how to properly use tools to transmit and access data.
· Key Roles- Since data vendor organizations deal primarily with sensitive data, there will be a need to have role-based security. Ensuring people have the right access to information in keeping with the Minimum Necessary rule (discussed later) is key. A team of security staff who can help line-level staff understand how to handle different situations is also important.
· Training - Since healthcare providers deal with patients (and their medical information) directly, staff need to be trained on how to manage a variety of situations. This can include who to share information with directly (i.e., family members or other providers) as well as who should access technical systems containing patient information. Staff should also be trained on how to manage the Notice of Privacy Practices and Consent policies in use by the organization.
New Terms from this lesson:
- HIPAA: Health Insurance Portability and Accountability Act providing legislation to protect medical information and insurance coverage for individuals during times of transition.
- EHR: Electronic Health Record is a digital or electronic format of a patient’s record.
- PHI: Protected Health information or any identifying information in a patient’s medical record.
- Covered Entity (CE): Organization that directly handle patient personal health information (PHI) or information that links to a patient’s health diagnoses. These can be providers, plans, or clearing houses. Covered entities also include business associates.
- Business Associate (BA): Vendors who have access to or use PHI on behalf of a covered entity must meet the related standards of HIPAA.
- Notice of Privacy Practices (NPP) – Providers and Health Plans must have a Notice of Privacy Practices (NPP) to let patients know how their PHI is used and what situations don’t require patient authorization.
Ready for the Lesson Progress Quiz?
When you are ready to take the quiz, click the button below. You must pass the quiz to move onto the next lesson.