HIPAA Compliance Guide – Complete HIPAA Knowledge at One Place

It is strange that even healthcare professionals are not always aware of how critical HIPAA compliance is. Therefore, we bring you the HIPAA Content Guide as a supporting reference that will clarify your most pressing doubts.

Q: What is HIPAA?

HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996.

There were two main aims which the federal government sought to safeguard when enacting HIPAA. The first was to protect the health insurance of workers who might lose a job, or change professional track. This was the portability angle. However, the aspect which concerns healthcare professionals more is the confidentiality, integrity, and availability (CIA) which they must ensure by protecting health data — the accountability angle. There was a third not-so-well publicized angle of preventing fraud in healthcare, "to combat waste, fraud, and abuse in health insurance and health care delivery."

Q: Who is covered under HIPAA?

Three categories are covered by HIPAA — individuals, organizations, and agencies who create, have access to, and transmit health data of individuals in an electronic format. These include the healthcare providers like doctors, dentists, clinicians like therapists and dieticians, psychologists, chiropractors, nursing homes, home healthcare agency nurses, and pharmacies, "but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard." Healthcare plans like health insurance companies, government healthcare plans like Medicare, Medicaid, workers' insurance plans, and company group health insurance plans; and clearinghouses also come under the HIPAA definition of a covered entity when they access and transmit health data electronically.

Q: What is an electronic health record (EHR)?

An electronic health record (EHR) is a digital version of a patient's paper chart. EHRs are real-time, patient-centered records that make information available securely, and without any hassles to authorized users.

Q: What is PHI? How is it different from ePHI?

Any "individually identifiable health information" of a patient is protected under the Privacy Rule; therefore, it is called protected health information (PHI). It might be stored and transmitted as a paper record, in an electronic format, or orally. When the same information is created, stored, and transmitted in an electronic format, i.e. as an EHR, it becomes electronic protected health information (ePHI).

Q: What is the Privacy Rule?

The Standards for Privacy of Individually Identifiable Health Information (also known as the Privacy Rule) created norms for protecting certain categories of health information. While the U.S. Department of Health and Human Services (HHS) recognized that some PHI and ePHI will need to be shared with other covered entities to provide the best possible patient care, it restricted providers from doing so unduly, as that could jeopardize a patient's right to privacy.

You must have adequate safeguards — administrative, physical, and technical — to protect patient privacy without disrupting patient care. And you must be able to demonstrate due diligence. This means that unless you have a written authorization, you must never disclose PHI, even if the request comes from a potential or current employer. The only exceptions to this would be when filling out a workers' compensation claim or when otherwise required by law, as when ordered to do so by a federal judge.

The HIPAA Privacy Rule has been enforceable since 2003. Yet some healthcare providers don't always take either the law or the Privacy Rule as seriously as they should. Apart from having policies and procedures to ensure patient privacy is protected, ensure all staff in your organization or facility are trained on the various ramifications of the rule. This also means that you need to check whether there are any open access points in the organization's wireless network from which an unauthorized person could log into electronic health records (EHRs).

If there are any incidents of unauthorized access to PHI, you should have corrective actions planned. No healthcare provider or employee of a practice or facility may view medical records in any format without a valid, medically necessary reason. Health information exchanges between practices and facilities are normal when a patient has multiple health issues requiring the attention of different specialists. In such a situation, the potential threats to data integrity are manifold.

You may also need to take damage control measures, including notification in case of a major breach. HIPAA privacy protections are real and OCR enforces them vigorously. It would be better if you had in place measures to ensure that there is no inadvertent disclosure of PHI, such as discussing another patient who works in the same organization as the patient you are seeing. A physician should never reveal other patients' names or medical conditions. Other inadvertent disclosures could be made online, especially posts on social networking sites like Facebook.

Q: Who enforces the Privacy Rule?

The HHS Office for Civil Rights (OCR) is responsible for enforcing it. OCR oversees activities related to compliance with the Privacy Rule, and enforces civil monetary penalties (CMP) in case of non-compliance with the provisos of HIPAA, and its affiliated rules, and of HITECH, or in the event of a breach.

Q: What is HIPAA Security Rule?

It was a requirement defined in the Health Insurance Portability and Accountability Act of 1996 that the Secretary of the U.S. Department of Health and Human Services (HHS) should develop certain standards and regulations to safeguard the individually identifiable health information (IIHI) in patients' medical records. In accordance with that proviso, HHS developed the HIPAA Privacy Rule and Security Rule.

Put simply, the HIPAA Security Rule sets out the guidelines for covered entities to institute safeguards, which would operationalize the right to privacy of the patients as set out in the HIPAA Privacy Rule.

The evolution of new technologies meant that not only healthcare providers and their patients, but also nosy individuals with or without criminal and/or malicious intent could peek into the health status of individuals. The matter was taken to another level when celebrities’ health secrets started being divulged for profit.

Physicians and other healthcare providers got caught in a situation where electronic medical records (EMRs) and electronic health records (EHRs) meant appropriate information was easily accessible to improve quality of care. However, that ease of access put the patient at risk not just of jeopardized privacy, but also of the more dangerous menace of identity theft.

By setting up guidelines for creating administrative, physical, and technical safeguards to prevent unauthorized access, the HIPAA Security Rule seeks to protect patients and their healthcare providers.

It also defines what is meant by confidentiality, integrity, and availability (CIA) of EHRs.

Q: What does the HIPAA Security Rule apply to?

The HIPAA Security standards apply to any of the three categories of HIPAA covered entities, i.e. individuals, organizations, and agencies who create, have access to, and transmit health data of individuals in an electronic format. The emphasis is on authorized access: the guidance is to prevent any kind of unauthorized access to or viewing of PHI.

Specifically, covered entities must:
• Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
• Identify and protect against reasonably anticipated threats to the security or integrity of the information;
• Protect against reasonably anticipated, impermissible uses or disclosures; and
• Ensure compliance by their workforce.

For greater details, please see: https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html.

Q: What is the breach notification rule?

A: If there has been any breach of unsecured PHI, then in accordance with the HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, all covered entities and their business associates (BAs) must notify OCR within a 60-day window of discovering the breach. Even if you're only a vendor of personal or electronic health records, the breach notification rule applies to you in accordance with "the provisions implemented and enforced by the Federal Trade Commission (FTC)."

Q: What is considered a breach of HIPAA?

A: Any "impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information" constitutes a breach, especially if it causes reputational, employment, financial, or other harm to the affected individual or individuals. Breaches caused by willful neglect attract the most stringent actions. These are when a covered entity has been found to have not drawn up a detailed set of policies and procedures to protect PHI; not undertaken a comprehensive risk analysis; not drawn up a risk management plan; not trained all those who handle PHI on the diverse requirements of HIPAA and its affiliated rules; or otherwise failed to display due diligence in safeguarding PHI.

However, there are three exceptions. First, it won't constitute a breach if a doctor or nurse unintentionally or accidentally views, acquires, accesses, or uses PHI without malicious intent.

"The second exception applies to the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates," says the HHS guidance.

Third, if the covered entity or BA believes in good faith that the person to whom the inadvertent disclosure was made would not have been able to use it further or retain the information, then it won't constitute a breach.

Q: How is PHI protected from breaches?

A: Safeguarding PHI from breaches requires instituting administrative, technical, and physical safeguards within your organization to control access, viewing, use, and transmission of all health data created, stored, and transmitted by it. Of these, the technical safeguards and ensuring the physical security of all devices — removable or not — are critical.

This entails identifying vulnerabilities in your HIPAA policies and procedures and taking appropriate mitigatory action, including entering into HIPAA-compliant business associate agreements. Take stock of the findings from root cause analysis, evidence collection, and chain of custody, as well as the breach notification and disclosure law and the actions you must take immediately after discovering a breach.

Q: What are the consequences of violating HIPAA?

A: HIPAA violations can lead to civil monetary penalties ranging from $50,000 per violation to a maximum of $1.5 million in a year. Criminal violations, such as acquiring PHI under false pretenses, can attract a jail term of up to five years in addition to steep fines. It is estimated that in 2016 HHS recovered more than $15 million in penalties and settlements of HIPAA violations.

Q: How do you report a HIPAA violation?

A: Under the HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, you must notify the affected individual or individuals immediately upon discovering the breach, to enable them to take mitigatory action to protect themselves from potential and real harm. As a covered entity, you and your business associates are under an obligation to notify the Secretary by filling out and electronically submitting a breach report form on the HHS website. In case of a breach affecting more than 500 people within a state or other territorial jurisdiction, you must issue a press release or similar notification for broadcast through local media outlets. The severity of a breach depends on which, and how many, individual identifiers were compromised.