I’m sure that each and every one of us has seen the inside of the doctor’s waiting room at least once in our lifetime. In fact, most of us are familiar with the mind-numbing boredom or anxiety experienced in the waiting room. It’s not necessarily a good thing but it is what it is. The healthcare industry is booming and shows no signs of slowing down. We trust our doctors implicitly and believe that they are doing the best that they can for us. The healthcare system is one of the largest in the world and has faced numerous changes over the years. One of the biggest ones has been the adoption of technology. Almost everything has been computerized and you seldom come across paper-based records anymore! This has made the entire system more efficient and structured but it has its drawbacks too. Hackers can gain access to sensitive patient data if it is not secured. Technology is a double-edged sword and organizations are realizing that (hopefully not through experience!). It is very important for healthcare professionals to retain the trust patients place in them. Keeping this in mind, the US government passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996. It is mandatory for all healthcare providers, health plans, clearinghouses and anybody that has access to such health data to be HIPAA compliant.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) deals with the protection of sensitive patient data and insurance coverage. Before HIPAA there were no rules or guidelines that the healthcare industry had to abide by. HIPAA was passed in 1996 and is regulated by the U.S Department of Health and Human Services (HHS). The act is divided into five parts.
Title Ⅰ: This protects the individual’s insurance coverage when he/she loses or changes jobs. Under this provision, it is prohibited to exclude individuals from group health plans due to specific conditions and to set lifetime coverage limits.
Title Ⅱ: This sets the standards regarding the privacy and security of Protected Health Information (PHI or e-PHI). Title Ⅱ is what we usually focus on when we speak about HIPAA compliance. It is known as Administrative Simplification provisions.
Title Ⅲ: Deals with tax rules in healthcare treatment
Title Ⅳ: Further deals with the reform of insurance law, especially for people with pre-existing conditions.
Title Ⅴ: Focuses on regulations for companies that deal with life insurance policies.
WHO NEEDS TO BE HIPAA COMPLIANT?
Covered Entities: These include healthcare providers, health plans, and healthcare clearinghouses that possess, process and transmit electronic Protected Health Information (e-PHI). Covered Entities need to be HIPAA compliant and protect the privacy and security of sensitive health information.
Business Associates: The Covered Entity may enlist the help of a third party individual/ organization to aid it in its healthcare activities. Such individuals/ organizations are called Business Associates. They need to be compliant too as long as they have access to e-PHI. Examples include accountants, lawyers, consulting agencies, etc.
HIPAA PRIVACY RULE
The HIPAA Privacy Rule sets the standards regarding the patient’s right to their Protected Health Information (PHI) and to ensure that the e-PHI doesn’t fall into the wrong hands. Protected Health Information (PHI) is any information regarding the health status, payment or health plan possessed by the Covered Entity or Business Associate which if disclosed can be traced back to the concerned individual. The patients have the right to access their records and suggest changes if errors are found. The organization should take measures to ensure that only authorized personnel have access to such sensitive data and that the necessary precautions are in place. There are exceptions, such as when it is required by law enforcement or when it is disclosed to certain parties for treatment or payment of medical bills. Apart from these, the e-PHI cannot be disclosed without the patient’s consent. All disclosures, policies, and procedures followed by the organization must be documented. All the employees should be trained regarding the privacy policies. A HIPAA Privacy Officer is charged with the responsibility of ensuring that the organization is compliant with the Privacy Rule.
HIPAA Security Rule
The Security Rule established a set of standard rules to protect e-PHI. It seeks to ensure that the sensitive data is secure while enabling the organizations to adopt new technologies to improve the quality of care provided. The Security Rule is a little vague and flexible enough to allow organizations to implement the rules in accordance with the organization’s size, structure, and risks involved. The main purpose of these rules and guidelines is to prevent the data from falling into the wrong hands. The e-PHI should encrypted and protected by means of sophisticated technology to ensure that even if an unauthorized person has gained access, the information cannot be decoded and used. All the employees should be trained on the necessary security measures to be taken. The HIPAA Security Rule is divided into three categories.
Physical Safeguards: A covered entity must limit access to its facilities and data centres here the e-PHI is stored. Only authorized personnel should be allowed entry. It should also implement regulations about access to workstations and the use of electronic media. There should be clear policies regarding the disposal and re-use of electronic media.
Technical Safeguards: This deals with the technology that is used to secure the e-PHI. Only authorized personnel should be allowed to access the data through the use of unique user IDs and passwords. The system should be able to keep track of logins and other activities related to e-PHI. e-PHI must not be altered or destroyed and the organization must have an efficient recovery process in such cases.
Administrative Safeguards: A covered entity should take the initiative to identify and analyze the possible risks to e-PHI and implement the appropriate security measures accordingly. Appointing a HIPAA Security Officer goes a long way in ensuring that the organization is compliant with the HIPAA Security Rule. All the employees should be trained regarding the security policies and regulations of the organization. Periodic evaluations helps to determine if the organization meets the standards set forth by the Security Rule.
HIPAA OMNIBUS RULE
The HIPAA Omnibus Rule was introduced in 2013 to make amends and cover areas that had been previously overlooked. It amended definitions and clarified the policies. One of the significant changes was to include Business Associates in the list of entities that have to follow compliance. It introduced additional security measures that healthcare providers had to meet. The penalties for non-compliance were increased to further emphasize the importance of being compliant.
The Health Information Technology for Economic and Clinical Health Act (HITECH) was formulated to encourage the use of technology in healthcare. It even provided incentives to organizations that adopted the use of electronic health records (EHR). It was meant to supplement HIPAA in that it raised the maximum penalty for non-compliance to $1.5 million.
HIPAA ENFORCEMENT RULE
Organizations are subjected to investigations when there is a breach in e-PHI due to non-compliance of HIPAA Privacy and Security Rules. The Enforcement Rule governs the investigations and the penalties imposed. The HIPAA Rules are enforced by the Department of Health and Human Services’ Office for Civil Rights (OCR). The following is the list of penalties
- Tier 1 ($100- $50,000 per violation) – Unaware of the violation and could not have known about it even if reasonable diligence was exercised.
- Tier 2 ($1,000- $50,000 per violation) – Reasonable cause to assume that the entity knew or should have known about the violation by exercising diligence.
- Tier 3 ($10,000- $50,000 per violation) – Willful neglect of HIPAA and corrective measures were taken within 30 days of the discovery.
- Tier 4 ($50,000 per violation) – Willful neglect of HIPAA and no corrective actions were taken within 30 days of the discovery of the violation.
The maximum penalty is $1.5 million per year in each of the categories. The organizations can also be subjected to criminal charges in cases of willful neglect. Aside from the investigations conducted due to non-compliance, the organizations can face lawsuits from the patients whose e-PHI was breached.Being HIPAA compliant is absolutely necessary and needed in today’s world. You have nothing to lose and everything to gain by it. After all, trust once lost is lost forever. If you found this post helpful, please feel free to share your thoughts in the comment section below.