Sometimes we use terms we understand well but know nothing about their background and history. The same can happen with HIPAA: we all use the term and know roughly what it is about, but may have no idea how it came to be and what it covers.
This article will help you learn more about the widely known Health Insurance Portability and Accountability Act, better known as HIPAA.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law enacted by the 104th US Congress and signed by President Bill Clinton on August 21, 1996. It aimed to modernize the flow of healthcare information and to stipulate how personally identifiable information maintained by the healthcare industry should be protected from fraud and theft. The law required the creation of national standards to secure sensitive patient health information from being disclosed without the patient’s knowledge.
The act consists of five titles. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement HIPAA requirements. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule.
HIPAA Privacy Rule
The Privacy Rule standards address the use and disclosure of individuals’ health information (protected health information) by entities subject to the Privacy Rule. Protected health information (PHI) is any demographic information that can be used to identify a patient or client of an entity subject to HIPAA. Common examples of PHI include names, addresses, phone numbers, Social Security numbers, medical records, financial information, and full facial photos, to name a few. The individuals and organizations subject to the Privacy Rule are called “covered entities.”
The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used. A major goal of the Privacy Rule is to ensure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high-quality health care and to protect the public’s health and well-being. The Privacy Rule strikes a balance that permits important uses of information while protecting the privacy of people who seek care and healing.
To comply with the HIPAA Security Rule, all covered entities must do the following:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI).
- Detect and safeguard against anticipated threats to the security of the information.
- Protect against anticipated impermissible uses or disclosures.
- Certify compliance by their workforce.
Covered entities should rely on professional ethics and best judgment when considering requests for permissive uses and disclosures. The HHS Office for Civil Rights (OCR) enforces the HIPAA rules, and all complaints should be reported to that office. HIPAA violations may result in civil monetary or criminal penalties.
The following types of individuals and organizations are subject to the Privacy Rule and considered covered entities:
- Healthcare providers: Every healthcare provider, regardless of the size of its practice, that electronically transmits health information in connection with certain transactions. These transactions include claims, benefit eligibility inquiries, and other transactions for which HHS has established standards under the HIPAA Transactions Rule.
- Health plans: Entities that provide or pay the cost of medical care. Plans include health, dental, vision, and prescription drug insurers; health maintenance organizations (HMOs); Medicare, Medicaid, Medicare+Choice, and Medicare supplement insurers; and long-term care insurers (excluding nursing home fixed-indemnity policies). Health plans also include employer-sponsored group health plans, government- and church-sponsored health plans, and multi-employer health plans.
- Healthcare clearinghouses: Entities that process nonstandard information they receive from another entity into a standard (i.e., a standard format or data content), or vice versa. In most cases, healthcare clearinghouses receive individually identifiable health information only when providing these processing services to a health plan as a business associate.
- Business associates: A person or organization (other than a member of a covered entity’s workforce) using or disclosing individually identifiable health information to perform or provide functions, activities, or services for a covered entity. These functions, activities, or services include claims processing, data analysis, utilization review, and billing.
HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule requires covered entities to notify patients when there is a breach of their PHI. The Breach Notification Rule also requires entities to promptly notify the Department of Health and Human Services of such a breach of PHI and to issue a notice to the media if the breach affects more than five hundred patients.
There is also a requirement to report smaller breaches – those affecting fewer than 500 individuals – via the OCR web portal. These smaller breach reports should ideally be made once the initial investigation has been conducted.
Breach notifications should include the following information:
- The nature of the PHI involved, including the types of personal identifiers exposed.
- The unauthorized person who accessed or used the PHI or to whom the disclosure was made (if known).
- Whether the PHI was actually acquired or viewed (if known).
- The extent to which the risk of damage has been mitigated.
Breach notifications must be made without unreasonable delay and in no case later than 60 days following the discovery of a breach. When notifying a patient of a breach, the covered entity must inform the individual of the steps they should take to protect themselves from potential harm. The notification should include a brief description of what the covered entity is doing to investigate the breach and the actions taken so far to prevent further breaches and security incidents.
The Importance of Data Encryption
The vast majority of ePHI breaches result from the loss or theft of mobile devices containing unencrypted data and the transmission of unsecured ePHI across open networks.
Breaches of this nature are easily avoidable if all ePHI is encrypted. Although the current HIPAA regulations do not demand encryption in every circumstance, it is a security measure that should be thoroughly evaluated and addressed, and suitable alternatives should be used wherever data encryption is not implemented. Data encryption renders stored and transmitted data unreadable and unusable in the event of theft.
Data is first converted to an unreadable format – termed ciphertext – which cannot be unlocked without a security key. This key converts the encrypted data back to its original format. If an encrypted device is lost or stolen, the loss does not result in a HIPAA breach for exposure of patient data. Data encryption is also important on computer networks to prevent attackers from gaining unauthorized access to ePHI in transit.
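As an added example (not code from the article, from HHS, or from any HIPAA guidance), the following Go program shows what the paragraph above describes in practice: a single ePHI record is converted to ciphertext with AES-256-GCM from the Go standard library, the key converts it back, and without the key the bytes are unreadable. The record is constructed sample data, and the function names and key handling are assumptions made for illustration. It goes one step beyond the text by using authenticated encryption, so that a modified ciphertext is rejected on decryption rather than silently producing garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sampleRecord is a constructed ePHI record used only for this example; it is not real patient data.
const sampleRecord = `{"name":"Jane Doe","dob":"1980-01-01","mrn":"MRN-000123","diagnosis":"example"}`

// NewKey generates a random 256-bit AES key. In a real deployment the key lives in a
// key management service or HSM and is never stored next to the ciphertext: a lost
// laptop that holds both the encrypted data and the key offers no protection.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptRecord seals plaintext with AES-256-GCM and returns nonce || ciphertext || tag
// as one blob that can be stored on disk or sent over a network. GCM provides both
// confidentiality (unreadable without the key) and integrity (modifications are detected).
func EncryptRecord(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce for every encryption; reusing a nonce under the same key breaks GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptRecord reverses EncryptRecord. It returns an error if the key is wrong, the blob
// was altered, or the blob is too short to contain a nonce and an authentication tag.
func DecryptRecord(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ciphertext := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	sealed, err := EncryptRecord(key, []byte(sampleRecord))
	if err != nil {
		panic(err)
	}
	// The patient's name does not appear anywhere in the stored blob.
	fmt.Println("plaintext visible in ciphertext:", bytes.Contains(sealed, []byte("Jane Doe")))

	// With the correct key the record comes back intact.
	plain, err := DecryptRecord(key, sealed)
	fmt.Println("decrypt with correct key succeeds:", err == nil && string(plain) == sampleRecord)

	// Whoever holds only the device, and not the key, cannot recover the record.
	otherKey, _ := NewKey()
	_, err = DecryptRecord(otherKey, sealed)
	fmt.Println("decrypt with wrong key fails:", err != nil)

	// A single flipped bit in the stored blob is detected by GCM's authentication tag.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = DecryptRecord(key, tampered)
	fmt.Println("tampered record rejected:", err != nil)
}
```

The design choice worth noting is that the key is generated and held separately from the data: the paragraph's claim that a lost encrypted device is not a breach holds only when the key is not recoverable from the same device, which is why full-disk encryption products tie the key to a passphrase, TPM, or hardware token rather than storing it in the clear.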
*Information in this article is taken from open sources