The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US federal law to protect patients’ sensitive health data. HIPAA’s primary compliance goal is to secure people’s health information without undermining the free flow of information needed to provide patients quality health care.
Although the Act had taken effect since 1996, the US Department of Health and Human Services Office for Civil Rights continues to record cases of violation in their thousands. This article breaks down critical aspects of HIPAA and the Privacy Rule. The precautions you should take as a healthcare provider, health plan agency, or business associate to avoid sanctions.
What is the Health Insurance Portability and Accountability Act (HIPAA)?
Twenty-four years ago, precisely August 21, 1996, President Bill Clinton signed the Health Insurance Portability and Accountability Act (Public Law 104-191). The Kennedy-Kassebaum Act (another name for HIPAA) consists of five titles. Title I, III, IV, and V of HIPAA address health plans, insurance coverage, medical savings, and tax-related issues. But Title II of the HIPAA focuses on strengthening data security to prevent healthcare fraud and abuse of patients’ information. The Administration Simplification Rules, a subset of Title II, seems to be the most significant provision. It spells the guidelines for handling protected health information.
What is HIPAA Compliance Privacy Rule?
HIPAA Compliance Privacy Rule, also called “Standards for Privacy of Individually Identifiable Health Information”. HIPAA addresses individuals’ use and disclosure of health information by certain entities or organizations. Since the beginning of April 2003, entities mandate to demonstrate compliance to these rules. For this article, the term “covered entities” will refer to organizations and individuals that the rule addresses.
Similar to the General Data Protection Regulation (GDPR), HIPAA Privacy Rule contains requirements for individuals’ right to understand how their medical information is in use and control such usage. Covered entities may obtain and use health information judiciously but must not disclose or transfer such data without authorization.
What are the “Covered Entities” under HIPAA?
The Privacy Rule encompasses a selected category of individuals and organizations. These are:
- Healthcare providers: Regardless of its size of the operation, healthcare providers that transmit medical information digitally concerning specific transactions have the obligation to abide by the Privacy Rule. Such transactions include claims, inquiries of benefit eligibility, etc., and other transactions stated under the HIPAA Transaction Rule. Health care providers have institutional providers (such as hospitals) and non-institutional providers (including doctors, dentists, etc.).
- Health plan providers: Health plans are common commodities in today’s world. They are sometimes handled by health insurance companies or sponsored by the government. Employer-sponsored group health plans also fall under health plan providers. A health plan could be a vision, dental or general medical plan. For entities or organizations that provide for the cost of health care, the Health Insurance Portability and Accountability Act has laid down compliance guidelines to guide their use of patient’s health information within their reach. Meanwhile, there are certain exceptions to health plans covered by the rule. For instance, group health plans that do not have up to 50 participants fall out of this categorization. Some government-sponsored plans also do not fall under this category. They are:
– (a) Health plans that do not provide direct cost of health care, e.g., food stamp programs
– (b) Programs that directly provide health care, such as community health centers.
- Healthcare clearinghouses: are third-party agencies, public or private, that process non-standard transactions or data into standard data elements or transactions. More often than not, healthcare clearinghouses receive health data when rendering service to healthcare providers or health plans as a business associate. Billing services, community health management information systems, repricing companies, etc., are examples of healthcare clearinghouses.
When is data disclosure ‘required’?
Like the Communications and Video Accessibility Act (CVAA), the Health Insurance Portability and Accountability Act provides flexibility in its Privacy Rules. As much as it is forbidden for entities to disclose patients’ data, the HIPAA Privacy standards allow for two exceptions.
When disclosure of health data is necessary, the first occasion is when an individual possesses the data in question requests for their information. Should the Human Health Service request data information for compliance investigation or enforcement process, HIPAA requires divulging such information.
The general rule regarding health information is that health data is “permissible” in a responsible and authorized manner. However, to every general rule, there are exceptions. It follows, thus, that the Health Insurance Portability and Accountability Act permits entities to use and disclose sensitive health information without the individual’s permission in certain situations and for specific purposes, some of which include:
- Healthcare operations including treatment or treatment referral, payment or reimbursement for Healthcare service, etc.
- When public interest is involved, especially if it relates to any of the 12 national priority purposes (for law enforcement, court order, administrative or judicial proceedings, in the case of abuse, neglect or domestic violence, research purpose, and so on). Meanwhile, there are no restrictions on the disclosure or use of de-identified health information; that is, health information that does not provide any reasonable ground for identification. De-identification can occur through the removal of specific key identifiers of the individual. A trained statistician may be needed to determine the de-identification process.
HIPAA Compliance Checklist for websites
HIPAA Security Rule is a sister regulation to the Privacy Rule. The major difference between the two is that the Security Rule deals strictly with health information that covered entities create, receive, save or transmit electronically. The Security Rule refers to such data as “electronically protected health information (e—PHI). “As a general rule, covered entities must keep all electronically protected health information (e-PHI) confidential when creating, receiving, transmitting, or storing them.
In this time and age, data collection, processing, and gathering occur on the internet, and Healthcare data is not an exception. Healthcare systems employ electronic health records (EHR) and other clinical applications which come with potential security risks. If that is the case, healthcare institutions (hospitals and clearinghouses) and healthcare providers must protect “individually identifiable health information.”
Since the internet is the undisputed basic data access point, entities covered by the HIPAA. The HIPAA Privacy Rule must operate safe and secure websites. The following are worthwhile considerations on the HIPAA website compliance checklist.
HIPAA Compliance Checklist
- Get an SSL protection: Secure Sockets Layer (SSL) is a safe bet for e-commerce websites that collect users’ details. By relying on SSL encryption, covered entities can ensure that all data recorded and transmitted on their website remains secure and private. Besides, an SSL certificate will increase trust in you. As it establishes your identity while fastening security between networks or devices. A Secure Server Layer (SSL) certificate protects a wide range of information. It includes medical records, login credentials, identifiable personal information, name, home address, telephone number, and a credit card or bank information.
- Activate full data encryption: Encrypting stored data is a good way to ensure that unauthorized individuals do not interfere with sensitive client information.
- Frequently update login credentials: A good web security practice is to change login credentials as frequently as possible to tighten security frequently.
- Restrict access control to team members and, on necessary occasions, contractors. As a best practice, access to the master account should be confidential to an individual, whoever that may be.
- Update security software and firewalls
- Create a data breach protocol for any eventuality
- Ensure full data backup despite data encryption and firewall security.
How to comply with the Health Insurance Portability and Accountability Act
Complying with HIPAA is an ethical obligation. It not only saves the organization’s reputation but also averts exorbitant violation fines. Since enactment, the US Office of Civil Rights has imposed monetary penalties that are not less than 135 million USD. Interestingly, HIPAA compliance is not impossible, provided you are determined to do it.
- Create an in-house awareness: “A house divided against itself will not stand” is a relevant adage to complying with HIPAA’s Security Rule. Ensure that your organization’s effort to implement these guidelines comes through. Through orientation and ongoing education, your team will be better positioned to abide by all necessary regulations.
- Designate a Privacy Officer: A task for everyone may end up as a task for no one. Clients’ protected health information (PHI) is sensitive data that your agency should closely supervise. The best man for this job is a privacy officer who invests his time and resources in this sacred responsibility. In addition to overseeing customer data, the Privacy Officer must also develop and implement policies and procedures for protecting data privacy.
- Run periodic risk assessment: The Security Rule encourages concerned organizations to conduct a risk assessment to evaluate likely security threats on e-HPI. One good thing about periodic risk assessment is that it tightens security by letting you know of potential danger and protect against it. Prevention is better than cure.
The Health Insurance Portability and Accountability Act has laid down guidelines to protect patients’ medical data from fraud and abuse without undermining quality healthcare. Hence, concerned entities must demonstrate compliance to HIPAA’s various rules across administrative, technical, and physical levels for an effective outcome. Considering the increasing rate of cybercrime, healthcare providers, health plan institutions, and business associates must implement strong internet security practices. This includes SSL protection, data encryption, and providing a data breach protocol. Understand more important international guidelines and regulations in 2021, such as GDPR, CVAA and WCAG.