HIPPA sets industry standards for healthcare organizations and service vendors. As such, everyone who works in healthcare must be HIPAA compliant in some way. But what does it mean to bea HIPAA compliant organization or individual? This guide will address various aspects of the HIPPA law in healthcare and what it regulates.
What is HIPAA?
In 1996, the United States passed legislation in an attempt to preserve the privacy and security of the medical data of all individuals. In August of the same year, President Bill Clinton signed the Health Insurance Portability and Accountability Act (HIPAA) which contains five key parts known as titles:
HIPAA Title I
Title I gives protection for every individual who loses or changes their job so they can maintain health insurance coverage. It also forbids community programs from restricting coverage to people without pre-existing conditions and illnesses only, and prevents them from setting lifetime coverage limits.
HIPAA Title II
The second title specifies that the development of a national standard for the processing of electronic healthcare transactions is necessary. The U.S. Department of Health and Human Services is responsible for the formulation and implementation. Healthcare organizations also need to implement security measures for access to health data and respect privacy laws.
HIPAA Title III
HIPPA title III provides instructions on tax and medical care provisions.
HIPAA Title IV
Title IV of HIPPA specifies the health insurance reform in more detail and sets out the provisions for those seeking continued cover under the Act and the laws on individuals with pre-existing conditions.
HIPAA Title V
Thelast title lays down rules for persons who want to let go of their U.S. citizenship (expatriate) and theeffects it has on their income tax. It also lays down rules for life insurance policies that are owned by companies.
HIPAA History
On 21 August 1996 the Healthcare Insurance Portability and Accountability Act, commonly referred to as HIPAA, became law. The law aimed to improve the accountability and manageability of medical insurance for individuals who are searching for a different job. It was also intended to reduce abuse, scams, and waste in the healthcare and medical insurance industries.
HIPAA has language that promotes medical savings accounts by providing tax benefits, streamlining the way medical insurance is managed, and extending insurance coverage to pre-existing health-related employees. The procedure of streamlining the administration of medical insurance was a way to encourage the medical industry to turn medical records into electronic format.
In 2009, this section of HIPAA gave rise to the Health Information Technology for Economic and Clinical Health Act, also called HITECH. HITECH then lead to the implementation of the Meaningful Use Program, generally regarded by medical professionals as one of the most important pieces of healthcare legislation to be enacted in many decades.
Who Does HIPAA Cover
The HIPAA Privacy Rule refers to organizations deemed to be HIPAA-covered entities, including healthcare insurance insurers, clearinghouses, and providers. Additionally, the HIPAA Privacy Rule requires covered entities that work with a HIPAA business partner to produce a specific contract. This contract should impose specific safeguards on the Protected Health Information (PHI) that are used or disclosed by the business partner. Protected Health Information includes:
- Data on the reimbursement for the treatment given to the patient, or details on which there are fair grounds to conclude may be used to classify the patient.
- The birthdate, name, social security number, and address of the patient.
- All the care given to the person
- The mental or physical health condition of the patient.
HIPPA privacy rule does not normally include employment records, educational information, or other records that the Family Educational Rights and Privacy Act identifies as PHI. However, there are no restrictions on its use or disclosure for de-identified data. De-identified data does not identify a person or provide information that could identify them.
When a covered entity partners with another company or agency to create or manage healthcare requirements for their business, the other business partner must have a written HIPPA-compliant contract. The contract must specify that all business done with the business partner must meet HIPAA standards and rules as set out in the contract. This must include rules on the protection of the privacy of protected health information.
However, the business partner has the contract in place, and they are still directly responsible for compliance with certain provisions of the HIPAA rules.
Covered Entities include:
Providers
- Nursing homes
- Chiropractors
- Dentists
- Psychologists
- Doctors
- Clinics
- Pharmacies
Health Plans
- Health Ins Companies
- Company Health Plans
- HMOs
- Government Health Plans that pay for healthcare
Want to find out how we do it? Read on, or contact us for a quick chat.
HIPPA Privacy Rules
Introduction
For an individual protected by HIPAA, you should stay updated with all HIPAA legislation. Any future and even innocuous disclosure of confidential health details of a patient can make a doctor, hospital, or healthcare provider vulnerable to several serious civil and criminal penalties.
A violation or infringement of HIPAA arises when a healthcare provider impermissibly discloses or uses information that jeopardizes the confidentiality or privacy of PHI. A healthcare provider must have a detailed understanding of how to properly operate a company without violating HIPAA to survive on the market without being liable for penalties.
Medical Disclosure and Information Uses
HIPAA Privacy Rule gives people control over whether, how, and when protected health information is disclosed or used for marketing purposes. Under HIPAA, a covered entity should not disclose or use the protected health information of a patient for marketing purposes unless HIPAA authorizes it or the patient provides written authorization.
The law, however, is not as simple as it seems to be. The HIPAA law includes many restrictions, limits, exemptions, nuances, and allowances. A covered organization needs to recognize the distinctions between marketing communications and products, medication, and other healthcare services communications.
How is marketing done, then? HIPAA describes marketing as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” Generally, if the communication is marketing-based, the covered entity must obtain the authorization of the person.
When Can a Covered Entity Disclose or Use PHI Without Permission
A covered entity is not required to obtain an individual’s permission for face-to-face interactions (even though the contact may otherwise be called marketing) according to the law. For example, an insurance provider may sell a health insurance policy to a client in person, and may also advertise a life insurance policy for casualties. A healthcare provider, however, cannot provide the insurance agent with PHI.
Hence, they can call the customer on the phone and sell the insurance. Often, if the entity covered provides a nominal value promotional gift, they don’t need authorization. It’s a lot like when a healthcare provider is offering new parents free baby items. A covered entity, however, cannot reveal the address of the patient to an approved third party for sending new baby products to the parents. Therefore, refill notifications about the current prescription of a patient don’t need authorization because they’re not part of marketing.
Although, any payment the covered entity gets to send the communication to the patient must relate reasonably to the cost of sending the communication. Also, a covered entity can communicate with a patient without authorization to recommend alternatives to treatment. However, if they receive payment from a third party marketer, whether direct or indirect, the patient must give authorization. It’s important to be careful when dealing with advertisers from third parties.
The legality of how advertisers manipulate suppliers to take advantage of their goods and services remains a grey area.Lastly, coveredentities don’t need to seek patient authorizations given that they don’t accept payment in the following situations:
- Communication on alternatives to treatment for case management or coordination of care activities
- Communication with a patient about treatment including alternative treatment options, coordination of care rehabilitation, or care environment and case management.
- Communication with a patient to identify the service or product it provides orif benefit package offers are included.
When Does a Covered Entity Need Patient Authorization
A patient must give written authorization to a covered entity orhealthcare provider forthem to disclose or usePHI unless the Privacy Rule allows it. The rule allows disclosure or uses fortreatment, healthcare operations, andpayment.There are three particularly unique circumstances in which a covered identity must fully receive formal authorization:
- Usage and publication of Notes on Psychotherapy
- For the disclosure anduse of the PHI for marketing
- For any use of PHI as a sale
Also, recovery services for drug abuse are subject to the provision of HIPAA authorization if the service works as a covered entity. A treatment center is a coveredentity when it manages coordinates compensation, insurance plans, or asks about the coverage, compensation, or eligibility of a patient.It is important to remember that HIPAA does not discuss whether a patient needs authorizations to reveal identifiable information regarding sexually transmitted diseases or HIV. You can check the authorization regulations of your State to receive current authorization criteria laws.
What should be in an authorization?
An authorization should have the following:
- A declaration stating the right of the individual to waive the authorization in writing
- The person authorized or allowed to disclose or use the information.
- A statement that the provider cannot make treatment conditional on a patient signing an authorization
- A description of the information which the entity concerned wishes to disclose or use
- A summary of each use or disclosure intent requested
- An expiry date
- The person to whom the covered entity may give the information
- Signature of the patient (or personal representative who has demonstrated his/her authority to act on behalf of the individual) and date.
When Does a Covered Entity Need to Give Individuals a Chance to Consent
Accordingto the Privacy Rules, if a covered agency or hospital wants to publish protected information about a patient in a directory, it must give the individual achance to consent.A directory helps loved ones to identify a patient at the hospital. The loved ones could include colleagues, relatives, family members, attorneys, clergy,or anyone else who requests for the person by name. If the patient doesnot want this information to be revealed to the healthcare institution, they will not be able to notify the client that a loved one is present there, send flowers, or redirect calls.
The directory contains the protected health information for the patient, including the name, location, and sometimes general information about the condition and religion of the patient (The clergy of the patient is the only one with access to this). A patient may choose to reveal directory details when they are admitted to the hospital. The patient may then agree, disagree, or decide on what details to share.
A healthcare provider may also receive a patient’s verbal consent; however, if the patient wishes to prevent other people from accessing the directory information, it’s best to do it through writing. When an emergency occurs, and the patient cannot give verbal consent, then the physician or healthcare provider must make use of their best judgment.A covered entity may also share personal healthcare information with family, friends, or anyone else the patient allows.
They may disclose or use PHI to notify about the location, care, general condition, undeath to a family member, personal representative, or someone responsible for the patient. The United States Department of Health and Human Services (HHS) provides examples as follows:
- A doctor can give medical details to a friend driving the patient home from the hospital. The details should be related to the mobility limits of the patient.
- A hospital is allowed to discuss payment options for a patient with an adult child.
- When a roommate comes to pick the patient from the hospital, a doctor may inform them about the proper dosage of medication.
- In the presence of a friend, a physician may discuss the proposed healthcare plan with the patient when the patient brings the friend to a medical appointment and asks if the friend can stay in the treatment room.
When Can a Covered Identity Disclose or Use PHI for Fundraising
A covered entity may use or reveal protected health information about a patient to a business partner or an institutionally-related charity to raise funds for its gain. A business associate offers legal services, financial services, debt collection, and actuarial services to covered entities. The business partner, however, does not use or reveal PHI in any way that would violate the contract or HIPAA. Under HIPAA, the only details a covered entity can use are:
- Demographic information (name, age, address, gender, birth date, other contact data)
- Information about the department of service(e.g., radiology)
- Dates of medical attention given to the individual
- Outcome information
- Treating physician
- Status of health-insurance
A person can, however, opt-out of receiving contact on fundraising. Every time a covered entity or healthcare provider sends a fundraising email, it must have a clear opportunity to opt-out of getting any other communications. Anybody that gets this communication should be mindful enough to fully understand the opt-out option.
A covered entity has full discretion when determining the opt-out options. It decides whether the opt-out applies to a particular campaign or all general fundraising. Furthermore, the privacy notice of the covered entity must state clearly the right to contact the individual to raise funds for the covered entity; however, the person has the right to opt-out of receiving the communications.
How Does the HIPPA Privacy Rule Affect Disclosure and Use of Genetic Information
The Privacy Rule does not allow most health insurers to disclose genetic information for purposes of subscription, such as setting premium costs or determining eligibility. Genetic information includes the genetic test results of a patient or family member and records relating to the existence of a disease or condition in the patients’ family members.
It also includes all demands for or acceptance of genetic services as well as involvement by a family member or person in clinical research (including genetic testing).This ban also extends to corporate health benefits (employers), health insurance issues (HMOs and PPOs), and supplemental program issues in Medicare. It does not apply to long-term insurers, though.
HIPAA Security Rules
There’s no question that transition from a paper-based recording system to an electronic one would face some challenges. The more we start relying on electronic documents, the greaterthe chance that data would be accessed improperly. Hence, healthcare staff have to alert patients promptly if their data is stolen or lost.
Electronic Health Record
The electronic health records, also called EHRs, are digitally recorded medical records. Although records in paper charts were common in the past, the government encourages medical personnel to use electronic databases. The advancement will improve overall healthcare system performance and quality. Today, privacy is a major concern for patients who want to ensure that only approved individuals have access to their sensitive data. The information in an EHR is private, generally consisting of in-patient and electronic correspondence.
The best thing about electronic health records is that they enable quick sharing of information between physicians, specialists, emergency rooms, and other healthcare professionals. It not only increases the quality of treatment patients get, but also enhances productivity and reduces the costs associated with remaining healthy.
The HIPAA Protection Policy is designed to secure stored or electronically transmitted confidential health information. Such rules do not generally extend to documents on paper that you might find in a physical folder or cabinet. There are still some laws that are exclusive to paper documents. Like all types of safe health information, they are covered by HIPAA Privacy Laws. If paper records have been released to an unauthorized party, it also counts as a violation.
For situations where more than 500 people’s records are compromised, the HHS web site will report about the accident. Such accidents are usually the product of incompetent staff or security procedures with the documents. The U.S. Department of Health & Human Services generally handles the Security Rule and decides what action to take. Also, the Security Rule needs each organization to have a security plan well written in its records.
All proposals must provide administrative, physical, and technical safe guards. Administrative Safeguards: These are measures that can be applied in the workplace. For example, you can train staff on appropriate procedures as well as develop a program for recognizing possible risks to health. This form of protection is focused on the preparation and watchfulness of staff members. Physical Safeguards: This is the use of physical obstacles.
Those are the measures you take to avoid unauthorized access to areas of work, data, and computers. These measures may involve securing doors and cabinets. Technical Safeguards: They are the ones who make use of technology to monitor all record access. For example, you can put computer passwords or encryptions in place that don’t enable electronic transmission beyond the office network.
Breach Notification Rule
Any breach involving protected health information must result in HIPAA notification. It’s also necessary for the companies and organizations to contact the Office of Civil Rights, in addition to notifying the impacted persons. All security violations must be reported. The company or corporation might even need to inform the local media in exceptional cases.
How do you know when there is a data compromise or breach
HIPAA describes a breach as the unauthorized use, disclosure, or access of health information. A violation typically leads to a loss of security and privacy. It is important to remember that notification is not needed for every data breach. At the time of the attack, confidential health information has to have been unsecured or unencrypted.
Usually, an organization or company has the liberty to determine when data is compromised. These organizations use risk analysis to assess the type of violation and the nature of the leaked information. While the HIPAA guidelines cover national organizations, every State has its unique guidelines. Usually, organizations inform individuals via first-class postal mail or email, depending on patient preferences.
HIPPA Enforcement
The HIPAA Privacy Policy protects the privacy of patients concerning their medical history and other confidential health details which may have other agencies protected by the federal HIPAA regulations. Such protected institutions usually include insurance plans (both private and some government health plans), doctors, hospitals, healthcare providers, and clearing-houses for healthcare. Not only do HIPAA regulations ensure patients have access to their records and confidential health information, but they also set standards on how to administer or report those data.
How is HIPAA Enforced
How is HIPPA Enforced
The Office for Civil Rights (OCR) addresses HIPAA enforcement problems by reviewing complaints lodged with OCR and carrying out enforcement assessments of covered entities. Besides, OCR offers numerous training, outreach, and educational programs to educate covered healthcare providers about their HIPAA responsibilities and to promote compliance before anyone files a complaint.
When OCR receives a complaint or starts an investigation, they inform both the group who filed the complaint and the organization involved in writing. To finalize its investigation, OCR may ask for more information from the covered entity. They will communicate with the healthcare provider directly.
If OCR finds that a HIPAA violation has occurred, they will work with the agency to promote enforcement, request action to correct it, and sign a resolution agreement. If a settlement has been reached between the OCR and the individual affected, all parties involved in the complaint and inquiry willbe informed of the outcome in writing.
HIPAA Violation Penalties and Fines
The U.S. Office for Civil Rights refers to healthcare providers as insurance services, healthcare clearinghouses, and other covered organizations, as well as business partners of covered entities. Health and Human Services department enforces varying rates of fines and penalties on healthcare providers who fail to comply with HIPAA laws.
The fines and penalties have been revised to reflect the severity of such breaches, based on improvements made to the Health Information Technology for Economic and Clinical Health Act. The fines are meant not only to serve as a deterrent but also to keep violators responsible for their acts.
HIPAA Penalty Structures
Violation of category 1: is one in which a covered entity did not know about, and could not have avoided even with a little bit of precaution.
Violations of Category 2: is one that the covered entity should have known about, but could not have prevented with a reasonable level of care.
Violations of category 3: are considered to be the direct product of deliberate negligence by the covered entity.
Violations of category 4: are the most severe. HIPAA laws are deliberately broken in these cases, and no efforts were made to remedy the situation.
Cost of Penalty
The Office for Civil Rights will use its authority to impose financial penalties if breaches are found to have occurred. Some considerations which have been taken into account include:
- How many individuals were affected
- The organizationโs willingness to assist with the inquiry
- How long did the breach last
- What form of data was affected
Category 1: Offenses are charged at the cost of $100 per violation, up to $50,000 at maximum. Category 2: Offenses are each charged at $1,000, and could be up to $50,000.
Category 3: Offenses are charged at $10,000 and could go as high as $50,000.
Category 4: The minimum fine for all entities whose violations fall into this category is $50,000 per breach. Maximum caps on all fines are in place because the maximum penalty per category cannot exceed $1.5 million per year.
HIPAA Certification
People searching for HIPAA compliance certification might be surprised to findout that there is no single organizationto go with. A certifying company is quite close to any other provider who can give periodic evaluations. This is because although an individual might be accredited, a healthcare institution is unable to do so. A business compliant on one day could suddenly be in breach of new laws owing to changes introduced by HIPAA the next day, or just a pure lack of compliance within the firm.
In this way, the only thing that can be done as far as the HIPAA compliance process goes is to check the organization regularly and ensure that it is still compliant with current legislation. Such audits may be issued by vendors offering certification but recognize that passing the test once does not guarantee future, continuous compliance.
HIPPA and Telemedicine
When it comes to telemedicine-related HIPAA rules, it impacts any part of the medical profession and healthcare organization that wants to provide patients at their community centers with a remote service. A lot of people agree that electronic PHI contact is appropriate from a distance when communication is directly between the physician and the patient.
To remain under the umbrella of the HIPAA Privacy Law, the medium of communication would also be of interest to medical professionals. It must comply with the HIPAA guidelines relating to telemedicine. HIPPA security rule states that access to electronic PHI is only given to registered users. The organization or physician will also need a secure communication channel that keeps the integrity of the electronic PHI intact.
Surveillance of this program should require continuous monitoring as it protects from cybercriminals and breaches. The main aim is to prevent unauthorized parties from accessing data that could cause damage in the wrong hands. Unsecured communication channels include:
- SMS
- Skype
If physicians want to communicate electronic PHI from a distance, all three of these approaches should be avoided at all costs. Once it comes to the HIPAA requirements for telemedicine, all devices that communicate with electronic PHI from a distance must have protection in place which can track and delete the information as appropriate.
How to Communicate Electronic PHI
Most healthcare organizations are using a secure messaging solution that staysin line with telemedicine-related HIPAA requirements. People still enjoy the same speed and convenience with a protected messaging solution that they could find using a respectable system such as Skype, SMS, or email, but it remains compliant with the Security Rules found in the HIPAA guidelines.
HIPAA Compliance and Texting
Texting may be a quick and expedient way for healthcare workers to interact with employers, patients, and all parties concerned. Texting, however, may be a concern with HIPAA requirements. With the introduction of text messaging under the HIPAA umbrella, the importance of HIPAA enforcement in text messaging has become ever more significant.
Fortunately, texting applications compatible with the Health Insurance Portability and Accountability Act (HIPAA) can be downloaded to your phone or desktop computer to keep your texts secure. These apps preserve the protection of shared protected health information (PHI) between approved users to better adhere to HIPAA.
Conclusion
If you work in the healthcare sector, you must make efforts to remain HIPPA compliant. Failure to do this could have serious effects on your practice or organization as a whole. Using this guide, find out which areas or instances is of concern to you, and start taking the necessary steps to become HIPPA compliant.
