Complying with HIPAA: A Beginner's Guide
The Health Insurance Portability and Accountability Act, or HIPAA, is a data protection regulation for digitally stored healthcare data. Any company that deals with private health information must ensure it is HIPAA compliant.
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 is a major piece of legislation that covers many aspects of health care provision. The Act sets out rules on limitations of healthcare coverage, measures for protection from fraud and theft, as well as how Protected Health Information (PHI) should be handled by the health care and insurance industries.
HIPAA Privacy Rule
The HIPAA Privacy Rule regulates the use and disclosure of personally identifiable medical information. Any company that obtains, stores or processes personally identifiable medical information as part of its operations in the United States has to be compliant.
Under HIPAA, personally identifiable medical information is referred to as Protected Health Information (PHI). It includes:
- An individual’s past, present or future physical or mental health or condition
- Information on the provision of health care to the individual
- An individual’s past, present, or future payment for the provision of health care
The Basic Principle
The Basic Principle of the HIPAA Privacy Rule is that Protected Health Information cannot be used or disclosed to any third party without the explicit consent of the individual whose information it is. Third parties include family members and friends, as well as the parent organization, subsidiaries and business partners of your company.
Under normal conditions the consent of the individual should always be in written form, along with specific information on the use or disclosure of the data to which the individual is agreeing.
Use and disclosure of PHI
There are only a few situations in which PHI can be used without explicit consent from the individual whose information it is. These are mostly situations where it is reasonable for information to be disclosed due to legal reasons or implied consent.
Individually identifiable health information can be used or disclosed without consent from the individual:
- For your company’s own treatment, payment and health care operations (when the individual has already consented to your company holding their information)
- When the individual has been given the opportunity to object (i.e. informal consent - for example if the individual brings a family member to a health meeting)
- When required by law (for example a court order)
- When it’s in the public interest (for example to help a victim of domestic violence)
HIPAA Security Rule
The HIPAA Security Rule is concerned with the protection of Protected Health Information that is kept in electronic form. This information is referred to as Electronic Protected Health Information (ePHI).
The Security Rule consists of three sections:
- Technical safeguards
- Physical safeguards
- Administrative safeguards
This course will set out best practice in these areas, but you should also refer to your own company’s policies as appropriate.
HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule stipulates how companies are required to deal with security breaches where PHI has potentially been exposed.
Any breach must be recorded and reported as part of annual HIPAA compliance reporting to the Department of Health and Human Services.
In addition, if the breach affects 500 or more records, both the individuals affected and the Department of Health and Human Services must be notified of the details of the breach without undue delay, and in all cases within 60 days of the breach taking place.
HIPAA Enforcement and Penalties
The Department of Health and Human Services enforces penalties on organisations that fail to comply with HIPAA. These can take the form of civil or criminal penalties depending on the nature and scale of the issue.
Penalties can be issued whether the individual breaching HIPAA was aware of the regulations or not.
Civil penalties of $100 per failure to comply with a Privacy Rule requirement can be issued by HHS.
Criminal penalties of $50,000 and up to a year of imprisonment can be applied to persons who knowingly obtain or disclose individually identifiable health information in violation of HIPAA. These penalties can go up to $250,000 and ten years of imprisonment if the wrongful conduct involves the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm.