A Guide to the HIPAA Laws
Most individuals and organizations in healthcare-related industries are aware they have to comply with the HIPAA laws. However, as the rules generally considered to be the HIPAA laws cover such a wide range of healthcare-related services, they are written in a manner that can lead – and has led – to some individuals and organizations being confused by them.
The aim of this guide to the HIPAA laws is to explain what they are, who they apply to, how they are enforced, and what the penalties are for failing to comply with HIPAA. Our guide is not intended to be a reference for every possible scenario in which the laws may apply, but it should help HIPAA-covered individuals and organizations better understand what their compliance obligations are.
What are the HIPAA Laws?
When originally enacted in 1996, the Healthcare Insurance Portability and Accountability Act (HIPAA) was a five-titled amendment to the Internal Revenue Code that also updated the Employee Retirement Income Security Act and Public Health Service Act. The objectives of the five titles were:
- To improve portability and continuity of health insurance coverage.
- To combat waste, fraud, and abuse in health insurance and healthcare delivery.
- To promote the use of medical savings accounts.
- To improve access to long-term care services and coverage.
- To simplify the administration of health insurance.
The second of the five titles was the most significant for individuals and organizations in healthcare-related industries. This included the “Administrative Simplification Rule” which required the Department of Health and Human Services (HHS) to increase the efficiency of the healthcare system by creating standards for the use and dissemination of healthcare information.
Per the requirements of the Administrative Simplification Rule, the HHS developed five further sets of rules. Two of these – the “Transactions and Code Set Rules” and the “Unique Identifiers Rules” – standardize the way in which health plans engage in healthcare transactions, and introduce a National Provider Identifier. The three other sets of rules – the “Privacy Rule”, the “Security Rule”, and the “Enforcement Rule” – are generally considered to be the HIPAA laws.
The HIPAA Privacy and Security Rules
The Privacy and Security Rules set the standards for how individually identifiable health information – also called Protected Health Information or PHI – should be created, used, stored and shared. The Privacy Rule stipulated the circumstances in which a patient's PHI could be disclosed without the patient's consent and introduced a complaints procedure for the unauthorized disclosure of PHI. It also introduced the Minimum Necessary Rule to limit the amount of PHI disclosed to the minimum required to accomplish the intended purpose of the use, disclosure or request.
Whereas the Privacy Rule relates to all PHI, the Security Rule deals specifically with any PHI that is created, used, stored or shared electronically. Regulations within the Security Rule include the administrative, physical and technical safeguards all HIPAA-covered individuals and organizations must implement in order to be in compliance with the HIPAA laws. What some individuals and organizations find confusing is that some safeguards are “required”, whereas other safeguards are “addressable”. In reality there is little distinction between the two.
The term “required” should need no explanation. The term “addressable” means the safeguard is required unless it can be shown by means of a risk assessment that it is unnecessary to implement the safeguard because a) mechanisms or policies already exist that perform the same task as the safeguard, or b) there is no need to implement the safeguard because no risk exists. Only in unique circumstances will there be justifiable reasons not to implement an “addressable” safeguard, and the reasons will come under close scrutiny if ever an unauthorized disclosure of PHI occurs.
Who Do the HIPAA Laws Apply To?
When the HIPAA Privacy and Security Rules were first enacted, they applied to “Covered Entities”. Covered Entities are defined by HHS as being healthcare providers, health plans, and healthcare clearinghouses – such as billing services and community health information systems. Certain exemptions are made for employers with self-insured health plans. If you fall into this category, you should seek professional guidance on what the requirements are in order to comply with the HIPAA laws.
In January 2013, the HIPAA laws were updated in the Final Omnibus Rule. Among several significant changes, the need to comply with the HIPAA laws was extended to “Business Associates” – individuals or organizations that perform a service for Covered Entities that involves the use, storage or disclosure of PHI. Employees of Covered Entities are not considered to be Business Associates, and – in certain circumstances – it is possible for a Covered Entity to be a Business Associate for another Covered Entity.
Other “HIPAA Laws” to be Aware Of
Whereas the Privacy, Security and Enforcement Rules are generally considered to be the HIPAA laws (the Enforcement Rule is discussed in greater detail below), there are other laws that can influence how HIPAA is applied. The need to comply with these laws may depend on the location of the HIPAA-covered individual or organization, and the nature of their business.
Most HIPAA-covered individuals or organizations are also subject to state privacy laws. Although the privacy standards stipulated by HIPAA preempt state privacy laws that are less protective, they leave in effect other state laws that are more privacy-protective – particularly those relating to obtaining patients' consent before disclosing their PHI. Other “HIPAA laws” to be aware of include:
The Family Educational Rights and Privacy Act is a federal law enacted in 1974. It protects the rights of student education records (including health records) and gives students some rights over the disclosure of personally identifiable information. If the educational institution provides healthcare to non-students, it will qualify as a HIPAA Covered Entity.
The Genetic Information Nondiscrimination Act (GINA) was enacted in 2008 to protect individuals against discrimination in employment and in health coverage based on their genetics. As a result of GINA, the HIPAA Privacy Rule was modified to clarify that genetic information is PHI, and to stipulate its unauthorized use or disclosure was prohibited by HIPAA.
The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted in 2009. It was the launch pad for the Meaningful Use incentive program and introduced new safeguards to address privacy and security concerns when PHI was transmitted electronically. HITECH also introduced the Breach Notification Rule and new penalties for violating HIPAA.
Breach Notification Rule
The Breach Notification Rule stipulates that breaches of PHI affecting more than 500 individuals must be reported to HHS within sixty days of discovery of the breach. In addition, breach notification letters should be sent to the affected individuals, and the breach must be reported to the local media and announced prominently on the individual's or organization's website.
The Final Omnibus Rule
As mentioned above, changes were made to the HIPAA Privacy and Security Rules by the Final Omnibus Rule in 2013. One of the more significant changes relates to how “significant harm” is defined. Previously, Covered Entities had refrained from reporting breaches of PHI on the grounds that no “significant harm” had occurred to an individual whose PHI had been disclosed without authorization. It was the role of HHS to prove there had been significant harm. Now Covered Entities have to prove no “significant harm” has occurred if they have failed to notify HHS of a breach of PHI.
How are the HIPAA Laws Enforced?
HITECH, the Breach Notification Rule and the Final Omnibus Rule support the HIPAA Enforcement Rule to give the HHS – through its Office for Civil Rights – the powers to enforce the HIPAA laws. In addition to investigating breaches reported by Covered Entities and Business Associates, and complaints made by the public, the Office for Civil Rights conducts audits on HIPAA-covered individuals and organizations to determine their compliance with the HIPAA laws. Compliance issues most frequently discovered include:
- The unauthorized use or disclosure of PHI.
- The failure to implement Security Rule safeguards.
- The failure to allow patient access to PHI.
- Incomplete or unenforced administrative safeguards.
- The disclosure of more than the minimum necessary PHI.
In cases where an accidental or unforeseeable breach has occurred, the Office for Civil Rights will agree a course of corrective action with the negligent Covered Entity. In more serious cases – in which a breach of PHI has resulted from “willful neglect” – the penalties can be much stiffer, and include a custodial sentence of up to ten years if the motive for the breach was personal gain or malicious intent.
What are the Penalties for Non-Compliance with HIPAA?
The penalties for non-compliance with HIPAA do not necessarily result from a breach of PHI. If a HIPAA-covered individual or organization is found to be willfully neglecting their compliance obligations by a HIPAA auditor, a financial penalty can be imposed – even when no breach of PHI has occurred. Fines are imposed within four bands according to the length of time non-compliance was allowed to persist, the number of individuals affected by an unauthorized disclosure, and the nature of the data exposed:
- Band 1: Minimum penalty of $100 per violation up to $50,000
- Band 2: Minimum penalty of $1,000 per violation up to $50,000
- Band 3: Minimum penalty of $10,000 per violation up to $50,000
- Band 4: Minimum penalty of $50,000 per violation up to $1.5 million per year.
It is important that each individual or organization operating in healthcare-related industries determines whether they are subject to HIPAA and, if so, establishes what they need to do in order to comply with the HIPAA laws. Ignorance is not accepted as a justifiable excuse for non-compliance with HIPAA and, in addition to the fines imposed by the Office for Civil Rights, Attorneys General and members of the public can also take legal action to hold HIPAA-covered individuals and organizations accountable for the unauthorized exposure of PHI.