The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

The Health Insurance Portability and Accountability Act, commonly known as “HIPAA”, was enacted by the U.S. Congress in 1996; the compliance date for its Privacy Rule was April 14, 2003. Title I of HIPAA amends both the Employee Retirement Income Security Act and the Public Health Service Act and regulates the availability and scope of individual and group health plans. Title II, the Administrative Simplification provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for healthcare providers, health insurance plans, and employers, and also addresses the privacy and security of health data. The intent is to encourage electronic data transfer in the healthcare industry in order to increase the effectiveness and efficiency of the system.

The HIPAA Privacy Rule governs the use and disclosure of protected health information (“PHI”) by Covered Entities. PHI is individually identifiable health information that is created or received by a healthcare provider or health plan (see the definitions below).

HIPAA identifies three categories of Covered Entities. They are health plans, healthcare clearinghouses, and any “healthcare provider who transmits any health information in electronic form” in connection with regulated healthcare claims administration and financial transactions with payors. 45 CFR §164.104. Covered Entities are required to establish guidelines and practices to safeguard PHI, provide individuals with a Notice of Privacy Practices, and establish policies and procedures to ensure compliance with HIPAA.


Key Definitions

Healthcare Clearinghouse – public or private entity that processes another entity’s health care transactions from a standard format to a non-standard format, or vice-versa. 42 USC §1301, et seq.

Health Plans – employee welfare benefits plans under ERISA, including insured and self-insured plans that have fifty (50) or more participants or which are administered by an entity other than the employer that establishes and maintains the plan. These also include health insurance issuers, HMOs, and the Medicare and Medicaid Programs, as well as insurers of long term care policies and any other individual or group plan. 42 USC §1301, et seq.

Business Associates – a Business Associate is generally a person (other than a member of the Covered Entity’s own workforce) that, on behalf of the Covered Entity, performs or assists in the performance of a function or activity involving the use or disclosure of “individually identifiable health information,” including claims processing, data analysis, utilization review, quality assurance, billing, benefit management, practice management and repricing. It also includes a person that provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such Covered Entity “where the provision of the service involves the disclosure of individually identifiable health information from such Covered Entity to the person.” 45 CFR §160.103.

Individually Identifiable Health Information – information that is a subset of health information, including demographic information collected from an individual, and:

1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse, and

2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and i) that identifies the individual, or ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual. 45 CFR §160.103.


Notice of Privacy Practices

Providers that deliver direct care to patients must notify those patients of how PHI will be handled in the facility. This is done through a Notice of Privacy Practices, which is given to all new patients and must also be posted in an easily accessible location in the facility. For many offices, that location is the waiting room.

Once the Notice of Privacy Practices is given to a patient, the provider must obtain written acknowledgement that the patient received it. There are situations where this is not feasible, such as an emergency or a patient who refuses to sign; in those cases the regulation requires the provider to make, and document, a good faith effort in order to be in compliance.

Certain patient rights must be described in the Notice of Privacy Practices. They are as follows:

*Right to receive a Notice of Privacy Practices from a healthcare provider that outlines how the entity may use and/or disclose the patient’s personal health information
*Right to request to inspect and obtain a copy of health information such as medical or billing information
*Right to request amendment of health information
*Right to obtain an accounting of health information releases, except for those that are:

+authorized by the patient
+made for treatment, payment, or health care operations
+made for national security
+certain releases made to correctional institutions or for specific law enforcement activities
+made prior to the privacy implementation deadline (April 14, 2003)

*Right to request restrictions on the use of health information for treatment, payment, or other healthcare operations
*Right to request confidential communications and to ensure confidentiality by specifying alternative delivery methods or locations
*Right to file a complaint regarding the use and/or disclosure of health information or the organization’s privacy policies and procedures.




Inspect and Copy Health Information

A patient has the right to inspect his or her own medical records and to obtain a copy of this health information. The Notice of Privacy Practices should tell the patient how this is done.

Request Amendment of Health Information

Every patient has the right to request amendment of health information with which the patient does not agree. The request must be made in writing, and the provider may refuse the amendment if it does not agree with it. Even when an amendment is made, the patient’s original information is never deleted; the amendment is added to the existing record. The Notice of Privacy Practices should outline how a patient requests an amendment.

Right to Accounting of Release of Health Information

A patient may receive an accounting of PHI disclosed by a Covered Entity during the six (6) years preceding the date of the request; the first accounting in any twelve-month period is free of charge, and a reasonable cost-based fee may be charged for additional requests in that period. The request must be in writing. The accounting need not include disclosures made for treatment, payment, or health care operations. Again, the Notice of Privacy Practices should describe the procedure a patient must follow to obtain this accounting.

Right to Request Restrictions

Another right created by HIPAA is the right of a patient to restrict how PHI is shared with others. A patient may request that a provider restrict disclosure of PHI, including disclosures for treatment, payment, or health care operations. The provider is not required to agree, but once it agrees it is bound by the restriction unless it notifies the patient in writing that it is terminating the agreement. The Notice of Privacy Practices should explain how a patient can request a restriction.

Right to Alternative Communications

A patient may request that communications be sent by alternative means or to an alternative location, and the provider must accommodate reasonable requests. The request must be in writing, and the provider must inform the patient, as well as any Business Associates involved, if it cannot accommodate the request.

Right to File Complaint

The Notice of Privacy Practices should inform the patient of the procedure to follow in order to file a complaint. In addition, the Notice should contain the address of the pertinent Department of Health & Human Services office for the patient’s convenience. Filing a complaint must not affect the care given to that patient in any way. All complaints should be investigated by the practice and addressed as necessary.


One of the most significant modifications to the Privacy Rule replaced the patient consent requirement with an authorization requirement. An authorization is needed before PHI may be used or disclosed for any purpose other than treatment, payment, or health care operations.

The statute is specific about what must be included in this authorization:

1) A description of the information to be used

2) The name or other specific identification of the person or class of persons authorized to make the requested use or disclosure

3) The name or other identification of the person or class of persons to whom the covered entity may make the requested use or disclosure

4) A description of the purpose requested

5) An expiration date or expiration event

6) Signature of the individual and date.

7) Right to revoke authorization

8) Statement that information may be redisclosed

9) If executed by personal representative, a description of that person’s authority.

An entity may not condition treatment, payment, enrollment, or eligibility for benefits on whether or not an individual signs the authorization. 45 CFR §164.508.

Consent or authorization is not required for all uses or disclosures of PHI. Uses and disclosures that do not require authorization include:

1) Uses and Disclosures Required by Law

2) Public Health Activities

3) Child Abuse or Neglect

4) FDA

5) Communicable Diseases

6) Employer Medical Surveillance

7) Disclosures about Victims of Abuse, Neglect or Domestic Violence

8) Health Oversight Activities

9) Judicial and Administrative Proceedings

10) Law Enforcement Purposes

11) Coroners, Medical examiners and Funeral Directors

12) Cadaver organ, Eye, or Tissue Donations

13) Research

14) Avert a Serious Threat to Health or Safety

15) Specialized Government Function

16) Workers’ Compensation

45 CFR §164.512, et seq.

Minimum Necessary Rule

The regulation provides that a Covered Entity must make a “reasonable effort” to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

There are exceptions to the rule: disclosures to, or requests by, a healthcare provider for treatment; disclosures to the individual; uses or disclosures made under an authorization requested by the individual; disclosures to the Secretary of DHHS for compliance purposes; uses or disclosures required by law; and uses or disclosures required for compliance with the Privacy Standards. 45 CFR §164.502, et seq.

Administrative Requirements

A Covered Entity must follow certain administrative requirements in order to comply with the privacy standard. The Covered Entity must designate a privacy officer who is responsible for implementing the privacy program, and a contact person who receives complaints and provides information. Employees must be trained on all privacy policies and procedures, and the training must be documented. Appropriate and reasonable administrative, technical, and physical safeguards must be put in place to protect the privacy of PHI.

A process must be in place to handle complaints concerning PHI and compliance. In addition, there must be a policy in place that establishes sanctions against employees who do not follow policies and procedures.

A Covered Entity must try to mitigate any known harm from a disclosure of PHI made in violation of the regulations. The Covered Entity cannot intimidate or threaten an individual or others for filing a complaint, testifying, participating in an investigation, or opposing any act or practice made unlawful by the final regulations.

Individuals cannot be required to waive their right to complain to DHHS.

A Covered Entity must maintain documentation of policies and procedures for six (6) years that shows compliance with HIPAA.

Business Associates

A Business Associate must protect PHI and implement safeguards to prevent intentional or unintentional disclosure. This is done through a Business Associate Agreement with the Covered Entity and through policies adopted by the Business Associate.

The Business Associate Agreement must contain the following statements:

1) The Business Associate will only use or disclose PHI as permitted under the agreement;

2) The Business Associate will use appropriate safeguards to prevent any use or disclosure not permitted by the agreement;

3) The Business Associate will report any known misuse of PHI to the Covered Entity;

4) The Business Associate will impose the same requirements on its subcontractors or agents;

5) The Business Associate will make an accounting of disclosures of PHI available to individuals; and

6) The Business Associate will make its internal practices, books, and records available to DHHS.

A Business Associate Agreement allows a Covered Entity to terminate the agreement if there is a material breach in the agreement. The Covered Entity may also report the Business Associate to DHHS if needed. Upon termination of a Business Associate Agreement, PHI in the possession of the Business Associate must be destroyed if feasible. If not feasible, the Business Associate must continue to safeguard the PHI. 45 CFR §164.504.

HIPAA Security Standard

With increased automation in the healthcare industry comes concern about the security of the information being transmitted by electronic means. The HIPAA Security Standard addresses that concern in the areas of user authentication, access controls, audit trails, and controls on external communication links, as well as physical security, system backup, and disaster recovery. Not to be confused with the term “privacy”, the term “security” here refers specifically to the physical, technical, and administrative safeguards instituted to protect the integrity, availability, and confidentiality of healthcare information.

The HIPAA security standard applies to individually identifiable health information in electronic form, whether it is being stored or transmitted, whether those transmissions are internal or external to the healthcare provider, and includes all administrative and financial healthcare transactions covered by HIPAA. Health information communicated orally or on paper is not covered by the security standard. Every healthcare provider, health plan, or healthcare clearinghouse that uses electronic means to store or transmit health information must comply with the security standard.

Threats to healthcare information security can come from outside or inside the system used by the provider. Some of those outside threats are:

*Breach of network firewalls
*Interception of transmitted information
*Password compromise
*Fraudulent posing as “insiders” of an organization

Any of these threats can disrupt the flow of information by overloading, disrupting, or “crashing” a provider’s network server, or compromise the integrity of healthcare information by corrupting the data in transit.

Inside threats are even more likely than outside ones. Staff members who are careless or unaware of security issues can inadvertently create an information security threat, and staff members who are malicious or merely curious may take advantage of a system’s vulnerabilities to access and misuse patient information.

Entities covered by the HIPAA security standard are required, at a minimum, to take the following steps in order to address the vulnerability of their security protections:

*Assess potential security vulnerabilities
*Protect against threats to information security and integrity, and against unauthorized use or disclosure of information
*Implement and maintain appropriate security measures
*Ensure staff compliance with all security policies

Security protection measures mandated by the security standard are comprehensive and involve more than a single policy or tool. The categories below follow the security standard as originally proposed; the final Security Rule groups largely the same requirements into administrative, physical, and technical safeguards. These measures protect the “data integrity, confidentiality and availability” of individual health information in the following ways:

*Administrative Procedures – documented procedures for managing the selection and implementation of security measures
*Physical Safeguards – protection of computer systems and related equipment, including buildings in which they are housed, from hazards and/or intrusion
*Technical Security Services – procedures for protection and monitoring of access to individual health information
*Technical Security Mechanisms – procedures for prevention of unauthorized access to individual health information transmitted over a network

Administrative policies and procedures must be implemented and maintained in the following areas:
*Certification – evaluation of compliance of the provider’s data systems through “pre-specified set of security requirements”
*Chain of Trust Partner Agreements – agreements between the covered entity and all other entities with which health information is shared that mandate all parties to “protect the integrity and confidentiality” of the data exchanged
*Contingency Plan – documented plan for maintenance of continuity of operations in the event of emergency or disaster, and to enable recovery of data following an emergency or disaster event
*Formal Mechanism for Processing Records – written policies and procedures for receipt, treatment, and disposal of health information
*Information Access Control – written policies and procedures for the granting of different levels of access to health information
*Internal Audit – written policies and procedures for periodic review of records of health information access
*Personnel Security – written policies and procedures for activities such as staff training and security clearances
*Security Configuration Management – written policies and procedures regarding coordination of the overall security effort
*Security Incident Procedures – written policies and procedures for reporting and responding to security incidents
*Security Management Procedures – establishment of written procedures for ensuring “prevention, detection, containment and correction” of security breaches
*Termination Procedures – written policies and procedures to be followed when terminating employees in order to prevent unauthorized access to health information
*Training – provision for training all employees regarding security policies and procedures

Prevention of unauthorized access to health information is mandated by the security standard in the following physical access areas:

*Assigned Security Responsibility – each covered entity should designate a staff member to be officially responsible for information security
*Media Controls – written policies and procedures for maintaining and tracking hardware and software as well as for data backup, storage, and disposal
*Physical Access Controls – development of a security plan for the provider’s facilities, and development of policies and procedures for disaster recovery and emergency situations
*Work Station Use – written policies and procedures for prevention of unauthorized access to workstations containing protected health information
*Security Awareness Training – training for all employees on the policies and procedures governing physical access to protected health information

The following areas are mandated with regard to security features of technology used by covered healthcare providers:

*Access Controls – technological features that limit access to health information to only those employees with proper authorization
*Audit Controls – maintain system features that monitor computer activity
*Authorization Controls – written policies and procedures for obtaining authorizations from patients with regard to use and disclosure of individual health information
*Data Authentication – written policies and procedures for ensuring that data is not altered, destroyed, or improperly disseminated
*Entity Authentication – implementation of features which identify authorized users and deny access to unauthorized users (PINs, automatic logoff)
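The access controls, audit controls and internal audit described above, and the “curious staff” insider threat described earlier, come together in one mechanism: every read of PHI is decided by a policy and recorded, permitted or not, and the recorded denials are then reviewed. The following is an added example written for this page, not code from the original page or from any HIPAA guidance; the care-team assignments, role-to-field mapping, user names, patient IDs and timestamps are all constructed for illustration.

```python
"""Added example (not from the original page or any HIPAA guidance):
a minimal access-control check plus audit trail for an electronic
record store, and an internal-audit pass over that trail that flags the
"curious staff" insider pattern.  All user names, patient IDs, roles and
timestamps are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed care-team assignments: which staff are treating which patient.
CARE_TEAM: Dict[str, Set[str]] = {
    "P-1001": {"dr.lee", "rn.ortiz"},
    "P-1002": {"dr.lee"},
    "P-1003": {"dr.patel", "rn.ortiz"},
}

# Role -> PHI fields that role may see: the "minimum necessary" for its job.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "clinician": {"demographics", "diagnoses", "medications", "notes"},
    "billing": {"demographics", "diagnoses", "charges"},
}


@dataclass
class AuditEvent:
    """One audit-trail record.  Denials are logged too: they are the signal
    an internal audit looks for."""
    ts: datetime
    user: str
    role: str
    patient: str
    field: str
    allowed: bool
    reason: str


class RecordStore:
    """Every read of PHI goes through access(), so the audit trail is complete
    whether the read was permitted or refused."""

    def __init__(self) -> None:
        self.audit: List[AuditEvent] = []

    def access(self, ts: datetime, user: str, role: str, patient: str, field: str) -> bool:
        allowed, reason = self._decide(user, role, patient, field)
        self.audit.append(AuditEvent(ts, user, role, patient, field, allowed, reason))
        return allowed

    @staticmethod
    def _decide(user: str, role: str, patient: str, field: str) -> Tuple[bool, str]:
        # Access control: the role limits the fields; clinicians are further limited
        # to patients on whose care team they serve.  Unknown roles or patients fail closed.
        if field not in ROLE_FIELDS.get(role, set()):
            return False, "field outside role's minimum necessary"
        if role == "clinician" and user not in CARE_TEAM.get(patient, set()):
            return False, "user not on patient's care team"
        return True, "ok"


def review_audit(events: List[AuditEvent], window: timedelta = timedelta(hours=1),
                 max_denials: int = 3) -> List[Tuple[str, datetime, datetime]]:
    """Internal audit: report each user with max_denials or more refused
    accesses inside any sliding window of the given length.  Returns
    (user, first_denial, last_denial) per flagged user."""
    denials: Dict[str, List[datetime]] = {}
    for e in events:
        if not e.allowed:
            denials.setdefault(e.user, []).append(e.ts)
    findings = []
    for user, stamps in denials.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= max_denials:
                findings.append((user, stamps[start], stamps[end]))
                break
    return findings


def demo() -> Tuple[RecordStore, List[Tuple[str, datetime, datetime]]]:
    """Constructed activity: two legitimate reads, a billing clerk reaching for
    clinical notes, and a nurse browsing charts outside her care team."""
    store = RecordStore()
    t0 = datetime(2024, 3, 1, 9, 0)
    store.access(t0, "dr.lee", "clinician", "P-1001", "notes")
    store.access(t0 + timedelta(minutes=1), "acct.kim", "billing", "P-1001", "charges")
    store.access(t0 + timedelta(minutes=2), "acct.kim", "billing", "P-1001", "notes")
    for i, patient in enumerate(["P-1002", "P-1002", "P-1004"]):
        store.access(t0 + timedelta(minutes=5 + i), "rn.ortiz", "clinician", patient, "diagnoses")
    return store, review_audit(store.audit)


if __name__ == "__main__":
    store, findings = demo()
    for e in store.audit:
        print(e.ts.time(), e.user, e.patient, e.field, "ALLOW" if e.allowed else "DENY", e.reason)
    for user, first, last in findings:
        print(f"FINDING: {user} had repeated denied accesses between {first} and {last}")
```

Two design points matter more than the thresholds, which are placeholders: the policy fails closed for an unknown role or patient, and refused reads are written to the same trail as permitted ones, because a string of denials in a short window is exactly the footprint of a curious insider probing records outside his or her duties. The audit trail is also the source from which an accounting of disclosures is later produced, so it has to be retained for the same period as the other compliance documentation.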

Any entity that electronically transmits protected health information using open networks must take steps to prevent that information from being intercepted by unauthorized third parties. The security standard provides for the following controls:

*Integrity Controls – internal verification that transmitted or received data is authentic
*Message Authentication – internal verification that transmitted or received messages are authentic and unaltered
*Either Encryption or Access Controls – either the use of a secure dedicated communication line, or the ability to encrypt any data being transmitted
*Network Security – if a network is being used for receipt and transmission of data, protection devices must also include such things as alarms, audit trails, event reporting, and entity authentication
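The integrity control, message authentication and encryption requirements above are usually satisfied together by authenticated encryption of each transmitted message. The following is an added example written for this page, not code from the original page; it uses only the Python standard library and an illustrative encrypt-then-MAC construction built from HMAC-SHA256 (a keystream generated in counter mode for confidentiality, and a separate HMAC key over the header, nonce and ciphertext for authenticity). A deployment would use a vetted AEAD such as AES-GCM from a maintained library instead. The key, header fields and patient record are constructed.

```python
"""Added example (not from the original page): authenticated encryption of
a PHI message for transmission over an open network, using only the Python
standard library.  Encrypt-then-MAC: a keystream derived from HMAC-SHA256
in counter mode encrypts the payload, and a second HMAC key authenticates
the cleartext header, the nonce and the ciphertext.  Illustrative only; use
a vetted AEAD (e.g. AES-GCM) in production.  Key, header and record are
constructed for the example."""
import hashlib
import hmac
import json
import os
import struct
from typing import Optional, Tuple

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output length


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_keys(master: bytes) -> Tuple[bytes, bytes]:
    """Split one shared secret into independent encryption and MAC keys."""
    return _prf(master, b"phi-enc-key"), _prf(master, b"phi-mac-key")


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    """PRF in counter mode: block i = HMAC(enc_key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += _prf(enc_key, nonce + struct.pack(">I", counter))
        counter += 1
    return bytes(out[:n])


def seal(master: bytes, header: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Wire format: len(header) || header || nonce || ciphertext || tag."""
    enc_key, mac_key = derive_keys(master)
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    body = struct.pack(">H", len(header)) + header + nonce + ciphertext
    # The tag covers the header too, so routing fields cannot be altered in transit.
    return body + _prf(mac_key, body)


def unseal(master: bytes, message: bytes) -> Tuple[bytes, bytes]:
    """Verify first, decrypt second: any failure raises before plaintext is touched."""
    enc_key, mac_key = derive_keys(master)
    if len(message) < 2 + NONCE_LEN + TAG_LEN:
        raise ValueError("message truncated")
    body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    if not hmac.compare_digest(tag, _prf(mac_key, body)):  # constant-time compare
        raise ValueError("message authentication failed; discard without processing")
    (hlen,) = struct.unpack(">H", body[:2])
    header = body[2:2 + hlen]
    nonce = body[2 + hlen:2 + hlen + NONCE_LEN]
    ciphertext = body[2 + hlen + NONCE_LEN:]
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return header, bytes(c ^ k for c, k in zip(ciphertext, ks))


def demo() -> dict:
    """Constructed claim transmission, then a one-bit change in transit."""
    master = os.urandom(32)  # in practice agreed out of band or issued by a KMS
    header = b"from=clinicA;to=planB;type=claim"
    record = json.dumps({"patient": "P-1001", "dx": "E11.9"}).encode()
    msg = seal(master, header, record)
    roundtrip = unseal(master, msg) == (header, record)
    forged = bytearray(msg)
    forged[-(TAG_LEN + 8)] ^= 0x01  # flip one ciphertext bit
    try:
        unseal(master, bytes(forged))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"roundtrip": roundtrip, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```

The receiver checks the tag over the whole message, header included, before decrypting anything, and compares tags in constant time; a flipped bit anywhere, a substituted recipient field, a truncated message or a different key all end in the same rejection path. A fresh random nonce per message keeps identical records from producing identical ciphertext. What this example does not provide is replay protection: a receiver on an open network still needs a sequence number or timestamp inside the authenticated header, and the page’s own “Network Security” bullet (audit trails, event reporting, entity authentication) is where rejected messages should be recorded.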

Penalties for Non-Compliance

The general civil penalty for failure to comply with HIPAA regulations, as originally enacted, is $100 for each violation, with a maximum of $25,000 per calendar year for all violations of an identical requirement (the HITECH Act of 2009 later raised these amounts substantially). Wrongful disclosure of individually identifiable health information carries the following criminal penalties:

*$50,000, imprisonment of not more than one (1) year, or both, for wrongful disclosure
*$100,000, imprisonment of not more than five (5) years, or both, for wrongful disclosure under false pretenses
*$250,000, imprisonment of not more than ten (10) years, or both, for wrongful disclosure with intent to sell the information