HIPAA exists to help healthcare entities and healthcare providers improve how they handle and protect sensitive patient information and privacy.
The acronym, HIPAA, stands for Health Insurance Portability and Accountability Act. In brief, this legislation helps:
The Health Insurance Portability and Accountability Act was proposed and passed into law by Congress in 1996. This law helped set national standards and regulations for the protection of medical records and personal health information (PHI).
According to the law, “protected health information” is defined as health information that:
Protected information can include name, social security number, telephone number, email address, street address, medical history, and more.
Essentially, the legislation ensures that data privacy is protected as it relates to identifiable health information. HIPAA has two main goals: To limit the use of protected health information to only those who need to know and to penalize those who don’t comply with privacy regulations and confidentiality.
HIPAA consists of five sections, known as titles.
Title I of the Health Insurance Portability and Accountability Act protects health insurance coverage for individuals (and families) who change or lose their jobs. Essentially, it prevents group health coverage plans from limiting or denying coverage to those with pre-existing conditions.
Title I also allows individuals the opportunity to reduce the exclusion period by the amount of time they’ve had creditable coverage before enrolling in a new plan. It also requires health insurers to issue policies without excluding individuals leaving group health plans with creditable coverage.
Title II directs the U.S. Department of Health and Human Services (HHS) and provides it the power to develop national standards for the healthcare industry, specifically electronic healthcare transactions. It also establishes national identifiers for health insurance plans, employers, and providers.
Title II also outlines the potential offenses relating to health care and establishes the civil and criminal penalties for violations. Furthermore, it establishes programs meant to help control fraud and abuse within the health care system.
Title II requires that healthcare entities remain in HIPAA compliance with privacy regulations set by the HHS.
Title III provides guidelines for pre-tax medical spending accounts and other tax-related provisions and guidelines for medical care. It also provides changes for health insurance law as it relates to certain deductions for medical insurance.
Title IV of HIPAA defines the guidelines for group health plans. It specifies the conditions for group health plans as it relates to the coverage of individuals with pre-existing conditions. Furthermore, Title IV modifies the continuation of coverage requirements and makes clarifications for COBRA.
This title governs and provides provisions for company-owned life insurance policies. Also, it includes provisions for treating those without or those who lose their U.S. citizenship.
One of the most important aspects of HIPAA is found under Title II and is referred to as the Administration Simplification provisions. This deals largely with patient health data and overall compliance. It is also where most HIPAA violations occur.
In short, the Administration Simplification provisions help to ensure consistent electronic communication across the health care system in the U.S. It mandates the use of standard transactions, code sets, and identifiers.
Title II also sets forth provisions for the HIPAA Privacy Rule, which went into effect in April of 2003. The Privacy Rule established national standards and regulations to protect individual’s medical records and identifiable health information. It also sets regulations for the disclosure of protected health information (PHI).
The rule applies to health plans, health care clearinghouses, and all other healthcare providers that conduct health care transactions electronically. In effect, the rule puts safeguards in place to protect the privacy of individuals and give patients rights over their own health information.
This includes the right to examine and obtain a copy of their own medical records. This is known as the right of access.
The first and most important entity that the right of access affects is the patient. The patient has the right to access all their medical records. This applies to all patients regardless of medical history. But, they can grant access to other entities.
Representatives can also access PHI at the patient’s request. The most common example of this is a parent or guardian of a person under the age of 18. It can also be someone who is deemed power of attorney on behalf of a patient.
This also includes covered entities, which are discussed below.
The Security Rule also establishes national standards to protect individuals’ electronic PHI created, used, received, or maintained by any covered entity. It requires safeguards to be put into place to ensure confidentiality, integrity, and security of PHI. These safeguards can be both technical and physical.
The HIPAA Enforcement Rule outlines provisions and sets rules on how HIPAA is to be enforced as well as the consequences for non-compliance. This includes civil penalties for violations. The provisions were amended and updated by the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009 and the Omnibus HIPPA Rulemaking in 2013.
Organizations and individuals subject to the regulations set forth under the HIPAA law are considered covered entities. HIPAA regulations also apply to all business associates of covered entities.
Entities include:
This applies to all providers who electronically transmit personal health information, regardless of size or type of practice. This includes employees of health organizations exchanging electronic health records via mobile devices and any other electronic device with data storage.
This includes transactions of claims, benefits and eligibility inquiries, authorization requests.
This includes entities that provide or pay the cost of medical care, including health plans for medical, dental, vision, and prescription drug insurers. Health maintenance organizations (HMOs), Medicare, and Medicare supplement insurers also fall under this umbrella.
This applies to entities that process nonstandard information they receive from other entities. These basically act as middlemen between healthcare providers and insurance.
Business associates of covered entities must also comply with HIPAA regulations. This could include companies that help administer health plans, companies that store or destroy medical records, and billing companies.
Other third parties that involve PHI may include email encryption service providers and lawyers.
However, it is important to note that covered entities can disclose PHI to law enforcement officials for law enforcement purposes (e.g., court orders, subpoenas, etc.).
Through the Breach Notification Rule, HIPAA requires all covered entities to notify patients in the event of a data breach of personal information.
A HIPAA violation occurs when a covered entity does not put the proper safeguards (physical or technical) in place for preventing both intentional or unintentional disclosure of PHI.
The extent of the violation (and penalties) can vary. For example, reasonable cause means an act or omission in which an entity would have known the act violated the HIPAA provisions. However, willful neglect is much more serious. Per HIPAA (45 CFR 164.401), willful neglect is the “conscious, intentional failure or reckless indifference” to comply with the provisions.
Violations can be costly, sanctioning civil fines and penalties. Severe violations can even warrant criminal penalties, including imprisonment. Audits and compliance are mandated by the HITECH Act and conducted by the Office for Civil Rights.
Many covered entities mitigate risks through HIPAA training programs to avoid violations.
HIPAA stands for Health Insurance Portability and Accountability Act and is legislation signed into law in 1996. This law helps maintain industry standards in the medical field as it pertains to patient medical information.
It helps ensure that all health information is protected and handled confidentially and only disclosed to those who have the right of access.
Covered entities who fail to comply can be wrought with strict penalties for violations. Whether you are an individual or an entity, understanding your rights under HIPAA is important.