The Health Insurance Portability and Accountability Act, or HIPAA, has been around since 1996–right about the time the digital age rapidly advanced.
HIPAA is predominantly used to protect sensitive patient information by implementing data protection standards and guidelines. These data privacy regulations are rules with which healthcare facilities and other entities must comply.
All patients, whether admitted to a hospital or having themselves checked by a physician, are covered by HIPAA. But most of you may not know what compliance with this law means and how it can impact you as a patient. Read on to know more about the basics of this data privacy law.
What Is HIPAA?
HIPAA outlines which entities within the organization have access rights to specific personal information under set circumstances. Simply put, the law protects patients and clients against unlawful access to their sensitive data. The law also identifies activities considered as data breaches and how to properly handle these violations.
The law was said to have been established to ensure data availability for on-call and temporary workers who want insurance coverage. Being that information recording was done mostly on paper in those days, data issues and missing documentation were pervasive problems.
It wasn’t until later that the law evolved to protect sensitive personal data, also known as protected health information (PHI). This information is different from online medical information contained on health sites. That’s because these sites publish details about symptoms, prevention, and management of health conditions without divulging individual patient information.
What Is Protected Health Information?
Under HIPAA, PHI refers to any health data produced, stored, received, and shared by covered entities such as healthcare facilities and their business associates, which is considered necessary in healthcare service provision, operations, and payment.
In addition, the records involved could include information related to the past, present, and predicted conditions of a patient, including their personal information such as name and address, social security number, prescription medicines, prognosis and diagnosis, and other critical data. Medical histories, photos, and insurance information are likewise included in the list of information that needs to be secured.
HIPAA compliance means these organizations must safeguard PHI on both physical and electronic forms. The law applies to all protected information kept and transmitted through digital channels and all other forms of media. Overseeing HIPAA compliance is the Office for Civil Rights (OCR) under the Department of Health and Human Services.
In concrete terms, healthcare institutions must safeguard the following information and should be kept confidentially:
- Data from healthcare professionals, including nurses and doctors who provided care, are contained in a patient’s medical records.
- Notes and conversations among medical staff, mainly between doctors and nurses about the proper treatment plan.
- Personal information about you in your health insurer’s information system or your doctor’s clinic.
Once leaked, protected health data can result in serious offenses and potentially costly lawsuits. The elderly population is most often vulnerable to identity theft, mainly due to a lack of understanding about its damaging consequences.
Which Entities Need To Be Compliant With The HIPAA?
The law monitors the following institutions for HIPAA compliance regularly:
- Covered Entities: Refer to organizations that gather, produce, and exchange protected health information, especially through digital means. These include healthcare service providers, health insurance companies, and healthcare clearinghouses, which may include medical billing services and community health and management information systems operators.
- Business Associates: Describes companies that, due to the course and nature of their work, need to handle protected health information. These third-party firms are often contracted by covered entities to do the work for them. Practice management companies, billing entities, cloud and physical storage providers, and email hosting providers are included in specific HIPAA-covered rules.
What Are The Salient Points Of HIPAA?
Medical information privacy is said to have existed since the start of the medical profession. In fact, newly admitted doctors, in their Hippocratic oath, swear not to divulge any information about their medical practice, among other essential ethical standards.
The HIPAA standards reflect the main principles of doctor-patient confidentiality but also integrates other crucial rules such as the following:
- Privacy Rule: This element only applies to covered entities and lays out procedures, including patient’s access rights to their information, notices of privacy, information use, and disclosure. It’s imperative that all individuals working in covered entities undergo basic and updated orientation and training under HIPAA law yearly.
- Security Rule: The standards set forth under this HIPAA component relate to the national standards all entities, including business associated, must follow in the overall handling of PHI. These organizations must ensure secure data handling procedures in storing and transmitting sensitive information, especially in digital forms.
- Omnibus Rule: This set of legal guidelines is the enabling law that urges the inclusion of business associates in complying with the HIPAA rules. The HIPAA Omnibus Rules likewise outlines their responsibilities, including the cornerstone rules for Business Associate Agreements–legal documents between and among covered entities and business associates that lay out the rules for handling all types of protected health information.
What Should Be Done In Case of Breaches To HIPAA?
Both covered entities and business associates are mandated to establish policies and practices on how to tackle information breaches, known as the Breach Notification Rule. HIPAA violations are divided into two categories:
- Minor Data Breaches: A data impacting less than 500 patients in single jurisdiction refers to a minor data breach. When this happens, the entity is required to report to the Office for Civil Rights (OCR) under the Department of Health and Human Services within two months after the breach. Similarly, affected individuals must also be informed of the said violation.
- Meaningful Data Breaches: On the other hand, a violation that affects more than 500 patients in a single jurisdiction is categorized as a meaningful breach. The policy remains the same, with the addition of notifications to law enforcement entities and local media to present widespread information about the breach.
What Does It Mean To Be HIPAA Compliant?
Covered entities and business associates need to comply with the following activities to be declared HIPAA compliant:
- Establishment of Internal Guidelines: All entities must create their own internal guidelines and processes concerning HIPAA rules. These rules must be reviewed at least annually and amended based on updated HIPAA standards or internal changes. A core component of these guidelines includes yearly training for all employees to ensure they understand their responsibilities under the law.
- Information Protection: Covered entities must implement stringent rules to secure protected health information, preventing unauthorized access and improper data handling which exposes the data to risks. Business associates should do the same.
- Security Risk Assessments: Organizations mandated to comply with HIPAA rules must conduct regular self-assessments to ensure the soundness of the safeguards and guidelines in place. This includes examining all aspects of the company involved in implementing HIPAA rules.
- Remediation Policies: If vulnerabilities are discovered during the assessment, entities are expected to institute correcting measures to minimize risks and prevent further problems down the road.
- Proper Documentation: Organizations must keep all records of any incidences and efforts made to ensure compliance. This is especially crucial during OCR investigations in case of a breach.
In this relation, business associates must periodically review the agreements to ensure compliance with HIPAA rules, whether amended or not.
What Does HIPAA Compliance Mean To Patients?
Under the law, patient information should be protected at all times. It should never be shared without the patient’s permission and must be free from unauthorized access.
Under HIPAA, patients have the following rights to their own health records:
- Request for a copy of your health records. Rules may not be as lenient for psychotherapy records. Similarly, a covered entity may refuse requests done by a patient in a correctional facility.
- Check for discrepancies and ask entities to make the necessary amendments to your health information.
- Request for a copy of health records and forwarded to specific third parties such as relatives, other doctors, and attorneys. Covered entities and business associates must provide the health records within 30 days from the date of request.
- Receive notifications on how your health information may be used, stored, and shared. This can be done during an individual’s initial visit to a facility. In the case of most business associates, it can be done via mail and included in the policies and guidelines. In HIPAA jargon, this is called the “notice of privacy practices.”
- CEs and BAs must seek permission from you before sharing any information and using it for a certain purpose.
- Be informed on when and why your health data was shared.
- File a formal complaint before any covered entity or business associate in case of a data breach.
Ultimately, HIPAA-compliant entities must ensure patient records are protected from HIPAA violations and breaches that compromise health records or subject them to unauthorized access.
Violations and breaches could lead to major problems spurred by hacking and cyberattacks such as identify theft, malware and ransomware attacks, phishing, among many other issues.
The Bottom Line
The types of information covered and protected by the HIPAA–names, addresses, insurance details, social security numbers, photos, and biometrics–can all be used by persons with malicious intent. Hackers collect personal and financial information and sell them to the black market, sometimes for an insane amount of cash. In some cases, unauthorized data access may lead to identity and credit card theft.
With the rate of cyberattacks happening daily, it’s only a matter of time when these forms of data fall into the wrong hands. By protecting confidential health information, HIPAA-compliant organizations not only prevent data breaches from occurring. It also helps avoid them from paying hefty fines per incident and boosts their reputation by gaining public trust.