The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a law that was proposed to improve the efficiency of the health care system. The law sought to standardize the way in which health care transactions were performed electronically.
Another concern of the law was that of privacy. Because of advancing and ever-complicating technology, Congress acknowledged that health privacy might be at threat. The law imposed a deadline of August 21, 1999 to implement standards of privacy for medical records. When the deadline was missed, the Department of Health and Human Services issued final regulations on December 20, 2000, in accordance with HIPAA.
These regulations reflected five basic principles:
1) Boundaries: Health care information should be used for health purposes only. For example, health records should not be used without the patient’s consent to determine whether the patient can be hired.
2) Consumer Control: New rights for patients over the control of their medical records.
3) Accountability: Specific penalties shall be applied if a patient’s privacy is violated.
4) Public Responsibility: Standards for how, and under what conditions, health privacy can be breached for the purposes of public health—for instance, in the event of an infectious disease epidemic.
5) Security: Standardized rules for protecting the security of medical records.
Afterwards, there were some modifications in the law to the rules about privacy and security in the early 2000s, as well as occasional tweaks to the language and regulations, in view of increasing efficiency and improving security standards. During health crises such as Hurricane Katrina, the Department of Health and Human Services released guidelines on best practices for preserving security while also attempting to find medical records that were lost or inaccessible. Overall, the law has been considered a success and a necessary step towards ensuring medical privacy in an advancing technological age.
Important HIPAA Rules
This rule establishes national standards for the protection, use, and disclosure of protected health information. It also elaborates individual privacy rights to control how their health information is used. It explains, among other things, the situations in which entities covered by the law must disclose their privacy policies, which should also be available to patients by request.
The Privacy Rule also establishes the conditions under which protected health information can be used without disclosure to the patient. For example, health information can be disclosed without the patient’s consent when it is necessary for treatment, when it is needed to ensure public health, and when it is needed to prevent imminent threat.
Conversely, consent is needed for using protected health information for marketing purposes, for sale and licensing, or for research.
This rule prescribes comprehensive minimum security standards for electronic protected health information. Put simply, it requires administrative and physical safeguards to defend against privacy threats.
Administrative safeguards are administrative policies that help prevent, detect, and contain security breaches. A security risk analysis is required to figure out which potential channels of access need more containment and protection than others. Physical safeguards are simple: they are policies and procedures that protect hardware containing private electronic information.
Breach Notification Rule:
When private health information is impermissibly used (under the Privacy Rule), thereby compromising the privacy of private health information, the responsible entity must notify the affected individuals, the Department of Health and Human Services, and, sometimes—for instance, when the entity has insufficient or out-of-date contact information for ten or more of the individuals whose data have been compromised—the local media.
If, however, entities covered by the law can demonstrate (through a risk assessment) that the breach has likely not compromised protected health records, then they are exempt from the disclosure requirement.
This rule establishes the rules governing compliance, investigations, and the levying of penalties for violations. It isn’t one rule but in fact a complex list of standards and practices for enforcing HIPAA.
Perhaps most importantly, it imposes a penalty structure based on culpability, knowledge, and responsibility of those charged with protecting medical data. For instance, an entity that has experienced a breach through willful neglect will be charged with a much steeper fine than one that has demonstrated a relative lack of culpability.
Who and What is Covered by HIPAA
HIPAA protects specific electronic data that is specified as “Protected Health Information,” or PHI. The definition of PHI is “Any information held by a covered entity [meaning covered by the law] which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual.” It is classified specifically by reference to eighteen personal identifiers, from names to medical record numbers to IP addresses.
Those who are in charge of that information—from health care providers to their business associates—are deemed “Covered Entities” (CEs), which means that they are the entities held responsible for protecting PHI and that must comply to HIPAA. A covered entity can be an organization that maintains patient health care or one that would be expected to come into contact with PHI in the course of their daily job. Examples of covered entities include health care providers or clearinghouses, health plans, or the business associates of these entities.
HIPAA has standardized and made more efficient the ways in which electronic medical data is processed and transferred. There are obvious benefits to reducing paper in health care, standardizing data, and doing away with plan-specific requirements for filing and reporting in favor of common practices integrated across health care entities.
One of the impetuses for HIPAA was that individual entities in the health care industry had unnecessarily complicated, uncoordinated practices for disseminating medical data. HIPAA’s effect has been positive in this respect, and one unintended consequence has been to save the health industry money by eliminating unnecessarily complicated procedures.
To learn to speak the language of health law and distinguish your role as a leader with specialized health care compliance expertise, look to pursue a Master in Health Law and Policy from Hofstra Law.