What is HIPAA?
What Is the Health Insurance Portability and Accountability Act (HIPAA)?
First enacted in 1996, the Health Insurance Portability and Accountability Act (HIPAA) is a federal law that sets standards for protecting health plans, medical records, and other protected health information (PHI). As technology has changed and information has become more accessible, HIPAA has been extended several times, most notably by the Privacy Rule and the Security Rule, which are designed to prevent the theft and tampering of PHI. Regulating and protecting PHI, health plans, and medical transactions is key to ensuring patients get the healthcare they need and deserve.
There are several reasons why HIPAA is important, but they all come down to the privacy and confidentiality of PHI. Since more health information is now stored electronically, the HIPAA Privacy Rule provides a framework that governs who may access that data and with whom it may be shared. Any organization that handles PHI must have the required safeguards in place to be compliant.
Having a basic understanding of the HIPAA Privacy Rule is relevant to many careers, including information technology, data security, nursing, and health information management, because it forms the basis for how many organizations store, transfer, and maintain sensitive information.
What are the HIPAA Titles?
HIPAA is divided into five sections, also known as titles, that address the requirements and basic protections patients and organizations are afforded under the law.
Title I: HIPAA Health Insurance Reform
Title I contains requirements that help people keep their health insurance when they lose or change jobs so they don't have a lapse in coverage.
Title II: HIPAA Administrative Simplification
This title contains the Administrative Simplification provisions, under which HHS issued the Privacy Rule, which sets standards for the use and disclosure of an individual's PHI, such as health status, treatment, and payment for healthcare, and the Security Rule, which covers PHI held in electronic form. The Privacy Rule applies to all forms of PHI, including paper records and electronic data. Title II also establishes civil and criminal penalties for violations of the HIPAA requirements.
Title III: HIPAA Tax Related Health Provisions
Title III provides for certain deductions for medical insurance and makes other changes to health insurance law.
Title IV: Application and Enforcement of Group Health Plan Requirements
Title IV applies to health insurance companies and addresses issues such as how they have to treat pre-existing conditions.
Title V: Revenue Offsets
This title covers HIPAA provisions related to company-owned life insurance and treatment of individuals who lose U.S. citizenship for income tax purposes, and repeals the financial institution rule to interest allocation rules.
What is a Covered Entity under HIPAA?
Health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with standard transactions (such as claims) are covered entities (CEs). These are the organizations that handle PHI as part of their normal business.
Examples of CEs include doctors, nurses, psychiatrists, clinics, hospitals, and pharmacies. A provider is a CE only if it transmits PHI electronically in standard transactions; health plans and clearinghouses are CEs regardless.
What is HIPAA Compliance?
HIPAA compliance means adhering to the rules issued by the U.S. Department of Health and Human Services (HHS) and enforced by its Office for Civil Rights (OCR). Organizations that handle PHI must implement the required safeguards and follow them consistently.
Two groups are responsible for complying with HIPAA: Covered Entities and Business Associates. CEs generally create or receive PHI directly from patients, while Business Associates are third parties that create, receive, maintain, or transmit PHI on a CE's behalf and must sign a Business Associate Agreement (BAA) with the CE before doing so. Examples of Business Associates include collections agencies, IT consultants, billing companies, and cloud or web hosting providers.
HIPAA Compliance Requirements
HIPAA outlines the following compliance categories, also known as rules, for CEs and Business Associates:
The Privacy Rule: establishes national standards for the protection of individually identifiable health information and limits how it may be used and disclosed.
The Security Rule: requires CEs and Business Associates to protect the confidentiality, integrity, and availability of electronic PHI (ePHI), including electronic health records. Unlike the Privacy Rule, which applies to PHI in any form, the Security Rule is specific to electronic data and spells out administrative, physical, and technical safeguards, such as risk analysis, access controls, audit controls, and transmission security.
Transactions and Code Sets Standards: requires organizations to follow a standard mechanism of electronic data interchange (EDI) when processing or submitting insurance claims.
Unique Identifiers Rule: requires standard unique identifiers in HIPAA transactions, such as the National Provider Identifier (NPI) for healthcare providers and the Employer Identification Number (EIN) for employers.
When it comes to the rules above, IT professionals, such as health information managers or security specialists, play a significant role in performing HIPAA compliance functions and ensuring their organizations adhere to the rules.
What is a HIPAA Violation?
A HIPAA violation is any failure to comply with the HIPAA rules. Many violations come to light as breaches of PHI, for example:
- Sending PHI to the wrong patient
- A cyberattack or hack, including malware incidents or ransomware attacks
- Stolen smartphones, laptops, or USB devices
- An office break-in where medical records are stolen
- A breach of electronic health records
HIPAA violations can be extremely expensive. Civil penalties are tiered by level of culpability, originally set at $100 to $50,000 per violation with an annual cap of $1.5 million per violation category, and the amounts are adjusted for inflation each year. Knowing and willful violations can also carry criminal charges that result in fines and jail time.
Who Enforces HIPAA?
HHS issues the HIPAA rules, and its Office for Civil Rights (OCR) enforces the Privacy, Security, and Breach Notification Rules. Enforcement is shared with other bodies: the Centers for Medicare and Medicaid Services (CMS) enforces the Transactions and Code Sets and Unique Identifiers rules, and state attorneys general may bring civil actions on behalf of residents harmed by a violation.
Under the Breach Notification Rule, breaches affecting 500 or more individuals must be reported to HHS within 60 days of discovery, and OCR investigates every such report; smaller breaches are logged and reported to HHS annually. Based on its investigation, OCR decides whether the Covered Entity or Business Associate complied with the Privacy and Security Rules. If it finds a violation, OCR can require a corrective action plan, enter into a resolution agreement, or impose civil money penalties.
Organizations can help lower their risk of HIPAA violations by having the right professionals in place to ensure healthcare data is secure and accessible. Cybersecurity analysts, ethical hackers, health information managers: all of these jobs play an important role in an organization's security and in enforcing HIPAA rules and regulations.
If you're interested in exploring any of these career paths, 黑料传送门's online degree programs in information technology management and health information management are a great place to start.