What is the HIPAA Law?

To fully understand “What HIPAA Stands For” and “What is the HIPAA Law” it is important to know some of the history behind the rule. The U.S. Department of Health and Human Services (HHS) issued the Privacy Rule to implement the Health Insurance Portability and Accountability Act of 1996 also known as HIPAA. HIPAA was created to “improve the portability and accountability of health insurance coverage” for employees between jobs. Other objectives of the Act were to combat waste, fraud and abuse in health insurance and healthcare delivery. This Privacy Rule was enacted in 2003 and was later followed by the HIPAA Security Rule in 2005 and eventually by the HITECH-Breach Notification Rule.

This rule was initially a benign law with few consequences until the later changes took place. HHS analyzed existent breaches at that time and found that half occurred in healthcare either due to cyber-attack, theft or incidental disclosure of Protected Health Information (PHI). The federal government decided then to address this issue and become much more aggressive in the enforcement and penalties. It was then that HIPAA become much more important for healthcare providers. Essentially HIPAA stands for increased security of protected health information.

What we cover:

• What does HIPAA stand for
• HIPAA Privacy Rule
• HIPAA Security Rule
• HITECH Act – Breach Notification Rule
• HIPAA Terminology
• Who must comply with HIPAA
• Enforcement
• Right of Access to PHI
• What is HIPAA Compliance
• HIPAA Compliance is a multi-step process

So what is HIPAA Law?  The Privacy Rule addresses the use and disclosure of individuals’ health information (protected health information) by organizations subject to the Privacy Rule.  These are known as covered entities, which are individuals, organizations, or corporations that directly handle PHI.  These include healthcare providers, insurance companies, pharmacies, clearinghouses

The Privacy Rule went into effect in 2003 and it established standards for individuals’ privacy rights so patients may understand and control how their health information is used. In addition it emphasized the concept of “minimum necessary” in relation to data sharing.  It specified that patient’s authorization for disclosure of PHI is not required for treatment, payment, and health care operations.  Finally the Privacy Rule does not restrict the use of de-identified health information.

The Privacy Rule protects Protected Health Information (PHI) held or transmitted by a covered entity or its business associate, in any form, whether electronic, paper, or verbal. PHI includes any identifiable health information that can be used directly or indirectly to identify an individual. It

includes the following identifiers.

• Common identifiers, such as name, address, birth date, and Social Security number
• The individual’s past, present, or future physical or mental health or condition
• The type of healthcare given to the individual
• The past, present, or future payment for the healthcare given to the individual

The HIPAA Privacy Rule establishes standards to protect PHI held by the following covered entities and their business associates:

• Health Plans – Entities that provide or pay the cost of medical care. First are health plans which include health, dental, vision, and prescription drug insurers; second are health maintenance organizations (HMOs); then, Medicare, Medicaid, and Medicare supplement insurers; and finally, long-term care insurers (excluding nursing home fixed-indemnity policies). Health plans also include employer-sponsored group health plans, government- and church-sponsored health plans, and multi-employer health plans.
• Health care clearinghouses – Entities that process nonstandard information they receive from another entity into a standard (i.e., standard format or data content), or vice versa. In most instances, healthcare clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or healthcare provider as a business associate.
• Health care providers – Every healthcare provider, regardless of size of practice, who electronically transmits health information in connection with certain transactions. These transactions include claims, benefit eligibility inquiries, referral authorization requests, and other transactions for which HHS has established standards under the HIPAA Transactions Rule

The following types of individuals and organizations are subject to the Privacy Rule and are considered business associates:

• Business associates: A person or organization (other than a member of a covered entity’s workforce) using or disclosing individually identifiable health information to perform or provide functions, activities, or services for a covered entity.
• These functions, activities, or services include claims processing, medical records copy companies, lawyers, accountants, data analysis, utilization review, and billing.

The Privacy Rule gives individuals important rights with respect to their protected PHI, including rights to examine and obtain a copy of their health records in the form and manner they request, and to ask for corrections to their information. This has become an important topic due to the Right to Access Initiative.

The HIPAA covered entity is required to:

• Notify patients about their privacy rights and how you use their information
• Adopt privacy procedures and train employees to follow them
• Assign an individual (Privacy Officer) to make sure you’re adopting and following privacy procedures
• Secure patient records containing PHI so they aren’t readily available to those who don’t need to see them

A covered entity is permitted, but not required, to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations:

• Disclosure to the individual
• Treatment, payment, and healthcare operations
• Opportunity to agree or object to the disclosure of PHI

Public interest and benefit activities—The Privacy Rule permits use and disclosure of protected health information, without an individual’s authorization or permission, for the following reasons:

• When required by law
• Public health activities
• Victims of abuse or neglect or domestic violence
• Health oversight activities
• Judicial and administrative proceedings
• Law enforcement
• Functions concerning deceased persons
• Cadaveric organ, eye, or tissue donation
• Research, under certain conditions
• To prevent or lessen a serious threat to health or safety
• Essential government functions
• Workers compensation

The Privacy Rule also permits the use and disclosure of health information needed for patient care and other important purposes.

• It is possible to share information with doctors, hospitals, and ambulances for treatment, payment, and health care operations, even without a signed consent form from the patient.
• One may share information about an incapacitated patient if you believe it’s in your patient’s best interest
• It is possible to share health information for research purposes
• A provider may use email, telephone, or fax machines to communicate with other healthcare professionals and with patients, as long as you use safeguards

The Privacy Rule allows sharing with family members unless a patient objects as follows:

• Give information to a patient’s family, friends, or anyone else identified by the patient as involved in their care
• Give information about the patient’s general condition or location to a patient’s family member or anyone responsible for the patient’s care
• Include basic information in a hospital directory, such as the patient’s phone and room number
• Give information about a patient’s religious affiliation to members of the clergy

Learn more about the HIPAA Law and get a certificate of completion.

The HIPAA Privacy Rule requires you to have policies that protect and limit how you use and disclose PHI. The Rule does not expect you to guarantee the privacy of PHI against all risks. Sometimes, you can’t reasonably prevent limited disclosures, even when you’re following HIPAA requirements. It is important that you take reasonable precautions.

The use of mobile devices and PHI can be fraught with potential violations of the Privacy Rule if precautions are not taken. All covered entities and business associates are expected to use one or more of the following if they use PHI on their mobile devices.

• Use a password or other user authentication
• Install and enable encryption
• Install and activate remote wiping or remote disabling
• Disable and don’t install or use file sharing applications
• Install and enable a firewall
• Install and enable security software
• Keep your security software up to date
• Research mobile applications (apps) before downloading
• Maintain physical control
• Use adequate security to send or receive health information over public Wi-Fi networks
• Delete all stored health information before discarding or reusing the mobile device

The Security Rule became effective in 2005. It established a set of standards to protect electronic Protected Health Information confidentiality, integrity, and availability. There are several types of safeguards and requirements which are necessary for this to take place.

Covered entities and business associates must develop and implement reasonable and appropriate security measures through policies and procedures to protect the security of ePHI they create, receive, maintain, or transmit. Each entity must analyze the risks to ePHI and create solutions appropriate for its own situation. What is reasonable and appropriate depends on the nature of the entity’s business as well as its size, complexity, and resources.

The Enforcement Rule provides standards for the enforcement of all the Administrative Simplification Rules.

HHS enacted a Final Omnibus Rule that implements a number of provisions of the HITECH Act to strengthen the privacy and security protections for health information established under HIPAA, finalizing the Breach Notification Rule.

To be effective a covered entity must:

• Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit
• Identify and protect against reasonably anticipated threats to the security or integrity of the ePHI
• Protect against impermissible uses or disclosures
• Ensure compliance by their workforce

When developing and implementing Security Rule Safeguards, covered entities and their business associates may consider all of the following as you develop the regulations:

• Size of the organization, complexity, and capabilities
• Technical, hardware, and software infrastructure
• The costs of security measures
• The likelihood and possible impact of risks to ePHI

Covered entities must review and modify security measures to continue protecting ePHI in a changing environment.  There are four major safeguards to consider in creating a HIPAA Compliant plan.  The following safeguards must be in place to effectively protect ePHI.

Administrative Safeguards  are actions, policies and procedures to prevent, detect, contain and correct security violations.  The intended goal of these measures is to protect ePHI.  One of the key features is the performance of a risk security analysis.

Physical safeguards are physical measures, policies and procedures that help protect electronic information systems and the related buildings and equipment from natural and environmental hazards and unauthorized intrusion.

Technical Safeguards consists of the technology and policy and procedures that protect electronic protected health information and control access to it.  A covered entity must use security measures that allows it to reasonably and appropriately to implement the necessary standards.

Organizational Requirements and Policies and Procedures are standards that require a covered entity to have contracts or other arrangements with Business Associates that will have access to the covered entity’s ePHI.  The standard provides the specific criteria required for written contracts or other arrangements between a covered entity and its business associates.  They require a covered entity to adapt reasonable and appropriated policies and procedures to comply with the provisions of the Security Rule. A covered entity must maintain written security policies and procedures in addition to records of required actions, activities or assessments.

The HITECH Act-Breach Notification Rule when enacted resulted in privacy and security provisions that increased enforcement and set stiffer penalties for non-compliance and breaches.  It held health care organizations accountable for disclosing breaches but in addition also held business associates and service providers accountable.  It also compels Business Associates to comply with HIPAA in the same manner as covered entities.

It requires that HHS be notified of breaches according to certain guidelines.  The HIPAA Breach Notification Rule requires covered entities to notify affected individuals; HHS;  and, in some cases, the media, of a breach of unsecured PHI. Normally, a breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI.

The impermissible use or disclosure of PHI is presumed to be a breach unless you demonstrate there is a low probability the PHI has been compromised based on a risk assessment of at least the following factors:

• The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
• The unauthorized person who used the PHI or to whom the disclosure was made
• Whether the PHI was actually acquired or viewed
• The extent to which the risk to the PHI has been mitigated.

Most notifications must be provided without unreasonable delay and no later than 60 days following the breach discovery. Notifications of smaller breaches affecting fewer than 500 individuals may be submitted to HHS annually. The Breach Notification Rule also requires business associates of covered entities to notify the covered entity of breaches at or by the business associate.

Protected Health Information (PHI)- identifiable health information that can be used to directly or indirectly to identify an individual.

Examples of patient identifiers include address, social security number, telephone number, birthday, e-mail address, account or medical record number, photographic image, etc.

Examples of diagnostic/clinical identifiers include health condition, illness, diagnosis, payment for treatment, etc.

Electronic Protected Health Information (ePHI)- refers to PHI that is stored electronically

Covered Entity– individual, organization, or corporation that directly handles PHI and transmits any health information in electronic form.  HIPAA covered entities include healthcare providers, insurance companies, pharmacies, clearinghouses

Business Associate– individual or entity who creates, receives, maintains, or stores PHI on behalf of a Covered Entity.  These would include answering services, medical transcription, IT groups, shredding services, cleaning services, building maintenance workers

Breach– refers to an impermissible use or disclosure under the Privacy Rule that compromises the privacy or security of PHI

Notice of Privacy– written information related to the patient’s privacy, must be given to each patient. Information must include the covered entities’ responsibilities and legal obligations as well as the patients’ rights as they pertain to their PHI

De-identifiable Health Information– neither identifies nor provides a reasonable basis to identify an individual. Two de-indefinable methods include formal determination by a qualified expert and removal of all individual identifiers

Risk Security Analysis– requires entities to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by covered entity or business associate

Cyber-attack– unauthorized use against a computer system and its information

Covered entities and business associates must follow HIPAA rules. If you don’t meet the definition of a covered entity or business associate, you don’t have to comply with the HIPAA rules.

• Doctors
• Clinics
• Psychologists
• Dentists
• Chiropractors
• Nursing Homes
• Pharmacies

Health Plan: Any individual or group plan that provides or pays the cost of health care, such as:

• Health insurance companies
• Health maintenance organizations
• Company health plans
• Government programs that pay for health care

Health Care Clearinghouse: A public or private entity that processes another entity’s health care transactions from a standard format to a non-standard format, or vice versa, such as:

• Billing services
• Community health management information systems
• Repricing companies
• Value-added networks

Business Associates

A business associate is a person or organization, other than a workforce member of a covered entity, that performs functions on behalf of or provides services to a covered entity that involve PHI access. Business associates also include subcontractors responsible for creating, receiving, maintaining, or transmitting PHI on behalf of another business associate.

Business associates provide services to covered entities that include:

• Accreditation
• Billing
• Claims processing
• Consulting
• Data analysis
• Financial services
• Legal services
• Management administration
• Utilization review

Business Associate Agreement

If you work with a business associate, a written contract or other arrangement between you must:

• Detail PHI uses and disclosures the business associate may make
• Require the business associate protect PHI

If you or your organization are unsure if you are a covered entity or business associate please follow the next link for more information on this topic.

For more information on Covered Entities and Business Associates follow this link.

The HHS Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules.  Violations may result in civil monetary penalties. In some cases, U.S. Department of Justice enforced criminal penalties may apply. Common violations include:

• Impermissible use and disclosure of PHI
• Use or disclosure of more than theminimum necessary PHI
• Lack of PHI safeguards
• Lack of administrative, technical, or physical ePHI safeguards
• Lack of individuals’ access to their PHI

The Privacy Rule requires HIPAA covered entities to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity. This includes the right to inspect or obtain a copy, or both, of the PHI. The individual may also direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice. Individuals have a right to access this PHI for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity. This access is regardless of the date the information was created; whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or where the PHI originated (e.g., whether the covered entity, another provider, the patient, etc.).

A covered entity must provide access to the PHI requested, no later than 30 calendar days from receiving the individual’s request. Covered entities are encouraged to respond as soon as possible. Today with the advent of electronic medical records, a covered entity may have the capacity to provide individuals with almost instantaneous or very prompt electronic access to the PHI requested through personal health records, web portals, or similar electronic means.

If a covered entity is unable to provide access within 30 calendar days, the covered entity may extend the time by no more than an additional 30 days. To extend the time, the covered entity must inform the individual in writing of the reasons for the delay and the date by which the covered entity will provide access. Only one extension is permitted per access request.

Right of access has become a hot topic of great interest to the OCR. The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services has recently announced the resolution of its twentieth investigation in its HIPAA Right of Access Initiative. OCR created this initiative to support individuals’ right to timely access to their health records at a reasonable cost under the HIPAA Privacy Rule. This initiative affects small and large healthcare organizations alike. All organization must take this seriously to prevent citations and fines.

There are several steps one must consider to become fully HIPAA compliant and to create a functional HIPAA compliance plan.  These include implementation of HIPAA documentation such as policies and procedures, completion of HIPAA training with annual updates and the conduct of a Security Risk Analysis,

Policies and procedures help establish rules that help employees carry out their roles that ensure compliance with federal health care program guidelines.  An organization must create the policies and procedures necessary to satisfy the requirements of the OCR.  In a well-crafted program it will be necessary to create Privacy Policies, Administrative Safeguards, Physical Safeguards and Technical Safeguards. The policies that are created are written rules that refer to the HIPAA regulations they are meant to support.  These are written with both the organizations structure and the HIPAA Privacy Rule in mind.  In some situations checklists can be helpful to document compliance and to ensure that procedures are followed.

The policies and procedures you need:

• Privacy Policies
• Administrative Safeguards
• Physical Safeguards
• Technical Safeguards

Policy and procedure templates such as those HIPAA-Associates offers may be purchased and modified to satisfy the organization’s needs.

The compliance officer is responsible with operating and monitoring the compliance program. The compliance officer will often work with a committee that  includes key members that have functions within the organization that can assist the compliance officer, such as legal, information technology, and privacy.  The responsibilities of a compliance officer are to develop and implement an effective compliance program.  The officer will create internal controls and monitor adherence to them.  The officer will proactively audit practices and procedures to identify weaknesses.  In addition, the compliance officer will be responsible for the education and training of employees on the HIPAA Privacy Rule.  The officer will respond to all HIPAA privacy complaints from internal and external sources.

They key feature:

• Designate a compliance officer
• Create a compliance committee

It is expected that all employees, physicians, and board members should receive training on fraud and abuse laws, as well as the compliance program.  Periodic updates of the regulations are also expected.  A good training program will cover all of the general key features of HIPAA such that the employee will feel comfortable handling protected health information. Some of the main topics should be HIPAA Regulations and why they are important.  The training will discuss the patient’s right under HIPAA and your organization’s responsibilities and the permissible uses and disclosure of health information.  We have trained thousands of employees and now have a practical online training program for teams and individuals who want to learn HIPAA.

What you must do:

• Create or obtain HIPAA Privacy training for your organization
• Arrange for annual reviews of HIPAA and your plan

Employees must have avenues available to them for reporting concerns internally.  An organization should have multiple reporting methods such as the compliance officer and an anonymous hotline. All organizations must take reports seriously, and conduct a thorough follow-up of each report. This is a very important function within all organizations.  We have seen multiple situations in which there was not an effective way of reporting internally and this resulted in whistle blower going directly to the government.  This creates a difficult situation for any organization.

Important Points:

• Assure the compliance officer is available to all employees for complaints
• Establish a hotline for anonymous complaints.

A well-functioning program will have an ongoing process that evaluates and assess the organization to detect inappropriate behavior.  This will also help to ensure effectiveness of education and corrective action. The compliance program should in addition monitor compliance with privacy and provide a risk assessment of potential privacy issues.  A formal risk assessment is  a critical part of monitoring and auditing a privacy compliance program.

Internal staff or an external contractor should conduct an audit of the overall programs at least annually.  The findings should be made available to the Chief Compliance Officer and/or the Chief Operating Officer.

Recently the OCR has enacted an audit program of covered entities and their business associates.  It is important that your organization perform a full audit to deal with any issues before you are faced with an OCR audit.

Key Elements:

• Perform a yearly audit of your privacy plan
• Report all audit findings to the compliance officer and the board of your organization
• Conduct a Security Risk Analysis

Through this process an organization will conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. This can also be stated as the process of identifying potential security risks and determining the probability of occurrence and magnitude of risks.

This can be done by office staff but it is usually necessary to involve security specialists such as IT groups to perform this task. Depending on the size and budget of the organization an outside independent security specialist may be more appropriate. This will Risk Analysis will consist of a two-part – risk assessment and an IT assessment. The summary of the assessment should outline the identified problems and how to fix them.

The Office of National Coordinator for Health Information Technology (ONC) has a tool available to help small practices to deal with this process.

It is important for all organizations who handle PHI to prepare by performing a Risk Analysis to determine the risks to Protected Health Information (PHI) in their organization. In many situations an organization may start by performing a HIPAA Gap Analysis. By doing so they can prepare to address any vulnerabilities. The Security Rule provides guidance in this matter and should be addressed by all interested Privacy Officers.

To comply with the HIPAA Security Rule, all covered entities must do the following:

• Ensure the confidentiality, integrity, and availability of all electronic protected health information
• Detect and safeguard against anticipated threats to the security of the information
• Protect against anticipated impermissible uses or disclosures
• Certify compliance by their workforce

The Privacy Rule’s safeguards standard assures the privacy of PHI by requiring covered entities to reasonably safeguard PHI from any intentional or unintentional use or disclosure in violation of the Privacy Rule. The safeguards requirement establishes protections for PHI in all forms: paper, electronic, and oral. Safeguards include such actions and practices as securing locations and equipment; implementing technical solutions to mitigate risks; and workforce training.

It is important that an organization have well published standards of conduct.  These must  outline an organization’s rules, responsibilities, proper practices, and/or expectations of its employees. A compliance plan should clearly state the implications and penalties of violating the standards of conduct. The use of disciplinary guideline are important as they will encourage employees to observe the HIPAA Privacy Rule.  If you are audited or have to report a breach you will be asked by the OCR what disciplinary actions have been taken. The organization should review the disciplinary guidelines at least annually with all employees.  These guidelines should be available to all employees so that they may be aware of expectations.

Key Points:

• Establish standards early and make sure your employees are made aware.
• Responding promptly to detected offenses and undertaking corrective action.

It is imperative for an organization to ensure timely and effective remedial action for offenses.  Lack of a response may create additional exposure for the organization.  As mentioned earlier it is important to have reasonable disciplinary guidelines that are followed.  The types of disciplinary actions might be staff education, termination of the employee or fines.  In addition, every time there is a breach or an incident it is mandatory the compliance officer investigate and offer a corrective plan to prevent future issues.

Key Points:

• Maintain a record of all remedial action for offenses.
• Review disciplinary guidelines annually.

Many organizations believe that HIPAA Compliance is accomplished by taking a HIPAA certification course and acquiring a HIPAA Compliant logo for their webpage. That is not what the term implies. To be HIPAA Compliant an organization must fulfill the requirements of the Health Insurance Portability and Accountability Act and the HITECH act. This is not a one-time process but an ongoing resolve to continuously abide by its regulations. An organization must continuously monitor its activities and confirm the rules are constantly obeyed.

The information we provide to our readers originates directly from the CMS.gov. We invite you to visit their website for more information on these important topics. Please read more from the Medicare Learning Network.