Understanding HIPAA

Health Insurance Portability and Accountability Act

HIPAA is US legislation that provides data privacy and security provisions for safeguarding medical information.
The law has emerged into greater prominence in recent years with the proliferation of health data breaches caused by cyberattacks and ransomware attacks on health insurers and providers.
The act, which was signed into law by President Bill Clinton on Aug. 21, 1996, contains five sections, or titles.
Title I: HIPAA Health Insurance Reform
Title I protects health insurance coverage for individuals who lose or change jobs. It also prohibits group health plans from denying coverage to individuals with specific diseases and pre-existing conditions, and from setting lifetime coverage limits.
Title II: HIPAA Administrative Simplification
Title II directs the U.S. Department of Health and Human Services (HHS) to establish national standards for processing electronic healthcare transactions. It also requires healthcare organizations to implement secure electronic access to health data and to remain in compliance with privacy regulations set by HHS.
Title III: HIPAA Tax-Related Health Provisions
Title III includes tax-related provisions and guidelines for medical care.
Title IV: Application and Enforcement of Group Health Plan Requirements
Title IV further defines health insurance reform, including provisions for individuals with pre-existing conditions and those seeking continued coverage.
Title V: Revenue Offsets
Title V includes provisions on company-owned life insurance and the treatment of those who lose their U.S. citizenship for income tax purposes.
In healthcare circles, adhering to HIPAA Title II is what most people mean when they refer to HIPAA compliance. Also known as the Administrative Simplification provisions, Title II includes the following HIPAA compliance requirements:
  • National Provider Identifier Standard. Each healthcare entity, including individuals, employers, health plans and healthcare providers, must have a unique 10-digit national provider identifier number, or NPI.
  • Transactions and Code Sets Standard. Healthcare organizations must follow a standardized mechanism for electronic data interchange (EDI) in order to submit and process insurance claims.
  • HIPAA Privacy Rule. Officially known as the Standards for Privacy of Individually Identifiable Health Information, this rule establishes national standards to protect patient health information.
  • HIPAA Security Rule. The Security Standards for the Protection of Electronic Protected Health Information sets standards for patient data security.
  • HIPAA Enforcement Rule. This rule establishes guidelines for investigations into HIPAA compliance violations.

What is the purpose of HIPAA?

HIPAA, also known as Public Law 104-191, has two main purposes: to provide continuous health insurance coverage for workers who lose or change their job, and to reduce the administrative burdens and cost of healthcare by standardizing the electronic transmission of administrative and financial transactions. Other goals include combating abuse, fraud and waste in health insurance and healthcare delivery and improving access to long-term care services and health insurance.
HHS expanded the act when it put the HIPAA omnibus rule in place in 2013 to implement modifications to HIPAA in accordance with guidelines set in 2009 by the Health Information Technology for Economic and Clinical Health (HITECH) Act. These guidelines concern the responsibilities of business associates of covered entities. The omnibus rule also increased penalties for HIPAA compliance violations to a maximum of $1.5 million per incident.
The HHS Office for Civil Rights (OCR), which enforces HIPAA, issued guidance in 2016 clarifying that cloud service providers and other business associates of healthcare organizations are covered by the HIPAA privacy, security and breach notification rules. HIPAA violations can prove quite costly for healthcare organizations.
The HIPAA Breach Notification Rule within the omnibus set of regulations requires covered entities and any affected business associates to notify patients following a data breach.
In addition to the notification costs, healthcare organizations can encounter fines after HIPAA audits mandated by the HITECH Act and conducted by the Office for Civil Rights. Providers could also face criminal penalties stemming from violations of the HIPAA privacy and security rules.
In 2010, the Federal Trade Commission extended the breach notification rule and its enforcement to healthcare organizations not covered by HIPAA, including vendors of electronic health records (EHRs) and EHR-related systems.
OCR undertook its first round of HIPAA audits of healthcare organizations in 2012 and 2013. Those pilot audits carried no fines or penalties.
A considerably wider, formal round of desk and in-person audits of about 200 healthcare-covered entities and business associates began in 2016 and continued into 2017. These audits were expected to carry fines or corrective plans.
OCR further strengthened the HIPAA Security Rule in 2016 by releasing a crosswalk between the Security Rule and the National Institute of Standards and Technology's Cybersecurity Framework, to help organizations identify cybersecurity gaps and align HIPAA compliance with national cybersecurity standards.
Organizations can lower their risk of regulatory action through HIPAA compliance training programs. OCR has six educational programs on complying with privacy and security rules. A number of consultancies and training groups offer programs, as well. Healthcare providers may also choose to create their own training programs, which often encompass each organization's current HIPAA privacy and security policies, the HITECH Act, mobile device management processes and other applicable guidelines.
While there is no official HIPAA compliance certification program, training companies offer certification credentials to indicate an understanding of the guidelines and regulations specified by the act.

HIPAA Privacy Rule

The Standards for Privacy of Individually Identifiable Health Information, commonly known as the HIPAA Privacy Rule, established the first national standards in the United States to protect patients' personal or protected health information (PHI).

The Privacy Rule, which is a federal law, gives patients rights over their health information and sets rules and limits on who can look at and receive that information. The rule applies to all forms of individuals' protected health information, whether written, oral or electronic.

Who is covered by and must follow HIPAA?

The HIPAA Privacy Rule applies to organizations that are considered HIPAA-covered entities, including health plans, healthcare clearinghouses and healthcare providers. In addition, the HIPAA Privacy Rule requires covered entities that work with a HIPAA business associate to produce a contract that imposes specific safeguards on the PHI that the business associate uses or discloses.

What information is protected?

The HIPAA Privacy Rule protects all individually identifiable health information that is held or transmitted by a covered entity or a business associate. This information can be held in any form, including digital, paper or oral. Under the Privacy Rule, this individually identifiable health information is known as PHI.

What is considered protected health information under HIPAA?

PHI includes:
  • a patient's name, address, birth date and Social Security number;
  • an individual's physical or mental health condition;
  • any care provided to an individual; or
  • information concerning the payment for the care provided to the individual that identifies the patient, or for which there is a reasonable basis to believe it could be used to identify the patient.

HIPAA penalties

Under the HIPAA Privacy Rule, suffering a healthcare data breach, as well as failing to give patients access to their PHI, can result in a fine from OCR.
The minimum penalty is tiered by the level of culpability:
  • Unknowingly violating HIPAA: $100 per violation, with an annual maximum of $25,000 for repeat violations.
  • Violating HIPAA with reasonable cause: $1,000 per violation, with an annual maximum of $100,000 for repeat violations.
  • Willful neglect of HIPAA where the violation is corrected within a given time period: $10,000 per violation, with an annual maximum of $250,000 for repeat violations.
  • Willful neglect of HIPAA where the violation remains uncorrected: $50,000 per violation, with an annual maximum of $1.5 million for repeat violations.
The maximum penalty for every tier is $50,000 per violation, with an annual maximum of $1.5 million for repeat violations.
Covered entities and individuals who intentionally obtain or disclose PHI in violation of the HIPAA Privacy Rule can be fined up to $50,000 and receive up to one year in prison. If the HIPAA Privacy Rule is violated under false pretenses, the penalties can be increased to a $100,000 fine and up to 10 years in prison.

HIPAA omnibus rule

The HIPAA omnibus rule, in a health information technology context, is a rule enacted by OCR to modify the HIPAA Privacy, Security and Enforcement Rules to implement statutory amendments under the HITECH Act.
The HIPAA omnibus rule marked the most extensive changes to the HIPAA Privacy and Security Rules since they were first implemented. Changes include the following:
  • Strengthening the privacy and security protection for individuals' PHI.
  • Modifying the Breach Notification Rule for unsecured PHI, and putting in place more objective standards for assessing a healthcare provider's liability following a data breach.
  • Modifying the HIPAA Privacy Rule to strengthen the privacy protections for genetic information.
  • Outlining OCR's data privacy and security enforcement strategies, as updated for the EHR era and as mandated by the HITECH Act.
  • Holding HIPAA business associates to the same standards for protecting PHI as covered entities, including subcontractors of business associates, in the compliance sense.
  • Stipulating that, when patients pay by cash, they can instruct their provider not to share information about their treatment with their health plan.
  • Setting new limits on how information is used and disclosed for marketing and fundraising purposes.
  • Prohibiting the sale of an individual's health information without their permission.
  • Making it easier for parents and others to give permission to share proof of a child's immunization with a school.
  • Streamlining an individual's ability to authorize the use of their health information for research purposes.
  • Increasing penalties for noncompliance based on the level of negligence, with a maximum penalty of $1.5 million per violation.
  • Guaranteeing that organizations can operate with certainty that their privacy and security policies comply with all the applicable regulations.
The 563-page rule, released Jan. 17, 2013, went into effect March 26, 2013.