The Health Insurance Portability and Accountability Act (HIPAA) is a United States law that regulates the processing of protected health information (PHI) by covered entities. HIPAA sets the standard for privacy compliance and establishes guidelines for collecting, protecting, and sharing patient information across all states.
HIPAA comprises two important rules: the Privacy Rule and the Security Rule. The Privacy Rule governs the use, disclosure, and operational safeguards for PHI, while the Security Rule specifically addresses electronic protected health information (ePHI). These rules outline the necessary controls to ensure the confidentiality, integrity, and availability of patient data.
Who Needs to Comply with HIPAA?
Entities that must comply with HIPAA regulations are known as "covered entities". They include:
- Health Plans: This category encompasses health insurance companies, health maintenance organizations (HMOs), Medicare, Medicaid, and other similar programs.
- Health Care Providers: Most health care providers who conduct electronic transactions for billing purposes fall under this category. Examples include doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists.
- Health Care Clearinghouses: These entities process and convert PHI from one format to another, ensuring standardization for electronic transactions.
HIPAA also covers "business associates" who process ePHI on behalf of covered entities, providing services such as consultation, administrative support, or data collection. Business associates, including contractors and subcontractors, must adhere to HIPAA regulations. Contracts are required between covered entities and business associates to ensure the proper processing and safeguarding of ePHI.
Breakdown of HIPAA Privacy Rights
The full details of these rights can be found here.
- Authorized Uses and Disclosures: Covered entities must obtain written approval from individuals before processing their protected health information.
- Confidential Communications Requirements: Health care providers and plans must accommodate individuals' requests for alternative communication methods.
- Limiting Uses and Disclosures at Minimum: Covered entities must make reasonable efforts to process protected health information using only the minimum necessary for the intended purpose.
- Privacy Policies and Procedures: Covered entities must establish and implement privacy policies consistent with the Privacy Rule.
- Privacy Practices Notice: Covered entities must prepare and distribute a notice of privacy practices, specifying certain requirements under the Privacy Rule.
- Privacy Personnel: Covered entities must assign a privacy official responsible for establishing policies, handling complaints, and providing necessary information.
- Access: Individuals generally have the right to access and inspect their protected health information for any errors.
- Workforce Training and Management: All employees, volunteers, and contracted personnel must be trained on privacy policies and procedures, with appropriate sanctions for violations.
- Amendment: Individuals have the right to request amendments to their protected health information if errors are found.
- Mitigation: Covered entities must ensure mitigation of risks and damages resulting from breaches or violations of privacy policies or the Privacy Rule.
- Disclosure Accounting: Individuals have the right to receive an accounting of disclosures of their protected health information.
- Data Safeguards: Covered entities must implement administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of ePHI.
- Restriction Request: Individuals have the right to request restrictions on the use or disclosure of their protected health information.
- Complaints: Covered entities must have a process in place to handle complaints related to compliance, privacy policies, and adherence to the Privacy Rule.
- Documentation and Record Retention: Covered entities must maintain records of privacy practices, procedures, complaints, and privacy notices for six years.
- Retaliation and Waiver: Covered entities cannot retaliate against individuals for participating in investigations or exercising their rights under the Privacy Rule
Breakdown of HIPAA Privacy Safeguards
Administrative Safeguards
The full regulations for these safeguards can be found here.
|
Security Management Process |
Covered entities must establish policies and procedures to manage security risks, detect incidents, and implement breach containment and correction measures. |
|
Assigned Security Responsibility |
Designated individuals within covered entities are responsible for security-related tasks and ensuring compliance with policies and procedures. |
| Workforce Security | Policies and procedures must be in place to grant appropriate access to ePHI, prevent unauthorized access, and manage staff authorization, clearance, and termination. |
| Information Access Management | Policies and procedures must govern the authorization and access to ePHI, including isolating health care clearinghouse functions and managing access establishment and modification. |
| Security Awareness and Training | Covered entities must provide awareness and training programs for management and staff, including updates on security, malware prevention, monitoring login attempts, and password management. |
| Security Incident Procedures | Policies and strategies must be established to respond to and report security incidents. |
| Contingency Plan | Covered entities must develop procedures and policies to address emergencies, system failures, and natural disasters, including data backup plans, disaster recovery plans, and testing procedures. |
| Evaluation | Technical and non-technical evaluations must be conducted to assess changes and events related to ePHI security policies and procedures. |
| Business Associate Contracts and Other Arrangements | Covered entities must have written contracts with business associates to ensure compliance and proper safeguarding of ePHI. |
Physical Safeguards
The full regulations for these safeguards can be found here.
| Facility Access Controls | Access to facilities where electronic information systems are stored must be restricted and protected from unauthorized access. Records and documentation related to security access and modifications must be retained. |
| Workstation Use | Workstations used to process ePHI must be appropriately maintained to ensure the secure privacy of information. |
| Workstation Security | Access control measures must be implemented for workstations to prevent unauthorized access to ePHI. |
| Device and Media Controls | Procedures must be in place to transfer, dispose, and backup electronic media containing ePHI. Records must be maintained for actions involving devices and media controls. |
Technical Safeguards
The full regulations for these safeguards can be found here.
| Access Control | Covered entities must implement technical measures to restrict access to ePHI and ensure only authorized individuals have access. |
| Audit Controls | Covered entities must implement hardware, software, and procedural mechanisms to record and examine activity related to ePHI. |
| Integrity Controls | Covered entities must implement measures to ensure the integrity of ePHI and protect against unauthorized modifications. |
| Person or Entity Authentication | Procedures must be in place to verify the identity of individuals accessing ePHI. |
| Transmission Security | Covered entities must implement safeguards to protect ePHI during transmission, including encryption and integrity controls. |
Policies & Procedures and Documentation Requirements
In accordance with HIPAA's Security Standards: General rules, covered entities and business associates must establish appropriate procedures and policies to comply with the associated requirements outlined in the previous sections. These policies and procedures can be modified by the entities as needed, but any changes must be documented and aligned with the requirements of the relevant subparts. This includes maintaining written records, documentation, and conducting regular assessments.
Implementation of these specifications includes the following aspects:
- Time Limit for Documentation: Covered entities and business associates are required to retain documentation for a period of six years from the date of creation.
- Availability of Documentation: Necessary individuals responsible for implementing procedures should have access to the documentation.
- Periodic Update and Review: Procedures and policies should be periodically reviewed and updated to ensure compliance with HIPAA requirements.
Enforcement of HIPAA
The Office for Civil Rights (OCR) is the primary federal agency responsible for promoting awareness and enforcing health information privacy rights. Regulators can find more information about the OCR's work on their website, which is linked at the bottom of this article. The OCR enforces the Privacy and Security Rules through the investigation of complaints, compliance reviews, and educational outreach campaigns to promote compliance.
The Department of Justice (DOJ) also plays a role in addressing criminal violations of HIPAA.
Fines Associated with HIPAA
More details about the fines and penalties can be found in the National Archives and Records Administration Federal Register PDF, which outlines HIPAA Violations and Penalties under the Final Rule.
Complaints are processed through the Office for Civil Rights (OCR), which reviews each case and determines potential criminal violations in partnership with the DOJ. If a resolution cannot be reached with the OCR, the Secretary of the Department of Health and Human Services (HHS) can impose civil monetary penalties on covered entities that fail to comply with HIPAA requirements. There are four tiers of HIPAA violations:
- Tier 1: Fines range from $100 to $50,000 per violation, with a maximum annual penalty of $1.5 million for each calendar year. This tier applies when the entity is unaware of the violation.
- Tier 2: Fines range from $1,000 to $50,000 per violation, with a maximum annual penalty of $1.5 million for each calendar year. This tier applies when the violation occurs due to reasonable cause but lacks willful neglect.
- Tier 3: Fines range from $10,000 to $50,000 per violation, with a maximum annual penalty of $1.5 million for each calendar year. This tier applies when the violation is due to willful neglect, but the entity corrects it within 30 days after discovery.
- Tier 4: The fine for violations involving willful neglect without timely correction is $50,000 per violation, with a maximum annual penalty of $1.5 million for each calendar year.
In addition to these fines, criminal penalties and potential jail sentences can be imposed depending on the outcome of investigations conducted by the OCR and the Department of Justice.
Content found within this document is based on Carbide’s understanding of and the information provided by the official websites and documentations of the HIPAA regulation provided throughout.