The Core Rules of HIPAA

HIPAA is a vast regulation. We’ve broken down the core rules that you need to know and live by in order to be considered HIPAA Compliant.

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996. Its primary goal was to ensure that employees kept health insurance coverage while between or changing jobs. The law also required healthcare organizations to implement some controls to protect private patient health data and reduce the risk of fraud.

In the decades since, however, the law has been greatly expanded, and it is now known mainly for protecting patient privacy and ensuring that protected health information (PHI) is properly safeguarded. Those expansions come primarily from the following rules:

The Privacy Rule 

The Privacy Rule, whose compliance date was 2003, sets standards and restrictions for how PHI may be used and disclosed: what PHI is shared, when it is shared, with whom, and under what circumstances it may be used or disclosed.

The primary goal of the Privacy Rule is to let an individual's PHI flow between the parties who need it, such as doctors or insurance companies, in order to achieve the best healthcare outcome for the patient, while still protecting the data. The Privacy Rule also gives patients rights over their own records: they are entitled to access the same information about their healthcare that their providers hold, and they have a measure of control over where that information goes and who can access it.

When it was originally enacted, the Privacy Rule applied only to covered entities. Subsequent amendments to HIPAA (the HITECH Act and the Omnibus Rule, discussed below) extended its standards to business associates and to the subcontractors of business associates.

The Security Rule 

Whereas the Privacy Rule governs the use and disclosure of PHI in any form (oral, paper, or electronic), the Security Rule covers electronic protected health information (ePHI) specifically. The Security Rule requires the implementation of three types of safeguards:

1.) Administrative Safeguards: These cover the policies and documentation that run the security program: roles and responsibilities, workforce training, risk analysis and risk management, and ongoing review. In practice the administrative safeguards define how the other two categories are selected, implemented, and maintained.

2.) Physical Safeguards: These protect the facilities, equipment, and media that hold ePHI. They include facility access controls (alarms, locks, badge systems), workstation placement and use rules, and device and media controls, such as policies for laptops, phones, and other portable hardware that can carry ePHI off-site.

3.) Technical Safeguards: These are the technologies, and the policies governing their use, that protect ePHI from unauthorized access. The Security Rule groups them into access controls, audit controls, integrity controls, person or entity authentication, and transmission security.

Together, these safeguards are meant to secure ePHI against unauthorized access whether the data is at rest or in transit. The rule was deliberately written to be technology-neutral: it does not mandate specific products or procedures. Instead, covered entities and business associates must conduct a risk analysis to identify threats to ePHI, revisit it periodically and whenever their environment changes, and adopt safeguards proportionate to the risks they find. That flexibility is formalized in the rule's "required" and "addressable" implementation specifications. An addressable specification is not optional: an entity must either implement it, implement an equivalent alternative, or document why it is not reasonable and appropriate in its environment.

This flexibility was intended to let organizations fit their policies and procedures to their own needs and resources, but the lack of prescriptive guidance has also led to confusion and frustration.

The Breach Notification Rule 

The Breach Notification Rule, issued in 2009 under the HITECH Act, was a significant expansion of HIPAA that updated and modified several aspects of the law.

First, the rule defines a breach as the acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of that PHI. Second, it requires covered entities to notify every affected individual without unreasonable delay and no later than 60 calendar days after the breach is discovered; a business associate that discovers a breach must notify the covered entity within that same window. The rule also requires notification of the Department of Health and Human Services: within the same 60 days if the breach affects 500 or more individuals, otherwise in an annual log submitted within 60 days after the end of the calendar year. Finally, a breach affecting more than 500 residents of a single state or jurisdiction must also be announced to prominent media outlets serving that area.

The HITECH Act

For HIPAA's first thirteen years, compliance was fairly easy to live with, primarily because the threat of an audit was low and the penalties for violations were mild. All of that changed with the passage of the HITECH Act.

The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law by President Obama in February 2009 as part of the American Recovery and Reinvestment Act. Its primary purpose was to encourage healthcare providers to adopt electronic health records (EHRs) and the technology that supports them. More importantly for PHI, the act strengthened HIPAA enforcement by increasing the penalties for noncompliance and by making the Privacy and Security Rules apply directly to business associates as well as covered entities. The act also created a four-tier penalty structure for HIPAA violations (the dollar figures below are the original amounts, which have since been adjusted for inflation):

  • First Tier: The covered entity did not know, and by exercising reasonable diligence would not have known, of the violation. Penalties range from $100 to $50,000 per violation, up to $1.5 million per year for identical violations.
  • Second Tier: The violation had a reasonable cause; the entity knew, or by exercising reasonable diligence would have known, of it, but did not act with willful neglect. Penalties range from $1,000 to $50,000 per violation, up to $1.5 million per year.
  • Third Tier: The covered entity acted with willful neglect but corrected the problem within 30 days of discovering it. Penalties range from $10,000 to $50,000 per violation, up to $1.5 million per year.
  • Fourth Tier: The covered entity acted with willful neglect and failed to make a timely correction. Penalties start at $50,000 per violation, up to $1.5 million per year.

Due to these changes, the HITECH act has often been called “HIPAA on steroids”.

The Omnibus Rule 

The HIPAA Omnibus Rule, finalized in January 2013, amended and consolidated all of the previously issued rules into a single comprehensive document detailing the requirements for complying with HIPAA and HITECH.

The key updates included:

Business associates are directly liable for their own compliance with HIPAA. The HITECH Act first established this, but it was the Omnibus Rule that wrote it into regulation and gave the Office for Civil Rights (OCR) the basis to enforce compliance against business associates. The Omnibus Rule also replaced the earlier "harm" standard for breaches: any impermissible use or disclosure of PHI is now presumed to be a reportable breach unless the entity can demonstrate, through a documented risk assessment of the four factors the rule lists (the nature and extent of the PHI, who received it, whether it was actually acquired or viewed, and the extent to which the risk has been mitigated), that there is a low probability the PHI was compromised. That presumption has led to a significantly higher number of reported data breaches each year.

HIPAA is complex. Accountable makes it simple

As you can see, HIPAA has a lot of moving parts and compliance can feel like it is a moving target.

It’s important to remember that as easy as it is to violate HIPAA, implementing training and policies to safeguard PHI and your organization is easier. That is why we created Accountable: a complete solution designed to help you achieve and maintain your organization’s HIPAA Compliance. We give you the tools you need to train your employees, manage your vendors, and identify risk within your organization.

Oh, and it’s free to get started.
