The HIPAA Privacy Rule
The Health Information Portability and Accountability Act was formed as a broad healthcare reform attempt that looked to ensure better protection of protected health information and help people keep their healthcare insurance during job changes. However, they quickly realized that the initial law was not broad or strict enough to make a significant difference.
Throughout HIPAA's history since it was passed in 1996, there have been plenty of changes and rule additions that have transformed it into the law that we know today. The purpose of HIPAA has always been to make the healthcare industry more efficient while still protecting each person’s protected health information.
The first two rules that were proposed and eventually passed to HIPAA are the Privacy Rule and Security Rule and. There is some overlap between these rules as they both seek to protect identifiable health information, yet they have different purposes in doing so.
What is the HIPAA Privacy Rule?
The Privacy Rule was passed in 2003 to set restrictions and details for how protected health information (PHI) can be shared. This includes what, when and under what circumstances PHI can be used or disclosed. When this same type of information is kept or shared electronically, then the information is referred to as “ePHI.”
The main goal of this rule is to guarantee that an individual’s health information is well protected, but within a system that still lets the information flow between the parties that need PHI in order to provide the best quality of healthcare to the patient. The Privacy Rule also says that patients should have access to the same information about themselves that their doctors do, and they should get some level of authority over where that information goes and who has access to it.
What Information Is Protected under the Privacy Rule?
The Privacy Rule covers any individually identifiable health information that is disclosed in any format whether electronically, on paper or verbally. This type of information is called “protected health information” or PHI. The Privacy Rule specifically lays out 18 identifiers that specify the information as protected health information.
Here are the 18 types of information that are considered protected health information (PHI) under HIPAA:
- Address (Including any information more localized than state)
- Any dates (except years) related to the individual, including birthdays, date of death, date of admission/discharge, etc.
- Telephone Number
- Fax Number
- Email addresses
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Vehicle identifiers (serial numbers, license plate numbers)
- Device identifiers/serial numbers
- Web URLs
- IP address
- Biometric identifiers such as fingerprints or voiceprints
- Full-face photos or other identifiable photographs
- Other identifying numbers, characteristics or codes
HIPAA Minimum Necessary Standard
The Privacy Rule does not only establish what is considered PHI, the rule also determines when and how that information should be disclosed, aside from the few exceptions we’ll address below. With the exceptions of disclosure for the purpose of healthcare operations (treatment, payment, etc.), any PHI relating to a patient past, present, or future physical or mental health or payment for healthcare can only be disclosed without consent from the patient or their legal representatives
- When disclosure is required by law
- When it is in the patients or the public interest
- To another covered entity when a relationship exists
In short, covered entities must abide by the Minimum Necessary Standard. This means that employees working for a covered entity should have access to the very minimum amount of PHI that allows them to do their job. Rather than having access to a full file of an individual’s health information, they should only be given what is truly needed at that time. Exceptions to the rule exist in matters of providing healthcare to a patient, for example, it may be necessary for a healthcare provider to review a patient's complete medical history, but non-routine disclosure requests must be reviewed on a case-by-case basis
Who does the Privacy Rule apply to?
The Privacy Rule applies to all covered entities (CE) and in 2013 the rule was also extended to their business associates (BA). A covered entity is any party that is directly involved with the treatment, healthcare operations or payment process for those healthcare services. On the other hand, a BA is a vendor that is hired by a CE to do one of those actions for them.
There are three main types of covered entities under HIPAA: Healthcare Providers, Health Plans and Healthcare Clearinghouses.
- Healthcare Providers are the entities that we all think of when we think of HIPAA. They are your doctors, clinics, pharmacies, dentists and any other similar provider that uses or discloses PHI in any way.
- Health plans are insurance plans, whether group or individual, that provide or pay for healthcare or treatment. (https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html) Government, church and employer-sponsored group health plans are included in this.
- Healthcare clearinghouse may seem like a strange term, but it really just refers to organizations that send and receive electronic claim information that is typically managed by software. Clearinghouses take on the role of being a hub of electronic patient information between the healthcare practices and insurance carriers. Due to the high volume of information that they process yearly, it is vital that these organizations are HIPAA compliant.
Business Associate Defined
Any person or organization that does not work for a covered entity, yet provides some level of service or function for or with a covered entity that requires them to use or disclose personally identifiable health information. If a covered entity will be sharing any PHI with a business associate, then HIPAA requires a business associate agreement to have been signed between the two organizations prior to the passing of information.
Simply put, if your organization has the ability to and may access PHI at any point, then the Privacy Rule and HIPAA apply to you. If your organization is one that must be HIPAA compliant, the steps may seem confusing or overwhelming but Accountable HQ is here to simplify HIPAA and walk you through all the steps to becoming HIPAA compliant.
Privacy Rule Compliance
In order to be HIPAA compliant under the Privacy Rule, there are many steps that organizations must regularly take to maintain compliance. Some of these requirements affect the daily operations for covered entities and their business associates.
Covered entities are affected by the Privacy Rule in that they must implement certain PHI privacy procedures like the following:
- Designating a privacy officer
- Signing business associate agreements with organizations they work with
- Training employees on Privacy Rule requirements
- Giving patients written Notice of Privacy Practices (NPP)
- Providing patients with access to their medical records with the ability to modify the records and request restrictions to the usage and sharing of their PHI
- Establishing a patient complaint filing system and investigation process for those complaints
- Taking any other methods necessary to make sure that PHI is not used in any way that compromises compliance
HIPAA compliance has been a dreaded requirement for these organizations due to the vague regulations and extra work time that was needed to stay compliant. That was all true before Accountable made a platform that makes managing HIPAA compliance as simple as possible.
Penalties for Noncompliance
When the Enforcement Rule was added to HIPAA in 2005, the Department of Health and Human Services, Office for Civil Rights (OCR) became the ones in charge of enforcing the Privacy Rule and the other HIPAA rules. OCR is able to hear complaints, conduct investigations and review organizations compliance.
The OCR has the power to give levy financial penalties against covered entities for their failure to comply with the Privacy Rule requirements. The extent of the penalty varies greatly depending on the organization’s level of knowledge of their noncompliance, the date of the violation and whether there was any amount of willful neglect that led to their failure to comply. Essentially, if they had any idea that they were acting in a way that was noncompliant, the punishment will be far more severe. There is a yearly cap of $1,500,000 that penalties cannot not exceed for an individual organization.
Before a penalty is imposed, the OCR will notify the covered entity and give them the chance to offer written evidence that would stop or reduce the penalty within 30 days of the notice they are given. Covered entities are also given the opportunity to request an administrative hearing about their proposed penalty.
Any individual or organization who knowingly receives or shares protected health information (PHI) in a way that violates the Privacy Rule are eligible to face criminal penalties of up to $50,000 or one year in prison. There can be more more costly criminal penalties of $100,000 and up to 5 years in prison that can be given if they can determine if the act was done with the intent of deceiving someone.
The highest level of penalty for Privacy Rule violations are given to those who were noncompliant with the intent to sell or use PHI for their own personal gain, commercial advantage or malicious harm. This tier of penalties are up to $250,000 in fines and up to 10 years imprisonment.
Proposed Updates to the HIPAA Privacy Rule
In December of 2020, the HHS Office of Civil Rights issued an NPRM (Notice of Proposed Rule-making) regarding certain changes that may be upcoming to HIPAA. The central goal and intent behind the proposed updates to the HIPAA Privacy Rule are to increase the efficiency and effectiveness of the healthcare system by improving the process of patients accessing their own health information upon request, without providing additional strain or weight on the healthcare professionals themselves.
These potential changes are part of a new initiative that aims to take steps towards removing any unnecessary barriers to providing care or managing the administrative aspects of the healthcare industry. Details of these changes include a shortened covered entity response window time, viewable fee chart for PHI access requests, and a streamlined request completion process for all parties. Complete details on these proposed changes can be found here.
We know that understanding and complying with HIPAA and the Privacy Rule may be time-consuming and intimidating, and that the cost of noncompliance is just too high. Luckily, Accountable exists to simplify HIPAA and help you and your organization take all the steps needed to be HIPAA compliant. Let us help make this complicated process as simple as possible, plus it's free to get started!