This is the first of a three-part series on the Health Insurance Portability and Accountability Act, better known as HIPAA. To help reduce some of the dread HIPAA compliance can prompt, we’ll look at the basics of HIPAA, current security enforcement efforts, and then wrap up by offering some projections about the future of enforcement in light of the recent HHS-OCR leadership changes.
So let’s go back to the basics…
HIPAA, which was enacted in 1996, was intended by lawmakers to accomplish a number of objectives, including making the administration of health insurance plans easier. But with lightning-quick advances in technology just around the corner, HIPAA soon became the regulatory mechanism for getting the health care industry to computerize patient medical records. This brought a whole new dimension to HIPAA, and health care information as we knew it would never be the same.
The two big rules implementing HIPAA that we’re concerned about are known as the “Privacy Rule” and the “Security Rule,” both of which address the central issue of “protected health information,” or PHI, and its electronic version, e-PHI. The Privacy Rule defined PHI, which is essentially any information that can be used to identify a patient, including everything from driver’s license numbers to birth dates to phone numbers. That’s a lot of data to protect, so to help out, HHS laid out in the Security Rule some basic safeguards specifically for e-PHI that must be implemented to be in compliance with the law. These include coming up with a set of policies and procedures to identify and reduce risks, and making sure only the right people have access to e-PHI, whether in a physical workspace or in cyberspace. And once this is done, you can’t just sit back and admire your handiwork – periodic risk reassessment is also required. If you’re not in compliance and a data breach occurs, the Breach Notification Rule kicks in, and even if there hasn’t been a breach, HHS has ramped up its auditing activities significantly in the past several years, so compliance is critical.
And speaking of pointing fingers, who needs to be in compliance? Anyone who is a “covered entity” under the law. This means health care providers, health care plans, and health care clearinghouses – essentially, if you have anything to do with electronic patient medical records, this probably means you. And with the HITECH Act of 2009, HIPAA compliance obligations were extended to cover business associates and certain third-party suppliers. In other words, if you’re in the club, then it’s a good idea to brush up on your responsibilities, because if you don’t, you’ll quickly become familiar with HIPAA’s Enforcement Rule. This rule enables HHS to impose monetary fines for noncompliance or data breaches, and the penalties were substantially increased under the Final 2013 Omnibus Rule. HHS has taken enforcement action over breaches, resulting in some multi-million dollar settlements. Individuals may also have a civil cause of action to sue for HIPAA violations under state law. But this isn’t just about money. Stealing PHI can also be a criminal offense, and in those cases, the U.S. Department of Justice gets involved. Yikes.
Breathe in…breathe out…while HIPAA compliance is more critical than ever, the basics aren’t that difficult, and it takes just a little perseverance and a willingness to be thorough. So it’s time to get past your HIPAA fears, review the basics, and think of HIPAA as a friend rather than a four-letter word.
Stay tuned for our next installment on how HIPAA applies to the latest tech trends. (Hint: how many of your employees use a Fitbit?)