Learning goals

  • Gain an understanding of the purpose and origins of the Health Insurance Portability and Accountability Act (HIPAA)
  • Learn about Protected Health Information (PHI) and the digital form of PHI, known as ePHI
  • Explore the different personal identifiers that, when linked with health data, create PHI or ePHI
  • Familiarize yourself with the policies, procedures, protections, and protocols that are in place to ensure the safety of PHI
  • Identify the actions that most frequently lead to HIPAA rule violations and the exposure of PHI
  • Learn which entities and individuals fall under HIPAA regulations
  • Review the five primary sections that make up HIPAA rules
  • Examine typical HIPAA violations and the corresponding penalties
  • Become knowledgeable about the security measures essential for protecting PHI
  • Understand the requirements for reporting HIPAA violations
  • Learn about patients' rights regarding access to and correction of their PHI

Overview of HIPAA Regulations

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996. Initially, its objectives included:

  • Safeguarding patient healthcare information against fraud, theft, and misuse
  • Enhancing the accessibility and transfer of patient healthcare records and information
  • Regulating the storage and protection of identifiable patient data by healthcare providers and insurance companies
  • Preventing limitations on healthcare coverage for patients due to portability issues (such as changes in employment or geographic location) and pre-existing conditions

Since its inception, HIPAA regulations have evolved to adapt to technological advancements and concerns about personal privacy, particularly regarding the internet and electronic data transmission. In 1996, for example, smartphones did not exist, nor had social media platforms been created; both innovations significantly increased the potential for data breaches and improper handling of healthcare information. The scope of the Act has broadened to define numerous covered entities and now includes specific business associates—third parties that access patient records while providing services related to insurance coverage, data processing, security, payments, and other healthcare business operations.

Oversight and enforcement of HIPAA regulations fall under the jurisdiction of the U.S. Department of Health & Human Services (HHS), specifically the Office for Civil Rights (OCR). Since the HITECH Act of 2009, this federal oversight is complemented by U.S. State Attorneys General, who can bring civil actions on behalf of their residents against covered entities and business associates that violate HIPAA rules. HIPAA sets a floor, not a ceiling: where a state law is more protective of patient privacy than the federal rules, the more stringent provision applies.

HIPAA protects patient healthcare records by regulating individually identifiable health information. Its object is Protected Health Information (PHI): health data linked to one or more “personal identifiers” that allow a specific patient to be connected to the record. The rule's list of identifiers includes, among others:

  • Medical record numbers
  • Patient names or parts of names
  • Addresses
  • Phone numbers
  • Email addresses
  • Dates related to the individual (e.g., birthdates)
  • Health insurance beneficiary names and numbers
  • License numbers
  • Facial photographs
  • Fingerprints or retinal scans
  • Website addresses (URLs)
  • FAX numbers

HIPAA treats the pairing of an identifier with health data as the thing to be protected, so that patient privacy is preserved and discrimination based on pre-existing conditions is mitigated. With the rise of internet connectivity and widespread use of smartphones and digital devices, healthcare data is now overwhelmingly created, stored, and transmitted electronically. PHI that is created, received, maintained, or transmitted in electronic form is referred to as ePHI: an EHR entry, a scanned chart, an e-mailed lab result, and a record on a misplaced USB stick are all ePHI.

Healthcare entities and their business associates are now responsible for implementing and maintaining adequate safeguards to protect both PHI and ePHI. Even in the absence of a breach, those tasked with the security of PHI can be held liable if they lack sufficient policies and procedures to prevent data breaches. Ignorance is not considered a valid defense if PHI is inadvertently disclosed or accessed. For instance, accidentally leaving files open for public or unauthorized viewing can constitute a data breach under OCR enforcement guidelines.

Entities Subject to HIPAA Compliance

HIPAA regulations are applicable to any “covered entity” (CE), which includes:

  • Pharmacies
  • Hospitals
  • Health plans and insurers
  • Surgical centers
  • Healthcare data clearinghouses
  • Offices of physicians, dentists, and other healthcare providers
  • Sponsors of Medicare prescription drug plans

These covered entities are responsible for developing comprehensive plans to safeguard PHI and ePHI in accordance with HIPAA regulations. Common causes of HIPAA violations within these entities consist of:

  • Inadequate risk analysis
  • Improper disposal of PHI
  • Theft of electronic devices
  • Data breaches not reported within specified timeframes
  • Non-enforcement of the Minimum Necessary Rule
  • Inadequate encryption security for PHI
  • Inadequate Business Associate agreements
  • Inadequate staff and employee training
  • Improper or accidental disclosures of PHI
  • Failure to implement appropriate safeguards

In addition to covered entities, HIPAA directly regulates “Business Associates” (BAs): persons or organizations that create, receive, maintain, or transmit PHI on behalf of a CE, such as billing firms, claims processors, IT and cloud providers, and consultants. A BA that delegates such work to a subcontractor makes that subcontractor a BA as well. Before a BA is given access to PHI, a Business Associate Agreement must be in place between the CE and the BA. This legally binding contract requires the BA to:

  • Use and disclose the PHI only as the agreement and the Privacy Rule permit
  • Apply appropriate safeguards, including Security Rule safeguards for ePHI
  • Report unauthorized uses or disclosures, including breaches, to the CE
  • Restrict and monitor access to the PHI, and bind any subcontractors to the same terms

Key HIPAA Regulations

HIPAA's regulatory requirements are usually summarized as five core rules that set out what covered entities (CEs) and business associates (BAs) must do to comply:

  • Privacy Rule
  • Enforcement Rule
  • Security Rule
  • Breach Notification Rule
  • Omnibus Rule

The HIPAA Privacy Rule specifies the conditions under which PHI can be used or disclosed. Since the 2013 Omnibus Rule, BAs as well as CEs are directly liable under it. PHI may be used or disclosed without the patient's authorization only for purposes the rule permits, chiefly treatment, payment, and health care operations, subject to the minimum-necessary standard for everything except disclosures for treatment; any other use requires the patient's written authorization. The Privacy Rule grants patients and their authorized representatives the right to access and inspect their PHI and to request correction of errors in it, so that they can verify the accuracy of their own records. It also requires CEs to provide requested copies of PHI within 30 days (one 30-day extension is allowed with written notice to the patient).

The HIPAA Security Rule establishes the standards for safeguarding ePHI specifically; paper records are protected by the Privacy Rule alone. Any CE or BA must evaluate, supervise, and adequately train all staff members who may create, view, access, alter, share, or transmit ePHI. Its requirements are grouped into administrative, physical, and technical safeguards, which in practice means a CE or BA should:

  • Develop a risk management policy
  • Produce security risk assessments
  • Provide administrative safeguards (assign a Security Officer and a Privacy Officer to conduct regular risk assessments and security audits)
  • Limit security risks associated with PHI stored on various digital devices, including laptops and smartphones that may leave the premises
  • Implement measures to restrict the flow of PHI within the CE or BA's private network and monitor staff activity
  • Utilize technical safeguards (e.g., maintain computer firewalls, apply suitable encryption for electronic communications)
  • Implement physical safeguards (secure workstations and restrict unauthorized viewing)
  • Enforce appropriate security measures to protect electronic devices, including passwords, access credentials, and automatic sign-off applications

The HIPAA Breach Notification Rule obligates CEs to notify affected individuals without unreasonable delay and no later than 60 days after a breach of unsecured PHI is discovered. Breaches affecting 500 or more individuals must also be reported to HHS within the same 60-day window and, when more than 500 residents of a single state or jurisdiction are affected, to prominent media outlets serving that area. Breaches affecting fewer than 500 individuals are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered. A BA that discovers a breach must notify the CE, also within 60 days of discovery; the CE then carries the individual, HHS, and media notifications. The rule covers unsecured PHI only: PHI that was encrypted or destroyed in line with HHS guidance is not “unsecured,” which is why full-disk encryption on a lost laptop can turn a reportable breach into a non-event. Breach notices should encompass the following details:

  • A description of the breach
  • The type of data compromised
  • Measures taken to contain the breach and prevent future incidents
  • Actions patients can take to mitigate their potential harm
  • Information regarding support or relief provided by the CE or BA

In all data breach situations, CEs and BAs must inform patients and the relevant authorities “without unreasonable delay”; the 60-day figures are outer limits, not targets.

The 2013 HIPAA Omnibus Rule made BAs directly liable for the Security Rule and for much of the Privacy Rule, and tightened the rules on using PHI for marketing, fundraising, and sale without the patient's written authorization (fundraising communications must carry an opt-out). It also implemented the tiered civil penalty structure of the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009, which funded and promoted the adoption and meaningful use of certified Electronic Health Record (EHR) technology among healthcare providers. Key goals of HITECH included enhancing the quality, safety, efficiency, and coordination of patient care while increasing the privacy and security of PHI.

Understanding Required vs. Addressable Security Measures

Confusion often arises from the classification of the Security Rule's implementation specifications as either “required” or “addressable.” A required specification must be implemented as written. An addressable specification is not optional: the CE or BA must assess whether it is reasonable and appropriate in its environment and then either implement it, implement an equivalent alternative safeguard, or document why neither is needed. OCR examines that documented decision during a breach investigation, and measures such as encryption of ePHI are widely treated as baseline practice, so it is prudent for CEs and BAs to implement addressable safeguards wherever feasible rather than rely on the label.

One of the most important of those addressable specifications is encryption of ePHI, both in transit and at rest. This is particularly important when PHI leaves the healthcare setting on laptops, smartphones, or tablets: encryption makes the data unreadable to anyone without the key, so a lost or stolen device need not become a reportable breach. The algorithm HHS guidance points to is the Advanced Encryption Standard (AES, specified by NIST in FIPS 197) with 128-, 192-, or 256-bit keys, applied according to NIST SP 800-111 for stored data and the TLS guidance in SP 800-52 for data in transit. Two practitioner caveats: use an authenticated mode such as AES-GCM so that tampering is detected rather than silently producing garbage, and keep the key off the device or database that holds the ciphertext (a hardware-backed keystore, KMS, or HSM), since data stored next to its own key is not secured in any meaningful sense.
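As an added example, not code from the original page, the following Go program shows what “encrypt ePHI at rest” looks like when done with an authenticated mode: one record is sealed with AES-256-GCM from Go's standard library, the patient row ID is bound to the ciphertext as associated data, and a single flipped byte makes decryption fail instead of yielding corrupted text. The record contents, the row ID, and the function names are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const keyLen = 32 // 256-bit key: AES-256

// NewKey returns a random 256-bit data-encryption key. In production the key
// lives in a KMS, HSM, or OS keystore, never on the same disk as the ciphertext.
func NewKey() ([]byte, error) {
	key := make([]byte, keyLen)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM rejects any key that is not exactly 256 bits so a misconfigured key
// cannot silently change the deployed algorithm.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keyLen {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals one ePHI record with AES-256-GCM. A fresh random 96-bit nonce
// is generated per call and prepended to the output. recordID is passed as
// associated data: it is authenticated but not encrypted, so a ciphertext
// moved onto another patient's row will not decrypt.
func Encrypt(key, plaintext, recordID []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and the 16-byte tag after the nonce.
	return gcm.Seal(nonce, nonce, plaintext, recordID), nil
}

// Decrypt reverses Encrypt. Any modification of nonce, ciphertext, tag, or
// recordID makes gcm.Open return an error rather than corrupted plaintext.
func Decrypt(key, sealed, recordID []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, recordID)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record for this example; not real patient data.
	record := []byte("MRN 0000123 | 2024-05-02 | HbA1c 6.1% | note: continue metformin")
	id := []byte("patient-row-42")

	sealed, err := Encrypt(key, record, id)
	if err != nil {
		panic(err)
	}
	plain, err := Decrypt(key, sealed, id)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted: %s\n", plain)

	// Flip one byte of the authentication tag: decryption must fail.
	sealed[len(sealed)-1] ^= 0x01
	if _, err := Decrypt(key, sealed, id); err != nil {
		fmt.Println("tampered ciphertext rejected:", err)
	}
}
```

A random 96-bit nonce per message is adequate for the volume a single data-encryption key sees in a per-record scheme like this; for a key that seals billions of records, switch to a counter-based nonce or rotate keys, because nonce reuse under GCM leaks plaintext and the authentication subkey. NewKey stands in for a key fetched from a KMS or hardware keystore at runtime.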

Another essential measure for securing PHI on electronic devices is the use of strong passwords. The Security Rule requires CEs and BAs to have procedures for creating, changing, and safeguarding passwords, and internal policies should follow the current NIST guidance in SP 800-63B. Long, complex passwords built from arbitrary character-class rules are hard to memorize, which leads employees to write them down where they can be lost or stolen. NIST instead recommends long, memorable passphrases that are hard for others to guess, and puts the burden on the system to screen out weak choices rather than on the user to satisfy composition rules. General recommendations for passwords include:

  • A minimum length of 8 characters; systems should accept passphrases of at least 64 characters, including spaces and non-ASCII characters
  • Utilizing a passphrase familiar to the individual but not guessable from public information about them
  • Avoiding written notes or hints that could lead to guessing the password (a password manager, not a sticky note, is the way to cope with many long secrets)
  • Screening new passwords against lists of common and breached passwords, rejecting strings such as “12345678” or “password” and anything containing the username or organization name
  • Not forcing periodic password changes; a password is changed when there is evidence it has been compromised
  • Implementing multi-factor authentication when accessing electronic devices, preferably with an authenticator app or hardware security key rather than a code sent by SMS, which NIST classifies as a restricted authenticator
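The checks in that list can be enforced in code at the point where a workforce member sets a password. The following Go validator is an added example, not from the original page or from NIST; it implements the SP 800-63B rules summarized above (length as the only composition requirement, blocklist screening, no context-specific words, no trivially repetitive or sequential secrets, no expiry). The blocklist, the organization name “Mercy Hospital,” and the candidate passwords are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode/utf8"
)

const (
	minLen = 8  // SP 800-63B minimum for user-chosen memorized secrets
	maxLen = 64 // verifiers must accept at least this many characters
)

// commonPasswords stands in for the breached/common-password corpus that
// SP 800-63B requires new secrets to be screened against. Constructed for
// this example; a real deployment loads a large list or queries a
// k-anonymity style API.
var commonPasswords = map[string]bool{
	"password": true, "password1": true, "12345678": true,
	"qwertyuiop": true, "letmein1": true, "iloveyou": true,
}

// CheckPassword applies the SP 800-63B rules: length (counted in characters,
// not bytes, so Unicode and spaces are fine), blocklist screening, rejection
// of context-specific words (username, organization name), and rejection of
// secrets that are a single repeated character or a plain sequence. It
// deliberately has no character-class rules and no expiry.
func CheckPassword(pw string, context ...string) error {
	n := utf8.RuneCountInString(pw)
	if n < minLen {
		return fmt.Errorf("too short: %d characters, minimum is %d", n, minLen)
	}
	if n > maxLen {
		return fmt.Errorf("too long: %d characters, maximum is %d", n, maxLen)
	}
	lower := strings.ToLower(pw)
	if commonPasswords[lower] {
		return errors.New("appears in the common/breached password list")
	}
	for _, c := range context {
		for _, word := range strings.Fields(strings.ToLower(c)) {
			if utf8.RuneCountInString(word) >= 4 && strings.Contains(lower, word) {
				return fmt.Errorf("contains context-specific word %q", word)
			}
		}
	}
	if repetitive(pw) {
		return errors.New("single repeated character")
	}
	if sequential(pw) {
		return errors.New("simple ascending or descending sequence")
	}
	return nil
}

// repetitive reports whether every character is the same ("aaaaaaaa").
func repetitive(pw string) bool {
	rs := []rune(pw)
	if len(rs) < 2 {
		return false
	}
	for _, r := range rs[1:] {
		if r != rs[0] {
			return false
		}
	}
	return true
}

// sequential reports whether each character is exactly one code point above
// (or below) the previous one ("abcdefgh", "87654321").
func sequential(pw string) bool {
	rs := []rune(pw)
	if len(rs) < 2 {
		return false
	}
	up, down := true, true
	for i := 1; i < len(rs); i++ {
		if rs[i] != rs[i-1]+1 {
			up = false
		}
		if rs[i] != rs[i-1]-1 {
			down = false
		}
	}
	return up || down
}

func main() {
	// Constructed candidates for this example.
	for _, pw := range []string{
		"correct horse battery staple",
		"PASSWORD",
		"Mercy2024!",
		"abcdefghij",
		"tiny",
	} {
		if err := CheckPassword(pw, "Mercy Hospital", "jdoe"); err != nil {
			fmt.Printf("reject %q: %v\n", pw, err)
		} else {
			fmt.Printf("accept %q\n", pw)
		}
	}
}
```

Note what is absent: no uppercase/digit/symbol requirement, no maximum shorter than 64, and no rotation schedule. The quality of this check is bounded by the blocklist, so the constructed six-entry map above must be replaced with a real breached-password corpus before use.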

Common HIPAA Violations

Investigations by the HHS-OCR have highlighted several frequent areas of HIPAA violations that CEs and BAs should be vigilant about:

  • Failing to conduct regular and documented risk management analyses
  • Compromising PHI stored on laptops, smartphones, tablets, and other electronic devices (these devices often leave the CE’s or BA’s physical premises and are susceptible to theft or loss)
  • Improper disposal of PHI (physical paper records should be shredded or burned, while electronic media must be erased, degaussed, or properly destroyed to ensure that all PHI is “unreadable, indecipherable, and otherwise cannot be reconstructed”)
  • Inadequate training for staff regarding security and the implementation of PHI safeguards (training should be regular, ongoing, and documented)
  • Failing to document adequate Business Associate agreements
  • Not providing patients with timely access to their PHI records upon request (within 30 days)
  • Not enforcing the Minimum Necessary Standard (allowing unauthorized staff access to PHI beyond the scope of their employment; failing to restrict access properly)
  • Failing to inform patients, HHS, and the media about data breaches in a timely manner
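Two of the items above, the minimum-necessary standard and the Security Rule's call to monitor staff activity, come down to the same check: compare each access in the audit trail against what the user's role and assignment justify. The following Go program is an added example, not from the original page or any EHR product; it parses a handful of constructed audit lines and flags accesses that exceed the role's permissions or fall outside the patient's assigned care team. The log format, the role permission table, and the care-team map are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// AccessEvent is one parsed line of a constructed EHR audit trail.
type AccessEvent struct {
	Time, User, Role, Action, MRN string
}

// Finding explains why an event violates the minimum-necessary policy.
type Finding struct {
	Event  AccessEvent
	Reason string
}

// rolePermissions lists which audit actions each role may perform.
// Assumed policy for this example, not taken from any real product.
var rolePermissions = map[string]map[string]bool{
	"physician": {"read_note": true, "write_note": true, "read_demographics": true},
	"nurse":     {"read_note": true, "read_demographics": true},
	"billing":   {"read_demographics": true, "read_claim": true},
}

// careTeam maps MRN -> users assigned to that patient. Clinical reads by
// staff outside the care team are flagged for review (break-glass handling
// is omitted here).
var careTeam = map[string]map[string]bool{
	"0000123": {"dr.lee": true, "rn.patel": true},
	"0000456": {"dr.ortiz": true},
}

// ParseEvent parses "time k=v k=v ..." lines; unknown keys are ignored and
// a missing required key is an error.
func ParseEvent(line string) (AccessEvent, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return AccessEvent{}, fmt.Errorf("malformed line: %q", line)
	}
	ev := AccessEvent{Time: fields[0]}
	for _, kv := range fields[1:] {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return AccessEvent{}, fmt.Errorf("malformed field %q", kv)
		}
		switch k {
		case "user":
			ev.User = v
		case "role":
			ev.Role = v
		case "action":
			ev.Action = v
		case "mrn":
			ev.MRN = v
		}
	}
	if ev.User == "" || ev.Role == "" || ev.Action == "" || ev.MRN == "" {
		return AccessEvent{}, fmt.Errorf("missing required field in %q", line)
	}
	return ev, nil
}

// isClinical marks the actions that expose clinical content rather than
// demographics or claims, and therefore require care-team membership.
func isClinical(action string) bool {
	return action == "read_note" || action == "write_note"
}

// Check returns a Finding for each event that exceeds the user's role or
// care-team scope. Lines that fail to parse are reported too, because an
// unparseable audit trail is itself a control failure.
func Check(lines []string) []Finding {
	var out []Finding
	for _, line := range lines {
		if strings.TrimSpace(line) == "" {
			continue
		}
		ev, err := ParseEvent(line)
		if err != nil {
			out = append(out, Finding{Event: AccessEvent{Time: "?"}, Reason: err.Error()})
			continue
		}
		perms, known := rolePermissions[ev.Role]
		switch {
		case !known:
			out = append(out, Finding{Event: ev, Reason: "unknown role " + ev.Role})
		case !perms[ev.Action]:
			out = append(out, Finding{Event: ev, Reason: fmt.Sprintf("role %s is not permitted %s", ev.Role, ev.Action)})
		case isClinical(ev.Action) && !careTeam[ev.MRN][ev.User]:
			out = append(out, Finding{Event: ev, Reason: "clinical access outside assigned care team"})
		}
	}
	return out
}

// sampleLog holds constructed audit lines for this example.
var sampleLog = []string{
	"2024-05-02T10:14:03Z user=dr.lee role=physician action=read_note mrn=0000123",
	"2024-05-02T10:15:11Z user=acct.kim role=billing action=read_claim mrn=0000123",
	"2024-05-02T10:16:40Z user=acct.kim role=billing action=read_note mrn=0000123",
	"2024-05-02T10:18:02Z user=rn.patel role=nurse action=read_note mrn=0000456",
	"2024-05-02T10:19:55Z user=dr.lee role=physician action=read_demographics mrn=0000456",
}

func main() {
	for _, f := range Check(sampleLog) {
		fmt.Printf("%s %s (%s) %s mrn=%s: %s\n",
			f.Event.Time, f.Event.User, f.Event.Role, f.Event.Action, f.Event.MRN, f.Reason)
	}
}
```

On the sample log this flags the billing clerk reading a clinical note and the nurse reading a note for a patient she is not assigned to, and lets the physician's demographic lookup through. The same two tables are what an access-control layer should enforce before the read happens; running them over the audit trail afterwards is the detective control that catches misconfiguration and the “I was just curious” access that OCR cites under the minimum-necessary standard.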

Impact of HIPAA on Healthcare Practices

HIPAA regulations have led to significant changes in the creation, security, privacy, and transmission of patient health records. While the effectiveness of HIPAA in improving the accuracy, secure communication, and availability of health records is still debated, studies indicate that HIPAA has enhanced the security of PHI, particularly through a greater reliance on electronic media over traditional paper records. However, these improvements come with substantial compliance costs for CEs and BAs, including increased administrative burdens, staffing needs, regulatory compliance measures, investments in electronic hardware and software, ongoing staff training, and extensive documentation.

HIPAA documentation rules require that patients receive a formal Notice of Privacy Practices describing how the CE uses and discloses PHI and what rights the patient has. Providers with a direct treatment relationship must also make a good-faith effort to obtain the patient's written acknowledgment of receipt and document any failure to obtain it. Although the costs of HIPAA compliance (payroll, hardware, software, and infrastructure enhancements) are high, the financial repercussions of fines for noncompliance, particularly when healthcare organizations are targeted by cybercriminals, can be even more significant. Criminals covet PHI records for identity theft and insurance fraud, which is why healthcare databases are attacked at increasing rates.

Noncompliance with HIPAA regulations can result in investigations by the HHS OCR and substantial fines. Under the HITECH Act, civil monetary penalties are tiered by culpability, originally up to $50,000 per violation and $1.5 million per calendar year for violations of an identical provision; the amounts are adjusted for inflation annually. HITECH also lets state attorneys general sue on behalf of their residents for up to $100 per violation, capped at $25,000 per year for identical violations, plus costs. HIPAA itself gives patients no private right of action, but state privacy, negligence, and consumer-protection laws often do, so affected individuals can still bring separate suits against CEs and BAs.

The gravity of protecting PHI is underscored by HIPAA's criminal provisions: OCR refers cases of knowing misuse of PHI to the Department of Justice, which can prosecute CEs, BAs, and their individual employees. The top tier, for offenses committed with intent to sell or use PHI for commercial advantage, personal gain, or malicious harm, carries fines of up to $250,000 and up to ten years of imprisonment.

HIPAA requires workforce training on privacy policies and on security awareness, with periodic security reminders; annual refresher training, delivered formally and documented, is the accepted way to meet that requirement, and OCR treats missing training records as a violation in its own right. Note that a healthcare provider becomes a CE only if it transmits health information electronically in connection with a HIPAA standard transaction, such as electronic claims or eligibility checks. A paper-only dental office that never does so falls outside HIPAA, but almost every practice bills electronically or through a clearinghouse, and state law usually imposes comparable duties. The rules therefore set the general standard for privacy rights and PHI security, making it imperative for all healthcare providers to implement HIPAA standards to protect both patient rights and their own interests.


Quiz For HIPAA

What does HIPAA stand for?

The HIPAA Privacy Rule allows for unlimited access to patient health information without their consent.

Which of the following is a "covered entity" under HIPAA?

What is the primary purpose of the HIPAA Security Rule?

Business Associates (BAs) are not required to comply with HIPAA regulations.

Which of the following actions is NOT considered a HIPAA violation?

What does the HIPAA Breach Notification Rule require covered entities to do?

Which of the following is considered a “required” security measure under HIPAA?

What is the maximum penalty per violation for noncompliance under the HITECH Act?

Which of the following are considered “best practices” for creating secure passwords? (Select all that apply)
