Overview of the Health Insurance Portability and Accountability Act of 1996 - Module 1 of 5
Module 1: Overview of the Health Insurance Portability and Accountability Act of 1996
In 1996, President Bill Clinton signed into law
the Health Insurance Portability and Accountability Act, known as HIPAA. HIPAA
regulates the privacy and security of health information in the United States.
Congress passed HIPAA with several goals in mind.
First, it sought to ensure that an
employee can keep her health insurance coverage when changing employment. Second, HIPAA was meant to control healthcare
costs by preventing healthcare provider fraud and abuse, such as billing
for services not provided or duplicate billing. The National Health Care Anti-Fraud Association
estimates that as much as 10 percent of total healthcare costs are lost to
fraudulent and abusive practices by healthcare providers, amounting to $230
billion annually.[1] Congress also found that the burden of
paperwork associated with medical records increased the costs of medical care.[2] The bill therefore sought to control
healthcare costs in a variety of ways.
In this module, we will explore
HIPAA and present an overview of the law by defining key terms and rules such
as the Privacy Rule, Security Rule, Enforcement Rule and Omnibus Rule.
The Privacy Rule
The Department of Health and Human
Services is the agency responsible for implementing HIPAA. Not only has the HHS adopted national standards for electronic
healthcare transactions and code sets, unique health identifiers, and security,
it has also adopted the Privacy Rule, also known as the Standards
for Privacy of Individually Identifiable Health Information, which provides national standards for the
protection of certain health information.[3]
The Privacy Rule balances privacy
against the need for the free exchange of health information necessary for
providing high quality healthcare. For
example, several different entities may process a person’s health insurance
claim after he receives medical care, including the medical professional and
the patient’s insurance company. The claimant’s private information, such as
his health history, vitals, and other medical information passes through
numerous hands and there’s always a possibility that this data could be
compromised.
The Privacy Rule applies to “covered entities,” which are health plans, healthcare clearinghouses, and any healthcare provider who transmits health information in electronic form in connection with a transaction for which HHS has adopted a standard.[4]
A health plan is defined as an individual or group plan that provides, or pays the cost of, medical care.[5] It can be employer-sponsored, government-sponsored, or a multi-employer group health plan, and it may cover services beyond general medical care, including dental, vision, and prescription drug coverage.
A healthcare clearinghouse processes nonstandard health information it receives from another entity into standard data elements or a standard transaction, or converts standard transactions back into nonstandard content for the receiver. Examples include billing services companies, repricing companies, community health management information systems, and value-added networks that give healthcare providers secure ways to send and share data with counterparts.
The Privacy Rule applies to most healthcare providers. Every healthcare provider, regardless of size, that electronically transmits health information in connection with certain standard transactions, such as claims, eligibility inquiries and referral authorizations, is a covered entity. Since health information is nearly always transmitted electronically, the Rule applies to nearly every physician, dentist, nurse, pharmacist, and psychologist, and nearly every hospital, laboratory, and pharmacy, in the United States.[6]
The Privacy Rule protects most patient information from disclosure, including:[7]
· demographic and other information relating to an individual’s past, present, or future physical or mental health or condition;
· information about the past, present, or future payment for the provision of healthcare to the individual;
· information traceable to a patient through one or more of 18 identifiers, including name, date of birth, admission date, discharge date, date of death, address, telephone number, email address, full-face photograph, Social Security number, medical record number, and device identifiers and serial numbers; and
· genetic health information.
Despite its broad reach, the Privacy Rule excludes certain employment records from classification as protected health information: health information in employment records that a covered entity maintains in its capacity as an employer is not protected health information under HIPAA. For example, drug screening test results are protected health information when the provider administers the test to the employee, but they lose that status when the employee signs an authorization allowing the provider to give the results to the employer for placement in the employee’s employment record. The same is true of fitness for duty exams: the results are protected health information in the provider’s hands, and lose that protection when they are turned over to the employer with the employee’s consent.[8] In other words, the same test result can be protected health information while the provider holds it and an unprotected employment record once the employer holds it.
A “business associate” of a covered entity must also comply with the Privacy Rule when a covered entity engages it to perform functions or activities that involve the use or disclosure of protected health information. For example, a third-party administrator that assists a health plan with processing claims, or an accounting firm whose services to healthcare providers involve access to protected health information, is subject to the regulations.
The Health Information Technology
for Economic and Clinical Health Act
In 2009, Congress passed the Health Information Technology for Economic and Clinical Health Act, or HITECH, which significantly increased the number of entities subject to HIPAA and made business associates directly liable for compliance with the Security Rule and with the Privacy Rule provisions that apply to them. HITECH, as implemented by the 2013 Omnibus Rule, also expanded HIPAA’s definition of “business associate” to include any subcontractor that creates, receives, maintains, or transmits protected health information on behalf of a business associate.[9]
Examples of business associates that have gained importance in the last few years are cloud services providers such as IBM Cloud, Rackspace, and GoDaddy, which store or transmit patients’ health information on behalf of covered entities. A cloud services provider that creates, receives, maintains, or transmits protected health information for a covered entity or another business associate is itself a business associate and must enter into a written contract, called a business associate agreement, to ensure Privacy and Security Rule compliance; this holds even when the provider stores only encrypted data and does not hold the decryption key.[10] The agreements spell out that any agent or subcontractor that receives protected health information from the business associate must also protect the information.[11]
The Privacy Rule covers many organizations and people, but it does not bar cooperation with law enforcement, such as police or prosecutors; it permits disclosures to law enforcement in specified circumstances.[12] For example, a provider giving emergency care away from its premises, such as an EMS professional, who has medical evidence that the person he treated may have committed a crime may alert an investigating police officer to the commission and nature of the crime, its location, and the identity of the suspected perpetrator without violating the Privacy Rule.
Several types of entities are not covered by the Privacy Rule. First, an employer-sponsored group health plan with fewer than 50 participants that is administered solely by the employer that established it is not a covered entity. Second, a government-funded program, such as a community health center program, whose principal activity is directly providing healthcare, or making grants to fund the direct provision of healthcare, is not a health plan under the regulations (although a provider within such a program remains a covered entity if it conducts standard transactions electronically). Third, certain insurance entities, including those providing only workers’ compensation, automobile insurance, and property and casualty insurance, are not required to comply with the Privacy Rule.
Special rules exist for health information when a public school is a student’s healthcare provider. Health records that a school receiving Department of Education funding maintains on its students are “education records” under the Family Educational Rights and Privacy Act of 1974, and the Privacy Rule expressly excludes education records from the definition of protected health information. FERPA is the primary federal law governing public school records and it protects the privacy of student education records.
Because FERPA classifies a public school’s student health records as education records and not health records, the HIPAA Privacy Rule does not govern them, even where a school nurse or other school-employed provider bills a government program such as Medicaid for services provided to a student. A school that transmits such claims electronically is a covered entity for purposes of HIPAA’s transaction standards, but the records themselves remain FERPA education records. The school must therefore comply with FERPA’s privacy requirements for education records, including the requirement to obtain parental consent before disclosing records to Medicaid for billing.[13] Private and religious elementary and secondary schools that receive no Department of Education funding are not subject to FERPA; their student health records fall under HIPAA only if the school itself meets the definition of a covered entity, for example because it electronically bills a health plan for care its nurse provides.
The Privacy Rule also addresses the creation and use of de-identified health information, which falls outside the scope of federal regulation.[14] De-identified medical information, which is health data stripped of identifiers such as the patient’s name, telephone number, email address, Social Security number and medical record number, is integral to certain types of research and comparative medical studies.[15] The Rule recognizes two ways to de-identify data: the Safe Harbor method, which removes all 18 listed identifier classes for the individual and for relatives, employers and household members, and requires that the covered entity have no actual knowledge that the remaining information could identify the individual; and the Expert Determination method, under which a qualified expert documents that the risk of re-identification is very small. Once information is de-identified by either method, the Privacy Rule places no restrictions on its use or disclosure, including for research.[16] A covered entity may retain a code for later re-identification, but only if the code is not derived from information about the individual and is not disclosed.
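The Safe Harbor method described above and the list of identifiers earlier in this module are rules a practitioner usually ends up implementing in code. The following is an added Python example, not code from the original module, that applies the Safe Harbor rules to a single patient record. It goes beyond the page’s identifier list by applying the regulation’s generalizations as well: dates reduced to the year, ages over 89 collapsed to “90+” (with the birth year dropped, since a year alone would reveal such an age), and ZIP codes truncated to three digits, with sparsely populated prefixes zeroed. The field names, the sample record and the set of small-population ZIP prefixes are constructed assumptions, not values from the page or from HHS guidance.

```python
"""Illustrative Safe Harbor de-identification of a single record.

Added example, not from the original module. The record schema, the
sample data and the SMALL_ZIP3 set are constructed for illustration.
"""
import re
from datetime import date

# Direct identifiers that Safe Harbor requires to be removed outright.
# These field names are an assumption about the input schema.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo",
}
# Geographic subdivisions smaller than a state; only the state survives.
GEO_FIELDS = {"street", "city", "county", "precinct"}
# Dates directly related to the individual; only the year may remain.
DATE_FIELDS = {"dob", "admitted", "discharged", "deceased"}

# Three-digit ZIP prefixes covering 20,000 people or fewer must become "000".
# PLACEHOLDER set: the authoritative list comes from current census data.
SMALL_ZIP3 = {"036", "059", "102", "203"}

# Heuristic backstop for narrative fields: substrings shaped like SSNs,
# phone numbers or e-mail addresses. This does not by itself satisfy Safe
# Harbor, which also demands no actual knowledge of residual identifiability.
FREE_TEXT_PATTERNS = [
    (re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"), "[SSN]"),
    (re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}(?!\d)"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
]

AS_OF = date(2024, 1, 1)  # reference date for computing age


def _age_on(dob: date, as_of: date) -> int:
    """Whole years elapsed between dob and as_of."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits, or '000' for sparsely populated prefixes."""
    prefix = zip_code.strip()[:3]
    return "000" if prefix in SMALL_ZIP3 else prefix


def scrub_free_text(text: str) -> str:
    """Replace identifier-like substrings in narrative fields."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify_safe_harbor(record: dict, as_of: date) -> dict:
    """Return a new dict with the Safe Harbor identifier classes removed."""
    dob = record.get("dob")
    over_89 = isinstance(dob, date) and _age_on(dob, as_of) > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in GEO_FIELDS:
            continue                      # drop entirely
        if key in DATE_FIELDS:
            if isinstance(value, date) and not (key == "dob" and over_89):
                out[key] = value.year     # year only; no birth year past 89
            continue
        if key == "zip":
            out[key] = generalize_zip(str(value))
        elif key == "age":
            out[key] = "90+" if (over_89 or int(value) > 89) else int(value)
        elif isinstance(value, str):
            out[key] = scrub_free_text(value)
        else:
            out[key] = value
    if over_89:
        out["age"] = "90+"
    return out


# Constructed, fictional sample records.
SAMPLE = {
    "name": "Jane Q. Example", "ssn": "123-45-6789", "mrn": "MRN-0042",
    "email": "jane@example.org", "street": "12 Elm St", "city": "Springfield",
    "state": "IL", "zip": "02134", "dob": date(1931, 3, 14),
    "admitted": date(2023, 5, 2), "diagnosis": "Type 2 diabetes mellitus",
    "notes": "Daughter at (555) 123-4567 requests callback; SSN on file 123-45-6789.",
}
SAMPLE_YOUNG = {"dob": date(1980, 6, 1), "zip": "03601", "state": "NH"}

if __name__ == "__main__":
    for key, value in deidentify_safe_harbor(SAMPLE, AS_OF).items():
        print(f"{key}: {value}")
```

The structured rules are mechanical; the hard part in practice is free text, where the regex pass is only a backstop and a reviewer still has to confirm that nothing left behind (a rare diagnosis, an unusual occupation) identifies the patient. Where that residual risk cannot be ruled out, the Expert Determination method is the appropriate route.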
Another important HIPAA component is the Security Rule, which complements the Privacy Rule. It establishes national standards to protect electronic protected health information, or ePHI. The Security Rule requires a covered entity (and, since HITECH, a business associate) to implement appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI.[17]
Much of the Security Rule focuses on administrative safeguards a covered entity must implement. Examples include conducting a risk analysis and implementing a risk management plan, developing procedures for identifying and responding to security incidents that compromise ePHI, training the workforce, and designating a security official responsible for developing and implementing policies and procedures.
Physical safeguards are physical measures, policies and procedures that protect electronic information systems, equipment and buildings from natural and environmental hazards and unauthorized intrusion.[18] The standards cover facility access controls, workstation use and security, and device and media controls, such as tracking portable media and sanitizing or destroying storage devices before disposal or reuse.
Finally, technical safeguards are the technology, and the policies governing its use, that allow only authorized persons to access ePHI. The standards cover access control (including unique user identification and emergency access), audit controls that record and examine activity in systems containing ePHI, integrity controls that detect improper alteration or destruction, person or entity authentication, and transmission security for ePHI sent over networks. The Rule is technology-neutral: a covered entity must use security measures that allow it to reasonably and appropriately implement the standards, and it determines which specific technologies are reasonable given its size, complexity and risks.[19] Some implementation specifications, such as encryption of ePHI at rest and in transit, are “addressable” rather than required; a covered entity that decides not to implement one must document why and adopt an equivalent alternative where reasonable and appropriate. Addressable does not mean optional.
The Enforcement Rule
The Enforcement Rule component of HIPAA sets out how the Department of Health and Human Services’ Office for Civil Rights administers and enforces the HIPAA standards.[20] It contains provisions relating to compliance and investigations, the imposition of civil monetary penalties for violations, and procedures for hearings. OCR enforces the Privacy, Security and Breach Notification Rules by investigating complaints, conducting compliance reviews, and performing education and outreach to foster compliance.
Under the Enforcement Rule, business associates and their subcontractors are directly liable for HIPAA violations caused by their own noncompliance, as well as for violations by subcontractors acting as their agents. Civil penalties are tiered by culpability: as originally set, they ranged up to $50,000 per violation, capped at $1.5 million per calendar year for all violations of an identical provision, with the highest tier reserved for willful neglect that is not corrected within the required time. These amounts are adjusted annually for inflation, and because each affected record, or each day a failure continues, can count as a separate violation, total exposure grows with the number of people affected and the duration of the noncompliance.[21]
Along with civil penalties, the Office for Civil Rights refers potential criminal violations of HIPAA to the U.S. Department of Justice. A person who knowingly obtains or discloses individually identifiable health information in violation of the statute faces a fine of up to $50,000 and imprisonment of up to one year. Offenses committed under false pretenses carry a fine of up to $100,000 and up to five years’ imprisonment.[22] Finally, offenses committed with the intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm are punishable by a fine of up to $250,000 and imprisonment of up to 10 years. The criminal provision reaches individuals, including employees of a covered entity, not only the entity itself. Short of penalties, the Office for Civil Rights may also resolve a matter by providing technical assistance or by requiring a corrective action plan, such as additional workforce training and monitoring.
When determining penalties, the Office for Civil Rights evaluates how long a violation persisted, the number of people affected, the nature of the protected health information exposed, and the covered entity’s willingness (or unwillingness) to assist with the investigation. In one matter, for example, OCR required a 12-physician pediatric and adult dermatology practice group to pay $150,000 and implement a corrective action plan after an unencrypted flash drive containing protected health information was lost. Because the loss affected many patients and the drive held Social Security numbers and payment information, the penalty fell on the higher end of the scale. The lesson for practitioners is that encrypting portable media in line with the HHS guidance on securing protected health information would have rendered the data “secured,” so its loss would not have been a reportable breach at all.
The 2013 Omnibus Rule and HITECH Act
In 2013, four years after Congress passed the HITECH Act to strengthen privacy and security protections, the Department of Health and Human Services adopted the Omnibus Rule, which implemented HITECH by modifying the HIPAA Privacy, Security, Breach Notification and Enforcement Rules.
The Omnibus Rule set out to accomplish several objectives. First, it replaced the earlier “significant risk of harm” threshold with a presumption that any impermissible use or disclosure of protected health information is a breach unless the covered entity or business associate demonstrates, through a documented risk assessment, a low probability that the information was compromised. The covered entity or business associate carries the burden of showing either that all required notifications were made or that the incident was not a breach, and must retain documentation sufficient to meet that burden.[23] Second, a covered entity still has a safe harbor: an unauthorized disclosure is a reportable breach only if the protected health information involved was unsecured, meaning it had not been rendered unusable, unreadable or indecipherable to unauthorized persons by encryption or destruction as specified in HHS guidance. Finally, the Omnibus Rule expands a patient’s rights by allowing him to request a copy of his medical record in electronic form and by letting him instruct his provider not to share information about a treatment with his health plan when he pays for that service out of pocket in full.[24]
In the next module, we will look more closely at which disclosures are authorized and unauthorized before moving on to enforcement actions for unauthorized disclosures, the interaction between HIPAA and state law, and the medical record retention practices required by federal law.
[5] Kathleen Prasse, “Hippocrates Would Roll Over in His Grave: An Examination of Why Internet Health Care Programs Should Obtain Informed Consent from Their Users,” 42 Creighton L. Rev. 733 (2009).
[12] State v. Carter, 23 So. 3d 798, 800 (Fla. Ct. App. 2009); State v. Straehler, 307 Wis. 2d 360, 745 N.W.2d 431 (2007).
[13] Nicole Oelrich Tupman, “Lessons Learned: The Pea Ridge School District’s Discrimination Against Students with HIV/AIDS Has Rekindled Difficult Issues,” 62 S.D. L. Rev. 306, 331 (2017).
[14] Benjamin Charkow, “The Control Over the De-Identification of Data,” 21 Cardozo Arts & Ent. L.J. 195 (2003).
[17] https://www.skyhighnetworks.com/cloud-security-blog/what-is-hipaa-security-rule-and-privacy-rule/