April 15, 2020
A March 3, 2020 press release by the US Department of Health and Human Services (HHS) mentions that Dr. Steven A. Porter's medical practice will have to pay US$100,000 to the Office for Civil Rights (OCR) for HIPAA compliance failure. Dr. Porter, a gastroenterologist based in Utah, also has to take corrective actions to ensure no further HIPAA violation. His practice will remain under monitoring for two years to check his compliance with the corrective action plan. The OCR investigation started after a breach complaint lodged by a business associate of Dr. Porter. The OCR determined that Dr. Porter had not conducted a proper and rigorous risk assessment when the breach was reported. Considerable technical assistance was available to Dr. Porter during the investigation. However, he failed to take advantage of it to execute a thorough risk assessment and incorporate corrective measures during the investigation.
It is imperative that you ensure HIPAA compliance if you have anything to do with healthcare in the U.S. Whether yours is an individual service or a healthcare service delivery organization, you are within the purview of HIPAA. Yours may be a company that has little to do with healthcare apart from offering healthcare plans to employees. Even then, you need to know about HIPAA compliance and implement the necessary measures. The same applies to health insurance agencies. This article will help you fully understand the actions you need to execute for HIPAA compliance with reference to the HIPAA Privacy Rule. It makes poor business sense to end up paying a hefty fine for failing to grasp what a law implies in practical terms.
The origin of HIPAA lies in the 1996 law that allows workers to carry forward their insurance and healthcare rights when they change jobs. HIPAA has since evolved to be a far more comprehensive law.
After the latest amendments in 2013, HIPAA has become a law that impacts the entire healthcare industry in the US. It applies to both individuals and organizations, and on both sides: those who deliver it and those who receive it. HIPAA, thus, has implications for healthcare delivery agencies, individual healthcare professionals, and patients. It also applies to other related agencies such as insurance companies and firms that offer healthcare plans to their employees.
According to the online HIPAA Journal, the main objectives of HIPAA are to:
The two key actionable points for the US government with reference to HIPAA relate to the privacy and security of health information. This law makes the Secretary, HHS, responsible for developing standardized regulations to protect the privacy and security of specific health information.
The Secretary, HHS, has accordingly issued national standards. These are contained in the documents popularly known as the HIPAA Privacy Rule and the HIPAA Security Rule. This article gives a simplified but thorough exposure to what the HIPAA Privacy Rule is all about, with action points clearly listed.
The formal name for the national standards relating to the privacy of health information under HIPAA is: Standards for Privacy of Individually Identifiable Health Information. These are the first standards ever formulated at the national level for protecting the specified health data of individuals.
These standards define the extent to which organizations can use and disclose the "protected health data" of individuals. They draw from the individual right to privacy enshrined in the U.S. Constitution. The standards also assist individuals to understand and control their health information. On the one hand, the free flow of health-related information is necessary for quality healthcare delivery. On the other hand, individuals have a right to privacy. The standards aim to maintain a balance between these two.
The Privacy Rule of HIPAA marks all "individually identifiable health information" as "protected health information" (PHI). PHI includes, but is not limited to, the following:
Employment records preserved by an employer are beyond the scope of PHI. So is educational data as permitted by the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.
No restrictions apply to de-identified health data. Health information that does not in any way identify an individual, nor supply any reasonable basis for identification, qualifies as de-identified.
There are two ways of de-identifying health information. A qualified statistician may determine whether health information is de-identified or not. The other means is to remove particular identifiers of individuals, members of their households, and employers.
HIPAA refers to items, individuals, and organizations within the scope of the Privacy Rule as "covered entities." We provide a list of covered entities below:
Health Plans: individual or group health plans that provide healthcare or pay for it are within the scope of the HIPAA Privacy Rule. Health plans include:
Exceptions to the above:
Healthcare Providers: Any healthcare provider transmitting information electronically about particular transactions is a covered entity. The size of the healthcare-providing institution or individual practice does not matter.
Healthcare providers include organizations like hospitals, and individuals like physicians and other healthcare practitioners. Whether the healthcare provider executes the transactions directly or through a billing service does not make a difference. The HIPAA Transactions Rule lists the types of transactions to which the Privacy Rule applies. Standard transactions include:
Covered entities under HIPAA who transmit any of the above transactions electronically must use an ASC X12N standard form, or the NCPDP standard for specified pharmacy transactions.
Healthcare Clearinghouses: These are agencies that receive non-standardized data from another entity and transform it into the relevant standardized format. The reverse is also true. Clearinghouse functions typically include billing services, community health management information services, and repricing functions. Healthcare clearinghouses become covered entities if they handle PHI.
Business Associates: A business associate is an individual or an organization that is not on the payroll of a covered entity, but performs certain functions for a covered entity; an agency helping a healthcare provider to gain accreditation, for example. A business associate becomes a covered entity only if the services they provide expose them to any PHI item. In such a situation, the covered entity needs to include non-disclosure clauses in its contract with the business associate.
The basic principle guiding the HIPAA Privacy Rule is to enable an individual to have control over the use and disclosure of PHI by a covered entity. A covered entity may disclose or use information not covered under PHI.
A covered entity may disclose or use any PHI item only if the concerned individual has expressed consent in writing. However, the HIPAA Privacy Rule defines two situations where a covered entity is required to disclose PHI.
If an individual or their authorized representative asks for access to any PHI item, a covered entity is required to facilitate such access. A covered entity is also required to disclose PHI when the HHS needs such access to investigate compliance or review enforcement. When law enforcement or a judicial inquiry needs PHI disclosure, a covered entity has to abide by that. A covered entity also has to disclose PHI to facilitate legal proceedings for victims of abuse and trauma. You may have reasonable grounds to believe in certain situations that non-disclosure of PHI may lead to serious harm to an individual, the patient included, or to the public. You are then obligated to disclose it to the relevant authority.
The HIPAA Privacy Rule also lays down situations where a covered entity may disclose and use PHI. Such situations do not obligate a covered entity to disclose, as in the case of the above two required situations.
A covered entity has permission to reveal PHI to the individual whose PHI it is. A covered entity also has permission to disclose and use PHI for treatment, payment, and healthcare operations.
When more than one healthcare provider needs to consult for the effective treatment of an individual, a covered entity may disclose and use PHI. The same applies when a covered entity needs to refer a patient to another covered entity. A covered entity has permission to disclose and use PHI for claiming reimbursement for treatment carried out under a health plan. The same applies when PHI use is necessary for premium payment, or to determine the full scope of insurance coverage and its benefits.
Healthcare operations in this context refer to the following:
PHI disclosure and use need written consent from the patient unless it is a medical emergency where the patient lacks the capacity to give consent. An individual has the full right to object to the disclosure and use of PHI.
Exceptions to obtaining written consent are as follows:
A personal representative, such as a legal representative authorized by an individual, is treated as equal to the authorizing individual. A covered entity has to allow the representative all rights granted to an individual user under the HIPAA Privacy Rule.
For minors, all rights granted to an individual user transfer to the minor's parents, or to the legal guardian if the parents are deceased or unable to act.
Penalty For Non-Compliance
The Office for Civil Rights (OCR), HHS, is responsible for enforcing HIPAA Privacy Rule compliance. The OCR is also responsible for reviewing compliance and addressing complaints of non-compliance by conducting investigations.
All covered entities should have implemented all the standards required by the Privacy Rule no later than April 14, 2003. Only small health plans had an extension up to April 14, 2004, for compliance.
Hopefully, therefore, if you are a covered entity reading this piece, you have everything in place already. In case you've identified any gap, address that immediately. Non-compliance may attract monetary fines.
The OCR has the right to levy civil money penalties as detailed below:
If the violation was not due to willful neglect and was addressed within 30 days of receiving the complaint, there will be no penalty. The OCR has sole discretion in determining whether the violation was due to willful neglect. The OCR must submit a notice to the covered entity about its intention to levy a monetary penalty. The covered entity has the right, within 30 days of receiving the notice, to submit written evidence that may lessen or cancel the penalty. A covered entity may also request an administrative hearing.
If the Privacy Rule violation happens not because of willful neglect but due to deliberate action, it will attract criminal penalties. The U.S. Department of Justice is responsible for conducting all criminal proceedings for Privacy Rule violations.
The penalty details are as listed below:
If you are a covered entity reading this piece, double-check your privacy compliance arrangements. Celebrate if you are sure there is no gap anywhere.
Celebrate also if you are an individual user of healthcare services. Now you know exactly what your rights are under the HIPAA Privacy Rule!