As the healthcare system relies ever more on digital systems, patient data shared across healthcare providers, insurers, and clearinghouses has become more vulnerable to leakage. This data changes hands during every hospital visit or insurance claim. It includes personal information such as diagnoses, payment records, and insurance details, collectively known as protected health information (PHI). PHI is vital for proper and effective medical care, but, precisely because of its value, it can also be misused, threatening patient safety and trust. HIPAA was enacted to safeguard this data while still enabling quality care.
The HIPAA Privacy Rule handles such risks by outlining conditions for using and disclosing PHI. It balances the necessary flow of PHI with patient privacy. This rule is just one of the many legislative efforts to protect patient data under HIPAA in the USA. In order to understand it fully, let’s take a closer look at HIPAA first.
HIPAA in Brief
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law passed by the U.S. Congress in 1996. Its main purpose was to set strong rules for keeping patients’ medical and personal details private and secure. HIPAA also gave employees a way to hold on to their health insurance when changing jobs and pushed healthcare organizations toward more efficient, digital systems.
Since its introduction, HIPAA has been updated several times to match the fast-changing healthcare landscape. Over the years, these revisions have brought in some major changes, such as:
- The HIPAA Privacy Rule governs how protected health information is used and disclosed.
- The Security Rule helps protect the electronic protected health information (ePHI) of patients.
- The HITECH Act promotes the use of electronic health records (EHR) by covered entities and mandates breach notification.
- The Omnibus Rule expands patients’ privacy rights to access and extends HIPAA obligations to business associates.
Among these changes, the Privacy Rule became the foundation for safeguarding patient privacy.
What is the HIPAA Privacy Rule?
The HIPAA Privacy Rule sets standards for how individuals’ protected health information (PHI) can be utilized. It sets clear rules on when the information can be shared and the measures organizations must put in place to keep it safe. All covered entities, which include health plans, healthcare providers, and healthcare clearinghouses, must abide by this rule. This also includes their business associates, who use PHI on their behalf.
The protected health information covered under this rule includes:
- All demographic data
- Identifying details such as name, address, social security number, etc.
- Information about an individual’s physical or mental health
- Records of medical treatment and health services received
- Details of all payments made or to be made for those healthcare services
The Privacy Rule does not apply to de-identified health information. It applies only to data that either directly identifies an individual or can reasonably be used to identify them. The Rule further includes:
- Protection of sensitive individual health information from unauthorized use and disclosure.
- Requirements for how PHI must be handled, stored, and shared by covered entities and their associates.
- Rights for individuals to be in charge of their personal health information, including the right to request access, the right to request amendment, etc.
- A requirement for transparent practices: healthcare providers must inform individuals how their data will be used.
General Principles for PHI Usage and Disclosure
A covered entity is free to use and disclose information that is not PHI. For PHI, however, covered entities must follow certain principles. They must make efforts to limit the use and disclosure of PHI as far as possible, and PHI should only be used and disclosed for legitimate purposes. This keeps PHI confidential and secure. The Privacy Rule outlines three categories: required disclosures, permitted disclosures (without individual consent), and disclosures that require the individual's written authorization.
Required Disclosures
There are only two cases in which a covered entity is required to disclose PHI:
- To the individual: Covered entities must share PHI with the person it belongs to (or their authorized representative) if they ask for access or a record of how their information has been shared.
- To the HHS (US Department of Health & Human Services): Covered entities are also required to provide PHI to the HHS if it's needed for a compliance review, audit, or enforcement action.
Permitted Uses & PHI Disclosures
A covered entity is not required to, but is permitted to, use and disclose PHI in the following cases:
- To the Individual to whom the PHI belongs: A covered entity may disclose PHI to the concerned individual in situations other than the required cases above (a request for access or an accounting of disclosures).
- For Treatment, Healthcare Operations and Payment Processes: A covered entity may disclose the PHI to health care providers for treatment of the concerned individual and payment activities. A covered entity can also disclose PHI to another covered entity for specific health operations, like quality checks and fraud prevention. This is only allowed if the information concerns the individual with whom both entities are dealing.
- Public Interest and Benefit Activities: A covered entity may disclose PHI to legal public authorities, FDA-regulated entities, employers, and to notify individuals who may have been exposed to a communicable disease, as authorized by law. The PHI may also be disclosed for organ donation, research purposes, essential government functions, etc.
- Limited Data Sets: A limited data set is PHI from which specific identifiers have been removed. It may not contain any information that reveals the identity of the individual, his/her family members, or their employer. This data can then be used for research, public benefit, etc., but only when the recipient signs a data use agreement.
Authorized Disclosures
A covered entity is required to get written permission from the individual for the following PHI disclosures and uses:
- Psychotherapy Notes: A covered entity needs the written permission of the individual to use or disclose psychotherapy notes, except in cases such as their use for treatment purposes, for the covered entity’s own training, for its own defense in a legal case, or for disclosure to HHS to measure the covered entity’s compliance, etc.
- Marketing: A covered entity needs written permission from the individual to use and disclose PHI for marketing activities. Exceptions include face-to-face marketing conversations between a covered entity and an individual, or the distribution of low-value promotional items by the covered entity.
Once the general principles for uses and disclosures are understood, covered entities can take steps to ensure that they comply with the Privacy Rule in practice.
Ensuring Privacy Rule Compliance: A Checklist for Covered Entities
The Privacy Rule applies to all kinds of covered entities, whether small clinics or large health insurance companies. The rule offers flexibility to help covered entities adopt safeguards that fit them best according to their size and resources.
The following are the main administrative requirements under this rule for organizational compliance:
- Privacy Policies and Procedures: A covered entity must develop and enforce its own written internal privacy policies along with necessary procedures that align with the Privacy Rule.
- Privacy Personnel: Each covered entity must designate a privacy officer for developing and implementing its privacy policies and procedures. Additionally, a contact person or office must be assigned to handle complaints and respond to individual enquiries regarding privacy practices.
- Workforce Training: The whole workforce, including employees, volunteers, trainees, and others whose actions are directly overseen by the covered entity, should be trained regarding the entity’s privacy policy and procedures. Due action must also be taken against workforce members who violate the covered entity’s privacy policies and procedures.
- Risk Mitigation: A covered entity must ensure that it takes necessary precautions to mitigate potential risks. It must also take reasonable steps to reduce or address the impact of any harm resulting from improper use and disclosure of PHI by the staff or business associates.
- Data Protection: A HIPAA-covered entity must implement administrative, physical, and technical safety measures in order to protect PHI. These measures help ensure the protection of data against unauthorized access that can lead to data breaches. These measures include, but are not limited to, restricting access to files, ensuring irretrievability of deleted PHI using data wiping solutions that follow NIST media sanitization guidelines, shredding documents before disposal, etc.
- Notice of Privacy Practices (NPP): Every covered entity is required to explain its uses and disclosure practices, along with individual rights, in its Notice of Privacy Practices. This must be written in plain language and provided to every concerned individual.
- Non-Retaliation and Waiver Protections: Every covered entity must respect the individual rights set out in the Privacy Rule. It must not retaliate when individuals exercise their rights, participate in investigations conducted by the HHS or legal authorities, or challenge practices believed to violate the Privacy Rule. Nor may the entity ask individuals to waive any of their rights as a condition of receiving treatment, eligibility for benefits, and/or payment.
- Maintaining Records and Documentation: Organizations under the ambit of HIPAA must retain their privacy policies, procedures, notices of privacy practices, etc., for at least six years from the date they were created or last updated.
Penalties for Non-Compliance with the HIPAA Privacy Rule
All covered entities in the USA must comply with the rule to continue their operations. Non-compliance with it can invite serious legal and financial trouble. Fines and even criminal charges can be levied by the Office of Civil Rights (OCR), depending on which type of violation has occurred.
The OCR has the right to levy civil penalties as detailed below:
- A tier 1 penalty is levied when the covered entity was unaware of and did not have reasonable knowledge of the violation. Tier 1 penalties range from $100 to $50,000 per violation, with an annual cap of $25,000.
- A tier 2 penalty is imposed when the violation was due to reasonable cause and not to willful neglect. The penalty ranges from $1,000 to $50,000 per violation and has an annual maximum of $100,000.
- A tier 3 penalty is imposed for a violation due to willful neglect that was corrected within 30 days. The penalty ranges from $10,000 to $50,000 per violation and has an annual cap of $250,000.
- A tier 4 penalty is the heaviest. It is levied when the violation was due to willful neglect and was not corrected within 30 days. The penalty is $50,000 per violation, with an annual maximum of $1,500,000.
If the violation was not due to willful neglect and was corrected within 30 days of the entity becoming aware of it (unless an extension is granted by the OCR), no civil penalty may be imposed.
The OCR can also impose criminal penalties as detailed below:
- Basic Violations: If the violation is committed knowingly, the criminal penalty can include 1 year of imprisonment along with a fine of up to $50,000.
- Under False Pretenses: If someone obtains PHI deceitfully, for example by pretending to be someone else, the penalty can go up to 5 years in prison and a fine of up to $100,000.
- Personal Gain or Malicious Harm: If the PHI is accessed or shared to commit fraud, make a profit, or cause harm, an imprisonment of 10 years is imposed along with a fine of up to $250,000.
Conclusion
The healthcare system has become extremely data-driven. That shift also casts ominous shadows over the many individuals whose privacy is at stake. The HIPAA Privacy Rule safeguards the sensitive healthcare data of individuals. It has served as a legal guide for handling PHI and gives individuals greater control over their private data.