The United States’ Health Insurance Portability and Accountability Act is touted as one of the most stringent pieces of healthcare legislation in the world. And with good reason. It standardizes best practices for protecting patient information and vests individuals with legal rights to enforce them, making the healthcare industry accountable.
It, therefore, becomes imperative for cloud-hosted businesses with customers who create, use or transmit protected health information to become HIPAA compliant. Noncompliance can lead to penalties, data theft, reputation damage, financial loss, and, worse, a risk to patient safety.
So, if you are looking for ways to navigate the HIPAA maze, this article is a must-read. Read on as we take you through the nuances of why HIPAA is important, what it means to you and how you can comply.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that standardizes the best practices to protect patient data (such as medical records) and other personal health information.
The law applies to healthcare providers, health plans, and healthcare clearinghouses that conduct transactions electronically (referred to as covered entities). HIPAA also applies to business associates, subcontractors, researchers and hybrid entities that perform functions on behalf of HIPAA-covered entities that give them access to protected health information (PHI). PHI is any health information that identifies an individual (such as name, address, and health conditions), and is maintained or exchanged electronically or in hard copy. Such information is protected under HIPAA from being disclosed without the patient’s consent or knowledge.
So, in short, HIPAA mandates health organizations to protect patient information and levies heavy financial penalties for violations.
Interestingly, when HIPAA was introduced in 1996, the intention was to improve the health insurance system and healthcare administration alone. The law has since expanded in scope to include patient privacy, uses and disclosures of health data, and data security to become what it is today – a critical piece of legislation in the healthcare industry.
While HIPAA is regulated by the Department of Health and Human Services (HHS), the Act’s provisions are enforced by the Office for Civil Rights (OCR).
Why is HIPAA important to Patients and Industries?
HIPAA brings a paradigm shift in how the healthcare industry uses, shares and maintains patients’ health information. It vests a number of legally enforceable rights to the patients and stipulates that the covered entities and business associates comply with them.
Patient Rights towards Medical Information
From the patients’ perspective, HIPAA is important because it directs all the covered entities to protect their sensitive information and keep it private and confidential. HIPAA’s Privacy Rule gives patients a host of rights that covered entities must comply with to meet the framework requirements. Here are the four key aspects of HIPAA that make it important for patients.
Right to Access Patient’s Data
Under HIPAA, patients have the legal and enforceable right to ask to see and/or procure a copy of their health records upon request. This right is known as the HIPAA Right of Access.
Individuals can choose how to receive it (on paper or electronically) and can have their medical records sent to an alternate healthcare provider or to designated individuals. The Privacy Rule allows patients to select individuals who are permitted to obtain their health data on their behalf (such as friends, family, or caregivers). If patients need a copy, they must submit their request in writing and pay for the cost of copying and mailing.
Covered entities must comply with patient requests to access their medical records within 30 days or offer a written explanation of their inability to do so. However, they must do so only after verifying the identity of the individual requesting access to PHI and reviewing the information being released.
Right to Make Corrections
HIPAA gives patients the right to amend PHI if they believe their medical records to be inaccurate or incomplete. For instance, if the patient and the hospital agree that the patient file has the wrong result for a test, the hospital must change it. If the hospital does not agree, it must give the patient a written explanation of the reason(s), along with details of how to submit a written statement of disagreement and how to file a complaint with the Secretary of Health and Human Services (HHS).
Patients also have the right to have their disagreements noted in their files. Typically, the covered entity must update the files within 60 days.
There are, however, some circumstances in which covered entities may not be able to comply with such requests:
According to the HHS, designated record sets include medical records, billing records, payment and claims records, health plan enrollment records, case management records, as well as other records used, in whole or in part, by or for a covered entity to make decisions about individuals.
Need to take Patients’ Consent before sharing data with any Third Party
The HIPAA Privacy Rule requires that patients give written authorization before a covered entity may use or disclose their PHI to any third party. For instance, the use and disclosure of genetic information for underwriting purposes, the sale of PHI, and the disclosure of psychotherapy notes all require explicit patient consent.
Covered entities typically seek consent through a HIPAA release form, a copy of which is shared with the patient after the signatures are collected. They must obtain patient consent or allow patients to object to their information being released or shared. However, covered entities need not obtain consent for the purposes of standard treatment, healthcare operations, and patient payment plans.
Right to File a Complaint if Data is Misused or Shared without Consent
HIPAA also allows patients to file complaints if their data is misused or shared without consent, or if there is contention regarding a violation of patient rights by the covered entities or their business associate(s).
Patients have the right to file a complaint with the OCR. OCR then investigates complaints against covered entities and their business associates.
According to HHS, complaints must:
- Be filed in writing by mail, fax, e-mail, or via the OCR Complaint Portal
- Name the covered entity or business associate involved, and describe the acts or omissions believed to be in violation of the HIPAA Rules
- Be filed within 180 days of the complainant knowing that the act or omission complained of occurred. OCR may extend the 180 days if you can show ‘good cause’
To further protect patient rights, HIPAA prohibits the covered entity from retaliating against the patients for filing complaints.
HIPAA and Industry Rights
HIPAA has streamlined administrative functions within the healthcare industry to ensure the security of vital health information. With the risks of noncompliance by way of sanctions, and the looming loss of trust to reckon with, healthcare providers and their partners must take the necessary steps to ensure the security and privacy of PHI to remain compliant.
Covered entities and business associates must follow HIPAA security and privacy rules and prove that they’ve been proactive about preventing violations by creating privacy and security policies. Note that these policies must be documented, communicated to staff, and updated regularly.
Training the Employees
Healthcare entities must train their staff on HIPAA policies during orientation and at least once a year. Staff must attest (in writing) that they have understood all HIPAA policies and procedures. Organizations must ensure that the training content is regularly updated.
Informing Patients of their Rights
Organizations must also create and share a Notice of Privacy Practices (NPP) that outlines their privacy policies, how PHI is handled, and notify patients of their right to access their medical records. This form must be made available for the patients to review and sign.
Assigning the Responsibility of Data Security
HIPAA’s Security Rule requires covered entities to designate a Privacy Compliance Officer. This person is responsible for overseeing the drafting of privacy policies, ensuring their implementation and their annual update. The HIPAA Privacy Officer must also maintain NPPs.
Covered entities must also designate a HIPAA Security Officer to establish policies and procedures that prevent and detect ePHI data breaches, protect the information, and respond to breaches, and to ensure those policies are followed. The Security Officer must also conduct risk assessments to ascertain the effectiveness of these measures.
Securing the Medical Records of Patients
The HIPAA Security Rule requires three kinds of safeguards (administrative, physical, and technical) to ensure holistic protection of patients’ PHI.
This entails organizations documenting their security management process, analyzing risks to ePHI and implementing security measures to mitigate the risks. Staff training, implementation of Information Access Management to control access to health records, and contingency response plans to emergencies are some of the other measures.
Organizations must be able to control who has access to the physical facilities where ePHI is stored. They must also secure all workstations and devices that store or transmit ePHI. These physical safeguards cover access to the facilities and equipment used for ePHI storage, such as offices and computer systems.
Some examples include facility access controls, workstation security measures (such as privacy filters, cable locks), and policies for access and use of workstations.
Organizations must also implement technical safeguards: the hardware, software, and other technology that limit access to ePHI.
Examples include access controls to secure information in electronic health record (EHR) systems and other databases, integrity controls to prevent improper alteration or deletion of ePHI, audit controls for all hardware and software that manage or transmit ePHI, and encryption of data at rest and in transit.
Limiting the Disclosure of Information
The Privacy Rule centres on the principle of ‘minimum necessary’ use and disclosure. This limits the disclosure of patient information to the minimum needed to serve the intended purpose. In practice, covered entities must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended outcome.
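The technical safeguards listed above (access controls, integrity controls, audit controls) and the ‘minimum necessary’ principle are easiest to understand when they meet in one piece of code. The following is an added illustration, not code from the original article or from Sprinto’s platform: a small PHI access layer that checks whether a role may assert a purpose, releases only the fields a policy table marks as necessary for that purpose, and records every attempt (granted or denied) in a hash-chained audit log whose integrity can be verified later. The patient record, the role and purpose tables, and the field sets are constructed placeholders for the example and are assumptions about how an organization might encode its own policy, not requirements taken from the HIPAA text.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample record; no real patient data. In a real system this would
# come from the EHR database, ideally encrypted at rest.
RECORDS = {
    "pt-001": {
        "name": "Jane Example",
        "address": "1 Placeholder Street",
        "dob": "1980-01-01",
        "diagnoses": ["hypertension"],
        "psychotherapy_notes": "constructed placeholder note",
        "billing_balance": 120.50,
    }
}

# Assumed 'minimum necessary' policy: which fields each purpose may see.
MINIMUM_NECESSARY = {
    "treatment": {"name", "dob", "diagnoses"},
    "billing": {"name", "address", "billing_balance"},
}

# Assumed access-control policy: which purposes each role may assert.
ROLE_PURPOSES = {
    "clinician": {"treatment"},
    "billing_clerk": {"billing"},
}


class AuditLog:
    """Append-only audit trail. Each entry's hash covers the previous entry's
    hash, so altering or deleting an earlier entry breaks the chain (an
    integrity control for the audit records themselves)."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev_hash, event):
        body = json.dumps(event, sort_keys=True)
        return hashlib.sha256((prev_hash + body).encode()).hexdigest()

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        self.entries.append({"event": event, "prev": prev, "hash": self._digest(prev, event)})

    def verify(self):
        """Return True only if every link in the chain still matches."""
        prev = "0" * 64
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(prev, entry["event"]) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def access_phi(user, role, purpose, patient_id, audit, records=RECORDS):
    """Apply role check, then minimum-necessary filtering; log every attempt.
    Returns {"granted": bool, "data": dict} so callers never see a full record."""
    event = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "role": role, "purpose": purpose, "patient": patient_id,
    }
    if purpose not in ROLE_PURPOSES.get(role, set()):
        audit.append({**event, "outcome": "denied"})
        return {"granted": False, "data": {}}
    record = records.get(patient_id)
    if record is None:
        audit.append({**event, "outcome": "not_found"})
        return {"granted": False, "data": {}}
    allowed = MINIMUM_NECESSARY[purpose]
    released = {k: v for k, v in record.items() if k in allowed}
    audit.append({**event, "outcome": "granted", "fields": sorted(released)})
    return {"granted": True, "data": released}


if __name__ == "__main__":
    log = AuditLog()
    print(access_phi("dr.smith", "clinician", "treatment", "pt-001", log))
    print(access_phi("clerk1", "billing_clerk", "treatment", "pt-001", log))
    print("audit chain intact:", log.verify())
```

Two design points carry over to real deployments: the denial is logged with the same detail as a grant, because audit controls exist to answer "who tried to look at what" after the fact, not only "who succeeded"; and the psychotherapy notes field never leaves the function for either purpose, which is how the ‘minimum necessary’ principle and the separate consent rule for such notes are enforced in code rather than in a training slide.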
How to protect yourself from breaking HIPAA rules?
The only way to protect yourself from breaking HIPAA rules is to understand the spirit and the letter of the law, and ensure its implementation organization-wide.
Aside from these, some other ways to protect yourself from breaking the HIPAA rules are to:
- Ensure you have written consent from the patient before any use or disclosure of information, except for the permitted exceptions (such as treatment, payment, and others).
- Double-check the authorization requirements before providing information to staff, business associates, and other covered entities.
- Discuss patient information only in designated areas. Make efforts to control the environment to reduce the risk of HIPAA violations.
- Implement technical controls such as access control, password managers, multi-factor authentication, data encryption, and antivirus software.
- Don’t befriend/follow patients or their caregivers on social media.
What Penalties are imposed for not following HIPAA rules?
HIPAA penalties are issued by the offices of HHS and US State Attorneys General. Aside from financial penalties for violations, covered entities must also incorporate a corrective action plan to bring their policies and procedures up to the standards demanded by HIPAA.
A violation occurs when a covered entity or business associate fails to comply with one or more of the provisions of the HIPAA Privacy, Security, or Breach Notification Rules.
Depending on the severity of the violations, the OCR may either resolve them using non-punitive measures (such as issuing technical guidance) or levy appropriate financial penalties. The HIPAA penalty structure is tiered.
Certain violations also attract criminal penalties.
Who doesn’t have to follow the HIPAA rules?
Many organizations possess patient health information but aren’t mandated to follow the HIPAA Privacy and Security Rules. Here are some examples:
- Term & life insurance companies
- Gyms and fitness studios
- Health and mobile fitness applications
- Wearables such as Fitbit
- Law enforcement firms
- State agencies like Child Protective Services
- Certain US government departments
- Workers’ compensation insurance companies
- Providers who don’t have any records in electronic forms, such as some counselors
Find out how Sprinto can get you HIPAA compliant
If you are a cloud-hosted business that collects personally identifiable data of US citizens that may be shared with healthcare professionals, or if your customers create, use or transmit PHI through your services, you are subject to HIPAA compliance. You may need to execute a Business Associate Agreement with selected clients.
Sprinto’s automated compliance platform can help you get HIPAA compliant quickly and error-free. With in-app features to monitor your HIPAA safeguards, manage vendors and business associates with PHI access, and conduct staff training, Sprinto can help you become and stay HIPAA compliant effortlessly.
Talk to us today to learn about how to automate your compliance with HIPAA.
What is the most important part of HIPAA?
The most important part of HIPAA is the protection of the privacy and security of patient health information.
How do you explain HIPAA to a patient?
Why is health information so important?
Health information is important because it can save lives. Also, when stolen, it can lead to identity theft, security breaches, and much more. Case in point: stolen medical records sell for over $1,000 each on the dark web (according to credit rating agency Experian). On the other hand, credit card numbers sell for around $5 each, while Social Security numbers were available for as little as $1 each.
Who needs to follow HIPAA rules?
The HIPAA rules apply to individuals, healthcare organizations, and cloud-hosted companies that meet its definition of a covered entity. HIPAA also applies to business associates, subcontractors, researchers and hybrid entities that perform functions on behalf of HIPAA-covered entities, giving them access to protected health information (PHI).
Does HIPAA apply to everyone?
No, HIPAA doesn’t apply to everyone.