HIPAA is the acronym for Health Insurance Portability and Accountability Act Act that makes it mandatory for healthcare facilities in the US to take steps to ensure the protection and integrity of patient data, called the Protected Health Information (PHI). PHI is any information found in an individual’s medical record which was recorded or used during the healthcare process that can be used to personally identify that individual.
When a healthcare facility outsources a service, that means sharing confidential data at some point or another. This makes it crucial that the service provider be HIPAA compliant as well so that the partnership can ensure data security and safety. At UControlBilling we know the perils of data breaches and the importance of safeguarding personally identifiable information, by staying HIPAA compliant.
What is HIPAA Law?
The Health Insurance Portability and Accountability Act defines the rules and standards to protect patient data from being misused. According to the act, organizations that process Protected Health Information are required to have physical, technical, and administrative safeguards in place to be HIPAA compliant.
There are generally two kinds of groups that need to meet HIPAA compliance: first, the covered entities that are providing payment, operations, and treatment in the healthcare sector and secondly the business associates who provide support in the operations and have access to the patient information. Any other party, such as third-party service providers and subcontractors who have access to patient information are also liable to follow the guidelines set forth by HIPAA.
The Health Insurance Portability and Accountability Act was formally signed in 1996, accepted by the U.S Congress under President Bill Clinton. The purpose was to improve the accountability and portability of the medical insurance and billing process when Protected Health Information was involved. HIPAA also aimed to eradicate fraud, waste, and abuse in health insurance and to streamline all the processes involved. Below is a short timeline depicting how HIPAA has evolved over the years:
1998: HIPAA Security rule was proposed to provide better protection of patient information that was shared among health providers and other involved entities. It was not until 2005 that the Security rule went into effect.
1999: The HHS proposed the HIPAA Privacy rule that describes the standards to maintain integrity when it came to private health information and also specified the data which was covered by the law. The Privacy Rule also gave people the right to access their own collected personally identifiable data. The rule was implemented in 2003.
2005: In order to make entities comply with the Privacy and Security rules, the HHS introduced the Enforcement Law.
2009: The Breach Notification Rule came into effect which presented disclosure notification rules in case an entity’s system gets hacked.
2013: The HIPAA Omnibus Rule was issued that made some minor changes in the existing rules and extended to include business associates in covered entities.
What are the HIPAA Rules?
HIPAA consists of a number of rules which we mentioned briefly in the previous section. The rules have been introduced periodically in the 20+ years since the HIPAA was enacted. Following are the major ones that you should be aware of:
HIPAA Privacy Rule: The Privacy rule applies only to covered entities and excludes the business associates. The rule describes standards for patients’ rights for Protected Health Information, as well as the contents of Use and Disclosure of the information.
HIPAA Security Rule: The Security rule was introduced to set the standards to make secure the handling, transferring and maintenance of ePHI. Since ePHI can be shared with business associates, the Security rule applies to both covered entities and business associates.
HIPAA Omnibus Rule: The Omnibus rule further adds to the HIPAA regulation to include business associates as well as the covered entities. It mandates that business associates must be HIPAA compliant before there is any sharing of PHI or ePHI.
What is HIPAA Compliance?
The HIPAA regulation sets forth national standards that all business associates and covered entities are liable to. These include:
Policies and Procedures: Business associates and covered entities should develop set of procedures and policies that correspond to the standards set by the HIPAA rules. These policies should be implemented throughout the organization and should be updated regularly to reflect changes in the organization.
Staff Training: To create awareness among the employees and to keep them updated on the HIPAA compliant policies and procedures, it is necessary for organizations to arrange trainings on the subject at least once a year.
Self-Audits: As per HIPAA requirements, business associates and covered entities should conduct annual audits to identify the possible gaps that the organization may have in compliance with HIPAA standards.
Remediation Plans: After the organization identifies the gaps and risks through self-audits, they must implement remediation plans to reverse compliance violations. These remediation plans must be fully documented and include calendar dates by which gaps will be remedied.
Documentation: It is essential that organizations document each and every step that they have taken on the journey to become HIPAA compliant, to serve as a proof of the efforts in case of a HIPAA investigation.
What is a HIPAA Violation?
Under the HIPAA Privacy Rule, falling victim to a healthcare data breach, as well as failing to give patients access to their PHI, could result in a fine from OCR.
Privacy rule penalties vary depending on the severity of the infraction. They are split into four categories:
1. Unknowingly violating HIPAA is $100 per violation, with an annual maximum of $25,000 for repeat violations.
2. Reasonable cause for violating HIPAA is $1,000 per violation, with an annual maximum of $100,000 for repeat violations.
3. Willful neglect of HIPAA, but the violation is corrected within a given time period, is $10,000 per violation, with an annual maximum of $250,000 for repeat violations.
4. Willful neglect of HIPAA, and the violation remains uncorrected, is $50,000 per violation, with an annual maximum of $1.5 million for repeat violations.
Covered entities and individuals who intentionally obtain or disclose PHI in violation of the HIPAA Privacy Rule can be fined up to $50,000 and receive up to one year in prison. If the HIPAA Privacy Rule is violated under false pretenses, the penalties can be increased to a $100,000 fine and up to 10 years in prison.
Organizations can lower their risk of regulatory action through HIPAA compliance training programs. OCR offers guidance through educational programs on complying with privacy and security rules. A number of consultancies and training groups offer programs as well. Healthcare providers may also choose to create their own training programs, which often encompass each organization’s current HIPAA privacy and security policies, the HITECH Act, mobile device management (MDM) processes, and other applicable guidelines.
While there is no official HIPAA compliance certification program, training companies offer certification credentials to indicate an understanding of the guidelines and regulations specified by the act.