The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Kennedy–Kassebaum Act, or Kassebaum–Kennedy Act) consists of 5 Titles.
- Title I: Protects health insurance coverage for workers and their families who change or lose their jobs. It limits new health plans' ability to deny coverage due to a pre-existing condition.
- Title II: Prevents Health Care Fraud and Abuse; Medical Liability Reform; Administrative Simplification that requires the establishment of national standards for electronic health care transactions and national identifiers for providers, employers, and health insurance plans.
- Title III: Guidelines for pre-tax medical spending accounts. It provides changes to health insurance law and deductions for medical insurance.
- Title IV: Guidelines for group health plans. It provides modifications for health coverage.
- Title V: Governs company-owned life insurance policies. Makes provisions for treating people without United States Citizenship and repealed financial institution rule to interest allocation rules.
Why was the Health Insurance Portability and Accountability Act (HIPAA) established?
- The focus of the statute is to create confidentiality systems within and beyond healthcare facilities.
- The goal of keeping protected health information private.
Whom does HIPAA cover?
- All persons working in a healthcare facility or private office
- Non-patient care employees
- Health plans (e.g., insurance companies)
- Billing companies
- Electronic medical record companies
What are basic HIPAA goals?
- To limit the use of protected health information to those with a “need to know.”
- To penalize those who do not comply with confidentiality regulations.
What health information is protected?
- Any health care information with an identifier that links a specific patient to healthcare information (name, social security number, telephone number, email address, street address, among others)
Differentiate between HIPAA privacy rules, use, and disclosure of information?
- Use: How information is used within a healthcare facility
- Disclosure: How information is shared outside a health care facility
- Privacy rules: Patients must give signed consent for the use of their personal information or disclosure
What are the legal exceptions when health care professionals can breach confidentiality without permission?
- Gunshot wound
- Stab wound
- Injuries sustained in a crime
- Child/Elderly abuse
- Infectious, communicable, or reportable diseases
What types of data does HIPAA protect?
- Written, paper, spoken, or electronic data
- Transmission of data within and outside a health care facility
- Applies to anyone or any institution involved with the use of healthcare-related data
- Data size does not matter
What types of electronic devices must facility security systems protect?
- Both hardware and software
- Unauthorized access to health care data or devices such as a user attempting to change passwords at defined intervals
What is the job of a HIPAA security officer?
- IT background
- Document and maintain security policies and procedures
- Audit the systems
- Risk assessments and compliance with policies/procedures
What does a security risk assessment entail?
- Should be undertaken at all healthcare facilities
- Assess the risk of virus infection and hackers
- Create safeguards against risks
What are physical safeguards?
- Secure printers, fax machines, and computers
- Locks on computer and record rooms
- Destroy sensitive information
What type of employee training for HIPAA is necessary?
- Ideally under the supervision of the security officer
- The level of access increases with responsibility
- Annual HIPAA training with updates mandatory for all employees
What type of reminder policies should be in place?
- E-mail alert, posters
- Log-on, log-off computer notices
How should a sanctions policy for HIPAA violations be written?
- Clear, non-ambiguous plain English policy
- Apply equally to all employees and contractors
- Sale of information results in termination
- Repeat offense increases the punishment
What discussions regarding patient information may be conducted in public locations?
- Conversational information is covered by confidentiality/HIPAA
- Do not talk about patients or protected health information in public locations
How do you protect electronic information?
- Point computer screens away from public
- Use privacy sliding doors at the reception desk
- Never leave protected health information unattended
- Log off workstations when leaving an area
How do you ensure password protection?
- Do not share the password
- Do not write down the password
- Do not verbalize password
- Do not email your password
How do you select a safe password?
- Do not select consecutive digits
- Do not select information that can be easily guessed
- Choose something that can be remembered but not guessed
What is the function of HIPAA?
In passing the law for HIPAA, Congress required the establishment of Federal standards to guarantee electronic protected health information security to ensure confidentiality, integrity, and availability of health information that ensure the protection of individual’s health information while also granting access for health care providers, clearinghouses, and health plans for continued medical care. 
- Standards for security were needed because of the growth in exchange of protected health information between covered entities and non-covered entities. These standards guarantee availability, integrity, and confidentiality of e-PHI. Also, there are State laws with strict guidelines that apply and overrules Federal security guidelines.
- The standards mandated in the Federal Security Rule protect individual's health information while permitting appropriate access to that information by health care providers, clearinghouses, and health insurance plans. The Security Rule establishes Federal standards to ensure the availability, confidentiality, and integrity of electronic protected health information. Also, state laws also provide more stringent standards that apply over and above Federal security standards.
- Health care providers, health plans, and business associates have a strong tradition of safeguarding private health information. However, in today’s world, the old system of paper records locked in cabinets is not enough anymore. With information broadly held and transmitted electronically, the rule provides clear national standards for the protection of electronic health information.
Issues of Concern
There are 5 HIPAA sections of the act, known as titles.
Title I: Focus on Health Care Access, Portability, and Renewability
- Regulates the availability of group and individual health insurance policies: Title I modified the Employee Retirement Income Security Act along with the Public Health Service Act and the Internal Revenue Code
- Requires the coverage of and limits the restrictions that a group health plan places on benefits for preexisting conditions. Group health coverage may only refuse benefits that relate to preexisting conditions for 12 months after enrollment or 18 months for late enrollment.
- Enables individuals to limit the exclusion period taking into account how long they were covered before enrolling in the new plan after any periods of a break in coverage.
- Covers "creditable coverage" which includes nearly all group and individual health plans, Medicare, and Medicaid.
- Explains a "significant break" as any 63-day period that an individual goes without creditable coverage. It allows premiums to be tied to avoiding tobacco use, or body mass index.
- Requires insurers to issue policies without exclusion to those leaving group health plans with creditable coverage exceeding 18 months, and renew individual policies for as long as they are offered or provide alternatives to discontinued plans for as long as the insurer stays in the market without exclusion regardless of health condition.
Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform
- Establishes policies and procedures for maintaining privacy and security of individually identifiable health information, outlines offenses, and creates civil and criminal penalties for violations.
- Creates programs to control fraud and abuse and Administrative Simplification rules.
- Requires the Department of Health and Human Services (HHS) to increase the efficiency of the health care system by creating standards.
HHS initiated 5 rules to enforce Administrative Simplification: (1) Privacy Rule, (2) Transactions and Code Sets Rule, (3) Security Rule, (4) Unique Identifiers Rule, and (5) Enforcement Rule.
The HIPAA Privacy Rule regulates the use and disclosure of protected health information (PHI) by "covered entities." These entities include health care clearinghouses, health insurers, employer-sponsored health plans, and medical providers. Upon request, covered entities must disclose PHI to an individual within 30 days. Entities mentioned earlier must provide and disclose PHI as required by law enforcement for the investigation of suspected child abuse.
- Covered entities may disclose PHI to law enforcement if requested to do so by court orders, court-ordered warrants, subpoenas, and administrative requests.
- A covered entity may reveal PHI to facilitate treatment, payment, or health care operations without a patient's written authorization.
- Any other disclosures of PHI require the covered entity to obtain prior written authorization.
- When a covered entity discloses PHI, it must make a reasonable effort to share only the minimum necessary information.
- The Privacy Rule gives individuals the right to demand that a covered entity correct any inaccurate PHI and take reasonable steps to ensure the confidentiality of communications with individuals.
- The Privacy Rule requires covered entities to notify individuals of PHI use, keep track of disclosures, and document privacy policies and procedures.
2013 Omnibus Rule Update
- The revised definition of "significant harm" to an individual in the analysis of a breach provides more investigation to cover entities with the intent of disclosing breaches that were previously not reported.
- Protection of PHI was changed from indefinite to 50 years after death.
- The HIPAA Privacy rule may be waived during a natural disaster.
Right to Access
The Privacy Rule requires medical providers to give individuals PHI access when an individual requests information in writing. A provider has 30 days to provide a copy of the information to the individual. An individual may request the information in electronic form or hard copy.
- Individuals have the right to access all health-related information (except psychotherapy notes of a provider, and information gathered by a provider to defend against a lawsuit).
- Providers may charge a reasonable amount for copying costs. However, no charge is allowable when providing data electronically from a certified electronic health record (EHR) using the "view, download, and transfer."
- An individual may authorize the delivery of information using either encrypted or unencrypted email, media, direct messaging, or other methods. When using unencrypted delivery, an individual must understand and accept the risks of data transfer.
- An individual may request in writing that their PHI be delivered to a third party.
- An individual may request in writing that their provider send PHI to a designated service used to collect or manage their records, such as a Personal Health Record application.
Hospitals may not reveal information over the phone to relatives of admitted patients.
- This has impeded the location of missing persons, as seen after airline crashes, hospitals are reluctant to disclose the identities of passengers being treated, making it difficult for relatives to locate them.
Transactions and Code Sets Rule
HIPAA was created to improve health care system efficiency by standardizing health care transactions. HIPAA added a new Part C titled "Administrative Simplification" that simplifies healthcare transactions by requiring health plans to standardize health care transactions.
- For example, medical providers who file for reimbursements electronically have to file their electronic claims using HIPAA standards to be paid.
The Security Rule complements the Privacy Rule. While the Privacy Rule pertains to all Protected Health Information, the Security Rule is limited to Electronic Protected Health Information. It lays out 3 types of security safeguards: administrative, physical, and technical.
Policies and procedures are designed to show clearly how the entity will comply with the act.
- Covered entities must adopt a written set of privacy procedures and designate a privacy officer for developing and implementing required policies and procedures.
- Procedures must identify classes of employees who have access to electronic protected health information and restrict it to only those employees who need it to complete their job function.
- The procedures must address access authorization, establishment, modification, and termination.
- Entities must show appropriate ongoing training for handling PHI.
- Covered entities must back up their data and have disaster recovery procedures.
- Internal audits are required to review operations with the goal of identifying security violations.
- Procedures should document instructions for addressing and responding to security breaches.
- Control physical access to protected data.
- Control the introduction and removal of hardware and software from the network and make it limited to authorized individuals.
- Access to equipment containing health information must be controlled and monitored.
- Require proper workstation use, and keep monitor screens out of not direct public view.
- If the covered entities utilize contractors or agents, they too must be thoroughly trained on PHI.
Technical safeguards include controlling access to computer systems and enabling covered entities to protect communications containing PHI transmitted electronically over open networks.
- Information systems housing PHI must be protected from intrusion.
- Data within a system must not be changed or erased in an unauthorized manner.
- Data corroboration, including the use of a checksum, double-keying, message authentication, and digital signature must be used to ensure data integrity and authenticate entities with which they communicate.
- Entities must make documentation of their HIPAA practices available to the government.
- Information technology documentation should include a written record of all configuration settings on the components of the network.
- Documented risk analysis and risk management programs are required.
Unique Identifiers Rule (National Provider Identifier, NPI)
HIPAA-covered entities such as providers completing electronic transactions, healthcare clearinghouses, and large health plans must use only the National Provider Identifier (NPI) to identify covered healthcare providers in standard transactions.
The NPI replaces all other identifiers used by health plans, Medicare, Medicaid, and other government programs. The NPI does not replace a provider's DEA number, state license number, or tax identification number. The NPI is 10 digits (may be alphanumeric), with the last digit a checksum. The NPI cannot contain any embedded intelligence; the NPI is a number that does not itself have any additional meaning. The NPI is unique and national, never re-used, and except for institutions, a provider usually can have only one. An institution may obtain multiple NPIs for different "sub-parts" such as a free-standing surgery or wound care center.
- The Enforcement Rule sets civil financial money penalties for violating HIPAA rules.
- It establishes procedures for investigations and hearings for HIPAA violations.
- The US Dept. of Health and Human Resources has investigated over 20,000 cases resolved by requiring changes in privacy practice or by corrective action.
- If noncompliance is determined, entities must apply corrective measures.
- Complaints have been investigated against pharmacy chains, major health care centers, insurance groups, hospital chains, and small providers.
According to the HHS, the following issues have been reported according to frequency:
- Misuse and disclosures of PHI
- No protection in place for health information
- Patients unable to access their health information
- Using or disclosing more than the minimum necessary protected health information
- No safeguards of electronic protected health information
The most common entities required to take corrective action according to HHS are listed below by frequency:
- Private Practices
- Outpatient Facilities
- Group insurance plans
Title III: Tax-related health provisions governing medical savings accounts
- Standardizes the amount that may be saved per person in a pre-tax medical savings account.
- Makes medical savings accounts available to employees covered under an employer-sponsored high deductible plan for a small employer and self-employed individuals.
Title IV: Application and enforcement of group health insurance requirements
Title IV specifies conditions for group health plans regarding coverage of persons with pre-existing conditions and modifies continuation of coverage requirements. It clarifies continuation coverage requirements and includes COBRA clarification.
Title V: Revenue offset governing tax deductions for employers
- Provisions for company-owned life insurance for employers providing company-owned life insurance premiums, prohibiting the tax-deduction of interest on life insurance loans, company endowments, or contracts related to the company.
- Repeals the financial institution rule to interest allocation rules.
- Amends provisions of law relating to people who give up United States citizenship or permanent residence, expanding the expatriation tax to be assessed against those deemed to be giving up their US status for tax reasons
- Makes former citizens' names part of the public record through the creation of the Quarterly Publication of Individuals Who Have Chosen to Expatriate.
HIPAA Privacy and Security Rules have substantially changed the way medical institutions and health providers function. The complex legalities and severe civil and financial penalties, as well as the increase in paperwork and implementation costs, have substantially impacted health care. All health professionals must be trained in HIPAA and have an understanding of the potential pitfalls and acts that can lead to a violation.
Clinical Care Effects
HIPAA, combined with stiff penalties for violation, may result in medical centers and practices withholding life-saving information from those who may have a right to it and need it at a crucial moment. Through the HIPAA Privacy Rule, the US Government Accountability Office found that health care providers were "uncertain about their legal privacy responsibilities and often responded with an overly guarded approach to disclosing information. Ultimately, the solution is the education of all healthcare professionals and their support staff so that they have a full appreciation of when protected health information can be legally released.
Education and Training Effects
Education and training of healthcare providers and students are needed to implement HIPAA Privacy and Security Acts. Effective training and education must describe the regulatory background and purpose of HIPAA and provide a review of the principles and key provisions of the Privacy Rule.
HIPAA restrictions on research have affected the ability to perform chart-based retrospective research. This has made it challenging to evaluate patients prospectively for follow-up.
- HIPAA Privacy rules have resulted in as much as a 95% drop in follow-up surveys completed by patients being followed long-term.
- Recruitment of patients for cancer studies has led to a more than 70% decrease in patient accrual and a tripling of time spent recruiting patients and mean recruitment costs.
- Significant legal language required for research studies is now extensive due to the need to protect participants' health information. While such information is important, a lengthy legalistic section may make these complex documents less user-friendly for those who are asked to read and sign them.
Many researchers believe that the HIPAA privacy laws have a negative impact on the cost and quality of medical research.
HIPAA Privacy and Security Acts require all medical centers and medical practices to get into and stay in compliance. The costs of developing and revamping systems and practices and an increase in paperwork and staff education time have impacted the finances of medical centers and practices at a time when insurance companies and Medicare reimbursements have decreased. Ultimately, the cost of violating the statutes is so substantial, that scarce resources must be devoted to making sure an institution is compliant, and its employees understand the statutory rules.
HIPAA is a potential minefield of violations that almost any medical professional can commit. Staff with less education and understanding can easily violate these rules during the normal course of work. While a small percentage of criminal violations involve personal gain or nosy behavior, most violations are momentary lapses that result in costly mistakes. Writing an incorrect address, phone number, email, or text on a form or expressing protected information aloud can jeopardize a practice. HIPAA education and training is crucial, as well as designing and maintaining systems that minimize human mistakes.
Violations of HIPAA
- For an individual who unknowingly violates HIPAA: $100 fine per violation with an annual maximum of $25,000 for those who repeat violation. There is also $50,000 per violation and an annual maximum of $1.5 million.
- For a violation that is due to reasonable cause and not due to willful neglect: There is a $1000 charge per violation, an annual maximum of $100,000 for those who repeatedly violates. There is also a $50,000 penalty per violation and an annual maximum of $1.5 million.
- For HIPAA violation due to willful neglect, with violation corrected within the required time period. There is a $10,000 penalty per violation, an annual maximum of $250,000 for repeat violations. There is a $50,000 penalty per violation with an annual maximum of $1.5 million.
- For HIPAA violation due to willful neglect and not corrected. There is a penalty of $50,000 per violation, an annual maximum of $1,000,000, $50,000 per violation, and an annual maximum of $1.5 million.
- For entities that are covered and specified individuals who obtain or disclose individually identifiable health information willfully and knowingly: The penalty is up to $50,000 and imprisonment up to 1 year.
- For offenses committed under false pretenses, the penalty is up to $100,000 with imprisonment of up to 5 years.
- For offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, the penalty is up to $250,000 with imprisonment up to 10 years.
The US Department of Health and Human Services Office for Civil Rights has received over 100,000 complaints of HIPAA violations, many resulting in civil and criminal prosecution.
Examples of HIPAA violations and breaches include:
- Hospital staff disclosed HIV testing concerning a patient in the waiting room, staff were required to take regular HIPAA training, and computer monitors were repositioned.
- An office manager accidentally faxed confidential medical records to an employer rather than a urologist's office, resulting in a stern warning letter and a mandate for regular HIPAA training for all employees.
- A surgeon was fired after illegally accessing personal records of celebrities, was fined $2000, and sentenced to 4 months in jail.
- Private practice lost an unencrypted flash drive containing protected health information, was fined $150,000, and was required to install a corrective action plan.
- Private physician license suspended for submitting a patient's bill to collection firms with CPT codes that revealed the patient diagnosis.
- Texas hospital employees received an 18-month jail term for wrongful disclosure of private patient medical information.
- Walgreen's pharmacist violated HIPAA and shared confidential information concerning a customer who dated her husband resulted in a $1.4 million HIPAA award.
- Virginia employees were fired for logging into medical files without legitimate medical need.
- Employee fired for speaking out loud in the back office of a medical clinic after she revealed a pregnancy test result.
- A sales executive was fined $10,000 for filling out prior authorization forms and putting them directly in patient charts.
- Six doctors and 13 employees were fired at UCLA for viewing Britney Spears' medical records when they had no legitimate reason to do so.
- Cardiac monitor vendor fined $2.5 million when a laptop containing hundreds of patient medical records was stolen from a car.
- Washington State Medical Center employee fired for improperly accessing over 600 confidential patient health records.
- An employee of the hospital posted on Facebook concerning the death of a patient stating she "should have worn her seatbelt."
- A hospital was fined $2.2 million for allowing an ABC film crew to film two patients without their consent.
- Cardiology group fined $200,000 for posting surgical and clinical appointments on a public, internet-accessed calendar.
- Tricare Management of Virginia exposed confidential data of nearly 5 million people.
- Cignet Health of Maryland fined $4.3 million for ignoring patient requests to obtain copies of their own records and ignoring federal officials' inquiries.
- Virginia physician prosecuted for sharing information with a patient's employer under false pretenses.