Why was the Health Insurance Portability and Accountability Act (HIPAA) established?
Whom does HIPAA cover?
What are basic HIPAA goals?
What health information is protected?
Differentiate between HIPAA privacy rules, use and disclosure of information?
What are the legal exceptions when health care professionals can breach confidentiality without permission?
What types of data does HIPAA protect?
What types of electronic devices must facility security systems protect?
What is the job of a HIPAA security officer?
What does a security risk assessment entail?
What are physical safeguards?
What type of employee training for HIPAA is necessary?
What type of reminder policies should be in place?
How should a sanctions policy for HIPAA violations be written?
What discussions regarding patient information may be conducted in public locations?
How do you protect electronic information?
How do you ensure password protection?
How do you select a safe password?
What is the function of HIPAA?
In passing the law for HIPAA, Congress required the establishment of Federal standards to guarantee electronic protected health information security to ensure confidentiality, integrity, and availability of health information that ensure the protection of individual’s health information while also granting access for health care providers, clearinghouses, and health plans for continued medical care. 
Title I: Focus on Health Care Access, Portability, and Renewability.
Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform.
HHS initiated 5 rules to enforce Administrative Simplification: (1) Privacy Rule, (2) Transactions and Code Sets Rule, (3) Security Rule, (4) Unique Identifiers Rule, and (5) Enforcement Rule.
The HIPAA Privacy Rule regulates the use and disclosure of protected health information (PHI) by "covered entities." These entities include health care clearinghouses, health insurers, employer-sponsored health plans, and medical providers. Upon request, covered entities must disclose PHI to an individual within 30 days. Entities mentioned earlier must provide and disclose PHI as required by law enforcement for the investigation of suspected child abuse.
2013 Omnibus Rule Update
Right to access
The Privacy Rule requires medical providers to give individuals PHI access when an individual requests information in writing. A provider has 30 days to provide a copy of the information to the individual. An individual may request the information in electronic form or hard-copy.
Hospitals may not reveal information over the phone to relatives of admitted patients.
Transactions and Code Sets Rule
HIPAA was created to improve health care system efficiency by standardizing health care transactions. HIPAA added a new Part C titled "Administrative Simplification" that simplifies healthcare transactions by requiring health plans to standardize health care transactions.
The Security Rule complements the Privacy Rule. While the Privacy Rule pertains to all Protected Health Information, the Security Rule is limited to Electronic Protected Health Information. It lays out 3 types of security safeguards: administrative, physical, and technical.
Policies and procedures designed to show clearly how the entity will comply with the act.
Technical safeguards include controlling access to computer systems and enabling covered entities to protect communications containing PHI transmitted electronically over open networks.
Unique Identifiers Rule (National Provider Identifier, NPI)
HIPAA covered entities such as providers completing electronic transactions, healthcare clearinghouses, and large health plans must use only the National Provider Identifier (NPI) to identify covered healthcare providers in standard transactions.
The NPI replaces all other identifiers used by health plans, Medicare, Medicaid, and other government programs. The NPI does not replace a provider's DEA number, state license number, or tax identification number. The NPI is 10 digits (may be alphanumeric), with the last digit a checksum. The NPI cannot contain any embedded intelligence; the NPI is a number that does not itself have any additional meaning. The NPI is unique and national, never re-used, and except for institutions, a provider usually can have only one. An institution may obtain multiple NPIs for different "sub-parts" such as a free-standing surgery or wound care center.
According to the HHS, the following issues have been reported according to frequency:
The most common entities required to take corrective action according to HHS are listed below by frequency:
Title III: Tax-related health provisions governing medical savings accounts
Title IV: Application and enforcement of group health insurance requirements
Title IV specifies conditions for group health plans regarding coverage of persons with pre-existing conditions and modifies continuation of coverage requirements. It clarifies continuation coverage requirements and includes COBRA clarification.
Title V: Revenue offset governing tax deductions for employers
HIPAA Privacy and Security Rules have substantially changed the way medical institutions and health providers function. The complex legalities and severe civil and financial penalties, as well as the increase in paperwork and implementation costs, have substantially impacted health care. All health professional must be trained in HIPAA and have an understanding of the potential pitfalls and acts that can lead to a violation.
Clinical Care Effects
HIPAA, combined with stiff penalties for violation, may result in medical centers and practices withholding life-saving information from those who may have a right to it and need it at a crucial moment. Through the HIPAA Privacy Rule, the US Government Accountability Office found that health care providers were "uncertain about their legal privacy responsibilities and often responded with an overly guarded approach to disclosing information. Ultimately, the solution is the education of all healthcare professionals and their support staff so that they have a full appreciation of when protected health information can be legally released.
Education and Training Effects
Education and training of healthcare providers and students are needed to implement HIPAA Privacy and Security Acts. Effective training and education must describe the regulatory background and purpose of HIPAA and provide a review of the principles and key provisions of the Privacy Rule.
HIPAA restrictions on research have affected the ability to perform chart-based retrospective research. This has made it challenging to evaluate patients prospectively for follow-up.
Many researchers believe that the HIPAA privacy laws have a negative impact on the cost and quality of medical research.
HIPAA Privacy and Security Acts require all medical centers and medical practices to get into and stay in compliance. The costs of developing and revamping systems and practices and an increase in paperwork and staff education time have impacted the finances of medical centers and practices at a time when insurance companies and Medicare reimbursements have decreased. Ultimately, the cost of violating the statutes is so substantial, that scarce resources must be devoted to making sure an institution is compliant, and its employees understand the statutory rules.
HIPAA is a potential minefield of violations that almost any medical professional can commit. Staff with less education and understanding can easily violate these rules during the normal course of work. While a small percentage of criminal violations involve personal gain or nosy behavior, most violations are momentary lapses that result in costly mistakes. Writing an incorrect address, phone number, email, or text on a form or expressing protected information aloud can jeopardize a practice. HIPAA education and training is crucial, as well as designing and maintaining systems that minimize human mistakes.
Violations of HIPAA
The US Department of Health and Human Services Office for Civil Rights has received over 100,000 complaints of HIPAA violations, many resulting in civil and criminal prosecution.
Examples of HIPAA violations and breaches include:
|||Tariq RA,Hackert PB, Patient Confidentiality 2019 Jan; [PubMed PMID: 30137825]|
|||Mermelstein HT,Wallack JJ, Confidentiality in the age of HIPAA: a challenge for psychosomatic medicine. Psychosomatics. 2008 Mar-Apr; [PubMed PMID: 18354061]|
|||Kessler SR,Pindek S,Kleinman G,Andel SA,Spector PE, Information security climate and the assessment of information security risk among healthcare employees. Health informatics journal. 2019 Mar 14; [PubMed PMID: 30866704]|
|||Iyiewuare PO,Coulter ID,Whitley MD,Herman PM, Researching the Appropriateness of Care in the Complementary and Integrative Health Professions Part 2: What Every Researcher and Practitioner Should Know About the Health Insurance Portability and Accountability Act and Practice-based Research in the United States. Journal of manipulative and physiological therapeutics. 2018 Nov - Dec; [PubMed PMID: 30755332]|
|||Liu X,Sutton PR,McKenna R,Sinanan MN,Fellner BJ,Leu MG,Ewell C, Evaluation of Secure Messaging Applications for a Health Care System: A Case Study. Applied clinical informatics. 2019 Jan; [PubMed PMID: 30812040]|
|||Berry MD, Healthcare Reform. Enforcement and Compliance. Issue brief (Health Policy Tracking Service). 2018 Dec 24; [PubMed PMID: 30681783]|
|||Berry MD, Business of Health. Business of Healthcare. Issue brief (Health Policy Tracking Service). 2018 Dec 24; [PubMed PMID: 30681304]|
|||Lam JS,Simpson BK,Lau FH, Health Insurance Portability and Accountability Act Noncompliance in Patient Photograph Management in Plastic Surgery. Annals of plastic surgery. 2019 May; [PubMed PMID: 30648996]|
|||Reynolds RA,Stack LB,Bonfield CM, Medical photography with a mobile phone: useful techniques, and what neurosurgeons need to know about HIPAA compliance. Journal of neurosurgery. 2019 Jan 4; [PubMed PMID: 30611147]|
|||Kels CG,Kels LH, Potential Harms of HIPAA. JAMA. 2018 Dec 11; [PubMed PMID: 30535213]|
|||Mattioli M, Security Incidents Targeting Your Medical Practice. MD advisor : a journal for New Jersey medical community. 2018 Summer; [PubMed PMID: 30570893]|
|||Baker FX,Merz JF, What gives them the right? Legal privilege and waivers of consent for research. Clinical trials (London, England). 2018 Dec; [PubMed PMID: 30280910]|
|||Sims MH,Hodges Shaw M,Gilbertson S,Storch J,Halterman MW, Legal and ethical issues surrounding the use of crowdsourcing among healthcare providers. Health informatics journal. 2018 Sep 7; [PubMed PMID: 30192688]|
|||Kloss LL,Brodnik MS,Rinehart-Thompson LA, Access and Disclosure of Personal Health Information: A Challenging Privacy Landscape in 2016-2018. Yearbook of medical informatics. 2018 Aug; [PubMed PMID: 30157506]|
|||Bradley D, HIPAA compliance efforts. Pediatric emergency care. 2004 Jan; [PubMed PMID: 14716172]|
|||Butler M, Top HITECH-HIPPA compliance obstacles emerge. Journal of AHIMA. 2014 Apr; [PubMed PMID: 24834549]|
|||White JM, HIPPA compliance for vendors and suppliers. Journal of healthcare protection management : publication of the International Association for Hospital Security. 2014; [PubMed PMID: 24707761]|
|||McMahon EB,Lee-Huber T, HIPPA privacy regulations: practical information for physicians. Pain physician. 2001 Jul; [PubMed PMID: 16900255]|
|||Bilimoria NM, HIPPA security rule compliance for physicians: better late than never. The Journal of medical practice management : MPM. 2005 Jul-Aug; [PubMed PMID: 16206804]|