The Health Insurance Portability and Accountability Act (HIPAA) is one of the most well-known pieces of legislation in health care and related industries. But what exactly does it say, and more importantly, what does it say about data protections and use cases for patients’ protected health information (PHI)?
Let’s dissect the core purpose behind the monumental health data act and some of the key factors related to data regulations and compliance.
The Health Insurance Portability and Accountability Act (HIPAA)
- The purpose behind HIPAA
- HIPAA and data compliance
- HIPAA enforcement
HIPAA originated in 1996 to address a combination of patient convenience and health insurance-related efficiencies. The first idea behind the act was to hold health insurers accountable for the portability of patients’ health insurance when they transition to a new workplace. A secondary goal behind the act was to make the transference and storage of medical data more efficient and secure, eliminating much of the need for paper medical records that are more susceptible to fraud and waste.
The act focuses on protecting the privacy and security of protected health information, preventing covered organizations from using or disclosing patient data in unauthorized exchanges or procedures. Some common types of PHI covered by HIPAA include information about health status or current conditions, health treatments, and any method of payment used for health care.
HIPAA requirements apply to two core groups that work with patient data: covered entities and business associates.
- Covered entities are any organizations that directly deal with patient health insurance in electronic health care transactions. The most common types of covered entities outlined in the act include health plans, health care clearinghouses, and health care providers. But these three types of organizations are only covered by HIPAA if they accept health insurance as payment.
- Business associates are third-party vendors or organizations that partner with covered entities and have direct access to patient PHI as a result of that partnership. Although some enforcement and consequences are different, business associates are required to comply with HIPAA just like covered entities. Common business associates include billing companies, cloud storage providers, and law firms.
HIPAA enforces many policies and procedures regarding patient data privacy and security on its own. But several rules promulgated pursuant to the act have developed to increase protections over the years, with the Privacy Rule and Security Rule being the most prominent. Other rules have detailed what needs to happen if a data breach occurs.
The Privacy Rule was first published on December 28, 2000, and modifications were added and finalized by August 14, 2002. HIPAA covered entities were required to comply with the Privacy Rule no later than April 14, 2003.
This regulation constitutes a wide-ranging definition of the responsibilities that covered entities and business associates have to protect the privacy of patient data. Some of the core areas of focus within the Privacy Rule include appropriate uses and disclosures, patients’ individual rights, and administrative requirements for privacy protection.
Uses and disclosures
The uses and disclosures portion of the Privacy Rule delineates how covered entities are allowed to use and disclose patient data. As a general rule, patient data cannot be disclosed unless it is directed to or authorized by the patient or meets one of the following conditions: it pertains to treatment, payment, or operations within a health care entity; it is a limited and privatized data set used for research; or the Office for Civil Rights in the Department of Health and Human Services (HHS OCR) steps in and requests the data in an audit or investigation. The HHS website provides extensive details about other use and disclosure possibilities. A best practice is to only use or disclose the minimum necessary data.
It’s important to note that uses and disclosures, as well as all other HIPAA regulations, only pertain to covered entities and business associates. No other businesses are held to HIPAA or related protection standards in the ways that they use consumer data.
Attorney Iliana Peters, CISSP — a shareholder at the law firm Polsinelli and former acting deputy for HIPAA and senior advisor for enforcement at HHS OCR — further illustrated how people are misunderstanding the uses and disclosures clause of the Privacy Rule in the wake of COVID-19 vaccinations:
“A common misconception right now is related to whether or not businesses are violating HIPAA when they ask customers for proof of vaccination,” Peters said. “The short answer here is no. There is no rule against asking people about their health information.”
“And outside of covered entities and business associates, all other businesses, like grocery stores and restaurants, are not covered by HIPAA rules and regulations. Only covered entities and business associates are covered by HIPAA and required to protect PHI, and that’s less focused on asking for patient information and more focused on how these organizations use and disclose patient data.”
Patients’ individual rights
The Privacy Rule highlights a patient’s right to know how their data can be used as well as the right to access and request adjustments to their filed personal data. Covered entities are required to share a privacy practices notice with all patients, clearly detailing how their PHI can be used by the organization and how patients should respond if they feel their privacy is violated. Once a patient begins working with a covered entity, they can exercise their rights to access, amend, restrict, and request an account of disclosures on their personal data.
The HIPAA Privacy Rule provides several expectations for administrative protections on patient data. Some of the most prominent administrative requirements include:
- Developing and actively using privacy policies and procedures
- Designating a privacy official and a means of contact for when patients have questions or complaints regarding their data privacy
- Workforce training on all privacy policies and procedures
- Advancing effective mitigation and complaint procedures
- Creating administrative, technical, and physical data safeguards
Perhaps the most significant regulation related to electronic personal data arrived when the Security Rule was enacted on February 20, 2003, requiring organizations to be compliant by April 20, 2006.
The Security Rule focuses on what covered entities and business associates must do to protect and secure the integrity, confidentiality, and availability of electronic PHI (e-PHI). The three main categories of the Security Rule focus on administrative controls, physical controls, and technical controls that need to be implemented to protect patient data in these settings.
More on securing data: What is Data Segmentation?
Administrative controls for compliance
In order to comply with the Security Rule, covered entities and business associates must establish several administrative controls for data security. Some of the administrative controls that help organizations comply with the Security Rule include:
- Developing a security management process to address potential security risks and vulnerabilities
- Selecting an organizational security official to create and enforce security policy and procedure
- Limiting data access to minimum necessary needs via role-based access controls
- Providing appropriate training and oversight for employees who engage with e-PHI
- Evaluating the efficacy of security controls on a regular basis
- Performing risk analysis and developing a risk management plan
Risk analysis is one of the most crucial and misinterpreted pieces of the Security Rule. When an organization misunderstands the risk analysis regulation, the time wasted, financial loss, and compliance risks can be severe.
Peters highlighted the incredible opportunity cost of getting risk analysis wrong:
“Risk analysis is an area of the Security Rule that a lot of businesses get wrong,” Peters said. “There’s some confusion about the term, with many businesses thinking that an audit or gap analysis is what’s needed. This is one of the most frustrating and costly mistakes for covered entities and for firms like ours that work with them.”
“They are often small businesses working with a smaller budget, but they spend $10,000, $20,000, even $50,000 to get a third-party consultant to conduct an audit or gap analysis related to their HIPAA compliance and policies. This is helpful information for the business to know, but it does not constitute the risk analysis that HIPAA requires them to do related to their data.”
Peters went on to compare a true risk analysis to what other business sectors call an enterprise risk assessment. When done correctly, a risk analysis involves locating and inventorying all relevant e-PHI, mapping out additional locations and users who might have access, explaining security restrictions in place, and analyzing any recent security incidents and other metrics of security efficacy. Risk analysis is an ongoing process that should inform a risk management plan and the steps to increase security safeguards in areas where they are lacking.
Physical controls for compliance
Part of the Security Rule is making sure that physical safeguards are in place to protect data. Some of the physical controls that HHS highlights include:
- Limiting and controlling physical access to facilities where e-PHI is stored
- Enforcing workstation and device security policies for all users who work with e-PHI
Technical controls for compliance
Technical compliance controls involve software and other security measures implemented on network technology that accesses e-PHI. Some of the most common technical controls that covered entities use for data security include anti-malware software, firewalls and next-generation firewalls (NGFWs), multi-factor authentication, and end-to-end encryption.
Read Next: What is a Virtual Data Room?
Whether it’s two or 2,000 people affected, a covered entity has to let affected individuals know when a breach involving their data has occurred in that organization or with one of their business associates. They also need to inform HHS and will incur different penalties based on the severity of the breach and if it affected more than or less than 500 people. If 500 or more people were affected, the covered entity is required to notify the media. There’s also the potential for criminal penalties resulting in hefty fines or jail time, depending on the severity and intent behind a HIPAA breach.
It’s important to first recognize the distinct difference between a security incident and a breach. Security incidents are any events that violate a company’s security policies and procedures, whereas breaches are any security incidents that have escalated to compromise and expose PHI or e-PHI. Not all security incidents become breaches, so covered entities should complete incident risk assessments to determine if their organization needs to report a breach to HHS and patients.
Enforcement of HIPAA and the Privacy and Security rules is primarily handled at the federal government level by the Office for Civil Rights in the Department of Health and Human Services. The office sets the guidelines for HIPAA, makes any necessary adjustments or clarifications over time, and decides if an organization’s actions are compliant.
Peters emphasized that companies should stay away from any so-called “HIPAA-compliant” solutions that vendors or consultants offer, as no organization other than HHS can ensure a decision is HIPAA compliant.
Some of the main actions that OCR takes in relation to HIPAA include investigating HIPAA violation complaints, reviewing the compliance of covered entities via audits, and offering educational resources to assist organizations with their HIPAA compliance.
If a breach incurs criminal penalties or otherwise moves beyond the jurisdiction of the department, OCR also refers potential criminal HIPAA breaches to the Department of Justice (DOJ) for further investigation.
It’s important for all data professionals at covered entities or business associates, as defined by HIPAA, to understand the act’s regulations and compliance features.
There are consequences for patient privacy and health care entities when a HIPAA breach occurs. HIPAA does, however, provide benchmarks for establishing security parameters for consumer information, and HHS offers recommendations for data compliance.
Many of the protections involve adding the right data security safeguards and working with experts to address holes in HIPAA compliance. Law firms specializing in HIPAA regulations can help get policies, procedures, in-house training, and incident response in working order. There are also third-party vendors that assist with penetration and vulnerability testing to help identify potential HIPAA breach threats — before they become costly issues.
More security solutions for your business: Best Threat Intelligence Platforms for 2021