The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is the federal law that created national standards for protecting sensitive patient health information from being disclosed without the patient’s knowledge or consent. Read more about this US regulation and find out how to comply.
The Health Insurance Portability and Accountability Act (HIPAA) was primarily about solving insurance coverage for individuals who are between jobs. Without this law, employees would have faced the risk of losing their insurance coverage for the period between jobs.
Another goal was to ensure that all healthcare data is properly secured and that no unauthorized individual can access it.
HIPAA applies in the United States and is regulated by the Department of Health and Human Services’ Office for Civil Rights (OCR).
HIPAA was created in order to modernize the flow of healthcare information and to make sure that personally identifiable information gathered in healthcare and insurance companies is protected against fraud and theft and cannot be disclosed without consent.
Patients' healthcare information is treated as sensitive and can still be accessed quickly by the various healthcare providers who need it. HIPAA regulations require that records be better secured and protected against leakage. HIPAA Journal, a great source for HIPAA regulations and compliance information, has a comprehensive checklist for companies on their journey to compliance.
Any company or individual that works with Protected Health Information (PHI) needs to be compliant with HIPAA. PHI is created when any health data is combined with personally identifiable information, such as the following:
When PHI is stored or transmitted electronically, it is called ePHI (electronic Protected Health Information).
There are several entities that regularly work with Protected Health Information and therefore must follow the Health Insurance Portability and Accountability Act:
HIPAA consists of the following rules:
HIPAA Privacy Rule
The Privacy Rule defines how, when and under what circumstances PHI can be used and disclosed. Without a patient's prior consent, the use of information about the patient is limited. Patients and their representatives are allowed to obtain a copy of their health records and to request corrections in case of errors.
HIPAA Security Rule
The Security Rule sets standards for protecting ePHI and must be followed by anyone who works with ePHI. Security Officers and Privacy Officers must perform risk assessments and audits to identify any threats to the confidentiality, integrity and availability of PHI.
Breach Notification Rule
The Department of Health and Human Services must be notified in case of a data breach, as must the affected individuals. If more than five hundred patients in a particular jurisdiction are affected, a press release must also be issued to a news outlet covering the area.
Omnibus Rule
The Omnibus Rule is a part of the HITECH Act (Health Information Technology for Economic and Clinical Health Act) that came into force in 2009 and was created to encourage the use of electronic health records by healthcare providers.
The Omnibus Rule prohibits the use of PHI for marketing or fundraising purposes without authorization.
Enforcement Rule
The Enforcement Rule is about determining the appropriate fine when a violation occurs. A fine can be lower in case of negligence; however, if the violation happens due to willful neglect, it can be much higher.
Under the HIPAA Privacy Rule, individuals have the legal right to see and receive copies of their medical information.
Individuals have the right to:
Even though patients have the right to access their records, some types of information are excluded from the Right of Access. The following information is excluded:
A HIPAA violation occurs when a covered entity or a business associate fails to comply with any of the HIPAA Rules. Penalties for HIPAA violations are issued by the Department of Health and Human Services' Office for Civil Rights (OCR) and by state attorneys general. HIPAA uses four categories (tiers) of penalties:
1. The covered entity or business associate did not know, and could not reasonably have known, that it violated HIPAA; therefore, the violation could not have been avoided. The penalty per such violation is $137 – $68,928, with an annual cap of $2,067,813 per identical provision violated.
2. The violation occurred due to a known but reasonable cause, not due to willful neglect. The penalty per such violation is $1,41 – $71,162, with an annual cap of $35,581 (per OCR enforcement discretion).
3. The violation results from willful neglect, but the issue was corrected promptly (within 30 days). The penalty per such violation is $14,232 – $71,162, with an annual cap of $355,808.
4. The violation results from willful neglect and remains uncorrected beyond 30 days. The penalty per such violation is $71,162 – $2,134,831, with an annual cap of $2,134,831.
Keeping unsecured records
Employees leave sensitive documents on their desks or do not use passwords to access digital data. Make sure that the workspace is secured and that passwords are used at your company.
Unencrypted data
HIPAA does not make encryption of your data mandatory, but it is highly recommended. Even if encrypted data is leaked, it cannot be read by anyone who does not hold the key.
Hacking or phishing campaigns
Keep your anti-virus software up to date, change passwords regularly, and use a DLP (data loss prevention) solution to protect your data against leakage.
Loss or Theft of Devices
Valuable devices can be lost in the blink of an eye. Encrypt the data on them, so that even if a device is lost, no unauthorized person can access it.
Sharing PHI
Always keep in mind that people like to talk. Very often employees do not even realize that they have been sharing sensitive information with each other. Educate them about handling sensitive data, and make sure that only authorized individuals can access it.
Lack of employee training
Employees might not even realize that they have been working with PHI, and a violation can be harmful to both the company and its patients. Train them regularly and make sure they understand what PHI and HIPAA are, as well as the consequences of a violation.
Unauthorized Access
Employees who are not authorized to process sensitive information may still be able to access it and go through the documents. Set proper security policies and access controls, and make sure your employees are aware of them.
As you can see above, violations often stem from mistakes made by employees, whether they lose a device, click on a phishing link, or simply talk with their colleagues about patients. HIPAA violations can happen easily. Insider threats can be either unintentional or malicious; however, 56% of insider threat incidents are caused by negligent employees.
According to the Ponemon Institute, the average total cost of a data breach for healthcare companies jumped 29% to $9.23 million. Health and pharmaceuticals are among the industries with the highest annual insider threat costs, at over $10M per year (Ponemon Institute, 2022).
Read more about insider threats here.
How Does Safetica Secure Your Data for HIPAA Compliance?
Gyncentrum Clinic protects its clients' sensitive data with Safetica. Read more here.
"Our staff, both administrative and medical, has access to our patients' sensitive data on a daily basis. This includes personal and medical information, examination results and psychological evaluations. Thanks to Safetica, I can, as the person responsible for data protection in the clinic, decide who has access, how data is processed and whether it can be shared with third parties or not. Employees' activities are reported, and patients' data is protected."
says Paweł Czerwiński, Owner of Gyncentrum.