Introduction
Protected health information breaches have impacted over 176 million patients in the United States from 2009 to 2020. Most of these breaches have occurred due to the carelessness of employees and failure to comply with HIPAA rules rather than to external hackers.[1]
The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Kennedy–Kassebaum Act, or Kassebaum–Kennedy Act) consists of 5 Titles.[2][3][4]
- Title I: Protects health insurance coverage for workers and their families who change or lose jobs. It limits new health plans' ability to deny coverage due to a pre-existing condition.
- Title II: Addresses prevention of healthcare fraud and abuse, medical liability reform, and administrative simplification, which requires establishing national standards for electronic healthcare transactions and national identifiers for providers, employers, and health insurance plans.
- Title III: Guidelines for pre-tax medical spending accounts. It provides changes to health insurance law and deductions for medical insurance.
- Title IV: Guidelines for group health plans. It provides modifications for health coverage.
- Title V: Governs company-owned life insurance policies. Makes provisions for the treatment of people who give up United States citizenship and repeals the financial institution rule on interest allocation.
Why was the Health Insurance Portability and Accountability Act (HIPAA) established?
- The statute focuses on creating confidentiality systems within and beyond healthcare facilities.
- The goal is to keep protected health information private.
Whom does HIPAA cover?
- All persons working in a healthcare facility or private office
- Students
- Non-patient care employees
- Health plans (e.g., insurance companies)
- Billing companies
- Electronic medical record companies
What are the primary HIPAA goals?
- To limit the use of protected health information to those with a “need to know”
- To penalize those who do not comply with confidentiality regulations
What health information is protected?
- Any healthcare information with an identifier that links a specific patient to healthcare information (name, social security number, telephone number, email address, street address, among others)
Differentiate between HIPAA privacy rules, use, and disclosure of information.
- Use: How information is used within a healthcare facility
- Disclosure: How information is shared outside a healthcare facility
- Privacy rules: Patients must give signed consent for the use or disclosure of their personal information
What are the legal exceptions when healthcare professionals can breach confidentiality without permission?
- Gunshot wound
- Stab wound
- Injuries sustained in a crime
- Child/Elderly abuse
- Infectious, communicable, or reportable diseases
What types of data does HIPAA protect?[5]
- Written, paper, spoken, or electronic data
- Transmission of data within and outside a healthcare facility
- This applies to anyone or any institution involved with the use of healthcare-related data
- Data size does not matter
What types of electronic devices must facility security systems protect?
- Both hardware and software
- Protection against unauthorized access to healthcare data or devices (e.g., requiring users to change passwords at defined intervals)
What are the qualifications and jobs of a HIPAA security officer?
- IT background
- Document and maintain security policies and procedures
- Audit the systems
- Conduct risk assessments and ensure compliance with policies/procedures
What does a security risk assessment entail?
- Should be undertaken at all healthcare facilities
- Assess the risk of virus infection and hackers
- Create safeguards against risks
What are physical safeguards?
- Secure printers, fax machines, and computers
- Locks on computer and record rooms
- Destroy sensitive information
What type of employee training for HIPAA is necessary?
- Ideally, under the supervision of the security officer
- The level of access increases with responsibility
- Annual HIPAA training with updates mandatory for all employees
What type of reminder policies should be in place?
- E-mail alert, posters
- Log-on, log-off computer notices
How should a sanctions policy for HIPAA violations be written?
- Clear, non-ambiguous, plain English policy
- Apply equally to all employees and contractors
- Sale of information results in termination
- Repeat offense increases the punishment
What discussions regarding patient information may be conducted in public locations?
- None
- Conversational information is covered by confidentiality/HIPAA
- Do not talk about patients or protected health information in public locations
How do you protect electronic information?
- Point computer screens away from public
- Use privacy sliding doors at the reception desk
- Never leave protected health information unattended
- Log off workstations when leaving an area
How do you ensure password protection?
- Do not share the password
- Do not write down the password
- Do not verbalize the password
- Do not email your password
How do you select a safe password?
- Do not select consecutive digits
- Do not select the information that can be easily guessed
- Choose something that can be remembered but not guessed
Function
What is the function of HIPAA?
In passing HIPAA, Congress required the establishment of federal standards for the security of electronic protected health information. These standards ensure the confidentiality, integrity, and availability of health information, protecting an individual's health information while still granting access to healthcare providers, clearinghouses, and health plans for continued medical care.[6][7][8]
- Standards for security were needed because of the growth in the exchange of protected health information between covered and non-covered entities. These standards guarantee the availability, integrity, and confidentiality of Electronic Protected Health Information (ePHI). State laws with stricter requirements also apply over and above the federal security guidelines.
- The standards mandated in the Federal Security Rule protect individuals' health information while permitting appropriate access to that information by healthcare providers, clearinghouses, and health insurance plans. The Federal Security Rule establishes federal standards to ensure the availability, confidentiality, and integrity of ePHI. Also, state laws provide more stringent standards that apply over and above federal security standards.
- Healthcare providers, health plans, and business associates have a strong tradition of safeguarding private health information. However, the old system of paper records locked in cabinets is no longer sufficient. With information broadly held and transmitted electronically, the rule provides clear national standards for protecting electronic health information.[9][10]
Issues of Concern
There are 5 HIPAA sections of the act, known as titles.[11][12][13][14]
Title I. Focus on Healthcare Access, Portability, and Renewability
- Regulates the availability of group and individual health insurance policies. Title I modified the Employee Retirement Income Security Act, the Public Health Service Act, and the Internal Revenue Code.
- Requires the coverage of and limits the restrictions that a group health plan places on benefits for preexisting conditions. Group health coverage may only refuse benefits related to preexisting conditions for 12 months after enrollment or 18 months for late enrollment.
- Enables individuals to limit the exclusion period, considering how long they were covered before enrolling in the new plan after any periods of a break in coverage.
- Includes "creditable coverage," which applies to nearly all group and individual health plans, Medicare, and Medicaid.
- Defines a "significant break" as any 63 consecutive days an individual goes without creditable coverage. It allows premiums to be tied to body mass index or avoidance of tobacco use.
- Requires insurers to issue policies without exclusion to those leaving group health plans with creditable coverage exceeding 18 months. Insurers must also renew individual policies for as long as they are offered, or provide alternatives to discontinued plans for as long as the insurer stays in the market, without exclusion and regardless of health condition.
Title II. Preventing Healthcare Fraud and Abuse; Administrative Simplification; Medical Liability Reform
- Establishes policies and procedures for maintaining privacy and security of individually identifiable health information, outlines offenses, and creates civil and criminal penalties for violations.
- Creates programs to control fraud and abuse and Administrative Simplification rules.
- Requires the Department of Health and Human Services (HHS) to increase the efficiency of the healthcare system by creating standards.
HHS initiated five rules to enforce Administrative Simplification: (1) Privacy Rule, (2) Transactions and Code Sets Rule, (3) Security Rule, (4) Unique Identifiers Rule, and (5) Enforcement Rule.
Privacy Rule
The HIPAA Privacy Rule regulates the use and disclosure of protected health information (PHI) by "covered entities." These entities include healthcare clearinghouses, health insurers, employer-sponsored health plans, and medical providers. Upon request, covered entities must disclose PHI to an individual within 30 days. In addition, entities mentioned earlier must provide and disclose PHI as required by law enforcement to investigate suspected child abuse.
- Covered entities may disclose PHI to law enforcement if requested by court orders, subpoenas, and administrative requests.
- A covered entity may reveal PHI to facilitate treatment, payment, or healthcare operations without a patient's written authorization.
- Any other disclosures of PHI require the covered entity to obtain prior written authorization.
- When a covered entity discloses PHI, it must make a reasonable effort to share only the minimum necessary information.
- The Privacy Rule gives individuals the right to demand that a covered entity correct any inaccurate PHI and take reasonable steps to ensure the confidentiality of communications with individuals.
- The Privacy Rule requires covered entities to notify individuals of PHI use, keep track of disclosures, and document privacy policies and procedures.
2013 Omnibus Rule update: The revised definition of "significant harm" to an individual in the analysis of a breach subjects covered entities to more scrutiny, with the intent of disclosing breaches that previously went unreported. Protection of PHI was changed from indefinite to 50 years after death. The HIPAA Privacy Rule may be waived during a natural disaster.
Right to access: The Privacy Rule requires medical providers to give individuals access to their PHI when an individual requests the information in writing. A provider has 30 days to provide a copy of the information to the individual. An individual may request the information in electronic form or as a hard copy.
- Individuals have the right to access all health-related information (except psychotherapy notes of a provider and information gathered by a provider to defend against a lawsuit).
- Providers may charge a reasonable amount for copying costs. However, no charge is allowable when providing data electronically from a certified electronic health record (EHR) using the "view, download, and transfer" feature.
- Individuals may use encrypted or unencrypted email, media, direct messaging, or other methods to authorize information delivery. An individual must understand and accept data transfer risks when using unencrypted delivery.
- Individuals may request their PHI be delivered to a third party in writing.
- Individuals may request in writing that their provider send PHI to a designated service used to collect or manage their records, such as a Personal Health Record application.
Relative disclosure: Hospitals may not reveal information over the phone to relatives of admitted patients. This has impeded the location of missing persons; as seen after airline crashes, hospitals are reluctant to disclose the identities of passengers being treated, making it difficult for relatives to locate them.
Transactions and Code Sets Rule
HIPAA was created to improve healthcare system efficiency by standardizing healthcare transactions. HIPAA added a new Part C titled "Administrative Simplification" that simplifies healthcare transactions by requiring health plans to standardize healthcare transactions.
- For example, medical providers who file for reimbursements must file electronic claims using HIPAA standards to be paid.
Security Rule
The Security Rule complements the Privacy Rule. While the Privacy Rule pertains to all PHI, the Security Rule is limited to ePHI. It lays out three security safeguards: administrative, physical, and technical.
Administrative safeguards: Policies and procedures are designed to show clearly how the entity will comply with the act. Covered entities must adopt a written set of privacy procedures and designate a privacy officer to develop and implement required policies and procedures. Procedures must identify classes of employees with access to ePHI and restrict it to only those who need it to complete their job function. The procedures must address access authorization, establishment, modification, and termination. Entities must show appropriate ongoing training for handling PHI. Covered entities must back up their data and have disaster recovery procedures. Internal audits are required to review operations to identify security violations. Procedures should document instructions for addressing and responding to security breaches.
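The administrative safeguards above (role-based access limited to job function, prompt termination of access, and audit review) can be checked mechanically. The following Python example is added here and is not code from the original article or any HIPAA guidance; the role-to-field mapping, the usernames, and the patient record are constructed assumptions. It enforces a "minimum necessary" field set per role, denies terminated accounts, logs every decision, and summarises denials per user so an internal audit can spot repeated over-reach.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Assumed role model (not from the article): each role may read only the ePHI
# fields it needs to do its job, i.e. the "minimum necessary" principle.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "clinician": {"mrn", "name", "dx_code", "notes"},
    "billing": {"mrn", "name", "cpt_codes"},
    "scheduler": {"mrn", "name"},
}


@dataclass
class User:
    username: str
    role: str
    active: bool = True  # set to False on termination; access must end immediately


@dataclass
class AccessLog:
    entries: List[dict] = field(default_factory=list)

    def record(self, username: str, requested: Set[str], allowed: bool, reason: str) -> None:
        # Every decision is logged, allowed or not, so audits see attempts as well as successes.
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": username,
            "fields": sorted(requested),
            "allowed": allowed,
            "reason": reason,
        })


def request_fields(user: User, record: dict, requested: Set[str], log: AccessLog) -> Optional[dict]:
    """Return only the requested fields if the user's role permits all of them, else None."""
    if not user.active:
        log.record(user.username, requested, False, "account terminated")
        return None
    permitted = ROLE_FIELDS.get(user.role, set())
    excess = requested - permitted
    if excess:
        log.record(user.username, requested, False, "exceeds role: " + ",".join(sorted(excess)))
        return None
    log.record(user.username, requested, True, "ok")
    return {k: record[k] for k in requested if k in record}


def audit_denials(log: AccessLog) -> Dict[str, int]:
    """Count denied requests per user so repeated over-reach surfaces in the internal audit."""
    counts: Dict[str, int] = {}
    for entry in log.entries:
        if not entry["allowed"]:
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return counts


def access_demo() -> dict:
    # Constructed sample record for a fictitious patient.
    record = {"mrn": "000123", "name": "Jane Doe", "dx_code": "E11.9",
              "notes": "stable", "cpt_codes": ["99213"]}
    log = AccessLog()
    clinician = User("dr_a", "clinician")
    biller = User("bill_b", "billing")
    former = User("ex_c", "clinician", active=False)
    return {
        "billing_ok": request_fields(biller, record, {"mrn", "cpt_codes"}, log),
        "billing_overreach": request_fields(biller, record, {"mrn", "dx_code"}, log),
        "clinician_ok": request_fields(clinician, record, {"name", "notes"}, log),
        "terminated": request_fields(former, record, {"mrn"}, log),
        "denials": audit_denials(log),
    }


if __name__ == "__main__":
    for key, value in access_demo().items():
        print(key, "->", value)
```

The design choice worth noting is that denial is the default: a role absent from the table gets an empty field set, and a single field outside the role's set fails the whole request rather than silently trimming it, so the audit log records exactly what was asked for.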
Physical safeguards: Procedures must control physical access to protected data, govern the introduction and removal of hardware and software from the network, and limit such access to authorized individuals. Procedures must also control and monitor access to equipment containing PHI. Workstations must be set up properly, ensuring monitor screens are out of direct public view. If the covered entities utilize contractors or agents, they, too, must be thoroughly trained on PHI.
Technical safeguards: Safeguards include controlling access to computer systems and enabling covered entities to protect communications containing ePHI over open networks.
- Information systems housing PHI must be protected from intrusion.
- Data within a system must not be changed or erased without authorization.
- Data corroboration (e.g., checksums, double-keying, message authentication, and digital signatures) must be used to ensure data integrity, and entities must authenticate the parties they communicate with.
- Entities must make documentation of their HIPAA practices available to the government.
- Information technology documentation should include a written record of all configuration settings on the network components.
- Documented risk analysis and risk management programs are required.
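The technical safeguards list "checksum" and "message authentication" side by side, and the difference matters for ePHI integrity: a plain hash detects accidental corruption, but anyone who can edit a record can also recompute the hash, whereas a keyed message authentication code (HMAC) cannot be recomputed without the key. The Python example below is added here and is not code from the original article; the keys, the record contents, and the "attacker guess" key are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo keys (assumption for this example). A real integrity key lives in a
# key management system, is never hard-coded, and is rotated under policy.
SERVER_KEY = b"demo-server-key-not-for-production"
ATTACKER_GUESS = b"some-other-key"


def canonical_bytes(record: dict) -> bytes:
    """Serialize deterministically so identical content always yields identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def checksum(record: dict) -> str:
    """Unkeyed SHA-256 digest: catches corruption, not deliberate edits."""
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def mac(record: dict, key: bytes) -> str:
    """HMAC-SHA256 tag: catches corruption AND edits by anyone lacking the key."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_checksum(record: dict, stored: str) -> bool:
    return hmac.compare_digest(checksum(record), stored)


def verify_mac(record: dict, stored: str, key: bytes) -> bool:
    # compare_digest avoids leaking tag bytes through timing differences.
    return hmac.compare_digest(mac(record, key), stored)


def tamper_demo() -> dict:
    # Constructed sample ePHI record for a fictitious patient.
    record = {"mrn": "000123", "name": "Jane Doe", "dx_code": "E11.9"}
    stored_sum = checksum(record)
    stored_mac = mac(record, SERVER_KEY)

    corrupted = dict(record, dx_code="E11.8")   # accidental change in storage or transit
    forged = dict(record, dx_code="Z00.00")     # deliberate edit by someone without the key
    return {
        "intact_checksum": verify_checksum(record, stored_sum),
        "intact_mac": verify_mac(record, stored_mac, SERVER_KEY),
        "corruption_caught_by_checksum": not verify_checksum(corrupted, stored_sum),
        "corruption_caught_by_mac": not verify_mac(corrupted, stored_mac, SERVER_KEY),
        # The editor rewrites the record and recomputes the checksum: the check passes.
        "forgery_passes_checksum": verify_checksum(forged, checksum(forged)),
        # The editor cannot recompute the tag without SERVER_KEY: the check fails.
        "forgery_caught_by_mac": not verify_mac(forged, mac(forged, ATTACKER_GUESS), SERVER_KEY),
    }


if __name__ == "__main__":
    for key, value in tamper_demo().items():
        print(key, "->", value)
```

An HMAC proves that whoever produced the tag held the key; it does not identify which party, so where the list's "digital signature" requirement applies (non-repudiation between separate entities), an asymmetric signature is the appropriate tool instead.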
Unique identifiers rule (National Provider Identifier, NPI)
HIPAA-covered entities such as providers completing electronic transactions, healthcare clearinghouses, and large health plans must use only the National Provider Identifier (NPI) to identify covered healthcare providers in standard transactions.
The NPI replaces all other identifiers used by health plans, Medicare, Medicaid, and other government programs. The NPI does not replace a provider's DEA, state license, or tax identification numbers. The NPI is ten digits (may be alphanumeric), with the last digit a checksum. The NPI cannot contain any embedded intelligence; the NPI is a number that does not have any additional meaning. The NPI is unique and national, never re-used, and except for institutions, a provider usually can have only one. An institution may obtain multiple NPIs for different "sub-parts," such as a free-standing surgery or wound care center.
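The article notes that the last NPI digit is a checksum. The check digit is computed with the Luhn algorithm after prefixing the identifier with the constant 80840, which is the CMS-published method; the Python below is an added example, not code from the article or from CMS, and it assumes the all-numeric ten-digit form that CMS issues. The sample value 1234567893 is a test value, not a real provider's identifier. Validating the check digit when an NPI enters a claims or billing system rejects mistyped or transposed identifiers before they reach a standard transaction; it does not prove the number belongs to a real or authorised provider, which requires a registry lookup.

```python
NPI_PREFIX = "80840"  # constant CMS prefixes to the NPI for check-digit computation


def luhn_sum(digits: str) -> int:
    """Luhn weighted digit sum, processed right to left: every second digit from
    the right is doubled and, if the result exceeds 9, reduced by 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def npi_check_digit(base9: str) -> int:
    """Compute the tenth digit for a nine-digit NPI base."""
    if len(base9) != 9 or not base9.isdigit():
        raise ValueError("NPI base must be exactly nine digits")
    # A placeholder 0 is appended so each digit sits in the same Luhn position
    # it will occupy in the full ten-digit identifier.
    s = luhn_sum(NPI_PREFIX + base9 + "0")
    return (10 - s % 10) % 10


def is_valid_npi(npi: str) -> bool:
    """True only for ten numeric digits whose last digit is the correct Luhn check digit."""
    if len(npi) != 10 or not npi.isdigit():
        return False
    return luhn_sum(NPI_PREFIX + npi) % 10 == 0


def validate_batch(npis):
    """Partition a batch of identifiers, e.g. from an inbound claims file, into accepted
    and rejected lists so malformed values never reach the transaction layer."""
    accepted, rejected = [], []
    for value in npis:
        (accepted if is_valid_npi(value) else rejected).append(value)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample batch: a valid test value, a wrong check digit, an adjacent
    # transposition, and a nine-digit value.
    print(validate_batch(["1234567893", "1234567899", "1234576893", "123456789"]))
```

Luhn detects every single-digit error and all adjacent transpositions except 09/90, which is why the transposed value in the sample batch is rejected along with the bad check digit.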
Enforcement Rule
- The Enforcement Rule sets civil monetary penalties for violating HIPAA rules.
- It establishes procedures for investigations and hearings for HIPAA violations.
- The US Department of Health and Human Services has investigated over 20,000 cases resolved by requiring changes in privacy practice or corrective action.
- If noncompliance is determined, entities must apply corrective measures.
- Complaints have been investigated against pharmacy chains, major healthcare centers, insurance groups, hospital chains, and small providers.
According to HHS, the following issues have been reported, listed by frequency:
- Misuse and disclosures of PHI
- No protection in place for health information
- Patients unable to access their health information
- Using or disclosing more than the minimum necessary PHI
- No safeguards of ePHI
The most common entities required to take corrective action according to HHS are listed below by frequency:
- Private Practices
- Hospitals
- Outpatient Facilities
- Group insurance plans
- Pharmacies
Title III. Tax-Related Health Provisions Governing Medical Savings Accounts
- Standardizes the amount that may be saved per person in a pre-tax medical savings account.
- Makes medical savings accounts available to employees covered under an employer-sponsored high deductible plan for small employers and self-employed individuals.
Title IV. Application and Enforcement of Group Health Insurance Requirements
Title IV specifies conditions for group health plans regarding coverage of persons with preexisting conditions and modifies continuation of coverage requirements. In addition, it clarifies continuation coverage requirements and includes COBRA clarification.
Title V. Revenue Offset Governing Tax Deductions for Employers
- Provisions for company-owned life insurance for employers providing company-owned life insurance premiums, prohibiting the tax-deduction of interest on life insurance loans, company endowments, or contracts related to the company.
- It repeals the financial institution rule to interest allocation rules.
- It amends provisions of law relating to people who give up United States citizenship or permanent residence, expanding the expatriation tax to be assessed against those deemed to be giving up their US status for tax reasons.
- It produces former citizens' names as part of the public record by creating the Quarterly Publication of Individuals Who Have Chosen to Expatriate.
Clinical Significance
HIPAA Privacy and Security Rules have substantially changed how medical institutions and health providers function. The complex legalities, severe civil and financial penalties, and increased paperwork and implementation costs have substantially impacted health care. All health professionals must be trained in HIPAA and understand the potential pitfalls and acts that can lead to a violation.[15][16]
Clinical Care Effects
HIPAA, combined with stiff penalties for violation, may result in medical centers and practices withholding life-saving information from those who may have a right to it and need it at a crucial moment. In its review of the HIPAA Privacy Rule, the US Government Accountability Office found that healthcare providers were "uncertain about their legal privacy responsibilities and often responded with an overly guarded approach to disclosing information." Ultimately, the solution is the education of all healthcare professionals and their support staff so that they fully appreciate when PHI can be legally released.
Education and Training Effects
Education and training of healthcare providers and students are needed to implement HIPAA Privacy and Security Acts. Practical training and education must describe the regulatory background and purpose of HIPAA and provide a review of the principles and key provisions of the Privacy Rule.
Research Effects
HIPAA restrictions on research have affected the ability to perform chart-based retrospective research. This has made it challenging to evaluate patients prospectively for follow-up.[12][17]
- HIPAA Privacy rules have resulted in as much as a 95% drop in follow-up surveys completed by patients being followed long-term.
- Recruitment of patients for cancer studies has led to a more than 70% decrease in patient accrual and a tripling of time spent recruiting patients and mean recruitment costs.
- The legal language required for research studies is now extensive due to the need to protect participants' health information. While such information is important, a lengthy legalistic section may make these complex documents less user-friendly for those asked to read and sign them.
Many researchers believe that HIPAA privacy laws harm the cost and quality of medical research.[8]
Costs
HIPAA Privacy and Security Acts require all medical centers and medical practices to comply. The costs of developing and revamping systems and practices, together with increased paperwork and staff education time, have impacted the finances of medical centers and practices at a time when insurance company and Medicare reimbursements have decreased. Ultimately, the cost of violating the statutes is so substantial that scarce resources must be devoted to ensuring an institution is compliant and its employees understand the statutory rules.
Conclusions
HIPAA is a potential minefield of violations that almost any medical professional can commit. Staff with less education and understanding can easily violate these rules during the normal course of work. While a small percentage of criminal violations involve personal gain or nosy behavior, most are momentary lapses resulting in costly mistakes. Writing an incorrect address, phone number, email, or text on a form or expressing protected information aloud can jeopardize a practice. HIPAA education and training are crucial, as well as designing and maintaining systems that minimize human mistakes.[18][19][20]
Other Issues
Violations of HIPAA
Civil
- For an individual who unknowingly violates HIPAA: a $100 fine per violation, with an annual maximum of $25,000 for repeat violations.
- For a violation due to reasonable cause and not to willful neglect: a $1,000 charge per violation, with an annual maximum of $100,000 for repeat violations.
- For a HIPAA violation due to willful neglect that is corrected within the required period: a $10,000 penalty per violation, with an annual maximum of $250,000 for repeat violations.
- For a HIPAA violation due to willful neglect that is not corrected: a penalty of $50,000 per violation with an annual maximum of $1,000,000, or $50,000 per violation with an annual maximum of $1.5 million.
Criminal
- For entities covered and specified individuals who obtain or disclose individually identifiable health information willfully and knowingly, the penalty is up to $50,000 and imprisonment up to 1 year.
- For offenses committed under false pretenses, the penalty is up to $100,000 with imprisonment of up to 5 years.
- For offenses committed intending to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, the penalty is up to $250,000, with imprisonment of up to 10 years.
The US Department of Health and Human Services Office for Civil Rights has received over 100,000 complaints of HIPAA violations, many resulting in civil and criminal prosecution.
Examples of HIPAA violations and breaches include:
- Hospital staff disclosed HIV testing concerning a patient in the waiting room; staff were required to take regular HIPAA training, and computer monitors were repositioned.
- An office manager accidentally faxed confidential medical records to an employer rather than a urologist's office. This resulted in a stern warning letter and mandatory HIPAA training for all employees.
- A surgeon was fired after illegally accessing personal records of celebrities, was fined $2,000, and sentenced to 4 months in jail.
- A private practice lost an unencrypted flash drive containing PHI, was fined $150,000, and was required to install a corrective action plan.
- Private physician licenses were suspended for submitting a patient's bill to collection firms with CPT codes that revealed the patient's diagnosis.
- Texas hospital employees received an 18-month jail term for wrongful disclosure of private patient medical information.
- A Walgreens pharmacist violated HIPAA and shared confidential information concerning a customer who dated her husband, resulting in a $1.4 million HIPAA award.
- Virginia employees were fired for logging into medical files without legitimate medical need.
- An employee was fired after revealing a pregnancy test result aloud in the back office of a medical clinic.
- A sales executive was fined $10,000 for filling out prior authorization forms and putting them in patient charts.
- Six doctors and 13 employees were fired at UCLA for viewing Britney Spears' medical records when they had no legitimate reason to do so.
- A cardiac monitor vendor was fined $2.5 million when a laptop containing hundreds of patient medical records was stolen from a car.
- A Washington State Medical Center employee was fired for improperly accessing over 600 confidential patient health records.
- An employee of the hospital posted on Facebook concerning the death of a patient, stating she "should have worn her seatbelt."
- A hospital was fined $2.2 million for allowing an ABC film crew to film two patients without their consent.
- A cardiology group was fined $200,000 for posting surgical and clinical appointments on a public, internet-accessible calendar.
- Tricare Management of Virginia exposed the confidential data of nearly 5 million people.
- Cignet Health of Maryland was fined $4.3 million for ignoring patient requests to obtain copies of their records and ignoring federal officials' inquiries.
- A Virginia physician was prosecuted for sharing information with a patient's employer under false pretenses.