The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Kennedy–Kassebaum Act, or Kassebaum–Kennedy Act) consists of 5 Titles.
Why was the Health Insurance Portability and Accountability Act (HIPAA) established?
Whom does HIPAA cover?
What are basic HIPAA goals?
What health information is protected?
How does the HIPAA Privacy Rule distinguish between permitted uses and disclosures of protected health information?
What are the legal exceptions when health care professionals can breach confidentiality without permission?
What types of data does HIPAA protect?
What types of electronic devices must facility security systems protect?
What is the job of a HIPAA security officer?
What does a security risk assessment entail?
What are physical safeguards?
What type of employee training for HIPAA is necessary?
What type of reminder policies should be in place?
How should a sanctions policy for HIPAA violations be written?
What discussions regarding patient information may be conducted in public locations?
How do you protect electronic information?
How do you ensure password protection?
How do you select a safe password?
What is the function of HIPAA?
In passing HIPAA, Congress required HHS to establish federal standards for the security of electronic protected health information. Those standards must ensure the confidentiality, integrity, and availability of health information, protecting an individual's health information while still allowing health care providers, clearinghouses, and health plans the access they need for continued medical care.
There are 5 HIPAA sections of the act, known as titles.
Title I: Focus on Health Care Access, Portability, and Renewability
Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform
HHS initiated 5 rules to enforce Administrative Simplification: (1) Privacy Rule, (2) Transactions and Code Sets Rule, (3) Security Rule, (4) Unique Identifiers Rule, and (5) Enforcement Rule.
The HIPAA Privacy Rule regulates the use and disclosure of protected health information (PHI) by "covered entities." These entities include health care clearinghouses, health insurers, employer-sponsored health plans, and medical providers. Upon request, covered entities must disclose PHI to the individual it concerns within 30 days. Covered entities must also disclose PHI when required to do so by law, for example when reporting suspected child abuse to state child welfare agencies.
2013 Omnibus Rule Update
Right to access
The Privacy Rule requires medical providers to give individuals PHI access when an individual requests information in writing. A provider has 30 days to provide a copy of the information to the individual. An individual may request the information in electronic form or hard-copy.
In practice, hospitals often decline to reveal information over the phone to relatives of admitted patients.
Transactions and Code Sets Rule
Title II of HIPAA aimed to improve health care system efficiency by standardizing health care transactions. It added a new Part C, titled "Administrative Simplification," to Title XI of the Social Security Act, which requires health plans to use standardized transactions and code sets.
The Security Rule complements the Privacy Rule. While the Privacy Rule pertains to all Protected Health Information, the Security Rule is limited to Electronic Protected Health Information. It lays out 3 types of security safeguards: administrative, physical, and technical.
Administrative safeguards are the policies and procedures that show clearly how the entity will comply with the act, including a security risk assessment, a designated security officer, workforce training, and a sanctions policy.
Physical safeguards control physical access to facilities, workstations, and media (including their disposal) to prevent inappropriate access to protected data.
Technical safeguards include controlling access to computer systems (unique user identification, authentication, audit controls) and enabling covered entities to protect communications containing PHI transmitted electronically over open networks, typically by encrypting them in transit.
Unique Identifiers Rule (National Provider Identifier, NPI)
HIPAA covered entities such as providers completing electronic transactions, healthcare clearinghouses, and large health plans must use only the National Provider Identifier (NPI) to identify covered healthcare providers in standard transactions.
The NPI replaces all other identifiers used by health plans, Medicare, Medicaid, and other government programs. The NPI does not replace a provider's DEA number, state license number, or tax identification number. The NPI is a 10-position, all-numeric identifier whose last digit is a checksum computed with the Luhn formula. The NPI cannot contain any embedded intelligence; the NPI is a number that does not itself have any additional meaning. The NPI is unique and national, never re-used, and except for institutions, a provider usually can have only one. An institution may obtain multiple NPIs for different "sub-parts" such as a free-standing surgery or wound care center.
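The checksum mentioned above can be verified locally, which is useful when validating provider identifiers in claims or credentialing data before they are sent in a standard transaction. The following is an added example written for this page, not code from the page or from CMS: it implements the Luhn formula as CMS specifies it for the NPI, where the nine identifier digits are prefixed with the constant 80840 (an ISO/IEC 7812 issuer identifier; the prefix is not part of the NPI) before the check digit is computed. The sample identifiers in `main` are constructed for illustration.

```python
"""Validate the NPI check digit (Luhn formula over the 80840-prefixed identifier)."""

# CMS prefixes the nine identifier digits with 80840 before applying the
# Luhn formula; the prefix is never transmitted as part of the NPI.
NPI_LUHN_PREFIX = "80840"
NPI_LENGTH = 10


def _is_ascii_digits(s: str) -> bool:
    """Reject anything but ASCII 0-9 (str.isdigit alone accepts Unicode digits)."""
    return s.isascii() and s.isdigit()


def _luhn_sum(digits: str) -> int:
    """Luhn sum of a digit string that does NOT yet carry its check digit.

    Starting from the rightmost digit (the one that will sit immediately
    left of the check digit), every other digit is doubled; doubled values
    above 9 have 9 subtracted, which equals summing their two digits.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def npi_check_digit(base: str) -> int:
    """Return the check digit for the first nine digits of an NPI."""
    if len(base) != NPI_LENGTH - 1 or not _is_ascii_digits(base):
        raise ValueError("NPI base must be exactly 9 ASCII digits")
    return (10 - _luhn_sum(NPI_LUHN_PREFIX + base) % 10) % 10


def is_valid_npi(npi: str) -> bool:
    """True iff npi is 10 ASCII digits and its last digit is the Luhn check digit.

    A Luhn check catches every single-digit error and most adjacent
    transpositions; it says nothing about whether the NPI is actually
    assigned, so it is a syntax check, not an enrollment check.
    """
    if len(npi) != NPI_LENGTH or not _is_ascii_digits(npi):
        return False
    return npi_check_digit(npi[:NPI_LENGTH - 1]) == int(npi[NPI_LENGTH - 1])


def main() -> None:
    # Constructed sample values: one well-formed NPI, one with a changed
    # digit, one with two digits transposed, and two malformed strings.
    samples = ["1234567893", "1234567883", "2134567893", "123456789", "123456789X"]
    for s in samples:
        print(f"{s!r:14} valid={is_valid_npi(s)}")


if __name__ == "__main__":
    main()
```

`is_valid_npi` is deliberately strict about length and character set so that padded, Unicode-digit, or alphanumeric input fails closed rather than being silently coerced.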
According to HHS, the most frequently reported compliance issues, in order of frequency, are:
The types of covered entities most often required to take corrective action, according to HHS and in order of frequency, are:
Title III: Tax-related health provisions governing medical savings accounts
Title IV: Application and enforcement of group health insurance requirements
Title IV specifies conditions for group health plans regarding coverage of persons with pre-existing conditions and modifies continuation of coverage requirements. It clarifies continuation coverage requirements and includes COBRA clarification.
Title V: Revenue offset governing tax deductions for employers
The HIPAA Privacy and Security Rules have substantially changed the way medical institutions and health providers function. The complex legalities and severe civil and criminal penalties, together with the increase in paperwork and implementation costs, have had a substantial impact on health care. All health professionals must be trained in HIPAA and understand the potential pitfalls and acts that can lead to a violation.
Clinical Care Effects
HIPAA, combined with stiff penalties for violations, may result in medical centers and practices withholding life-saving information from those who have a right to it and need it at a crucial moment. In reviewing the effects of the Privacy Rule, the US Government Accountability Office found that health care providers were "uncertain about their legal privacy responsibilities and often responded with an overly guarded approach to disclosing information." Ultimately, the solution is the education of all healthcare professionals and their support staff so that they fully understand when protected health information can legally be released.
Education and Training Effects
Education and training of healthcare providers and students are needed to implement the HIPAA Privacy and Security Rules. Effective training and education must describe the regulatory background and purpose of HIPAA and provide a review of the principles and key provisions of the Privacy Rule.
HIPAA restrictions on research have reduced the ability to perform chart-based retrospective research and have made it more difficult to evaluate patients prospectively by contacting them for follow-up.
Many researchers believe that the HIPAA privacy laws have a negative impact on the cost and quality of medical research.
The HIPAA Privacy and Security Rules require all medical centers and medical practices to achieve and maintain compliance. The costs of developing and revamping systems and practices, together with an increase in paperwork and staff education time, have strained the finances of medical centers and practices at a time when insurance company and Medicare reimbursements have decreased. Ultimately, the cost of violating the statutes is so substantial that scarce resources must be devoted to making sure an institution is compliant and its employees understand the statutory rules.
HIPAA is a potential minefield of violations that almost any medical professional can commit. Staff with less education and understanding can easily violate these rules during the normal course of work. While a small percentage of criminal violations involve personal gain or nosy behavior, most violations are momentary lapses that result in costly mistakes. Writing an incorrect address, phone number, email, or text on a form or expressing protected information aloud can jeopardize a practice. HIPAA education and training is crucial, as well as designing and maintaining systems that minimize human mistakes.
Violations of HIPAA
The US Department of Health and Human Services Office for Civil Rights has received over 100,000 complaints of HIPAA violations, some of which have resulted in civil penalties or referral to the Department of Justice for criminal prosecution.
Examples of HIPAA violations and breaches include: