Last week, I completed a short course on Understanding HIPAA Compliance. This blog summarizes my learnings from the course.
The US Health Insurance Portability and Accountability Act, or HIPAA, was signed into law on August 21, 1996, by then President Bill Clinton. It outlines a set of national standards that healthcare organizations must abide by to maintain the security and confidentiality of sensitive patient information. It covers any type of health-related data, whether physical or electronic. HIPAA gives patients control over their health-related information and defines penalties for violations.
Initially, HIPAA was introduced to reduce costs, maintain the privacy of patients' health-related information, and simplify administrative processes. Over time, the objectives of HIPAA have changed. Now, HIPAA assures portability, ensuring that individuals can maintain health insurance while employed, when changing jobs, or while unemployed. Furthermore, HIPAA assures accountability when maintaining or transmitting health-related information.
HIPAA applies to anyone handling, processing, or transmitting health-related data, including health care providers (doctors or nurses), clearinghouses (public or private), and health plans.
HIPAA deals with maintaining the security and integrity of PHI, also known as Protected Health Information or Personal Health Information. Simply put, any health-related information that can be traced back to an individual is PHI. This information is used, stored, transferred, processed, or maintained by health care providers, insurers, and their business partners. It includes information such as the patient's name, date of birth, demographics, medical history, health conditions, insurance information, email address, invoices, treatment details, medical test results, biometric identifiers, etc. PHI can be written, verbal, audio, video, or image, or stored on an electronic device.
Unauthorized access, use, distortion, destruction, or sharing of PHI without the patient's consent is PHI misuse. The risk of PHI misuse is high. Hence, protecting PHI builds patients' willingness to share their information. HIPAA serves the following purposes:
- It streamlines the administrative functions.
- It ensures PHI confidentiality, availability, and integrity.
- It ensures the common data format is followed.
- It keeps a check on violations and deters organizations and individuals from sharing sensitive information, whether intentionally or unintentionally.
- It gives patients the right to monitor their health information.
- It ensures that patients can get a copy of their health information if they want to move to a new health care provider.
The key terms and principles are as follows:
- Use: PHI should be used within an organization and only for the reason it was collected.
- Disclosure: PHI can only be disclosed after an individual authorizes or in exceptional situations when required by law or for treatment.
- Incidental disclosure: Some amount of information about the patient may be disclosed to the people nearby when the patient is being attended to.
- Minimum necessary: Only the information required to satisfy the intended purpose should be disclosed.
- Role-based access: The access to PHI is given based on the role. For example, a doctor has a different level of access than the front-desk officer.
- Covered entity: A covered entity is anyone who provides health care treatment, manages health care services, or carries out operational activities and has access to PHI. Covered entities must strictly abide by the HIPAA rules.
- Business associates: Business associates access PHI or provide services to covered entities. A business associate must have a contract with the covered entity before it may access and use PHI, ensuring confidentiality, privacy, and protection. An example is a data storage company that maintains PHI on behalf of a covered entity.
- Electronic data interchange rule: This rule came into existence in 2002. In the earlier days, all transactions were documented physically. With the advent of technology, billing, coding of health-related data, and administrative processes were handled digitally. Hence, a set of rules was standardized to handle the digital exchange of a patient's health information. The transaction and code set standards helped maintain the same software and data structures across the industry handling PHI, ultimately increasing efficiency.
- Privacy Rule: This rule came into effect in 2003. It was introduced to safeguard and maintain the privacy of PHI. It establishes that a patient has the right to know about their health and how their health information is being used. It applies to covered entities and their business associates, or anyone who stores, processes, or transmits the information in any form. Patients' rights under HIPAA's Privacy Rule are as follows:
- Control or restrict the use and communication of information
- Request a disclosure history
- Access and review the information and request corrections
- Request a copy of a medical record
- Request the notice of privacy practices
Furthermore, health care providers must adopt the following business practices to ensure that only the minimum necessary information is disclosed:
- Only minimum information can be shared.
- The internal protection of PHI must be ensured.
- The employees must be trained to protect PHI.
- The client should be informed about the business procedure.
- Written consent should be obtained from the client to use and disclose the PHI.
- Maintain the confidentiality and security of PHI.
To safeguard PHI, the patient must make sure not to disclose any information unless needed, whether through verbal, written, or electronic means of communication.
- Verbal: The patient must not discuss PHI in public and must make sure the information is not overheard.
- Written: The patient must securely shred all the documents and must not leave any documents for public access.
- Electronic means of communication: The patient must securely dispose of the electronic means of communication and log off the computers when not in use.
PHI can only be disclosed when required by law or government, when it is shared with the patient, for the payment or reimbursement of services, in the case of organ donation, etc.
- Security Rule: This rule came into effect in 2005. It focuses on the confidentiality, access, and storage of PHI and ePHI. Confidentiality ensures that information is secured from unauthorized disclosure and that, when there is a need, only the required information is shared. It also includes validating the communication address before information is shared. Integrity ensures that the mode of transmission is secured when information is communicated. A firewall is mandatory to secure your network when you are communicating the information; it keeps a check on suspicious events, securing your system and data. Availability ensures that information is made available to authorized personnel.
The Security Rule enforces the following to securely transfer and store information:
- Administrative procedures: Implementing and maintaining workforce security, including security training and procedures, documenting privacy procedures, identifying employees with access to ePHI, and reporting and addressing security incidents.
- Physical safeguards: Ensuring the physical controls are in place to protect data from unauthorized access and hazards, such as CCTV monitoring, biometrics, and a proper door locking system.
- Technical safeguards: Ensuring PHI transferred electronically is accessible only to authorized users and is securely transmitted.
- Other: Other procedures include a complaint filing and handling mechanism, a designated security officer to address any violations, enforcement of penalties, and workforce training on securing sensitive information.
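Role-based access and the minimum necessary principle described above, together with the administrative safeguard of identifying who has accessed ePHI, can be expressed in code. The following Python example is an added illustration and is not part of the course or this blog post; the roles, field names, permitted purposes, and the sample patient record are constructed assumptions, and a real policy would come from the covered entity.

```python
"""Role-based, minimum-necessary access to a PHI record with an audit trail.

Added illustration, not part of the course or the blog post. The roles,
field names, purposes and the sample record below are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed sample PHI record: every field here would be PHI under HIPAA.
SAMPLE_RECORD: Dict[str, str] = {
    "name": "Jane Doe",
    "date_of_birth": "1980-04-12",
    "email": "jane.doe@example.invalid",
    "insurance_id": "INS-000123",
    "diagnosis": "Type 2 diabetes",
    "test_results": "HbA1c 7.1%",
    "invoice_total": "240.00",
}

# Minimum necessary: each role sees only the fields its job function needs.
# Assumed mapping for this example; the front desk never sees clinical data.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "physician": {"name", "date_of_birth", "diagnosis", "test_results"},
    "front_desk": {"name", "date_of_birth", "email", "insurance_id"},
    "billing": {"name", "insurance_id", "invoice_total"},
}

# Purposes for which use is permitted without a separate patient authorization
# (treatment, payment, operations); anything else needs written consent.
PERMITTED_PURPOSES: Set[str] = {"treatment", "payment", "operations"}


@dataclass
class AuditEntry:
    when: str
    user: str
    role: str
    purpose: str
    fields: List[str]
    allowed: bool
    reason: str


@dataclass
class PhiAccessController:
    """Applies role-based access and records every decision, allowed or denied."""
    audit_log: List[AuditEntry] = field(default_factory=list)

    def access(self, user: str, role: str, purpose: str, record: Dict[str, str],
               patient_authorized: bool = False) -> Optional[Dict[str, str]]:
        """Return the subset of the record the role may see, or None if denied."""
        now = datetime.now(timezone.utc).isoformat()
        if role not in ROLE_FIELDS:
            self._log(now, user, role, purpose, [], False, "unknown role")
            return None
        if purpose not in PERMITTED_PURPOSES and not patient_authorized:
            self._log(now, user, role, purpose, [], False,
                      "purpose requires patient authorization")
            return None
        # Filter to the role's fields: the minimum necessary for that job.
        visible = {k: v for k, v in record.items() if k in ROLE_FIELDS[role]}
        self._log(now, user, role, purpose, sorted(visible), True,
                  "minimum necessary applied")
        return visible

    def _log(self, when, user, role, purpose, fields, allowed, reason):
        self.audit_log.append(
            AuditEntry(when, user, role, purpose, list(fields), allowed, reason))

    def accesses_by_user(self) -> Dict[str, int]:
        """Count successful PHI accesses per user: supports the administrative
        safeguard of identifying employees with access to ePHI."""
        counts: Dict[str, int] = {}
        for entry in self.audit_log:
            if entry.allowed:
                counts[entry.user] = counts.get(entry.user, 0) + 1
        return counts


if __name__ == "__main__":
    ctl = PhiAccessController()
    print(ctl.access("dr_smith", "physician", "treatment", SAMPLE_RECORD))
    print(ctl.access("bob", "billing", "payment", SAMPLE_RECORD))
    print(ctl.access("eve", "front_desk", "marketing", SAMPLE_RECORD))
    for entry in ctl.audit_log:
        print(entry)
```

The audit log keeps denied requests as well as allowed ones, since a run of denials against a record is exactly the kind of suspicious event the Security Rule expects to be reported and investigated.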
- American Recovery and Reinvestment Act (ARRA): ARRA was introduced in 2009 to strengthen PHI privacy and security. As part of ARRA, the Health Information Technology for Economic and Clinical Health (HITECH) Act was introduced in 2009. This act encourages the use of electronic health-related information, provides funds to maintain records in digital form, and strengthens the PHI privacy and security rules. Business associates must comply with HITECH to safeguard PHI and prevent unnecessary disclosure. In 2013, the HIPAA Omnibus Final Rule made a final modification of the HIPAA Privacy and Security Rules; its central purpose was to facilitate the implementation of HITECH mandates. Interestingly, the Genetic Information Nondiscrimination Act (GINA) was also introduced; it protects patients from being discriminated against by health insurers or employers on the basis of their genetic information.
A breach is an unauthorized access, use, or disclosure of PHI that compromises its security and privacy. A breach can take any form, such as accessing more data than the minimum necessary, leaving sensitive documents in the workplace, sharing confidential information, discussing a patient's health in public, unintentionally sharing PHI with the wrong person, or sharing PHI for personal gain. When a breach is discovered, it must be reported without delay and no later than 60 days from the discovery of the breach. Reporting a HIPAA breach aids in its investigation, documentation, and management, reduces the damage caused, and helps prevent the same incident from recurring.
To implement HIPAA in an organization:
- Conduct HIPAA awareness training for the security officials and employees of the organization.
- Draft and maintain a HIPAA Compliance manual.
- Implement the safeguard measures to protect data.
- Perform regular audits and record the gaps and their remediation methods.
Finally, to maintain HIPAA Compliance:
- Shred all unneeded documents safely.
- Don't disclose sensitive information.
- Lock the system when not in use.
- Ensure only the minimum necessary information is shared.
- Be aware of whom you are sharing the information with.
- Report the breach immediately.
- Don't leave an important document unattended.