HIPAA compliance is an attribute of an organization or system that follows the parameters of the Health Insurance Portability and Accountability Act, legislation that specifies the protection of patient files through its security and privacy rules.
The HIPAA legislation, enacted in 1996, had two main components – the first involved protected health coverage for employees when they change or lose their jobs, and the second involves the aforementioned security and protection of electronic health care records and patient files.
We’ll be focusing only on the second part for the purposes of this article, and specifically how covered entities (essentially anyone who offers treatment, services, or payments related to health care) must adhere to a strict set of rules to be considered HIPAA compliant.
- What is HIPAA Compliance?
- Not Just Data Privacy: The 5 HIPAA Titles
- HIPAA Title II Highlights
- What Can Go Wrong? [Stats]
- HIPAA Compliant Hosting Requirements
What is HIPAA Compliance?
HIPAA compliance is adherence to the laws outlined in the Health Insurance Portability and Accountability Act, US federal healthcare legislation that notably contains rules for security and privacy of patient records.
Not Just Data Privacy: The 5 HIPAA Titles
As with many pieces of federal legislation, it’s a lengthy work of text with seemingly endless sections, but we’ll be focusing on five specific sections that relate to compliance. These five sections – called titles – deal with the following areas:
- HIPAA Title I – This section makes it possible for people to maintain their health insurance if their livelihood changes or is lost. “It also prohibits group health plans from denying coverage to individuals with specific diseases and pre-existing conditions,” explained IT knowledge expert Margaret Rouse, “and from setting lifetime coverage limits.” It also details how insurers must issue policies for individuals leaving group health plans for 18 months or more, as well as which plans are exempt from these requirements (such as long-term plans or supplemental vision/dental plans).
- HIPAA Title II – This part of the healthcare law mandates that the federal Department of Health and Human Services (HHS) must create standardized expectations related to handling patient records (both physical and virtual). Additionally, it instructs healthcare providers, plans, and clearinghouses to use reasonable, industry-accepted security mechanisms and to follow all HHS privacy code. For most average people who are not in the health care industry, the privacy aspect of HIPAA is all they know, and the Privacy Rule is under Title II. The Privacy Rule was put into effect in April of 2003; we’ll dive into it more in depth below.
- HIPAA Title III – This section contains new tax rules for healthcare companies and standardizes the amount of money that each person can save in a pre-tax medical savings account (MSA) or health savings account (HSA). Since 1997, MSAs have been an option for employees who are covered under a group plan with an employer-offered, high deductible plan, or for small business employees and the self-employed.
- HIPAA Title IV – This part creates additional expectations for health insurance, such as new protections for anyone who has a “pre-existing” illness or wants to keep their plan active. It also mandates how coverage is continued for gaps in employment, and includes clarification on how it works with the Consolidated Omnibus Budget Reconciliation Act of 1985, or COBRA.
- HIPAA Title V – This section provides rules for life insurance policies owned by businesses and the effect of expatriation or deportation on income tax. In addition, Title V repeals the financial institution rule regarding how interest is allocated, deals with the health coverage legalities regarding Americans who have given up their citizenship for tax benefits, and makes those names available for the public record.
HIPAA Title II Highlights
As we mentioned above, the layman’s understanding of HIPAA almost certainly is related to the privacy portion of a patient’s medical records – which is the crux of the Privacy Rule of Title II. It’s also one of the most critical components for business associates of health care companies – businesses that offer supplementary services such as web hosting or payment processing services for a health care organization. Typically when a healthcare provider or IT company uses the term HIPAA compliant, they are referencing HIPAA Title II. That part of the act, which is sometimes called the Administrative Simplification guidelines, contains these particularly important rules:
- National Provider Identifier Standard – Every player in a healthcare scenario, from patient to workplace to insurance provider to medical practice, will be assigned a specific national provider identifier (NPI) composed of 10 numerical digits so that HIPAA health care transactions are structured and organized. Obviously, no two NPI numbers are identical, and they also contain no hidden information (unlike a 16-digit credit card number, which is linked to your name, address, etc.) – they are purely an identification number. They can never be reused, and only large institutions with multiple elements (like a hospital with a separate oncology wing, for example) can receive multiple NPIs.
- Transactions and Code Sets Standards – Both providers and insurance companies must use standardized electronic data interchange (EDI) protocols to maintain HIPAA data compliance when filing transactions. A transaction in this case can be generally defined as any electronic exchange of information between two parties, and the standard applies to covered entities, clearinghouses, health care providers, and insurers.
- HIPAA Privacy Rule – “Officially known as the Standards for Privacy of Individually Identifiable Health Information,” Rouse said, “this rule establishes national standards to protect patient health information.” Known in the industry as PHI, Protected Health Information is a wide-sweeping term that refers to any piece of information that could possibly give away a patient’s identity. This of course covers the obvious PHI examples of name and address, but also information about the patient’s health status, previous conditions or injuries, any part of their medical history whatsoever, as well as their payment information and payment history used to pay for care. Covered Entities are required by law to disclose any use of a patient’s PHI (for example, if law enforcement officials have a court-ordered warrant), as well as keep a detailed log of any time a patient’s PHI has been used. The privacy rule also stipulates that if a patient feels their PHI has been incorrectly utilized, or any portion of Title II’s Privacy Rule isn’t being followed properly by a health care employee, they can file an official complaint with Health and Human Services (HHS). Although the vast majority of complaints (around 80%) are closed due to lacking merit, a confirmed violation of the HIPAA Privacy Rule can be exceptionally costly.
- HIPAA Security Rule – This part of Title II is specifically of concern to IT teams and digital providers. Named “The Security Standards for the Protection of Electronic Protected Health Information,” it is a set of guidelines to secure electronic records. The Security Rule is meant to act in concert with the Privacy Rule. According to the HHS’s own description, the HIPAA Security Rule “operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called ‘covered entities’ must put in place to secure individuals’ ‘electronic protected health information’ (e-PHI).”
- HIPAA Breach Notification Rule – This rule stipulates the manner in which “covered entities” (healthcare companies) must let affected parties know when a data breach occurs. If a breach does occur, Covered Entities must give a notice to: each and every individual whose PHI was compromised or in any way utilized incorrectly within a minimum of 60 days, with a description of the breach and how it occurred; to the area’s prominent media outlets (typically in the form of a press release) if the breach affected more than 500 people; and to the Secretary of the HHS. If the breach is deemed to be the fault of one of the Business Associates of a Covered Entity, the Associate must issue the same notification of the breach to the Entity within 60 days and describe it in detail.
- HIPAA Enforcement Rule – Since this new law was intended to change the way that businesses operate, it couldn’t just create rules but also had to establish methods by which to uphold them. Thus, this rule lists parameters for random audits and investigations arising from complaints. It also stipulates the amount of monetary penalties that Entities must pay in the event of HIPAA rule violations and dictates how the investigation of PHI breaches and/or rule violations will be carried out.
What Can Go Wrong? [Stats]
Bad news is often more compelling than good news. It makes sense: we want to study failure in order to better understand success. And this is absolutely the case when it comes to HIPAA – most of the news we hear regarding it is centered around violations, specifically of the Privacy Rule, which as mentioned above is the gist of the layman’s understanding of HIPAA.
All the latest gaffes by healthcare companies that resulted in violations are blasted across the Internet. The HHS even posts that information itself, on a page that has become known as the HIPAA Wall of Shame.
Certainly public humiliation is effective, and we all have a right to know if a company isn’t prioritizing these data security parameters. However, the focus on individual companies is not always as substantive or enlightening as the general stats.
Between April 2003 and March 2015, 112,785 grievances were filed with the HHS Office for Civil Rights (OCR), the agency designated for oversight. Over that same period, 1,208 random audits were performed. The OCR has closed 94% of those investigations.
The types of violations that most often result in HIPAA investigations are as follows:
- Using or transferring protected health information (PHI) in ways that are not permitted by patients
- Failure to adopt data security mechanisms
- Inability of patients to obtain PHI
- Insufficient administrative protocols for electronic data
- Using or transferring HIPAA PHI with additional data beyond what’s needed for the situation
There are many headlines about breaches and other security problems that occur at hospital systems and health insurance companies. However, private practices top the list of organizations that most often have to willingly adjust to fulfill HIPAA requirements, as requested by HHS:
- Private practices
- Outpatient clinics
- Health insurance and plans
When HIPAA was originally written, there was a stronger delineation between covered entities (doctors, hospitals, insurance companies) and business associates (hosting providers, developers, shredders). However, that changed in 2013 with the HIPAA Omnibus Rule, which provided that business associates must follow the security and privacy rules as well.
In other words, in order to offer HIPAA Compliant Hosting, companies must truly have mechanisms in place that will protect the data as described by federal law.
What is HIPAA compliance? It’s embodied by the healthcare systems of Atlantic.Net with our 100 percent uptime and super fast Cloud Servers.