What Is the Health Insurance Portability and Accountability Act (HIPAA)?
In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA), primarily aimed at helping Americans gain and retain health insurance. However, tucked inside Subtitle F of the bill (titled, “Administrative Simplification”) were several provisions that would change the course of health information regulation and become the centerpiece of the health care industry’s current interactions with the law.
The Administrative Simplification provisions require the Department of Health and Human Services (HHS) to establish national standards for the electronic transmission of certain health information. Standards are aimed at improving the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data in health care.
Privacy Rule
HHS issued the Privacy final rule, “Standards for Privacy of Individually Identifiable Health Information” (colloquially known as the Privacy Rule) in December 2000. The Privacy Rule set forth many of the definitions and standards that are most closely associated with HIPAA today. It gave a definition to protected health information (PHI) and outlined the allowed uses and disclosures of PHI by “covered entities” (providers, health plans, clearinghouses, and health-related business associates). It also enumerated new patient’s rights regarding the ability to review and obtain copies of their own PHI.
Security Rule
HHS issued the Security final rule, “Health Insurance Reform: Security Standards” (colloquially known as the Security Rule) in February 2003. The Security Rule focuses on electronic PHI (ePHI) and provides new standards in three areas of information security: administrative, physical, and technical safeguards. Administrative safeguards include security management processes, dedicated security personnel and workforce training and management. Physical safeguards cover limiting physical access to facilities where ePHI is stored, and maintaining device security so that only authorized personnel can physically access areas holding devices with protected ePHI. Technical safeguards include ensuring proper transmission of ePHI, regularly auditing information systems, and providing integrity controls such that ePHI is not improperly altered or destroyed.
Enforcement
The Office for Civil Rights (OCR) is the HHS subagency responsible for implementing and enforcing HIPAA regulations. OCR enforces the HIPAA Privacy and Security Rules in two primary ways: investigating formal complaints filed with the agency and conducting periodic compliance reviews of covered agencies. If an organization is found to be in violation of HIPAA for any reason, OCR enters a resolution process that can end with the entity voluntarily moving into compliance, the entity taking corrective action or OCR and the entity reaching some manner of resolution agreement. There is one additional mechanism through which OCR monitors ePHI security: breach notification.
Breach Notification
Per Section 13402 of the HITECH Act, HIPAA covered entities are required to notify any individuals (i.e., patients) whose PHI has been, or is reasonably believed to have been accessed, acquired, or disclosed as the result of an “breach”. HHS defines “breach” as any “impermissible use or disclosure under the Privacy Rule that compromises the security or privacy” of PHI. Covered entities are required to notify individuals of a breach no later than 60 days following the discovery of the breach and must also give individuals additional resources such as what types of information were involved, what steps the affected individuals might take to protect themselves, and what the covered entity is doing “to investigate the breach, mitigate the harm and prevent further breaches.”
Covered entities must keep a log of all breaches affecting less than 500 individuals and submit that log to the HHS Secretary and OCR by the end of the calendar year. For breaches involving more than 500 individuals a covered entity must notify the HHS Secretary and OCR immediately (and absolutely no later than 60 days) following the discovery of the breach. OCR publishes a list of all active breach investigations and past breaches at https://ocrportal.hhs.gov/ocr/breach.
Additional information about HIPAA can be found on the US Department of Health & Human Services' website.