The Health Insurance Portability and Accountability Act (HIPAA) was enacted, as its formal title states, as an amendment to the Internal Revenue Code of 1986. While its primary purposes were to ensure the portability and continuity of health insurance coverage and to improve the electronic exchange of health information, it was also intended to protect a patient’s protected health information (PHI), which includes health status or condition, medical history, insurance coverage, payment for health care, and other individually identifiable data that a healthcare provider or other covered entity collects in order to provide care.
Signed into law in 1996 by President Bill Clinton, the act contains five titles that cover: health insurance coverage and portability (Title I), administrative simplification, including requirements for processing electronic healthcare transactions and for safeguarding health data (Title II), tax-related health provisions (Title III), application and enforcement of group health plan requirements (Title IV), and revenue offsets, including provisions for company-owned life insurance policies (Title V).
For health care providers, insurance companies, and businesses that support health systems and providers, HIPAA compliance largely pertains to adhering to the standards and guidelines defined in Title II. This post focuses on understanding the basics of HIPAA compliance and how to reduce the burden of complying with the guidelines defined in Title II.
HIPAA Isn’t Only for Doctors and their Patients
HIPAA and the US Department of Health and Human Services (HHS) provide a clear definition of covered entities and business associates that need to comply with HIPAA rules. HIPAA defines a covered entity as one of the following:
- A Health Care Provider, including doctors, clinics, psychologists, dentists, chiropractors, nursing homes, medical laboratories or pharmacies, that transmits health information electronically in connection with a transaction for which HHS has adopted a standard (for example, claims or eligibility inquiries). A provider that never transmits such transactions electronically is not a covered entity.
- A Health Plan, such as health insurance companies, health maintenance organizations (HMOs), employer-sponsored health plans, and government programs that pay for health care.
- A Health Care Clearinghouse that processes nonstandard health information into standardized electronic formats or vice versa.
Business associates are individuals or entities that create, receive, maintain, or transmit PHI while performing functions or services on behalf of a covered entity. Vendors and subcontractors that transmit, process and/or store PHI on behalf of a covered entity or another business associate are themselves business associates and are directly bound by the HIPAA rules. The relationship must be documented in a written business associate agreement (BAA) before PHI is shared.
Understanding HIPAA Rules
Title II of HIPAA includes five key rules or standards which covered entities and business associates are required to comply with:
Privacy Rule. The Privacy Rule protects patients’ rights over their PHI, including the right to examine, obtain copies of, and request corrections to it. It also requires covered entities to establish safeguards to protect PHI, limits uses and disclosures to the minimum necessary, and sets out when PHI may be used or disclosed without the patient’s authorization. Other administrative requirements of the Privacy Rule include appointing a privacy official at the covered entity, training the workforce on privacy policies and procedures, establishing and maintaining administrative, technical, and physical safeguards to protect PHI, and creating a process for handling patient complaints. Penalties for violating the Privacy Rule are set not by the rule itself but by the Enforcement Rule described below.
Security Rule. The Security Rule specifies the safeguards that must be in place to protect electronic protected health information (ePHI); unlike the Privacy Rule, it does not cover PHI on paper or spoken aloud. It requires covered entities and business associates to implement administrative, physical, and technical safeguards that ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit; protect against reasonably anticipated threats to its security; protect against reasonably anticipated impermissible uses and disclosures; and ensure compliance by their workforce. In practice this means identifying every system that stores or transmits ePHI, performing and documenting regular risk analyses, and addressing the identified risks through risk management. The Security Rule is deliberately technology-neutral: it does not prescribe specific products or technical specifications, but it allows organizations to take their size, complexity, technical infrastructure, and the cost of security measures into account when choosing how to meet each standard. Finally, it requires covered entities and business associates to periodically review and update their security measures as risks and environments change.
Enforcement Rule. This rule sets out the authority of the Health and Human Services (HHS) Office for Civil Rights (OCR) to enforce the Privacy and Security rules and to impose penalties in cases of violations or noncompliance. The OCR follows a three-step Enforcement Process: investigation of complaints, conducting compliance reviews, and fostering compliance through education and outreach programs. See the HHS website, where the OCR lists the most common and frequent compliance issues investigated since 2003. They include: impermissible uses and disclosures of PHI; lack of safeguards of PHI; lack of patient access to their PHI; use or disclosure of more than the minimum necessary PHI; and lack of administrative safeguards of ePHI.
Breach Notification Rule. HIPAA requires covered entities to notify affected individuals and HHS following a breach of unsecured PHI, and to notify the media as well in larger breaches. A breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI; such an incident is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised. "Unsecured" PHI is PHI that has not been rendered unusable, unreadable, or indecipherable through encryption or destruction consistent with HHS guidance, which is why encryption of data at rest and in transit is the most effective way to keep an incident from becoming a reportable breach. Under the rule, covered entities must notify affected individuals without unreasonable delay and no later than 60 calendar days from discovery of the breach. Individual notifications must include a description of what happened, including the dates of the breach and of its discovery; the types of PHI involved; the steps individuals should take to protect themselves from harm; what the covered entity is doing to investigate the breach, mitigate harm, and prevent further breaches; and how individuals can contact the covered entity. For breaches affecting more than 500 residents of a state or jurisdiction, covered entities must also notify prominent media outlets serving that jurisdiction and report to HHS at the same time as the individual notifications; smaller breaches are logged and reported to HHS annually. Business associates must notify the covered entity of a breach, and the covered entity is responsible for the notifications above.
Omnibus Rule of 2013. In 2013, HHS issued the HIPAA Omnibus Rule to implement modifications to the Privacy, Security, Breach Notification, and Enforcement Rules required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The Omnibus Rule implemented extensive changes, including: strengthening the privacy and security requirements for PHI; replacing the earlier "harm" standard for breaches with the objective "low probability of compromise" risk assessment; making business associates and their subcontractors directly liable for compliance with the Security Rule and with the applicable provisions of the Privacy Rule, to the same standards as covered entities; and adopting the HITECH tiered penalty structure, under which penalties for violations of an identical provision are capped at $1.5 million per calendar year (a figure HHS adjusts for inflation).
Reducing the Burden of HIPAA Compliance
The scope of HIPAA is extensive and compliance can be overwhelming for covered entities and business associates. Not only do covered entities face huge upfront costs to assess and meet governing compliance standards, but business associates and vendors supporting them need to factor this into their budgets as well.
As in most budget planning efforts, upfront costs are usually anticipated and forecasted, but many organizations underestimate the cost of maintaining compliance, which can reach hundreds of thousands or even millions of dollars as enterprises struggle to keep up with changing regulations and technology that require ongoing investment.
Considering the large cost of compliance (and of non-compliance), forward-thinking organizations align as many data initiatives as possible in support of compliance. If data integration operations are managed in-house, then all the compliance costs, burdens, and liabilities mentioned above fall squarely on the covered entity or business associate, or even on their vendors. Every new application, EMR platform, or change in data configuration must be accounted for in the compliance strategy, which is no easy feat when both the volume of data and the number of applications organizations must deal with are growing rapidly.
An alternative that can reduce some of this burden is obtaining data integration and management as a managed service from a third-party integration provider that operates under a documented trust framework. The day-to-day work of compliance, along with the growing integration complexities and staffing challenges, is then handled by a trusted partner, and as new data sources are added and integrated, the same level of compliance and security is applied to all of them. Leveraging a cloud-based managed services platform offloads much of the people, process, and technology work of compliance to the third party. Two caveats apply: the provider is a business associate and must sign a BAA before receiving any PHI, and outsourcing the work does not outsource accountability. The covered entity remains responsible for its own risk analysis, for vetting the provider, and for the notifications required if the provider suffers a breach.
Vendors and HIPAA Compliance
Vendors supporting covered entities and business associates must take HIPAA compliance seriously. As more applications, operations, and PHI move to cloud-based software and platforms, entities that are bound by HIPAA rules need to be sure they are entrusting their business operations and PHI to business partners that are continuously compliant. Cloud-based platforms that offer complex integration, data transformation, and harmonization in a managed services model not only give healthcare customers the ability to scale, integration expertise, and efficiency that complements their IT operations, but also support compliance by ensuring that the people, processes, and technologies involved adhere to these requirements.
How are you managing the compliance burden?