The Health Insurance Portability and Accountability Act (HIPAA) enables the Secretary of the U.S. Department of Health and Human Services (HHS) to create and publicize national standards regarding privacy, electronic exchange, and security of individual health care information. The law is officially called Public Law 104 – 191 – Health Insurance Portability and Accountability Act of 1996.
What Is HIPAA?
HIPAA stands for The Health Insurance Portability and Accountability Act. The law permits health care providers to access patients’ medical records while keeping the personal, patient-specific health information secure. This information is called Personal Health Information (PHI). HIPAA was designed to keep your personal and private health information data secure and only allow those who are authorized to see it.
What Exactly Is Protected?
According to HHS.gov, “The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, written, or verbal. The Privacy Rule calls this information “protected health information (PHI).” It goes on to say that it covers, “the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual.”
HIPAA rules were enacted in 2002 to further protect the confidentiality of patient health care information without handicapping the flow of information needed by the health care providers. The rules control who has access to PHI, how it can be used, and with whom it can be shared.
The Privacy Rule, as well as all the Administrative Simplification rules, apply to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”). Additional information can be found at https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
HIPAA Privacy Rule
This rule covers the use and disclosure of PHI and the standards that must be used for individuals to control how organizations use their information. Within HHS, the Office for Civil Rights (“OCR”) has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties.
HIPAA Security Rule
This is the rule that sets the standards for protecting electronic PHI or ePHI, such as health records, that are stored or transferred electronically. Physical safeguards, technical safeguards, and administrative safeguards must be used to protect this data.
HIPAA Enforcement Rule
The enforcement rules detail what will happen if there are HIPAA infringements and what will happen if non-compliance occurs.
HIPAA violations can be quite expensive for health care organizations. A violation occurs when an organization’s safeguards for protecting an individual’s PHI fail, whether through intentional or unintentional means.
Costs include notifying the affected parties of the security breach, as well as fines issued by the Office for Civil Rights (OCR) after the violations have been reviewed. Fines can be up to $50,000 daily, up to $1.5 million yearly, and may include jail time if there are criminal charges.
HIPAA compliance training is one way to help avoid fines and fees related to HIPAA infringements. Consulting organizations can also be helpful by reviewing the environment and verifying the organization is HIPAA compliant.