Signed into law in 1996, the Health Insurance Portability and Accountability Act (HIPAA) provides security provisions and data privacy for patients’ health information safety. In more recent years, preventive measures were added to the act for dealing with digital health data breaches due to cyberattacks on health insurers and health care providers.
The HIPAA regulations consist of five sections or titles, as follows:
Title I: HIPAA Health Insurance Reform
Protects health insurance coverage for individuals who lose or change jobs. It also prohibits group health plans from denying coverage to individuals with specific diseases or pre-existing conditions, and from setting lifetime coverage limits.
Title II: HIPAA Administrative Simplification
Directs the U.S. Department of Health and Human Services (HHS) to establish national standards for processing electronic healthcare transactions. This section also requires the implementation of secure electronic access to health data by healthcare organizations as well as maintaining compliance with privacy regulations imposed by HHS.
Title III: HIPAA Tax-Related Health Provisions
This section provides for certain deductions for medical insurance and includes tax-related plans and rules for medical care.
Title IV: Application and Enforcement of Group Health Plan Requirements
Further defines health insurance reform and includes provisions that apply to individuals with pre-existing conditions as well as those seeking continued coverage.
Title V: Revenue Offsets
Applies to company-owned life insurance and the treatment of those who lose their U.S. citizenship for income tax reasons.
HIPAA compliance often refers to the provisions under Title II. Title II is broken into 5 rules:
- The Unique Identifiers Rule (National Provider Identifier) requires health care entities such as employers, individuals, health care providers and health plans to have a unique 10-digit provider identifier code.
- The HIPAA Privacy Rule establishes the first national standards to protect patient health information and ensure individually identifiable health information is safe. This rule limits the use and disclosure of protected health information (PHI) to protect the privacy of patients by requiring doctors to tell patients of PHI disclosures for billing and administrative purposes while maintaining the necessary flow of pertinent health information.
- The HIPAA Privacy Rule applies to HIPAA-covered entities such as health plans, healthcare clearinghouses, and healthcare providers. Plus, it requires covered entities working with a business associate to produce a contract imposing safeguards on the PHI used or disclosed to that business associate. The administrative requirements of the Privacy Rule designate that appropriate administrative, technical, and physical safeguards be maintained to protect the privacy of PHI in a covered entity.
- Transactions and Code Sets Rule designate the use of electronic data interchange (EDI) when processing or submitting insurance claims.
- The HIPAA Security Rule sets national standards for securing patient data that is stored or transferred electronically. The rule requires that both physical and electronic safeguards be in place, ensuring secure passage, maintenance, and reception of electronic protected health information (ePHI).
- The Enforcement Rule establishes guidelines for investigating HIPAA violations and sets civil money penalties for violating HIPAA rules.
HIPAA Omnibus Rule
In 2009, guidelines were established by HHS concerning the responsibilities of business associates of covered entities. These rules are contained in the Health Information Technology for Economic and Clinical Health (HITECH) Act. This act was modified and expanded in 2013 as the HIPAA omnibus rule. Penalties range from $10,000 per violation to $50,000 per violation based on a tiered structure. The annual maximum penalty is $1.5 million.
Office of Civil Rights Enforcement
The Office of Civil Rights (OCR) enforces the HIPAA Privacy and Security Rules in several ways:
- by investigating complaints filed with it,
- conducting compliance reviews to determine if covered entities and business associates are in compliance, and
- performing education and outreach to foster compliance with the Rules’ requirements.
OCR also works in conjunction with the Department of Justice (DOJ) to refer possible criminal violations of HIPAA.