Health Insurance Portability and Accountability Act (HIPAA)

Protecting the medical records of patients is the responsibility of the healthcare sector. To address this issue, the U.S. government in 1996 passed a federal law known as HIPAA to protect patient data from being used without their consent to ensure privacy and security.

What is the HIPAA Law?

The HIPAA regulation was created with the purpose of protecting the healthcare data of patients. Issued by the Department of Health and Human Services (HHS), the act states two important rules; the Privacy Rule, and the Security Rule. It plays a key role in mitigating medical identity theft which can lead to serious consequences, if not stopped. 

What does the HIPAA Privacy Rule mean?

The privacy standards described in the HIPAA state rules and regulations on the use and disclosure of patient’s data – also termed as ‘protected health information’. The Privacy Rule is applicable to individuals and organizations operating in the healthcare sector which are also defined in the “covered entities” section of the rule. HIPAA defines a set of requirements which are useful to understand and regulate the sharing of health information and protect the rights of patients.

The main purpose of the HIPAA Privacy Rule is to provide high-quality health services to the public while ensuring proper protection of health information. This ensures a balance between sharing of important information and privacy protection while providing healthcare benefits to individuals.   

Which Entities are covered?

Healthcare Providers

Professionals working in the healthcare sector such as doctors, medical practitioners, nurses, pharmacists, and specialists which acquire electronic health information to process transactions. The standards established by the HIPAA Transaction Rule covers transactions like health insurance claims, eligibility inquiries for medical benefits, and requests for referral authorization, etc.

Health Programmes 

Another type of entity covered under the Privacy Rule is health plans and programmes, either by the government or private institutions. The entities either provide or pay medical care expenses and may include:

• Health, dental and prescription drug insurers
• Medicare and Medicaid insurers
• Health Maintenance Organizations (HMOs)
• Insurers for long-term care services
• Health plans sponsored by the government or employer

Healthcare Clearing-houses

A clearing-house in healthcare is an intermediary between the insurer and the healthcare service provider. According to HIPAA, they are entities which process non-standard information into a defined format, such as medical records available on online databases. Clearing-houses provide processing services to healthcare providers or to a health plan by acting as a business associate.

Business Associates

Any entity (a person or organization) which uses health information related to an identifiable individual to carry out its operations and deliver services to a “covered entity” is a business associate. Some activities by these organizations include processing claims, analysing data, billing, managing benefit information and quality assurance. 

What is the HIPAA Security Rule?

The Security Rule under HIPAA is an extension to the protection laws stated in the Privacy Rule. It is concerned with a subset of the protected health information (PHI) mentioned in the privacy standards. The subset consists of all kinds of individually identifiable health information which covered entities manage, create and transmit over electronic means. The HIPAA Security Rule deals with e-PHI, Electronic Protected Health Information, and is not subject to health information transmitted orally or in a written text on paper.  

Covered entities need to take the following measures to comply with the Security Rule under HIPAA:

• Make sure the accessibility, integrity and confidentiality of the e-PHI
• Develop a mechanism to safeguard against security threats to the health information 
• Ensure that the identifiable health information is not used or disclosed without proper consent 
• Take appropriate measures to certify compliance across all levels

What is a HIPAA Violation?

When a covered entity or business associate defined under the Act fails to comply with one of the provisions, it counts as a violation. HIPAA non-compliance penalties are quite expensive and depend upon the perceived level of negligence. The structure of violations and their respective penalties are listed below:

Tier 1 ($100 – $50,000 per violation)

$25,000 per year  – This is applicable when the entity is unaware that a HIPAA violation has occurred, and can prevent it by executing proper Due Diligence procedures within the organization.  

Tier 2 ($1000 – $50,000 per violation)

$100,000 per year – When the entity was possibly aware of HIPAA guidelines or should have known about the Due Diligence standards they had to meet. 

Tier 3 ($10,000 – $50,000 per violation)

$250,000 per year – Intentional negligence towards HIPAA rules, but corrected within a span of 30 days or less. 

Tier 4 ($50,000 per violation)

$1.5 million per year – Continued negligence in meeting HIPAA standards and no effort made to incur the loss within 30 days.