What Is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act. This U.S. law was passed in 1996 to ensure the protection of personal health data, including hard copies and information shared verbally or digitally.
Why Was HIPAA Enacted?
HIPAA's purpose was to establish confidentiality systems that restrict the use of protected information to only those who need access to it. HIPAA covers health care facilities, billing companies, health plans, electronic medical record companies, non-patient care employees, and students. HIPAA consists of five major sections:
- Title I: Health insurance coverage for employees and their families with changes in employment status
- Title II: Health care abuse and fraud; medical liability reforms; administrative simplification establishing standards for electronic health records (EHRs) and national identifiers
- Title III: Rules for pretax medical spending accounts
- Title IV: Stipulations for group health plans
- Title V: Guidelines for company-owned life insurance policies
What Is Administrative Simplification?
HIPAA's Title II calls for Administrative Simplification standards to regulate the electronic exchange, privacy, and security of health information. To enforce these standards, the U.S. Department of Health and Human Services (HHS) implemented five rules.
Privacy Rule
The Standards for Privacy of Individually Identifiable Health Information set forth federal guidelines for protecting certain health information. This Privacy Rule addresses how protected health information (PHI) is used and shared by organizations subject to the rule: the "covered entities" and "business associates." It also details individuals' privacy rights to know and control how their health information is used.
PHI is any health-related data in any form — verbal, paper, or digital — that can be traced to a particular person, including demographic data. PHI includes information such as:
- Name, birth date, street or email address, telephone or Social Security number
- Type of health care administered to a person
- A person's past, current, or future physical and/or mental condition
- Past, current, or future payment for providing health care to a person
The Privacy Rule's aim is to facilitate the flow of health information required for public welfare and high-quality health care while ensuring that the data is protected. It is meant to be flexible enough to cover the wide range of potential uses and disclosures. A covered entity cannot use PHI beyond what the Privacy Rule permits or what the individual or their representative has authorized in writing.
Transactions and Code Sets Rule
HIPAA was enacted to increase efficiency in processing health care transactions. Under the Transactions and Code Sets Rule, health plans must standardize such transactions using HIPAA standards. For instance, providers must file electronic claims according to HIPAA guidelines to be reimbursed.
Security Rule
The Privacy Rule applies to all PHI, whereas the Security Rule applies only to electronic protected health information (ePHI). It defines three categories of security safeguards: administrative, physical, and technical.
- Administrative: Covered entities must design administrative safeguards that clearly articulate how the entity will maintain HIPAA compliance.
- Physical: Covered entities must supervise and monitor access to equipment containing ePHI and ensure that contractors or agents with access to ePHI are properly trained in HIPAA compliance.
- Technical: Covered entities must control access to computer systems containing ePHI and protect ePHI transmitted over open networks.
Unique Identifiers Rule
Covered entities are required to use the National Provider Identifier (NPI) exclusively to identify covered health care providers. The NPI replaces any other identifier used by a health plan in standard transactions. However, it does not replace an employee identification number, DEA number, or state license number.
Enforcement Rule
The Enforcement Rule determines monetary penalties for HIPAA violations. It sets forth procedures for investigating and assessing these violations. If an organization is found to be noncompliant, it must take corrective actions.
What Are Some Common HIPAA Violations?
The HHS reports that many organizations are operating in violation of HIPAA or at great risk of violating the law. Noncompliance issues typically involve uses and disclosures, inadequate security safeguards, access controls, the HHS's Minimum Necessary Rule, and the Notice of Privacy Practices. Violations stem from intentional or inadvertent data breaches, including:
- No protective measures for PHI or ePHI in place
- Patient unable to access their information
- Using or disclosing more PHI than necessary
- Lost or stolen smartphone, PC, or USB device
- Ransomware or malware incident
- Sharing PHI outside of the office
- Sending PHI to the wrong contact
- Social media posts
- Business associate breach
How Does HITECH Pertain to HIPAA?
The Health Information Technology for Economic and Clinical Health (HITECH) Act, signed into law in 2009, was devised to encourage and expand health information technology, particularly the use of electronic health records. This act bolstered HIPAA's requirements to ensure compliance from business associates of HIPAA-covered entities and mandated that notifications be sent to affected people when their PHI was compromised. HITECH provided substantial financial incentives for adopting EHRs and raised penalties for HIPAA violations. Legislators combined the requirements of this act with HIPAA in the Final Omnibus Rule, which was published in 2013.
How Does HIPAA Work With Cloud Computing?
Cloud computing solutions come in many forms depending on the user's needs. Offerings range from simple data storage to a complete software solution, such as an electronic medical record system, or computing infrastructure for deploying and testing programs. Under HIPAA, cloud service providers (CSPs) are business associates of covered entities.
When a covered entity engages a CSP to create, receive, maintain, or transmit ePHI on its behalf, both parties must enter into a business associate agreement (BAA). The CSP then becomes contractually liable for meeting the agreement's terms and directly responsible for complying with the applicable HIPAA rules. It is a violation of HIPAA for a covered entity or business associate to use a CSP to process ePHI without a BAA in place.
According to Gartner researchers, the growing demand for cloud services is driven by the ongoing expansion of health IT systems and their support requirements, IT staffing concerns, and tight budgets. At the same time, the health industry is becoming more comfortable with the cloud's compliance and security capabilities. Public cloud service providers will likely be handling more than 35% of healthcare IT workloads by 2021.
Connecting to the cloud is easier than ever and offers many benefits for companies that wish to implement remote access for their employees. It can provide an optimal, decentralized user experience for application and desktop virtualization. Organizations can reduce their data center footprints and save on data storage expenses. Another advantage is the opportunity to retire legacy equipment and move to a more efficient, cost-effective infrastructure in a HIPAA-compliant manner.
What If a CSP Can't See Protected Health Information?
Even if a CSP only stores encrypted ePHI, does not hold the decryption key, and cannot view the ePHI, it is still considered a business associate. Encryption lowers the risk of unauthorized access to the data, but it does not by itself provide the administrative and physical safeguards required for the servers and systems that house the ePHI. However, the rule's terms are flexible enough to take into account the no-view nature of such a CSP's services.
Are Cloud Service Providers Required to Disclose Their Security Protocols?
HIPAA does not explicitly require CSPs that are business associates to allow audits or to provide evidence of their security practices. However, customers are expected to obtain satisfactory documentation of protective measures in the BAA. The CSP is directly liable if it fails to protect ePHI in accordance with the Security Rule or for prohibited uses of the PHI.
Even if a CSP supports or claims HIPAA compliance, the covered entity must perform a risk analysis before using the service to maintain ePHI. The covered entity must then formulate risk management policies for the service and manage and mitigate any identified risks to a reasonable level.
What Type of HIPAA Training Does the Law Require?
Annual HIPAA training for employees is a requirement under the law. The stipulations are flexible to accommodate the many different kinds of covered entities and business associates. The HIPAA Privacy Rule requires employers to provide training as necessary and appropriate for employees to perform their duties. The HIPAA Security Rule states that covered entities and business associates must implement a training program, but it does not prescribe specific requirements.
Covered entities and business associates can overcome the ambiguity of HIPAA's training requirements by referring to their risk analyses. Ideally, the analyses detail the role of each employee who may have access to PHI or ePHI. Thus, training can be developed based on each worker's function.