Under the Affordable Care Act, every United States citizen must be signed up for healthcare coverage. This also means that another, earlier piece of legislation is also important to know about: HIPAA. It pertains to the way health insurance is provided and transferred. If you, your employer, a healthcare company or a third-party involved with carrying out transactions violates any part of HIPAA, they could find themselves in serious trouble. Fortunately, the following should help make it easier to understand this expansive piece of legislation.
What Is HIPAA?
HIPAA stands for Health Insurance Portability and Accountability Act. It is sometimes – though rarely – referred to as the Kennedy-Kassebaum Act, a reference to two of its leading sponsors.
The simple explanation of HIPAA is that it protects the privacy of employees’ health care information, especially when they change jobs, and outlines the steps necessary for doing so. HIPAA also put into place national standards that all employers had to institute and follow so that these protections become uniform from one company to another.
Title I of HIPAA
There are two titles under HIPAA and both are important to understand. We’ll start with Title I which is “Health Care Access, Portability and Renewability.” Title I regulates the availability of group health plans and some individual policies as well as what each must provide. Specifically, this part of the act mandates group health plans for employees and limits what restrictions can be placed on benefits for those with preexisting conditions. Essentially, companies can reuse benefits that relate to preexisting conditions for up to a year after an employee enrolls or 18 months if the worker enrolled late.
Insurance companies must also provide policies to those who are leaving a group health plan with credible coverage exceeding an 18-month-period without exclusion. Individual policies must be renewed for as long as they are provided. If an insurance plan is discontinued, the insurer has to offer an alternative for as long as they remain in the given market.
Amongst other things, Title I worked as an amendment to the Internal Revenue Code, The Public Health Service Act and the Employee Retirement Income Security Act.
There are some exceptions to Title I’s broad requirements. For example, long-term and limited-scope plans – like vision and dental – that are offered separate from general health plans are exempt from the above demands.
The other half of HIPAA is Title II, which is concerned with “Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform.” In other words, Title II requires companies and health insurance providers to follow certain rules so that employees’ health care information is kept private and safe from prying eyes. As such, this part of HIPAA also outlines what civil and criminal penalties will be enforced for various violations. Furthermore, Title II created a number of programs aimed at curtailing fraud and abuse occurring within the health care system.
However, the biggest impact Title II has had is in making the Department of Health and Human Services (DHHS) more efficient. Standards were put in place for using and disseminating health care information via the Administrative Simplification provisions.
Over the years, Title II has also given way to five important rules. These are:
The Privacy Rule
Since April 14, 2003, the Privacy Rule has been in place (with some exceptions). This rule regulates how Protected Health Information (PHI) is used and disclosed by “covered entities.” For the most part, this means health insurers, employer-sponsored health plans, health care clearinghouses and medical service providers. Any information that pertains to health status, payment for healthcare services or provision of health care falls under PHI. A very broad interpretation is accommodated under the law though, so basically anything to do with someone’s medical record or their payment history is generally considered to be PHI and therefore must be handled as this rule requires.
The Transactions and Code Sets Rule
As we mentioned above, a major goal of HIPAA was to make healthcare transactions more efficient. One way it did this was by adding Part C – “Administrative Simplification” – to Title XI of the Social Security Act. In essence, it standardized how companies handled healthcare transactions. This part of HIPAA has actually changed numerous times since the act was passed. However, today, any HIPAA-covered health care plan must use standard HIPAA electronic transactions.
The Security Rule
On February 20, 2003, the Security Rule was issued, though it would be years before it required every plan and covered entity to actually enforce it. While the Privacy Rule is aimed at all PHI – both electronic and paper – the Security Rule is concerned solely with EPHI (Electronic Protected Health Information). It outlines three different kinds of security safeguards: technical, administrative and physical.
The Unique Identifiers Rule
As of May 2006 (and 2006 for smaller health care plans), all covered entities that use electronic methods of communication must use a new, standardized National Provider Identifier (NPI). It is 10 alphanumeric digits with the last being a checksum. NPIs can never be changed and only institutions can have more than one for “sub-parts” like free-standing facilities.
The Enforcement Rule
The final Health Insurance Portability and Accountability Act was issued on February 16th, 2006. It took effect on March 16th, 2006. This rule sets forth the civil money penalties that will be assessed for any violation of HIPAA. The Enforcement Rule also established procedures for investigations and hearings related to violations of the act. Since its enactment, the most common infractions investigated by the DHHS are:
- Lack of safeguards for EPHI
- Disclosing or using PHI beyond what was necessary for a given task
- Patients being unable to access their own PHI
- Lack of protection for PHI
- Misuse or disclosure of PHI
The most common entities found in violation are private practices, hospitals, pharmacies, group plans and outpatient facilities.
What Changes Are Happening with HIPAA?
As the above probably made clear, the Health Insurance Portability and Accountability Act has been modified numerous times to keep up with other laws and threats that have evolved alongside the digital age.
However, one of the most recent changes has more to do with a much older problem: gun violence. At the beginning of the year, the Obama Administration modified HIPAA to strengthen the steps involved with the background checks required before someone can own a firearm.
In short, these modifications should better enable the reporting of individuals who have specific mental health problems that would preclude them from purchasing a firearm under federal law. At the same time, under preexisting HIPAA rules, these individuals would still have their privacy interests served.
Therefore, states will be granted more flexibility to make sure they are reporting accurate – but limited – data to the National Instant Criminal Background Check System (NICS). At the same time, the Privacy Rule is still in place to keep individuals’ PHI safe from unauthorized parties.
Mainly, the PHI of interest regards those who have been involuntarily committed to a mental institution or have otherwise been classified as a danger to themselves or others or are mentally incapable of handling their own affairs by a lawful authority.
While this new regulation may have originated from the best of intentions, some are skeptical about how it will affect the patient-provider relationship and worry it may keep people in need from seeking the voluntary treatment they require. Fortunately, most Americans with mental health conditions don’t present a risk to themselves or others, so while it’s still in the early days, hopefully, this new provision shouldn’t cause too many problems.
Expect more changes to HIPAA to take place in the years to come. The Department of Health and Human Service’s Office of Civil Rights is responsible for auditing compliance and will soon be undertaking their second such protocol.
While no date has been announced, it’s expected that the audit will take place before the end of the year. There are also some startling reports that suggest it couldn’t happen soon enough.
The results of a recent survey that was administered by NueMD found that workers in the health care industry were extremely lacking in knowledge regarding the Health Insurance Portability and Accountability Act.
- 36% of respondents who worked in medical practices didn’t know about the Security, Privacy and Enforcement Rules that had been added to HIPAA which we covered earlier.
- 68% were unaware that the Office of Civil Rights carried out audits of the industry.
- 19% didn’t know if they had a HIPAA compliance plan; 23% stated they had none.
- 62% of business owners, administrators and managers claimed they provided their staff with HIPAA training on an annual basis, but only 65% could provide proof (this compliance training is required by law).
- 45% of respondents claimed they had a formal policy for dealing with breach notifications.
- 33% of those surveyed have actually performed a risk analysis regarding PHI to establish when and how violations might occur.
Unfortunately, these are just some of the unsettling signs that the industry hasn’t necessarily done the best job in adjusting to HIPAA or the changes that have occurred over the years. Aside from the impending audit that will most likely occur in the coming months, you can also expect that further changes may be made to ensure concerned parties actually comply with the law.
On top of that, as hackers find new ways to reach PHI, HIPAA will need to be modified with more rules to combat these attempts.
To Whom Does HIPAA Apply?
If you’re wondering if HIPAA applies to you or your organization, the answer is probably “yes.” Do you own a company or work in HR? Then, HIPAA applies to you. This is especially true if you work for a health insurer, health plan or service transactions between one of these two entities and individuals. Working with PHI like this means the HIPAA Privacy and Security provisions we covered earlier are of special relevance to your line of work.
However, even if you’re just an employee, if you receive health coverage through your company, HIPAA is still relevant. It’s important that you understand the above so that you know when an organization is in violation of this federal law. Workers who are transferring companies or have a preexisting condition are particularly vulnerable to be victimized by such violations – even when the parties involved had the best of intentions – so it would be wise to review this material so you aren’t forced to go without health care. Aside from just understanding the HIPAA definition, you want to know what health care providers are required to do on your behalf.
All that being said, the three main entities that need their employees to understand HIPAA so they can do their daily work are:
- Health Care Providers
- Health Care Clearinghouses (this would be a billing service, community health management information system or community health management information system, repricing company and other entities that either process or assist with processing PHI – they can be private or public)
- Health Plans
Keep in mind that, as of 2009, HIPAA now applies to business associates too. This means that if your company uses third-party entities to assist with transactions that involve PHI, you are responsible for compliance on your end, but this other company must also follow HIPAA rules too.
Furthermore, the Health Information Technology for Economic and Clinical Health (HITECH) Act that was passed in 2009 as part of the American Recovery and Reinvestment Act also increases many of the penalties associated with violating HIPAA. Clearly, as we touched on above, further steps may be necessary, but regardless of the monetary penalties, being charged with an infraction could do serious damage to your company’s reputation, so if your organization falls under one of the above classifications be sure you know what is expected of your employees.
HIPAA-Compliant Security Awareness
The minimum requirements for a HIPAA-compliant security awareness program are laid out in 45 CFR (Code of Federal Regulations) Subtitle A §164.308(A)(5). There are four basic topics that covered entities must address:
Security reminders and updates
- Training new employees on HIPAA
- Conducting ongoing education
- Sending out regular email reminders regarding what is expected from staff
Malicious software and protections against it
- Security software must be installed on all company devices
- Emphasis must be placed on detecting when you’re being attacked
- Software must be updated in a timely manner
- Your company needs a process in place for recording login credentials
- Software must be used for tracking when people log in to your system
- Login attempts and discrepancies must also be monitored
- Create procedures for creating and changing passwords
- Use software for safeguarding these passwords
The Health Insurance Portability and Accountability Act is an expansive collection of laws that continues to evolve even as recently as this past January. Although it mostly concerns health care providers, clearinghouses and health plans, if you’re insured or offer coverage to your employees, it’s important to understand how these regulations affect your PHI. Beyond just understanding the basic HIPAA definition, you must also pay attention to changes that are being made and look for the fallout from audits of the industry.
Recent HIPAA Overview and Resources Articles and Updates
- HIPAA Security Rule
- Regulatory Compliance for HIPAA Security Officers
- HIPAA and IT Security
- HIPAA Security Checklist
- Applicable Non-healthcare Regulations
- Other Healthcare IT Regulations
- HITECH Act and IT Security
- Healthcare HITECH Act
- HIPAA Overview and Resources
- Healthcare's Many Cybersecurity Challenges — CyberSpeak Podcast
- Breach Notification Requirements for Healthcare Providers
- Does History Need to Repeat Itself? Lessons Learned From WannaCry