Resources
What is HIPAA
History of HIPAA
Who has to be compliant?
Final Omnibus Ruling
The HIPAA Rules
The Privacy Rule
The Security Rule
The Breach Notification Rule
Privacy Rule and Security Rule Relationship
HITECH
Penalties
History of HIPAA
With the goal of making health care more efficient and helping more Americans keep their health insurance coverage, the U.S. government enacted the Health Insurance Portability and Accountability Act (HIPAA) on August 21, 1996. Built around three main provisions (portability, tax and administrative simplification), HIPAA gave new direction to a wide array of health care practices. Under the administrative simplification provisions, the U.S. Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule.
While the Privacy Rule defined who is required to comply with HIPAA and set rules for Covered Entities on the permitted uses and disclosures of Protected Health Information (PHI), it did not give clear implementation specifications for the growing technological risks to PHI held in electronic form. HHS therefore issued the Security Rule, which sets out specific safeguards that Covered Entities must implement to ensure the confidentiality, integrity and availability of electronic PHI (ePHI). These standards range from physical locks on the doors of rooms that house equipment holding ePHI to encryption of ePHI sent by email.
In the two decades after HIPAA became law, the government passed new laws and issued new rules to strengthen HIPAA's ability to meet its objectives. In 2009, Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act, which increased the civil and criminal penalties for noncompliance with the HIPAA Rules and strengthened their enforcement. HITECH introduced the Breach Notification Rule, which governs how Covered Entities are to handle breaches of PHI. It also created a clear incentive program for health care entities to move their health information to electronic form through the Meaningful Use program, which provides financial incentives for implementing Electronic Health Records (EHRs). In January 2013, about four years after HITECH passed, HHS released the Final Omnibus Ruling to improve and solidify the Privacy and Security Rule standards. The ruling increases the protection of patient privacy, expands patients' rights and strengthens government enforcement of the law.
Moving from HIPAA's history to its future, it is important to note that the government continues to take actions that help, encourage and push health care entities toward keeping all of their health records in electronic format. Programs like Meaningful Use give health care entities the financial ability to transfer their health records to electronic form, and Medicare payment adjustments apply to providers that do not adopt certified EHRs (see the timeline below). Widespread use of EHRs can be seen as the final step in fulfilling HIPAA's goals of efficiency and portability. Electronic form is the easiest, most efficient and most portable way for health care entities to share PHI for treatment and other authorized purposes. EHRs, coupled with the Privacy, Security and Breach Notification Rules, help the health care industry provide the best care possible while protecting each individual's privacy and rights.
HIPAA Timeline
August 21, 1996: HIPAA becomes law
February 17, 2009: HITECH Act enacted as part of the American Recovery and Reinvestment Act (strengthens HIPAA enforcement and creates the "meaningful use" incentive program)
January 25, 2013: Final Omnibus Rule published in the Federal Register
March 26, 2013: Effective date of the Omnibus Rule (60 days after publication)
September 23, 2013: Compliance date (180 days after the effective date); Covered Entities and Business Associates must comply with the modified rules
March 1, 2014: Deadline to report to HHS breaches affecting fewer than 500 individuals that were discovered during calendar year 2013 (such breaches must be logged and reported within 60 days after the end of the calendar year in which they were discovered)
September 22, 2014: Deadline for revising Business Associate Agreements that were in place before January 25, 2013 and were grandfathered under the transition provisions
January 1, 2015: Medicare payment adjustments begin for eligible providers that have not demonstrated meaningful use of certified EHRs
Who has to be compliant?
All organizations that create, receive, transmit, store or otherwise handle Protected Health Information (PHI) must comply with the HIPAA Rules. PHI is individually identifiable health information that is maintained or transmitted in any form or medium, e.g., electronic or paper health records. Entities that handle PHI in any form must apply appropriate safeguards and take the necessary actions to protect PHI from unauthorized uses or disclosures. The extent of the required HIPAA compliance and documentation depends on whether the organization is a Covered Entity, a Business Associate or a Subcontractor.
Covered Entities are health plans, health care clearinghouses and health care providers who transmit any health information in electronic form in connection with a transaction. Covered Entities include, but are not limited to, doctors, clinics, psychologists, dentists, chiropractors, nursing homes, hospitals, pharmacies, health insurance companies and company health plans. Covered Entities are required to meet all of the HIPAA standards including the Privacy Rule, Security Rule and Breach Notification Rule.
Along with the typical covered entities mentioned above, the Privacy Rule recognizes three organizational options for covered entities: Hybrid Entities, Affiliated Covered Entities (ACEs) and Organized Health Care Arrangements (OHCAs). A Hybrid Entity is a single legal entity that performs both covered and non-covered functions. Such an entity must document which components of the organization perform health care functions; only those components are required to follow the Privacy Rule regulations. ACEs are legally separate covered entities under common ownership or control. To designate themselves as a single covered entity, these covered entities must document the designation and perform all covered functions in compliance with the Privacy Rule. OHCAs are separate covered entities that share PHI in order to manage their joint activities. Under the Privacy Rule, they are permitted to share PHI for the joint health care operations of their arrangement, as documented.
Business Associates are persons or entities, outside of a Covered Entity’s workforce, that perform a function or activity on behalf of the Covered Entity, or provide certain services to the Covered Entity that involve the use or disclosure of PHI. Business Associates can provide Covered Entities with legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services. According to the HIPAA standards, Covered Entities are required to create and enact Business Associate Agreements with these persons and/or entities. These contracts must be tailored specifically for each Business Associate and must specify their permitted uses and disclosures, along with several other requirements, that are detailed in the HIPAA rules. It is also important to note that a Covered Entity can be the Business Associate of another Covered Entity.
Subcontractors are business associates of other business associates. Subcontractors create, receive, maintain or transmit PHI on behalf of another business associate. A subcontractor must have a business associate contract with the other business associate. It is not necessary for this subcontractor to have a contract with the Covered Entity. They are only required to have an agreement with the associate for which they directly provide services.
Final Omnibus Ruling
In order to keep pace with the demands of the digital age, the U.S. Department of Health and Human Services (HHS) issued the final omnibus rule in January 2013. According to HHS, the final omnibus rule was created to better protect individuals' health information by improving the privacy and security standards of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In its official press release, HHS said that "The final omnibus rule enhances patient's privacy protections, provides individuals new rights to their health information, and strengthens the government's ability to enforce the law."
Understanding the omnibus rule's new set of standards is a crucial step toward HIPAA compliance. One of the added standards makes business associates and subcontractors, who receive protected health information (PHI) from covered entities, directly liable for several of the HIPAA requirements. Another change finalizes the tiered penalty structure, under which the penalty depends on the level of culpability; penalties for violations of an identical provision are capped at $1.5 million per calendar year, whether that is a single penalty at that amount or the sum of multiple violations of the same provision during the year (violations of different provisions are each subject to their own cap). The rule also clearly defines breach reporting standards, which strengthens the breach notification requirements of the Health Information Technology for Economic and Clinical Health Act (HITECH).
For patients, the rule expanded individual rights in several ways. Under the omnibus rule, patients can request electronic copies of their medical records when the records are held in an electronic health record. Individuals who pay for a service out of pocket in full can restrict what information their provider shares with their health plan about that service. The rule also further protects patients by setting new limits on the use and disclosure of PHI for marketing and fundraising; PHI cannot be sold without the patient's written authorization. Another provision makes it easier for individuals to authorize researchers to use their health information.
The HIPAA Rules
As part of the HIPAA rulings, there are three main standards: the Privacy Rule, the Security Rule, and the Breach Notification Rule. Each incorporates numerous specifications that Covered Entities must appropriately implement for their organization. All three incorporate the need for dynamic and active action, as well as thorough documentation. Covered Entities have to not only become HIPAA compliant, but remain compliant by continually reviewing and updating organizational practices, structures, policies and procedures.
The Privacy Rule is a set of national standards purposed to define appropriate and inappropriate uses and disclosures of protected health information (PHI), inform individuals of their privacy rights, and ultimately, protect health information. The U.S. Department of Health and Human Services (HHS) issued the Privacy Rule as an implementation guideline for Covered Entities to follow so they can adequately meet the HIPAA requirements. According to HHS, “A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well being [sic].”
The Security Rule is a second set of national standards that protects electronic Protected Health Information (ePHI) by requiring entities to take appropriate steps to safeguard the ePHI their organization creates, receives, maintains or transmits. The Security Rule requires Covered Entities to assess the risks to their ePHI and apply specific safeguards to ensure the confidentiality, integrity and availability of that ePHI. Covered Entities must apply administrative, physical and technical safeguards. As new technologies continue to appear, Covered Entities must implement technical safeguards, monitor how their organization's technologies are used and train their workforce members accordingly. While new technologies make ePHI easier to access for treatment and other authorized purposes, they also increase the risk of security incidents and breaches.
The Breach Notification Rule requires Covered Entities and their Business Associates to follow specific steps in the event of a breach of unsecured protected health information. Its requirements include notifying the affected individual(s) without unreasonable delay and no later than 60 days after the breach is discovered, notifying prominent media outlets when a breach affects more than 500 residents of a state or jurisdiction, and notifying the HHS Secretary (without unreasonable delay for breaches affecting 500 or more individuals, and annually for smaller breaches). Together with the HITECH Act, this rule sets out many other specific requirements that must be followed when a breach of PHI has occurred, as well as the monetary penalties associated with noncompliance.
Privacy Rule and Security Rule Relationship
At their core, both the Privacy Rule and Security Rule were created to protect health information from unauthorized views, uses and/or disclosures, and, most importantly, to protect the rights of the individual. While they are very similar in their purpose and in many of their requirements, there are two main distinctions between the two rules. The distinctions deal with the different types/forms of Protected Health Information (PHI) and the difference in safeguard specifications.
The first distinction separates the two rules by whether the PHI is in electronic, written or oral form. The Privacy Rule covers all forms of PHI, electronic, written and oral; the Security Rule covers only PHI in electronic form, ePHI. For example, because the Security Rule gives Covered Entities implementation specifications for creating, receiving, maintaining and transmitting ePHI, its transmission security standard addresses how ePHI is to be protected when sent over the internet, carried on a thumb drive or moved by any other electronic means, so that it is shielded from unauthorized uses and disclosures.
The second distinction is the level of detail each rule gives for its safeguards. The Privacy Rule tells Covered Entities that they must have administrative, technical and physical safeguards in place to protect PHI, but it does not specify what steps those safeguards should consist of. The Security Rule, by contrast, lays out specific security standards that Covered Entities must follow. For example, the Security Rule's physical safeguards include a device and media controls standard, which expects Covered Entities to keep a record of the receipt, removal and movement of hardware and electronic media that contain ePHI, such as laptops, tablets and removable drives. Because Covered Entities vary so widely in size and complexity, many Security Rule implementation specifications are "addressable" rather than "required": for an addressable specification, the entity must assess whether it is reasonable and appropriate for its environment and either implement it, or document why it is not reasonable and appropriate and implement an equivalent alternative measure where one is reasonable. In effect, the Security Rule is the more detailed, specific guide to applying the Privacy Rule's safeguard standard to Protected Health Information (PHI) in electronic form.
For enforcement, the Office for Civil Rights (OCR), within the U.S. Department of Health and Human Services (HHS), enforces the Privacy Rule and, since 2009, the Security Rule and the Breach Notification Rule as well; the Centers for Medicare and Medicaid Services (CMS) enforces the other Administrative Simplification requirements, such as the transaction, code set and identifier standards. It is also important to note, when discussing the two rules and the difference between PHI and ePHI, that the government is encouraging the move of all health information to electronic format for ease of use and improvement in health care services. If all health records are electronic, they can be shared and accessed more quickly, which supports better treatment.
In our HIPAAgps platform, we refer to both PHI and ePHI, while reminding you that you may be required by law to move all of your records to electronic form in the near future.
HITECH Act
According to the U.S. Department of Health and Human Services (HHS), the Health Information Technology for Economic and Clinical Health (HITECH) Act promotes “the adoption and meaningful use of health information technology,” while also discussing and providing provisions that “strengthen the civil and criminal enforcement of the HIPAA rules.”
Enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA) and amending the civil penalty provisions of the Social Security Act, the HITECH Act established four tiers of violations with corresponding penalty ranges. The penalties can reach a maximum of $1.5 million per calendar year for violations of the same provision, and the minimum penalty in each tier increased significantly under the revisions. The act also eliminated the former complete defense under which a Covered Entity could avoid a penalty by showing that it "did not know and with the exercise of reasonable diligence would not have known of the violation (such violations are now punishable under the lowest tier of penalties)," as the HHS site states. A Covered Entity can still avoid a penalty if the violation was not due to willful neglect and is corrected within 30 days of the date the entity knew, or should have known, of it.
Penalties
Cause of Violation | Penalty Range Before Omnibus* per Violation | Penalty Range After Omnibus** per Violation | Upper Limit per Calendar Year (identical provision) |
Did not know, and with reasonable diligence would not have known (no longer a complete defense) | $100/violation, up to $25K per year for identical violations | $100-$50K/violation | $1.5M |
Reasonable cause, not willful neglect (knew or should have known) | $100/violation, up to $25K per year for identical violations | $1K-$50K/violation | $1.5M |
Willful neglect, corrected within 30 days | $100/violation, up to $25K per year for identical violations | $10K-$50K/violation | $1.5M |
Willful neglect, not corrected within 30 days | $100/violation, up to $25K per year for identical violations | $50K/violation and up | $1.5M |
In applying these amounts, HHS will not impose the maximum penalty in every case; it determines the amount as required by the statute at section 1176(a)(1) of the Social Security Act and the regulations at 45 CFR § 160.408, i.e., based on the nature and extent of the violation, the nature and extent of the resulting harm, and the other factors set forth at § 160.408.
*Before the HITECH revisions, a Covered Entity could argue its case with the Secretary and have penalties reduced.
**OCR "must" apply the penalty consistently across all entities rather than "settle" complaints.