The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides rights and protections for patients, along with participants and beneficiaries in group health plans. HIPAA’s privacy rule affects the relationships between group health plans, their employer-sponsors, and the insurers and administrators of their benefits.
In general, privacy is about who has the right to access personally identifiable health information. The rule covers all individually identifiable health information in the hands of covered entities, regardless of whether the information is or has been in electronic form. Covered entities include health plans, health care clearinghouses, and health care providers who conduct health care transactions electronically. Employers, in their activities as employers, are not considered covered entities. When they sponsor health care plans, they are involved because the plans are covered entities.
Privacy. Title II of the Act includes a section, Administrative Simplification, requiring improved efficiency in healthcare delivery by standardizing electronic data interchange, and protection of confidentiality and security of health data.
Employers are covered by the privacy rule when they:
Protected health information (PHI) is that which identifies an individual’s physical or mental health condition, the health care that the individual has received, or payments for such care. In contrast, summary health information, which excludes individuals’ names and identifying information, may be disclosed to, and used by, employers — without consent — for certain functions such as obtaining bids for insurance coverage.
The privacy standards:
Actions employers may want to take include the following:
Individuals may authorize the disclosure of their PHI. Authorizations are an individual’s signed permission to allow a covered entity to use or disclose the individual’s PHI that is described in the authorization for the purpose(s) and to the recipient(s) stated in the authorization. Authorizations allow additional, specific uses of health information beyond treatment, payment, and health care operations to be released.
Notices. Covered entities must provide notice of patients’ privacy rights and of their privacy practices to affected individuals. The notice must explain how you may use and disclose PHI. The notice also needs to describe the individuals’ rights with respect to their PHI, how the individuals may exercise those rights, your legal duties with respect to PHI, and whom individuals can contact for further information. The notice must also have an effective date.
Security. Security is an important part of the privacy provision. The health care industry has been moving away from paper processes and relying more heavily on the use of computers to pay claims, answer eligibility questions, provide health information, and conduct a host of administrative functions. Under HIPAA, health plans that engage in electronic health care transactions, and/or maintain electronic PHI (EPHI) need to ensure their systems provide reasonable security from unauthorized access, alteration, deletion, and transmission.
The security rule provides for ensuring that the confidentiality, integrity, and availability of EPHI created, received, maintained, used, or transmitted is protected. The security rule gets more technical than the privacy rule, as it involves information technology.
Breaches. The American Recovery and Reinvestment Act of 2009 (ARRA) included some HIPAA privacy requirements addressing breaches of PHI. In general, the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of ARRA, requires that covered entities that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured PHI must notify each individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed as a result of the breach.
Unsecured PHI. All these breach requirements deal with what is known as “unsecured protected health information.” This is defined as PHI that is not secured through the use of a technology or methodology specified by the U.S. Department of Health and Human Services (HHS) that will render PHI unusable, unreadable, or indecipherable to unauthorized individuals.
Notification. You have a few methods available for notifying individuals of a breach:
If the breach involves more than 500 residents of a state or jurisdiction, you need to provide notice to prominent media outlets serving that state or jurisdiction. If the breach involved more than 500 individuals, you must immediately notify the HHS. If it involved fewer than 500 individuals, you may maintain a log of the breach and annually submit the log to the HHS.
The HHS has posted a list on its website of covered entities involved in breaches involving 500 or more individuals.
Content of notification. Breach notices need to include the following information:
Fines. Noncompliance with HIPAA privacy and security rules calls for severe civil and criminal penalties. The American Recovery and Reinvestment Act of 2009 increased the penalties, and added tiers. The original $100 per violation with a related cap of $25,000 for multiple violations of the same requirement is still in place. The tiers are as follows:
| Culpability | Minimum penalty/violation | Maximum penalty/violation | Annual limit |
|---|---|---|---|
| No knowledge | $100 | $50,000 | $25,000 |
| Reasonable cause | $1,000 | $50,000 | $100,000 |
| Willful neglect — corrected | $10,000 | $50,000 | $250,000 |
| Willful neglect — not corrected | $50,000 | $50,000 | $1,500,000 |