The Health Insurance Portability and Accountability Act (HIPAA) compliance requirements were established to safeguard private and sensitive patient data in the healthcare industry. The Security Rule defines who is covered and what electronic health information is protected.
Before HIPAA was established, there was no security standard for protecting the health information held across the healthcare industry.
New technologies were introduced, such as EDI solutions crafted to remove paper-based manual work. EDI integration was meant to reduce the time spent on paper processes, while the industry came to rely heavily on this electronic information system for paying claims, answering eligibility questions, providing necessary health information, and conducting a range of other benefits administration functions.
What Is Protected Health Information (PHI)?
Privacy Rule standards were set alongside the security standards. The Privacy Rule standards were crafted to govern the use and disclosure of individual health information. Protected Health Information (PHI) is the standard that gives individuals privacy rights to control their patient data.
Objective Of Privacy Rule:
This standard was issued by HHS (the Department of Health and Human Services) to ensure that an individual’s health information is well protected and that the transmission of healthcare data is of high quality.
Overall, the Privacy Rule was passed to promote quality care and to strike a balance between using and protecting the data of people who seek care and healing.
The rule is flexible yet comprehensive, covering a variety of uses and disclosures that must be addressed by entities in the healthcare industry.
The latest Privacy Rule was published on December 10, 2020. It introduced modifications to empower patients, improve care coordination, and reduce regulatory burdens. The latest modification was meant to increase permissible disclosures of PHI by –
- Strengthening individuals’ rights to inspect their PHI.
- Shortening the response time from 30 days to 15 days.
- Clarifying the form and format of access.
- Informing individuals that they retain the right to obtain direct copies.
- Reducing the identity verification burden.
- Creating a roadmap for sharing PHI in an EHR.
- Limiting the right of access to direct the transmission of PHI to a third party.
- Amending the permissible fee structure for direct records access.
- Eliminating the written acknowledgement of receipt of a direct treatment provider’s NPP.
History Of Privacy Regulations:
When the Health Insurance Portability and Accountability Act was enacted in 1996, it became public law. HIPAA directed the Secretary to issue privacy regulations because Congress had not enacted privacy legislation of its own; HHS therefore proposed a rule for the security and privacy of individually identifiable health information. After numerous public comments were received, the final privacy regulation was passed as the “Privacy Rule” on December 28, 2000.
This rule was rolled out to publish standards for the electronic exchange, privacy, and security of health information.
However, despite the release of a strict rule, the regulation went through several modifications until the final modification was published on August 14, 2002.
What And Who Is Covered In The Privacy Rule?
Since the Privacy Rule applies to the healthcare industry, the standard applies to health plans, clearinghouses, and healthcare providers that transmit information from one connection to another through EDI or another electronic form. Let’s elaborate on the covered entities.
Health Plans:
Health plans cover entities that provide insurance for health, dental, vision, and prescription drugs. Health plans also include employer-sponsored group plans, government- and church-sponsored health plans, and multi-employer health plans.
Health Care Providers:
A healthcare provider is a covered entity when it electronically transmits healthcare information in connection with certain transactions. These transactions have standards established by HHS under the HIPAA Transactions Rule and include claims, benefits eligibility inquiries, referral authorization requests, and others. The Privacy Rule covers these transactions whether they are transmitted directly or through a billing service or other third party.
Health Care Clearinghouses:
Clearinghouses process nonstandard information received from another entity into a standard format. Healthcare clearinghouses include repricing companies, billing services, value-added networks, community health management information systems, and switches that process this data between a health plan and a healthcare provider.
Business Associates:
A business associate is an organization or person other than the covered entity who performs certain functions or activities on behalf of the covered entity. However, access to and disclosure of individual health information is limited to data aggregation, management, administrative, accreditation, accounting, consulting, or financial services.
Information That Is Protected:
Protected Health Information:
The Privacy Rule protects “individually identifiable health information” held or transmitted by covered entities and business associates. “Individually identifiable health information” includes demographic data and relates to an individual’s –
- Past, present, or future physical or mental health condition.
- Provision of health care.
- Past, present, or future payment for the provision of health care.
De-Identified Health Information:
The Privacy Rule places no restriction on the use or disclosure of de-identified health information. De-identified data neither identifies an individual nor provides a reasonable basis to identify one. Information is considered identifying when the covered entity has actual knowledge that it could be used, by people such as relatives, household members, or employers, to identify the individual.
Underlining The Principles For Uses And Disclosures Of Healthcare Information:
The basic principle is that only the covered entity and the individual who is the subject of the information may access healthcare information protected by the Privacy Rule.
Individuals may access their information when they request it in writing, including for an accounting of disclosures of protected health information, and HHS may access it when undertaking a compliance investigation, review, or enforcement action.
Permitted Uses And Disclosures:
Without the individual’s consent or authorization, a covered entity may view protected health information but may use it only under certain conditions, such as treatment, payment, and healthcare operations activities, including the accounting activities that accompany them. Additionally –
- When an individual is in an emergency or is not available, a covered entity can exercise professional judgment to use the information for purposes such as facility directories and notification.
- The other scenario is incidental use or disclosure, which occurs as a result of, or “incident to”, an otherwise permitted use. As long as the entity or healthcare provider has adopted reasonable safeguards, the information can be shared.
- Disclosure of protected health information for public interest purposes can be made under the specific conditions or limitations applied to each purpose, such as preventing or controlling disease, injury, or disability; reports of child abuse and neglect; tracking of products, product recalls, and post-marketing surveillance; exposure to a communicable disease; and work-related illness or injury at the workplace.
- Beyond these, entities can disclose healthcare information in judicial or administrative proceedings, where required by law, to funeral directors, for essential government functions, to facilitate donation or transplantation, or for generalizable knowledge.
Authorized Uses And Disclosures:
A covered entity cannot condition treatment, payment, benefits enrollment, or benefits eligibility on an individual granting an authorization. The individual’s written authorization specifies the authorized uses and disclosures. However, the covered entity’s use is again limited –
- Psychotherapy notes created by the entity can be used by that entity.
- A covered entity can use psychotherapy notes for its own training, to defend legal proceedings brought by the individual, for an HHS investigation to determine compliance with the Privacy Rule, to avert a serious and imminent threat, and for other lawful activities.
Some may use the information for marketing purposes. The Privacy Rule sets standards for marketing activities, and marketing requires an agreement between the covered entity and the third party defining the information to be disclosed. The agreement covers –
- Communication for treatment.
- Communication for case management or care coordination.
- Communication describing health-related products, services, or payments.
- Communication about provider or network participation.
Limited Uses And Disclosures:
The Privacy Rule states that a covered entity or healthcare provider must share only the minimum necessary information and make its best effort to protect the data, in order to achieve the intent of the standard.
Hence, a covered entity must develop or adopt stringent policies and procedures to limit access and disclosure. However, the policies and procedures can be exempted under certain circumstances, as mentioned in the points above.
When a request is received from another covered entity, the entity holding the protected healthcare information must follow the same rule, disclosing only the limited information needed and only under reasonable circumstances.
HHS built flexibility and scalability into the rule by analyzing the range and size of the covered entities implementing it, so that they can apply solutions appropriately. The nature of the business defines the entity’s size and resources.
The Privacy Rule makes clear that disclosure of all parts of protected healthcare information can endanger the individual. So, the covered entity must integrate a few requisites for handling the information –
- A covered entity can designate a responsible privacy official for developing and implementing privacy policies and procedures.
- The covered entity must train its employees, volunteers, and trainees on the privacy policies and procedures so that they can carry them out.
- Quick mitigation strategies to deter the harmful effects of disclosure of protected information by any entity.
- Appropriate technical and physical safeguards must be implemented to prevent any use or disclosure of protected healthcare information in violation of the Privacy Rule.
- A covered entity must have procedures for individuals to complain about its compliance with the Privacy Rule and its privacy policies.
- The covered entity must respect the rights provided by the Privacy Rule and assist the HHS compliance investigation process instead of retaliating.
- The covered entity must maintain records, from the date of creation to the last effective date, of its privacy policies, privacy notices, disposition of complaints, and other activities and designations required by the Privacy standards.
Health data transmission must also follow the HIPAA transaction sets, such as EDI 834 for benefits enrollment, in a secure manner. Fully insured plans and the transmitted data must also comply with the following – the ban on retaliatory acts and waivers, and the documentation requirements concerning plans sponsored by a health insurance issuer.
What Are The Organizational Options?
The Privacy Rule permits a hybrid entity to manage both covered and non-covered functions.
- Covered entities under common ownership can designate themselves as a single covered entity.
- The Privacy Rule encourages different affiliations of covered entities to manage and benefit their common enterprise.
- A covered entity performing multiple covered functions must operate each covered function in compliance with the applicable Privacy Rule provisions.
- A group health plan must follow these provisions to protect health information shared with a plan sponsor – enrollment and dis-enrollment, premium bids, summary health information, and certification to the plan sponsor of eligibility for health insurance coverage – while keeping the information confidential.
- Other provisions must also be followed, such as the requirement for a personal representative, the special-case (minors) exemption, and the application of federal and state requirements.
What Happens When You Are Non-Compliant?
When you act consistently with the principles for achieving compliance, the Office for Civil Rights provides technical assistance to help you with the Privacy Rule. Those who fail, however, are liable for civil money penalties.
The penalty for a violation before 2/18/2009 was up to $100 per violation. After that date, the per-violation penalty increased to $50,000 or more. On an annual basis, the cap before 2/18/2009 was $25,000, and after 2/18/2009 it is $1,500,000 per year.
Criminal penalties of up to $50,000 can also apply for disclosing individual health information. The Department of Justice can raise this to $100,000 and 5 years of imprisonment. When wrongful conduct is found, such as selling, transferring, or using the protected information, the penalty rises to $250,000 and up to 10 years of imprisonment.