What is HIPAA?

Garrett McAnulla

Definition of HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) set a national standard for handling sensitive patient data. Organizations that work with protected health information (PHI) must put security measures in place that keep PHI from being exposed beyond what an authorized use requires. Covered entities maintain HIPAA compliance by storing PHI on secured infrastructure and by defining procedures that govern who may access PHI, and under what circumstances.

History of HIPAA

HIPAA was signed into law on August 21, 1996. It was intended to “improve the portability and accountability of health insurance coverage,” and it also aimed to prevent fraud and abuse in the healthcare and insurance industries. The Act further affects the administration of health insurance, promotes the use of medical savings accounts, and encourages insurers to cover individuals with preexisting medical conditions.

What information is protected under HIPAA?

The HIPAA Privacy Rule protects all individually identifiable health information that is held or transmitted by a covered entity or a business associate, in any form: paper, electronic, or oral.

PHI can include:

  • An individual's past, present, or future physical or mental health condition
  • Identifiers such as a patient's name, date of birth, Social Security number, address, or biometric identifiers, when they are linked to health information
  • Any care provided to an individual
  • Information about payment for that care that identifies the patient

What are HIPAA-covered entities?

HIPAA defines three types of covered entities, and its rules extend to a fourth group, the business associates that handle PHI on their behalf:

  • Healthcare providers: an individual health professional or a health facility licensed to provide diagnosis and treatment services, including medication, surgery, and medical devices, that transmits health information electronically in connection with a standard HIPAA transaction such as a claim. Providers typically receive payment for their services from health plans.
  • Health plans: entities that provide or pay for the cost of medical care, including health, dental, vision, and prescription drug insurers; Medicaid, Medicare, Medicare+Choice (now Medicare Advantage), health maintenance organizations, and long-term care insurers; and government-, employer-, and church-sponsored health plans.
  • Healthcare clearinghouses: electronic hubs through which healthcare practices submit claims to insurance carriers in a form that protects the PHI they contain, translating between nonstandard and standard transaction formats. Clearinghouses give medical billers and billing managers a way to consolidate and aggregate electronic claim information.
  • Business associates: a person or organization (other than a member of a covered entity's workforce) that uses or discloses individually identifiable health information to perform functions, activities, or services for a covered entity, such as billing, data analysis, claims processing, and utilization review. A business associate agreement with the covered entity is required, and since the 2013 Omnibus Rule business associates are directly liable for complying with the Security Rule.

HIPAA Privacy Rule penalties

Under HIPAA, civil penalties can be imposed for any violation of the Privacy or Security Rules, for example a healthcare data breach or a covered entity's failure to give patients access to their own PHI. Penalty amounts are split into four tiers based on the level of culpability:

  1. The entity did not know, and could not reasonably have known, of the violation: from $100 per violation, with an annual maximum of $25,000 for violations of an identical provision.
  2. The violation was due to reasonable cause, not willful neglect: from $1,000 per violation, with an annual maximum of $100,000.
  3. Willful neglect, but the violation is corrected within 30 days of discovery: from $10,000 per violation, with an annual maximum of $250,000.
  4. Willful neglect, and the violation remains uncorrected: $50,000 per violation, with an annual maximum of $1.5 million.

These are the base figures from HHS's 2019 notice of enforcement discretion; HHS adjusts them for inflation each year, so the amounts in force at any given time are somewhat higher.

Physical and Technical Safeguards

The HIPAA Security Rule, enforced by the US Department of Health & Human Services, requires administrative, physical, and technical safeguards from any organization that hosts or stores electronic PHI (ePHI). The physical safeguards include:

  • Facility access controls that limit physical access to systems holding ePHI to authorized persons
  • Policies governing the use of, and access to, workstations and electronic media
  • Controls on transferring, removing, disposing of, and re-using electronic media that holds ePHI

The technical safeguards cover the technology that protects ePHI and controls access to it, so that only authorized personnel can reach it. They include:

  • Access control: unique user IDs, emergency access procedures, automatic log-off, and encryption and decryption of ePHI
  • Audit controls: reports or tracking logs that record activity in the hardware and software that contain or use ePHI
  • Integrity controls, person or entity authentication, and transmission security: protecting ePHI from improper alteration or destruction, verifying who is requesting access, and guarding ePHI (for example, by encrypting it) when it is sent over a network
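As an added illustration (this code is not from the original article), here is a minimal ePHI record store in Python that applies the technical safeguards listed above: sessions tied to a unique per-user ID with role-based access control, a break-glass emergency access path that succeeds but is always logged for review, automatic log-off of idle sessions, encryption of stored records with an integrity tag, and an append-only audit log of every access attempt, denied ones included. The roles, user IDs, the 15-minute idle timeout, and the sample record are constructed for the example. The HMAC-based cipher is a standard-library stand-in so the block runs anywhere; a real deployment would use a vetted AEAD such as AES-GCM and a key-management service.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

SESSION_TIMEOUT_S = 15 * 60     # assumed automatic log-off policy: 15 minutes idle
ROLE_PERMISSIONS = {            # assumed mapping of role -> record classes it may read
    "physician": {"clinical", "billing"},
    "billing_clerk": {"billing"},
}


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate confidentiality and integrity keys derived from one master key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a standard-library stand-in for a real AEAD (AES-GCM).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one record: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting: a tampered record is rejected, never returned."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ePHI record failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


class AccessDenied(Exception):
    pass


@dataclass
class Session:
    user_id: str             # unique per person: shared logins make the audit trail useless
    role: str
    last_seen: float
    emergency: bool = False  # break-glass flag: bypasses the role check, always logged


class EphiStore:
    def __init__(self, master_key: bytes):
        self._key = master_key
        self._records = {}   # record_id -> (record_class, sealed bytes)
        self.audit_log = []  # append-only: every access attempt, successful or not

    def _audit(self, s: Session, record_id: str, result: str, now: float) -> None:
        self.audit_log.append({"ts": now, "user": s.user_id, "role": s.role,
                               "record": record_id, "action": "read", "result": result})

    def store(self, record_id: str, record_class: str, data: bytes) -> None:
        self._records[record_id] = (record_class, seal(self._key, data))

    def read(self, session: Session, record_id: str, now: float) -> bytes:
        # Automatic log-off: an idle session is rejected, not silently refreshed.
        if now - session.last_seen > SESSION_TIMEOUT_S:
            self._audit(session, record_id, "session_expired", now)
            raise AccessDenied("session expired; log in again")
        session.last_seen = now
        record_class, blob = self._records[record_id]
        allowed = record_class in ROLE_PERMISSIONS.get(session.role, set())
        if not allowed and not session.emergency:
            self._audit(session, record_id, "denied", now)
            raise AccessDenied(f"{session.user_id} ({session.role}) may not read {record_class} records")
        # Emergency access succeeds but is tagged so it surfaces in after-the-fact review.
        self._audit(session, record_id, "ok" if allowed else "emergency_override", now)
        return unseal(self._key, blob)


def demo():
    # Exercises the four outcomes against one constructed record; returns (results, audit_log).
    store = EphiStore(os.urandom(32))
    store.store("pt-1001", "clinical", b"dx: hypertension; rx: lisinopril 10mg")  # constructed sample
    t0 = 1_700_000_000.0
    doctor = Session("u-doctor-17", "physician", last_seen=t0)
    clerk = Session("u-billing-04", "billing_clerk", last_seen=t0)
    er_desk = Session("u-registrar-22", "registrar", last_seen=t0, emergency=True)
    results = [store.read(doctor, "pt-1001", now=t0 + 60)]          # permitted by role
    for sess, when in ((clerk, t0 + 60),                            # wrong role
                       (er_desk, t0 + 60),                          # break-glass
                       (doctor, t0 + 60 + SESSION_TIMEOUT_S + 1)):  # idle past timeout
        try:
            results.append(store.read(sess, "pt-1001", now=when))
        except AccessDenied as exc:
            results.append(str(exc))
    return results, store.audit_log
```

Calling `demo()` produces four audit entries, one per attempt, with results `ok`, `denied`, `emergency_override`, and `session_expired`. The design point is that the audit record is written before any exception is raised, so a failed or expired attempt leaves the same trail as a successful one, and the emergency path is distinguishable from routine access without needing a separate logging code path.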