The Health Information Portability and Accountability Act (HIPAA) was signed into law in 1996. Two additions were made. The first was privacy: protection for the privacy of Protected Health Information (PHI) became effective April 14, 2003, including standardization of electronic data interchange in health care transactions, effective October 2003. The second part of HIPAA was security: protection for the security of electronic Protected Health Information (e-PHI), which became effective April 20, 2005.
The Privacy Rule sets the standards for how covered entities (CEs) and business associates are to maintain the privacy of PHI. The Security Rule defines the standards that require covered entities to implement basic safeguards to protect electronic PHI.
HIPAA is a Federal law and was enacted by Congress in response to healthcare reform. It is mandatory to protect the privacy and security of a patient's health information. It also helps prevent health care fraud and abuse, and it simplifies billing and other transactions, reducing health care administrative costs.
Protected Health Information (PHI)
- Individually identifiable health information
- Transmitted or maintained in any form
- Created or received by a covered entity, business associate, or employer
Once you are part of a covered entity, you are a covered entity with respect to all PHI, whether it is transmitted electronically, kept in paper format, or transmitted orally.
Examples of Covered Entities include:
- Health Care Providers
- Clearinghouses for electronic billing
Covered entities may only use and disclose PHI according to Privacy Rule provisions:
- Business Associates
- Treatment and payment sources
- The individual has the opportunity to agree or object
- Limited data set (facially de-identified, requires data use agreement between parties)
- With authorization
The HIPAA Privacy Rule controls privacy unless a state law is stricter.
- A CE may disclose PHI for treatment activities to another healthcare provider
- A CE may disclose PHI to another CE or healthcare provider for the CE's payment activities
Health Care Operations
- A CE may disclose PHI to another CE for specific activities such as QI (quality improvement)
- An individual may authorize the release of the PHI in writing, with signature and date provided
On January 17, 2013, the Department of Health and Human Services released the HITECH Act, aka the Omnibus Rule, under HIPAA. This Omnibus Rule represents the most comprehensive set of changes to HIPAA since its origination. It is part of the American Recovery and Reinvestment Act of 2009. The Act allocated $20 billion to health information technology projects, expanded the reach of HIPAA by extending certain requirements to business associates, and imposed a nationwide security breach notification law.
The new rule modifies the breach notification standard and imposes new rules regarding disclosures of PHI in marketing and the sale of PHI. It enhances patient rights to access and control disclosure of PHI. It also expands specific HIPAA obligations to business associates.
HITECH Breach Notification Provisions
The HITECH Act requires Covered Entities (CEs) and business associates to notify affected individuals, the Department of Health and Human Services, and depending on the breach, the media, following discovery of a breach.
HITECH replaces the original "harm standard" under HIPAA. That standard had stated that a breach had occurred if PHI was compromised and there was a significant risk of financial, reputational, or other harm to an individual as the result of the impermissible use or disclosure of PHI. HITECH amends the breach definition to clarify that a disclosure of PHI is presumed to be a breach requiring notification unless a CE can demonstrate a low probability that the PHI has been "compromised."
Four factors must be included in any risk assessment: 1) the type and extent of PHI; 2) who the unauthorized person committing the breach was, as well as who received the information; 3) whether the PHI actually was received and viewed; and 4) the extent to which the risk to the PHI has been mitigated. Lawyers are asking what is meant by compromised PHI.
Compliance Officers need to keep HIPAA and compliance in front of personnel. Finding ways to do that can be challenging but well worth the effort. For most organizations, some of their greatest risks are those tied to PHI.
HITECH modifies the definition of business associates to include any entity that "creates, receives, maintains, or transmits" PHI on behalf of a CE. Business associates include subcontractors and vendors of personal health records that provide services on behalf of a CE. Business associates are now held directly accountable under HIPAA. CEs had to revise their business associate agreements to comply with all applicable provisions of the HIPAA Security Rule. CEs are required to report breaches of unsecured PHI, as are business associates. CEs must hold business associates to the same stringent standards to which they themselves are held.
HIPAA HITECH makes business associates and their subcontractors directly liable for non-compliance with the Security Rule and Privacy Rule requirements. Direct liability flows from the following violations:
- Failure to provide breach notification to the CE
- Failure to provide access to a copy of electronic PHI to either the CE, or the patient’s designee
- Failure to provide an accounting of disclosures
- Failure to comply with the Security Rule
- Impermissible disclosures of PHI
Individuals now have greater rights to obtain all of their health data, to access electronic copies, and to restrict when their information is shared and with whom. Their information must be made available to them within a reasonable time. Even information stored offsite must be made available within 30 days.
Build security into hardware, software, and processes to the greatest extent possible. Make security provisions operate automatically where possible. When replacing manual processes with technology, validate the new process and confirm that it does not increase risk. Technology adopted for its own sake needs to be monitored as well. Review your processes. Educate personnel to be privacy alert.
Build a meaningful HIPAA and compliance audit system foundation that has value for the organization. It is mandated by the OCR, and agency audits of organizations began last year. Remember, not having an audit program can be costly: the OCR fine can go up to $1.5 million for breaches.
Required Elements of a Patient Authorization
When reviewing the patient authorization, be certain it includes:
- A description of the PHI to be used or disclosed; be specific
- The persons authorized to use or disclose the PHI
- The person or agency to whom the CE may disclose the PHI
- The purpose of the use or disclosure
- The patient’s right to revoke the authorization
- The consequences if the patient refuses to sign
- An expiration date of the form
- The patient's signature and the date signed
- A statement that PHI may be re-disclosed by a third party or a business associate, subject to the same HIPAA regulations
- Wording in clear language
HIPAA continues to pose a growing liability for agencies. Review agency policies, procedures, and processes now. Audits are being increased. Be certain you have a Corporate Compliance Plan in place with strong attention to HIPAA Privacy, Security, and HITECH.