If you handle information about medical or healthcare patients, you may need to follow HIPAA rules. Breaching the rules can lead to significant fines and even criminal prosecution.
Among other requirements, the rules cover the way you secure medical information, how you deal with breaches, and what you must tell people about the way you handle their data.
Here's what you need to know when it comes to HIPAA compliance.
- 1. HIPAA Background and Operation
- 2. Organizations Subject to HIPAA Rules
- 3. Information Covered by HIPAA Rules
- 4. The HIPAA Omnibus Rule
- 5. The HIPAA Privacy Rule
- 5.1. Access to Information
- 5.2. Privacy Management
- 5.3. Patient Rights and Notice
- 6. HIPAA Security Rule
- 7. HIPAA Breach Notification Rule
- 8. Penalties for Breaching HIPAA
- 9. Summary
HIPAA Background and Operation
HIPAA originally referred to the Health Insurance Portability and Accountability Act of 1996, which dealt mainly with the rights of workers to keep their health insurance when leaving a job. The law also covered the way healthcare organizations transferred information electronically.
In a data handling context, HIPAA more commonly refers to a series of subsequent regulations that began coming into force from 2003 and are collectively known as the HIPAA rules. They include:
- The HIPAA Privacy Rule (2003) which governs the collection, use and disclosure of personal health information
- The HIPAA Security Rule (2005) which governs the way organizations secure personal health information
- The HIPAA Breach Notification Rule (2009) which governs who organizations must inform about a breach and when
- The HIPAA Omnibus Rule (2013) which clarifies the obligations of contractors working with health information
The HIPAA rules work alongside other federal and state legislation. They do not override any other laws. This means that complying with HIPAA does not guarantee you meet any other privacy laws.
Organizations Subject to HIPAA Rules
HIPAA defines two groups covered by the rules.
The first is "covered entities." This specifically includes healthcare providers, healthcare clearinghouses and the operators of health insurance plans.
The definition is specific and narrow, meaning many organizations that may deal with medical issues are not classed as covered entities. Examples include life insurers, schools and gyms.
The second group is "business associates." This means any organization that is hired by a covered entity and accesses or uses personal health information as part of that work.
- Answer a few questions about your business:
- Enter the country and click on the "Next Step" button:
The "business associates" class also extends to organizations that are hired by an existing business associate. To avoid confusion, these organizations are sometimes referred to as subcontractors.
Covered entities are subject to all the rules. Officially, business associates are subject to all the rules except the Privacy rule. (As we'll cover later, they are indirectly affected by its measures.)
Information Covered by HIPAA Rules
All of the rules are based around the handling of "personal health information." This means any information about a patient that can be linked to the patient through one of the following 18 identifiers:
- Account details
- Certificate or license numbers
- Complete face or any comparable photographic images
- Dates directly related to a person
- Details of Email addresses
- Device identifiers and serial numbers
- Fax number details
- Fingerprints, retinal and voice prints
- Geographical identifiers
- Health insurance beneficiary numbers
- IP address details
- Medical record numbers
- Names or part of names
- Phone number details
- Social Security details
- Vehicle license plate details
- Website URLs
- Any other unique identifying characteristic
This definition can be a little confusing at first glance. The key is that by protecting "personal health information," HIPAA theoretically removes the risk that any medical information can be connected to an individual.
For example, a medical record such as a history of treatment isn't automatically "personal health information." However, if that history includes the patient's name, it becomes "personal health information."
You may come across the term "de-identified" in regards to medical information. This means it has been stripped of any of the details that fall in these 18 categories. Once de-identified, medical information no longer comes under the HIPAA requirements.
The HIPAA Omnibus Rule
Although the Omnibus rule appears to be largely procedural, it has significant effects on business associates and their responsibilities. The key points of the rule are as follows:
- A covered entity must have a "business associate agreement" in place before sharing personal health information.
- The agreement must be reviewed at least annually and amended as necessary to reflect any changes in the relationship.
- The agreement must involve both parties formally recognizing they must follow HIPAA rules.
- The agreement must set out that the liability for a breach lies with whichever party is responsible for the breach.
- The agreement can (and usually should) set out measures for how the business associate will behave when handling the personal health information. These measures may reflect some or all of the requirements of the Privacy rule.
The Omnibus rule also says covered entities must do due diligence to check the business associate's security. This could include carrying out an audit and reviewing any past data breaches the business associate suffered.
Note that even with this due diligence, the covered entity doesn't have the authority to formally declare whether or not the business associate complies with HIPAA.
This extract from Microsoft's business associate agreement details how it will and won't user personal health information it accesses when customers (such as covered entities) use its software:
Note that safeguards are also addressed, with Microsoft stating it will use reasonable and appropriate safeguards to prevent any inappropriate use and disclosure of the protected health information.
The HIPAA Privacy Rule
As noted before, the Privacy rule only directly affects "covered entities." However, business associates may need to follow some or all of the measures as a condition of their business associate agreement.
Access to Information
The use or disclosure of personal health information may require permission from the patient.
Ways you can use or disclose Personal Health Information without permission include the following:
- As part of treatment
- In the course of billing
- As part of health care operations
- When legally required to do so
Ways you can use or disclose Personal Health Information if you get spoken permission (which includes giving the patient a chance to object) include the following:
- To list them in a patient directory (for example so that staff know what room they are in)
- To share details with the patient's family or friends such as their location or condition
Ways you can only use or disclose Personal Health Information with written permission include:
- Sharing with third parties such as a lawyer
- Any information that relates to mental rather than physical health
- Any other information that isn't specifically stated in the law as being OK to share without permission
This sample HIPAA Privacy Authorization Form from Caring makes clear exactly what uses of data the patient is consenting to:
The HIPAA Privacy Rule says covered entities must do the following:
- Train staff on HIPAA
- Have clear procedures for complying with HIPAA
- Have a specific staff member or members responsible for compliance
- Have a procedure for handling patient privacy complaints
Patient Rights and Notice
Under the Privacy Rule, patients have the right to see copies of their medical and billing records and ask for changes if necessary.
They also have the right to know how you have disclosed their Personal Health Information. They can ask for you to restrict the way you use or disclose the information, though you don't have to agree.
Most importantly, patients have the right to get a copy of a Notice of Privacy Practices. This must include:
- An outline of how the Privacy Rule both allows and restricts the use of the Protected Health Information
- The patient's privacy rights including to complain to you or to the Department of Health & Human Services
- Contact details for getting more information or making a complaint
You must provide the Notice of Privacy Practices several times and in several ways, including the following:
- The first time you encounter a patient, for example at an appointment, after an emergency or when somebody enrolls in a healthcare plan
- Publicly posted at your facility so that patients can see it
The rules on patients acknowledging this notice are arguably a little unintuitive but you still need to follow them.
- You must ask the patient to give a written acknowledgement (such as signing a form) that they've received the notice.
- If the patient does so, it doesn't give you any extra rights to use or disclose data.
- If the patient refuses to do so, you must make and keep a record of the refusal. The refusal doesn't stop you using or disclosing data in line with HIPAA.
DukeHealth's Notice of Privacy Practices sets out some of the ways it is allowed to (and does) use personal health information:
The Jackson Laboratory gives some examples of the patient's rights under HIPAA:
HIPAA Security Rule
The Security Rule governs how you secure Personal Health Information stored in electronic format. The key requirements are as follows:
- Make sure to keep the information confidential, complete and available.
- Protect against any "reasonably anticipated" risk of security breaches or damage to the data.
- Protect against any "reasonably anticipated" risk of unlawful use or disclosure.
- Make sure individual staff members follow these rules.
- Remember that both covered entities and business associates come under the Security Rule.
HIPAA Breach Notification Rule
The Breach Notification rule says what to do in the event of a breach. This means any unauthorized use or disclosure of unsecured Personal Health Information. (It doesn't cover access to secured data such as that stored in encrypted and unreadable form.)
The rule classifies breaches by two categories based on the number of affected patients in a single jurisdiction.
If this number is 500 or fewer it counts as a minor breach. You must tell the individuals concerned within 60 days of discovering the breach. You must also tell the Department of Health and Human Services by the 60th day of the following calendar year. (In other words, by March 1st, or by February 29th in a leap year.)
If this number is more than 500 it counts as a major breach. You must tell both the individuals concerned and the Department of Health and Human Services within 60 days of discovering the breach. You must also issue a media notice to a prominent outlet in the area and inform local law enforcement.
Penalties for Breaching HIPAA
The Department of Health and Human Resources can investigate alleged breaches of HIPAA and issue civil monetary penalties.
The amount of the penalty for each violation can fall into one of four defined ranges depending on the nature of the violation. Within each range, there's a maximum total annual penalty for all breaches of a particular provision of the law.
The lowest range is for unknowing violations where not only did you not know about the breach but you had no reasonable way of knowing. The range is $100 to $50,000 per violation, though the annual cap is $25,000. (This odd setup is because a 2019 change reduced the cap without changing the "per violation" range.)
The next range is called "reasonable cause" which means you didn't know about the breach but you would have if you took reasonable care. The range is $1,000 to $50,000 per violation with a $100,000 annual cap.
The next range is "Wilful neglect - corrected." That means you either intentionally broke the rules or you acted with "reckless indifference," but you fixed the breach within 30 days. The range is $10,000 to $50,000 per violation with a $250,000 annual cap.
The top tier, "Wilful neglect - uncorrected," is where you either intentionally broke the rules or you acted with "reckless indifference," and you didn't fix the breach within 30 days. The range per violation is a minimum of $50,000 and no upper limit, with an annual cap of $1.5 million.
The Department of Justice can and does prosecute for particularly serious breaches. Examples include stealing personal health information or attempting to sell it to a third party.
Let's recap what you need to know about the HIPAA rules.
- HIPAA refers to both a 1996 law and a series of four rules covering privacy, security, breach notifications and the relationship between health organizations and contractors.
- "Covered entities," meaning health care providers, healthcare clearinghouses and health insurance plans, are subject to all HIPAA rules.
- "Business associates" are contractors of covered entities (or of other business associates) who handle personal health information. They are subject to all HIPAA rules except the Privacy Rule.
- The rules deal with Personal Health Information. This means any patient information that can be linked to an individual through one of 18 identifiers.
- The Omnibus Rule says covered entities and business associates must have an agreement that sets out their respective responsibilities regarding HIPPA. Such agreements commonly require the business associate to protect patient privacy.
- The Privacy Rule sets out what data you can use with written permission, with spoken permission, or without needing permission.
- It also requires a Notice of Privacy Practices that details the patient's rights under HIPAA and how to exercise them.
- You must ask a patient to sign to acknowledge receiving the Notice of Privacy Practices. Whether or not they do so does not affect your respective rights or responsibilities.
- The Security Rule says you must keep personal health information confidential, complete and available.
- The Breach Notification Rule says you must tell affected individuals about a breach within 60 days. When you must tell the Department of Health and Human Services, and whether you have to tell the media or law enforcement, depends on the number of affected individuals.
- Breaking HIPPA rules can lead to a financial penalty. The size (and annual total limit) of a penalty depends on whether you acted intentionally or recklessly and how quickly you fixed the breach.