The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was passed by Congress and signed by President Bill Clinton on August 21, 1996. HIPAA is broken down into 5 titles that were enacted to maintain the portability and continuity of health insurance coverage in group and individual markets, to simplify the administration of health insurance, and for many other purposes.
Before HIPAA, it wasn’t always possible for someone who had declined coverage to sign up outside of that open enrollment window. Generally accepted sets of cybersecurity solution standards or general requirements for protecting health information just didnt exist in the healthcare industry before HIPAA. The implementation of HIPAA policies, procedures and rules ushered in a new era for the healthcare industry, giving patients peace of mind and instilling more faith in healthcare practitioners.
Unfortunately, HIPAA compliance is not being prioritized in some healthcare organizations. These entities instead seek out shortcuts to cut costs while putting patient protected healthcare information (PHI) at risk of being breached. These breaches and the investigations in organizations that are not in compliance with HIPAA regulations have led to hefty fines as of recent years. In 2016 alone, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) collected a record-setting $23 million in HIPAA fines, greatly surpassing the previous record of $7.4 million in 2014.
Thats a lot of cheddar.
To keep your organization from violating HIPAA requirements and shouldering the weight of enormous fines and sanctions from the OCR, it is imperative that your organization educates itself on the types of violations that commonly incur these fines. Understanding where other organizations went wrong in their negligent quest for HIPAA compliance will give you much more insight into how you can optimize your quest for HIPAA compliance in the future.
HIPAA Requirements
HIPAA is a series of laws that have required health care organizations to invest time and money into training for strict compliance. HIPAA applies to covered entities that manage certain health plans, health care clearinghouses and health care providers as well as business associates such as service providers that create, receive, maintain or transmit Protected Health Information (PHI) for covered entities or other business associates.
Also Read: Top 5 Components of HIPAA Privacy Rule
Under HIPAA, participants could enroll in coverage if they meet certain criteria. For instance, if a marital situation changes or you move to a new location, HIPAA makes sure that you can get insurance without having to wait for open enrollment. HIPAA covers different aspects of handling PHI such as creating, storing, transferring and sharing the data. It provides guidelines via its 5 titles and 5 rules on how to meet privacy and security requirements that will ensure the sustainable protection of your patients PHI. Without further ado, lets break down the 5 titles of HIPAA:
Title I: Health Care Access, Portability, and Renewability
Title I establishes rules on how a group plan handles a pre-existing condition. Before HIPAA, there were many people who were completely denied health insurance based on chronic medical conditions, regardless of how well the condition was controlled. Today, group health insurance plans must follow rules regarding what’s considered a pre-existing condition and how long they can exclude coverage for these conditions.
Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform
Title II is broken up into 5 rules:
1. Privacy Rule
2. Transactions and Code Sets Rule
3. Security Rule
4. Unique Identifiers Rule
5. Enforcement Rule
Each of these 5 rules goes into considerable depth. Title II requires the Department of Health and Human Services (HHS) to establish national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. Adopting these standards facilitates the improvement of efficiencies and effectiveness of the nation’s health care system by encouraging the widespread use of electronic data interchange across the healthcare industry.
Title III: Tax-related health provisions governing medical savings accounts
Title III provides for certain deductions for medical insurance, makes other changes to health insurance law, and establishes medical savings accounts for individuals. In laments terms, Title III standardizes the amount you can save per person in a pre-tax medical savings account.
Title IV: Application and enforcement of group health insurance requirements
Title IV addresses the application and enforcement of group health plan portability, access and renewability for those with pre-existing conditions, and modifies continuation of coverage requirements. It also clarifies continuation coverage requirements and includes COBRA clarification.
Title V: Revenue offset governing tax deductions for employers
Title V includes provisions related to company-owned life insurance, treatment of individuals who lose U.S. Citizenship for income tax purposes and repeals the financial institution rule to interest allocation rules.
HIPAA Rules
HIPAA rules were enacted after many years of collaboration with public and private sector healthcare providers. The five Rules were enacted from recommendations received from industry workgroups on topics pertaining to the effective management and protection of PHI. The main goal of these five Rules is to define uniform standards for transferring PHI amongst covered entities while simultaneously securing PHI and ensuring patient privacy and confidentiality. The act of complying with HIPAA Rules is not a surefire way to prevent all data breaches, but it will ensure that your healthcare organization achieves at least the minimum standard for data security, which will prevent most healthcare data breaches.
The Privacy Rule (circa 2000)
This rule addresses the use and disclosure of individuals health information called covered entities, as well as standards for individuals’ privacy rights to understand and control how their health information is used. The OCR is responsible for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties. A major goal of the Privacy Rule is to assure that individuals health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being.
The Transaction and Code Sets Rule (circa 2003)
This rule creates a uniform way to perform electronic data interchange (EDI) transactions for submitting, processing, and paying claims. The standards inherent in this rule apply to any healthcare plan, health care clearinghouse, and/or health care provider that transmits PHI in electronic form in connection to the defined transactions.
The Security Rule (circa 2003)
This rule establishes national standards to protect individuals electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires implementation of three types of safeguards (administrative, physical, and technical) to ensure the confidentiality, integrity, and security of electronic PHI.
The National Provider Identifier (NPI) Rule (circa 2005)
This rule is focused on National Provider Identifiers (NPIs) which are unique identification numbers that covered health care providers must utilize during their administrative and financial transactions. These NPIs must not carry other information about healthcare providers and must be used in lieu of legacy provider identifiers in the HIPAA standards transactions.
The Enforcement Rule (circa 2006)
This rule establishes compliance responsibilities for covered entities with respect to cooperation in the enforcement process. These rules govern the process and grounds for establishing the amount of a civil money penalty where HHS has determined that a covered entity has violated a HIPAA requirement. Procedures for hearings and appeals for any challenges to a HIPAA violation determination are outlined in this rule as well.
What is a HIPAA Violation?
HIPAA violations are based on the level of negligence and the amount of infractions for non-compliance. Fines increase as the number of patients and the amount of neglect increases. Heres a breakdown of the types of violations and the financial consequences that come with each infraction:
VIOLATION TYPE | EACH VIOLATION | VIOLATIONS OF AN IDENTICAL PROVISION IN A CALENDAR YEAR |
Individual didn’t know they violated HIPAA | $100 – $50,000 | $1,500,000 |
Reasonable cause and not willful neglect | $1,000 – $50,000 | $1,500,000 |
Willful neglect but corrected within time | $10,000 – $50,000 | $1,500,000 |
Willful neglect and is not corrected | $50,000 | $1,500,000 |
The consequences of HIPAA violations go far beyond the financial ramifications. Organizations can lose their good standing reputation, client/patient trust, and their ability to operate a business. It can take an organization months or even years to recover from a single HIPAA violation. The three common HIPAA violations that are outlined in the following sub-sections can be mitigated when you implement an effective compliance program that works for the needs of your organization:
PHI and ePHI Storage
Sensitive patient data is termed electronic protected health information (ePHI) and includes information like patient names, addresses, social security numbers, procedure codes, birth dates, and much more. If PHI is stored on a laptop or smartphone, those safeguards must be implemented on the respective device. Encryption is considered an addressable specification, meaning covered entities are only required to implement it if it reduces the risk of ePHI data breach. If you lose a laptop containing encrypted ePHI, the risk of an unauthorized user accessing the data is still low. However, the use of a laptop with unencrypted ePHI takes the risk of a data breach to a whole new level.
Data Breaches
Under HIPAA, organizations are required to report breaches that impact 500 or more individuals to federal regulators and affected individuals within 60 days. OCR treats data breaches severely when it finds that they’re the result of systematic neglect. An organization that suffers a data leak despite consistently good security practices might get only recommendations on improving them. One which is negligent, as in this case, could be made to give up a large amount of money and demonstrate improvement in its practices.
Below are the top 10 largest healthcare data breaches (listed by size, from largest to the smallest in terms of the number of individuals affected):
Number |
Healthcare Provider |
Individuals Affected |
Date of Breach |
1 |
Anthem Blue Cross |
78.8 Million | Jan-15 |
2 |
Premera Blue Cross |
11+ Million | Jan-15 |
3 |
Excellus BlueCross BlueShield |
10+ Million | Sep-15 |
4 |
TRICARE |
4.9 Million | Sep-11 |
5 |
University of California, Los Angeles Health |
4.5 Million | Jul-15 |
6 |
Community Health Systems |
4.5 Million | Jun-14 |
7 |
Advocate Health Care |
4.03 Million | Aug-13 |
8 |
Medical Informatics Engineering |
3.9 Million | Jul-15 |
9 |
Banner Health |
3.62 Million | Aug-16 |
10 |
NewKirk Products |
3.47 Million | Aug-16 |
Employee Training
HIPAA requires all covered entities to provide training to their employees in following HIPAA titles and rules. Covered entities are required to train all existing and new employees on HIPAA law, as well as providing a refresher course periodically. Failure to provide this required training could mean major penalties for your organization. Most violations pertaining to employees can easily be prevented through the implementation of HIPAA policies and procedures to ensure that all individuals with access to PHI receive the proper training on how to safely handle it.
Even if an individual is negligent and engages in prohibited conduct such as knowingly obtaining or using HIPAA-protected information without authorization, they can still face criminal prosecution. Even if they aren’t immediately aware that their actions are prohibited under the law, they are still held accountable for their negligence under HIPAA. Ensuring that your materials are current, manuals are updated, and that you are conducting annual HIPAA training will put your organization in prime positioning to prevent potential violations.
HIPAA Violation Cases
Many HIPAA violations are discovered by HIPAA-covered entities through internal audits. Supervisors may identify employees who have violated HIPAA Rules and employees often self-report HIPAA violations and potential violations by co-workers.
The 5 Largest HIPAA Penalties to Date include:
Number | Healthcare Provider | Amount |
1 | Advocate Health Care Network | $5.55 million |
2 | Memorial Healthcare System | $5.5 million |
3 | New York-Presbyterian Hospital and Columbia University |
$4.8 million |
4 | Cignet Health of Prince George County | $4.3 million (civil monetary penalty) |
5 | Fresenius Medical Care North America | $3.5 million |
The second-largest HIPAA penalty to-date was the $5.5 million penalty perpetrated by Memorial Healthcare Systems across six hospitals and other facilities across the state of Florida. Unauthorized employees had access to ePHI through shared login credentials. The reasons for the huge fine included failure to review access controls and examine audit logs. Credentials cannot be shared.
The July 2013 breach of more than 4 million patients confidential medical records that impacted Advocate Health Care Network ended up costing them a record $5.5 million in HIPAA violation penalties back in 2016. This breach involved the theft of four desktop computers from Advocate Medical Groups administrative buildings along with two subsequent breaches within three months of the record breach. The breach exposed demographic data, clinical data, health insurance information, payment card details, names, addresses, and dates of birth.
OCR investigators uncovered a catalog of HIPAA failures while investigating the 4+ million patient breaches at Advocate Health. It was determined that Advocate Health had failed to implement HIPAA policies and procedures to control physical access to ePHI stored in its data support center. OCR investigators determined that if these HIPAA policies and procedures would have been implemented, the breaches would not have taken place.
Closing Thoughts
Patients entrust healthcare entities with their PHI, therefore it is of paramount importance that these entities must protect it against deliberate or inadvertent misuse or disclosure from internal and external sources. Now that technologies are evolving and the healthcare industry is moving away from paper processes and relying more heavily on the use of electronic information systems, it is imperative for organizations to maintain their compliance with all facets of HIPAA. With healthcare organizations receiving millions of dollars in fines for non-compliance, it goes without saying that the best course of action to protect your patients PHI and maintain their trust in your organizational data security is in consistent HIPAA compliance.
Contact Us Now!