The Health Insurance Portability and Accountability Act, commonly referred to as HIPAA, was signed into law on August 21, 1996. From the outset HIPAA was conceived as a modernization effort for healthcare records. Up until the mid-1990s, the vast majority of healthcare records were kept in hard copy, and there was no comprehensive federal law regulating the sharing or protection of sensitive health data until HIPAA was adopted. HIPAA was conceived at a time when enormous external forces were acting upon all industries, including the health sector. An increasingly data-driven world was outpacing the rate of change in the healthcare industry, and legislators and healthcare professionals recognized that patient data needed to be protected while also remaining accessible to the patients themselves. At the same time, regulators and healthcare professionals recognized that, going forward, health records would need to be digitized and stored electronically.
Since HIPAA's adoption into law in 1996, the law has undergone a number of seismic shifts to become what it is today. In this article, we'll outline what the changes to HIPAA law have been, how they impact healthcare and data security professionals, and share some tips on how to achieve and maintain HIPAA compliance over the long term. This information should prove helpful for anyone wondering what HIPAA is and how it has developed over time.
The Evolution of HIPAA
HIPAA law has experienced a number of significant changes since it was signed into law in 1996. While HIPAA established an important precedent when it was introduced, and included safeguards that ensured employees wouldn't lose health insurance coverage when changing jobs, it lacked the detail and structure needed to adequately secure the health information and privacy of patients. To rectify these shortcomings, HIPAA has been supplemented over the years with the HIPAA Privacy Rule, Security Rule, Enforcement Rule, Breach Notification Rule, and finally the Health Information Technology for Economic and Clinical Health Act (HITECH). These rules were later consolidated in the HIPAA Omnibus Rule, which incorporated the changes to HIPAA demanded by the HITECH Act along with updates to data security requirements and other changes.
From the inception of HIPAA the focus has been on securing protected health information (PHI), improving patient privacy, and modernizing the ways that health information can be transmitted, stored, and accessed within and between healthcare institutions. While HIPAA as originally written was focused largely on physical health records, the vast majority of modern medical records are in electronic form, so the focus has over time shifted to securing ePHI (electronic protected health information). With this in mind, we'll spend a bit of time outlining the specific HIPAA Rules and then discuss the data security concerns related to those Rules in more detail.
HIPAA Privacy Rule
Technically the Privacy Rule is the Standards for Privacy of Individually Identifiable Health Information. The Privacy Rule was born out of a requirement embedded in the original HIPAA text that directed the Secretary of Health and Human Services to develop national standards for protecting the health information of individuals. Mandatory compliance with the Privacy Rule went into effect in April 2003 for most covered entities (small health plans were given an additional year). Important facets of the Privacy Rule are that it gave individuals the right to access their medical information and records, and that it defined and placed limits on who could access PHI, when it can be accessed, and with whom it can be shared. The Privacy Rule applies to PHI in any form, whether electronic, paper, or oral. Its scope is broad, covering any health care provider that conducts certain health care transactions electronically, as well as all health plans and healthcare clearinghouses. This effectively means that if you are in the healthcare industry and deal with health information, the Privacy Rule applies to you.
HIPAA Security Rule
As part of the same directive embedded in HIPAA for the Secretary of Health and Human Services to protect the health information of individuals, the HIPAA Security Rule was crafted and adopted as a companion to the Privacy Rule. The Security Rule is formally known as the Security Standards for the Protection of Electronic Protected Health Information. The Security Rule was finalized in February 2003 with a compliance deadline of April 2005 for most covered entities (April 2006 for small health plans). The main thrust of the Security Rule is to require adequate protections and safeguards for ePHI; unlike the Privacy Rule, it applies only to health information in electronic form. The Security Rule can be viewed as the vehicle for operationalizing the protections set forth in the HIPAA Privacy Rule. There are two broad things to note about the Security Rule that are important from a data protection standpoint. The first is that the Security Rule is designed as a flexible, scalable, and technology-neutral framework for protecting ePHI against theft or intrusion, rather than a prescriptive list of specific controls or products that an organization must deploy. The second is that the Security Rule organizes its standards into three categories: administrative safeguards, physical safeguards, and technical safeguards. Each standard carries implementation specifications that are either "required" (must be implemented) or "addressable" (must be implemented as written, or the organization must document why that is not reasonable and appropriate and implement an equivalent alternative measure where appropriate). This is what allows each organization to meet the specifications in a way that fits its size, complexity, and risk profile, so long as the resulting program remains compliant.
HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule was first issued as the Interim Final Rule for Breach Notification for Unsecured Protected Health Information, and became effective in September 2009, as required by the HITECH Act. HHS initially withdrew its proposed final version of the rule from Office of Management and Budget review in 2010, so the Interim Final Rule remained in effect until the Breach Notification Rule was finalized as part of the HIPAA Omnibus Rule in 2013. As the name implies, the Breach Notification Rule requires covered entities to notify affected individuals, the Secretary of Health and Human Services, and in certain cases the media following a breach of unsecured PHI (that is, PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons, for example through encryption). Business associates must in turn notify the covered entity of breaches they discover. Individual notifications must be sent without unreasonable delay and no later than 60 calendar days after discovery of the breach.
There are different notification requirements for breaches affecting fewer than 500 individuals and breaches affecting 500 or more individuals. For breaches involving 500 or more individuals, a covered entity must notify the Secretary of Health and Human Services without unreasonable delay and no later than 60 days after discovery of the breach, and must also notify prominent media outlets serving the state or jurisdiction if more than 500 residents of that state or jurisdiction are affected. In contrast, breaches of unsecured PHI affecting fewer than 500 individuals may be logged and reported to the Secretary in an annual submission no later than 60 days after the end of the calendar year in which the breach was discovered.
HIPAA Enforcement Rule
The HIPAA Enforcement Rule was created as a way to give teeth to HIPAA law. Enforcement of HIPAA and compliance oversight fall under the purview of the Department of Health and Human Services Office for Civil Rights (OCR). As outlined in the Enforcement Rule, the OCR is responsible for civil enforcement of HIPAA, including investigations, compliance reviews, and civil money penalties, while the Department of Justice prosecutes criminal HIPAA violations. Although the Enforcement Rule was crafted to provide teeth to HIPAA law, little enforcement occurred during HIPAA's early years. The HITECH Act, adopted in 2009, greatly increased the regulatory capacity of the OCR, allowing it to apply far larger penalties for HIPAA violations than it had in the past. In recent years, the number of resolution agreements between the OCR and entities that have violated HIPAA has increased dramatically, as have the fines associated with HIPAA violations and data breaches.
HITECH Act
The Health Information Technology for Economic and Clinical Health Act, commonly referred to as the HITECH Act, was enacted and signed into law in February 2009 as part of the American Recovery and Reinvestment Act of 2009. It carried a number of provisions that would alter HIPAA and how it would come to be enforced. The most important aspect of the HITECH Act for modern HIPAA enforcement was the substantial increase in the penalties that the OCR could levy for HIPAA violations, introducing a tiered penalty structure based on the level of culpability. Much of the increase in HIPAA enforcement in recent years can be traced back to these provisions. Other significant provisions of the Act include authorizing state attorneys general to bring civil actions for HIPAA violations on behalf of their residents, extending direct liability under the Security Rule and parts of the Privacy Rule to business associates, and establishing the breach notification requirements described above. Additionally, the HITECH Act directed the Department of Health and Human Services to conduct periodic privacy and security audits of covered entities and business associates.
HIPAA Omnibus Rule
The HIPAA Omnibus Rule became effective in March 2013, with a compliance deadline of September 2013, and represents the current form of HIPAA law that we find today. The Omnibus Rule effectively combined the Security Rule, Privacy Rule, Breach Notification Rule, Enforcement Rule, and the HIPAA-related provisions of the HITECH Act into one final rule. It represents an effort by the Department of Health and Human Services to finalize the various interim final rules that had been produced following the adoption of HIPAA and HITECH. The Omnibus Rule was created to be a durable and longstanding reference point, and its preamble contains extensive discussion of the intent behind specific changes to HIPAA law. While the Omnibus Rule resulted in relatively few changes to the Security Rule, it made substantial changes to the HIPAA Privacy Rule and the HIPAA Enforcement Rule, including making business associates and their subcontractors directly liable for compliance with the applicable requirements and replacing the "harm" standard for breach notification with a presumption that any impermissible use or disclosure of PHI is a breach unless a documented risk assessment shows a low probability that the PHI has been compromised.
The HIPAA of today is not the original law that was enacted in 1996. Now that the law has been in existence for 22 years it has developed into a substantial body of regulation with active compliance oversight. So, who has to worry about HIPAA? The answer is any organization that is considered a covered entity or business associate. Nearly anyone associated with the healthcare industry is considered in scope for HIPAA. Covered entities include health plans, healthcare clearinghouses, and providers. Health plans include health insurance companies, health maintenance organizations (HMOs), employer-sponsored health plans, and government programs like Medicare and Medicaid. Providers include anyone who provides treatment, such as doctors, psychologists, dentists, and even pharmacies. Business associates are vendors and service providers that create, receive, maintain, or transmit PHI on behalf of a covered entity, for example billing companies, cloud hosting providers, and IT contractors. If you deal with patient health information, have access to patient care information, or are a business associate helping to carry out health plan or provider functions, then HIPAA applies to you.
Maintaining compliance with HIPAA is crucial not only to protect the ePHI of individuals around the country, but also to avoid the substantial fines and penalties associated with a HIPAA violation. HIPAA violations are actively enforced by the OCR, with civil money penalties ranging up to $50,000 per violation and up to a $1.5 million maximum per calendar year for identical violations of the same provision (these amounts are adjusted periodically for inflation). Unintentional violations are still punishable under the HIPAA Omnibus Rule, with the lowest penalty tier applying even where the entity did not know, and could not reasonably have known, of the violation, making compliance an effort that must be pursued across your entire organization. In order to assess compliance with the HIPAA Privacy, Security, and Breach Notification Rules, the OCR can conduct audits of covered entities and business associates. If you are a covered entity or business associate that doesn't have a dedicated data security team ensuring HIPAA compliance, consider contracting out your HIPAA compliance assessment to a third-party security assessor. Third-party security assessors like RSI Security can help ensure that your organization's systems, data processing, and patient records management processes are compliant with current HIPAA law.
Third-party security assessors can evaluate your systems and processes against the HIPAA Security Rule standards and help you build and maintain a HIPAA audit checklist, so you are audit and compliance-check ready at any time. Security risk assessors are also experts in the HIPAA requirements for ePHI and patient data handling, so you can be confident that your staff and processes throughout the organization are meeting the Security Rule requirements. In today's world, the risks of non-compliance reach much further than the significant financial penalties associated with HIPAA violations. Ransomware attacks have the potential to lock patient records until ransoms are paid, while data breaches or intrusions of any kind have the potential to cause substantial reputational and financial harm.
Organizations under the umbrella of HIPAA law are encouraged to proactively assess their security posture before an audit or compliance check in order to avoid costly fines or, even worse, unwanted intrusions that result in the loss of ePHI. Regular penetration tests and risk assessments are also highly recommended; indeed, a periodic, documented risk analysis is itself a required implementation specification of the Security Rule. This is particularly true given the changing landscape of the healthcare field, where increasing numbers of network-connected devices are being introduced into the healthcare environment. Maintaining compliance with HIPAA is an ongoing effort that doesn't need to be difficult, but it does require a team with the right skills and knowledge base to ensure that compliance is achieved and maintained over time.