This HIPAA page has been created for the benefit of all staff responsible for Protected Health Information (PHI). The information on this page will serve as a guide to understanding HIPAA rules and regulations.
Understanding HIPAA is not easy. HIPAA legislation is so far-reaching and covers so many different scenarios that our intention is to provide an outline of what staff need to know as they implement measures to comply with HIPAA.
The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996 as an Act to “improve the portability and accountability of health insurance coverage” for employees between jobs, and to combat waste, fraud, and abuse in health insurance and healthcare delivery.
Once HIPAA had been signed into law, the US Department of Health and Human Services set about creating the first HIPAA Privacy and Security Rules. The Privacy Rule defined Protected Health Information (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual.” Instructions were issued on how PHI can be disclosed, and under what circumstances disclosure is permitted, while restrictions were placed on the use of PHI for marketing, fundraising, or research, which are only permissible if prior authorization has been obtained in writing from the client. Clients were also given the right to withhold information about treatment from health insurance providers if that treatment was privately funded.
The HIPAA Security Rule came into force two years later, in 2005. Dealing specifically with electronically stored PHI (ePHI), the Security Rule laid down three categories of security safeguards (administrative, physical and technical) that define what compliance with HIPAA requires.
The introduction of the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009 had the major goals of compelling healthcare authorities to use Electronic Health Records (EHRs) and to join the Meaningful Use incentive program. Stage One of Meaningful Use was rolled out the following year, incentivizing healthcare organizations to maintain PHI in electronic format, rather than in paper files and other physical forms.
With the incentive program also came an extension of the HIPAA Rules to include Business Associates and third-party vendors and suppliers to the healthcare industry. The introduction of the Breach Notification Rule stipulated that all affected individuals must be notified of a breach within 60 days, and that all breaches of ePHI affecting more than 500 individuals must be reported to the Department of Health and Human Services’ Office for Civil Rights.
The Omnibus Final Rule of 2013 didn’t really introduce new legislation, but filled in the existing gaps in the HIPAA and HITECH regulations, for example by specifying encryption standards. The Privacy and Security Rules were also amended to allow patient information to be held indefinitely and to apply new penalties, as dictated by HITECH, to covered entities that fell foul of the HIPAA Enforcement Rule. What the Omnibus Final Rule achieved more than any previous legislation was to make covered entities more aware of the HIPAA safeguards they had to implement.
The age of lax security standards has now passed, and the healthcare industry, like the financial industry before it, must now raise its data security standards to ensure that confidential data remains private.