HIPAA stands for Health Insurance Portability & Accountability Act and was passed by Congress in 1996. The privacy aspect of HIPAA is overseen and enforced by the US department of health and human services (HHS) office, starting in April 2003. HIPAA does a few different things, but from a compliance point of view it’s all about mandating the protection of consumer health information, this is referred to as HIPAA privacy regulation. HIPAA privacy regulation requires health care providers and their business associates to develop and follow procedures to ensure the confidentiality and protection of protected health information (PHI).
Who does HIPAA affect?
HIPAA affects all companies that collect or process any protected health information (PHI), as well as these companies’ business partners. PHI is any individually identifiable health information, held or transmitted by a covered entity or business associate, in any form or by any medium. Failure to meet HIPAA compliance can result in fines between $100 to $50,000 per violation or per record. The maximum financial penalty is $1.5 million per year but you can also face jail time depending on how bad the violation is. The main focus of HIPAA is protecting PHI, here are some common examples of what would be considered PHI:
Dates, except year
Social Security numbers
Medical record numbers
Health plan beneficiary numbers
Vehicle identifiers and serial numbers including license plates
Device identifiers and serial numbers
Internet protocol addresses
Full face photos and comparable images
Biometric identifiers (i.e. retinal scan, fingerprints)
Any unique identifying number or code
How to tell if information is PHI?
Look at who collected information: If the person collecting the information is a health care provider or an associate of the health care information, it will typically be considered PHI.
Employment Records and Education Records: The information on these records are not considered PHI under HIPAA.
Does the information have identifiers that link it to a person: PHI ceases to be PHI if it is stripped of all the identifiers that tie the information to an individual. It becomes known as de-identified PHI and HIPAA rules no longer apply. Under HIPAA there are two methods of achieving De-identification, outlined below:
Expert Determination: This is when an expert in the area of de-identification evaluates your information and determines that the health information is not individually identifiable. While there is not a strict definition of what constitutes being an expert, the office of civil rights (OCR) within the department of Health and Human Services (HHS) evaluates a person based on education, professional experience and experience using health information de-identification methodologies.
Safe Harbor: This requires the removal of the 18 identifiers that allow for information to be linked to any individual person. Removing these means that the information has been de-identified. The 18 identifiers are as follows:
(B) All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of the ZIP code if, according to the current publicly available data from the Bureau of the Census:
(1) The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and
(2) The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000
(C) All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
(D) Telephone numbers
(L) Vehicle identifiers and serial numbers, including license plate numbers
(E) Fax numbers
(M) Device identifiers and serial numbers
(F) Email addresses
(N) Web Universal Resource Locators (URLs)
(G) Social security numbers
(O) Internet Protocol (IP) addresses
(H) Medical record numbers
(P) Biometric identifiers, including finger and voice prints
(I) Health plan beneficiary numbers
(Q) Full-face photographs and any comparable images
(J) Account numbers
(R) Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section [Paragraph (c) is presented below in the section “Re-identification”]; and
(K) Certificate/license numbers”
How to be HIPAA Compliant?
The overall mandate of HIPAA is to ensure companies and their associates protect the privacy of their customers’ PHI. To explain this simply there are four rules that a company needs to observe in order to compliant:
HIPAA Privacy Rule: HIPAA requires that companies get individuals written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations. It also prohibits an entity from conditioning treatment, payment, enrollment or benefits eligibility on an individual granting an authorization, except for limited circumstances.
The privacy rule requires Business Associates to:
Do not allow any impermissible uses or disclosures of PHI.
Provide breach notification to the Covered Entity.
Provide either the individual or the Covered Entity access to PHI.
Disclose PHI to the Secretary of HHS, if compelled to do so.
Provide an accounting of disclosures.
Comply with the requirements of the HIPAA Security Rule.
HIPAA Security Rule: This mandates appropriate Administrative, Technical and Physical safeguards to ensure that PHI is properly protected. The requirements for these are very detailed, you can find a full breakdown here.
HIPAA Enforcement Rule: This addresses all of the investigations, penalties and procedures for hearings that result from non compliance. *OCR= Office of Civil Rights
4. HIPAA Breach Notification Rule: HIPAA breach notification requires that healthcare providers notify patients in the event of data breach that affects their information. It also requires providers to notify the HHS and in the event that the breach includes more than 500 patients, to notify the media and the public.
HIPAA is a global compliance regulation that affects all companies that offer health care services and collect consumer health information. It extends to the business associates of those companies that handle that information in any way. HIPAA requires that you have safeguards in place to protect PHI, limit access to your PHI to authorized individuals and limit the use and sharing of that information to the minimum required to accomplish the intended purpose.