The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a set of mandatory standards for all organizations that work with Protected Health Information (PHI) of US Residents. It applies to all Healthcare Providers, Business Associates (Vendors of Healthcare Providers), Healthcare SaaS companies, subcontractors, etc. The scope and applicability of the Act have been amended since 1996 to include additional rules.
The Office for Civil Rights (OCR) enforces HIPAA, while the Department of Health and Human Services (HHS) regulates HIPAA compliance. To ensure that businesses are informed of best practices, the OCR regularly publishes recommendations on new issues affecting healthcare. It also investigates common HIPAA violations on a regular basis.
The Rules of HIPAA Compliance are:
- HIPAA Privacy rule
- HIPAA Security rule
- HIPAA Enforcement rule
- HIPAA Breach Notification rule
- HIPAA Omnibus rule
HIPAA Privacy Rule: This rule mandates appropriate safeguards to protect the privacy of PHI and ensures that patient data cannot be used or disclosed without patient authorization. It gives patients and their nominated representatives rights over their PHI, including the right to obtain a copy of their health records or examine them – and the ability to request corrections if required.
HIPAA Security Rule: This rule outlines the standards that covered entities, business associates, and subcontractors must follow to protect PHI that is electronically created, accessed, processed, or stored. These standards are also intended for ePHI when it is at rest and in transit. The HIPAA Security Rule includes physical, administrative, and technical safeguards that organizations are required to implement.
HIPAA Breach Notifications Rule: This rule outlines the protocol that organizations must follow in case of a data breach containing ePHI or PHI. As per this rule, they are required to notify patients when there is a breach of their PHI. They also need to notify the HHS and issue a notice to the media if it affects more than 500 patients. Breach notifications must be made within 60 days and without unreasonable delay, following the discovery of a breach. For breaches involving less than 500 patients, they must conduct an investigation and report them through the OCR web portal. The OCR requires these reports on an annual basis.
The HIPAA Enforcement Rule: This rule comes into effect after a breach of PHI or ePHI. Under this rule, the OCR investigates the breach and has procedures for hearings. Penalties may also be imposed on organizations responsible for the breach. Fines are imposed for each violation based on a tiered system. The total value of the fine is related to the number of records exposed in a breach. It also considers the risk due to the exposure of that data and the level of neglect that the organization permitted. Criminal charges may also be laid on organizations that knowingly deviate from HIPAA rules. Additionally, patients who are victims of a breach can also file civil lawsuits under this rule.
HIPAA Omnibus Rule: The HIPAA Omnibus rule focuses on areas that previous HIPAA updates had overlooked. The most important addition made by this rule was the expansion of HIPAA compliance regulations to include business associates, and subcontractors. This rule also focuses on streamlining Business Associate Agreements (BAAs). A BAA is a contract that must be signed and implemented between covered entities, business associates and subcontractors before PHI or ePHI is shared or transferred.
There are two additional HIPAA rules which focus specifically on electronic data.
a) HIPAA Transactions and Code Set rule: This rule ensures a uniform way to exchange PHI between entities in the healthcare delivery ecosystem based on electronic data interchange (EDI) standards. It is used for all healthcare-related digital transactions.
b) HIPAA Unique Identifiers rule: This rule focuses on Identifier Standards for Employers and Providers. It requires employers and healthcare providers to have standard national numbers to identify them instead of their business names and other identifiers.
If you are looking for support to understand how HIPAA compliance rules apply to your organization and would like to connect with a HIPAA Expert, don’t hesitate to get in touch with us for a free consultation. If you are looking for a convenient Do-It-Yourself HIPAA Attestation Kit, you can sign up for a free trial.
What is Protected Health Information (PHI)?