what is HIPAA?
HIPAA (Health Insurance Portability and Accountability Act) is a law, enacted in 1996 under President Clinton, which provides for regulations and privacy standards for your health information (among other things). The law has five main titles, but when most people speak of HIPAA, they are referring to Title II, which provides the privacy requirements.
HIPAA policy has two main objectives: the easy flow of health information for the benefit of the individual, and the protection of that information from unauthorized access. These two objectives pull against each other, so the rule spells out how both are to be met. If we only wanted your data secure, we could simply delete it permanently so that no one could ever access it, but that doesn't work. The opposite extreme would be to post it on a public forum so that you could always access it, which is also not a good option.
who is covered by the rules?
Any health care provider that transmits health information electronically in connection with a standard transaction (claims, eligibility checks, and the like) is required to follow the rules of HIPAA, as are health plans and "clearinghouses." A clearinghouse is a business that processes health information received from another entity, for instance converting it into a standard format; billing services are a common example. Together these are the "covered entities." Since the HITECH Act of 2009, business associates (vendors that create, receive, maintain or transmit PHI on a covered entity's behalf) are also directly liable for complying with the rules.
what information is protected?
HIPAA policy covers "individually identifiable health information" in any form or medium, whether electronic, paper, or oral. The rule calls that information "protected health information (PHI)." What does PHI include? All information that identifies an individual and relates to their:
Past, present, or future health conditions (physical or mental).
Healthcare services received.
All payments related to health care received, past, present, or future (e.g. all your medical bills, insurance adjustments, and payments).
PHI does not include statistical data, or data that has been de-identified so that it no longer reasonably identifies an individual. Not covered: "We received $20,000 in payments last month." Covered: "Jane Doe paid $1000."
principles from HIPAA standards
According to HIPAA standards, a covered entity may not use or disclose PHI except 1) as the Privacy Rule permits or requires, or 2) as the individual who is the subject of the information authorizes in writing. Uses and disclosures should also be limited to the "minimum necessary" to accomplish the intended purpose.
The rule requires disclosure in only two situations: a) to the individual when they request access to their own PHI (or an accounting of its disclosures), and b) to HHS when it is conducting a compliance investigation, review, or enforcement action.
The rule permits disclosure of PHI without the individual's written authorization in the following situations: a) to the individual; b) for treatment, payment and health care operations; c) where the individual has an "opportunity to agree or object," that is, informal permission for things like facility directories or disclosures to family members involved in care (if the individual is incapacitated, the entity may use professional judgment); d) incidental uses and disclosures that occur as a by-product of an otherwise permitted use; e) public interest and benefit activities, which is where disclosures "required by law" fall; and f) a "limited data set" with direct identifiers removed, for research, public health, or health care operations.
Each of these is spelled out in detail in the rule itself; see the footnotes for reference materials.
what is specifically required?
Here are some things that are specifically outlined:
- You must have policies and procedures for limiting access to and use of PHI, for handling routine, recurring, or specific requests for disclosure, and for determining what counts as the "minimum necessary" for those requests
- Provide a written notice of your privacy practices
- Make a good-faith effort to obtain written acknowledgment that the individual received the privacy notice (required of direct treatment providers)
- Provide access for individuals to “review and obtain” their PHI
- Provide a way for PHI to be amended
- Provide, on request, an accounting of disclosures of the individual's PHI for the prior 6 years (with exceptions, such as disclosures for treatment, payment and health care operations, or to the individual)
- Provide for a way individuals can restrict use or disclosure of their information
- Provide for a confidential communication channel of the PHI to the individual if requested
- Appoint a “privacy official” to develop and oversee internal policies
- Train the workforce, including management, on the entity's privacy policies and procedures as they apply to their jobs (the separate Security Rule additionally requires security awareness training for electronic PHI)
- Mitigate, to the extent practicable, any harmful effect caused by a use or disclosure of PHI in violation of the entity's privacy policies or HIPAA standards
- Provide a means for complaints about entity’s privacy practices
- Not retaliate against an individual for exercising rights granted under HIPAA, and not require individuals to waive those rights as a condition of treatment or coverage
- Retain privacy policies, notices, and related documentation for 6 years from the date of creation or the date they were last in effect, whichever is later
what are the penalties for non-compliance?
The Department of Health and Human Services (through its Office for Civil Rights) may impose civil penalties for HIPAA non-compliance, tiered by level of culpability from unknowing violations up to willful neglect. The base amounts set by the HITECH Act range from $100 to $50,000 per violation, capped at $1,500,000 per calendar year for violations of an identical provision; these figures are adjusted for inflation, so the current amounts are higher.
The Department of Justice can bring criminal charges against a person who knowingly obtains or discloses individually identifiable health information in violation of the rule: up to $50,000 and one year in prison for a basic offense, up to $100,000 and five years if the offense is committed under false pretenses, and up to $250,000 and 10 years if it is committed with intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm.
how do I know if I'm HIPAA compliant?
The first step in finding out whether you and your business associates are in compliance is a review of your processes. Reviewing your systems' security is an ongoing best practice for HIPAA compliance, and a great place to start if you haven't done it yet. Our HIPAA compliance analysis digs into your processes and policies to determine where you need to improve, where your health information risks lie, and what you're already doing well. You can contact us to discuss the analysis or to set up an initial, no-obligation consultation.