HIPAA (Health Insurance Portability and Accountability Act) is a law, enacted in 1996 under President Clinton, which provides for regulations and privacy standards for your health information (among other things). The law has five main titles, but when most people speak of HIPAA, they are referring to Title II, which provides the privacy requirements.
HIPAA policy has two main objectives: the easy flow of information for the benefit of the individual, and the protection of that data from unauthorized access. These two objectives are at odds with each other, so the rule tries to outline how this balance needs to happen. If, for instance, we only wanted your data to be secure, we could just permanently delete it so that no one could ever access it, but that doesn’t work! The opposite would be to post it on a public forum so that you could always access it… also not a good option.
Any healthcare provider is required to follow the rules of HIPAA, as are health plans and “clearinghouses.” A clearinghouse is a business that assembles and disseminates health care information, for instance a billing company.
HIPAA policy covers “individually identifiable health information” in any form or media. The rule declares that information to be “protected health information (PHI).” What does PHI include for covered entities? All personal:
Past, present, or future health conditions (physical or mental).
Healthcare services received.
All payments related to health care received, past, present, or future (e.g. all your medical bills, insurance adjustments, and payments).
PHI does not include statistical data, or data that does not reasonably identify an individual. Not covered: “We received $20,000 in payments last month.” Covered: “Jane Doe paid $1000.”
According to HIPAA standards, you can’t use or disclose PHI unless 1) it is required (or allowed) by the rule or 2) the individual who is the subject of the information requests it in writing. Uses and disclosures should also be limited to the “minimum necessary.”
The rule requires that you disclose the information a) when the individual requests it, b) when the HHS is doing a compliance investigation, and c) as required by law.
The rule allows the disclosure of PHI, without individual authorization, for the following purposes or situations: a) to the individual, b) treatment, payment and health care operations, c) opportunity to agree or object (basically, if the individual is incapacitated), d) incidental use, e) public interest and benefit, and f) a “limited data set.”
Each of these situations is described in detail in the rule; for a summary of each aspect, see the footnotes for reference materials.
Here are some things that are specifically outlined:
The Department of Health and Human Services may impose civil penalties with calendar year caps for HIPAA non-compliance. These range from $100 to $50,000 per violation up to $1,500,000 per calendar year.
The Department of Justice can impose criminal penalties for willful neglect of the Privacy Rule: up to $50,000 and one year in prison for basic offenses, and up to $250,000 and 10 years in prison if the offense involves intent to sell the information or use it for commercial advantage.
The first step in determining whether you and your business associates are in compliance is a review of your processes. Reviewing your systems’ security is an ongoing best practice for HIPAA compliance, and a great place to start if you haven’t done it. Our HIPAA compliance analysis will dive deep into your processes and policies to determine where you need to improve, where your health information risks are, and what you’re already doing well. For better security, you can contact us to discuss the survey or set up an initial, no-obligation consultation.