The HIPAA laws – sometimes known as the HIPAA Rules or the HIPAA regulations – are the standards contained within the Administrative Simplification provisions of the Healthcare Insurance Portability and Accountability Act 1996. These standards govern the way in which Covered Entities conduct electronic transactions, maintain patient privacy, and safeguard Protected Health Information (PHI) to ensure its confidentiality, integrity, and availability.
This article provides an overview of the HIPAA laws and explains who they apply to, what information is protected under HIPAA laws, and what happens when violations of HIPAA laws occur. We have also provided information about the penalties that can be imposed for knowingly violating HIPAA and what new HIPAA regulations are being proposed. However, it is important to note that HIPAA provides a federal floor of standards, and more stringent standards may apply in some states.
Covered Entities under HIPAA
The term “Covered Entities” means the entities (businesses, organizations, non-profits, etc.) that are covered by the HIPAA laws. Generally, HIPAA Covered Entities are:
- Health plans
- Healthcare clearing houses
- Healthcare providers that transmit any information in an electronic form in connection with a transaction for which the Department of Health & Human Services (HHS) has adopted a standard.
Most healthcare providers – but not all – qualify as HIPAA Covered Entities and must comply with the HIPAA laws. Additionally, there are some entities that are required to comply with some HIPAA laws, but not others. These are known as “partial entities” and can include employers that administer self-insured health plans, educational facilities that provide medical services to the public, and Medicare prescription drug card sponsors.
Covered Entities can only use or disclose PHI under certain circumstances without a patient´s authorization. One of these circumstances is when they disclose PHI to a third-party for a healthcare-related function or activity. Third parties to whom PHI is disclosed are known as Business Associates, and they must also comply with the HIPAA laws – and any pre-empting state laws – while performing a function or activity on behalf of the Covered Entity.
What Information is Protected Under HIPAA Laws?
Before discussing what the HIPAA laws consist of, it is a good idea to explain what information is protected under the HIPAA laws in order to best understand the purpose of the laws and why they are enforced in the ways they are.
The information protected under HIPAA is known as Protected Health Information (PHI). PHI consists of eighteen “identifiers” that, individually or together, could be used to identify the subject of the information or “for which there is a reasonable basis to believe” could be used to identify the subject of the information.
The protected information can be in any form or media (i.e., electronic, paper, oral, etc.); however, the Privacy Rule (see below) notes that PHI is only protected when it is created, used, processed, maintained, or transmitted by a Covered Entity or its Business Associate and when the activity relates to:
- The individual’s past, present or future physical or mental health or condition,
- The provision of health care to the individual, or
- The past, present, or future payment for the provision of health care to the individual.
There are exceptions to this explanation inasmuch as health information maintained in employment records is not protected under HIPAA laws if the employer is also a Covered Entity or Business Associate. It is also the case that PHI maintained by educational institutions is not protected under HIPAA laws if it is already protected under the Family Education Rights and Privacy Act (FERPA).
The HIPAA Privacy Rule
The HIPAA Privacy Rule was the first of the HIPAA laws to be enacted in 2002. The Rule had the objective of assuring individuals´ health information is properly protected, while allowing the flow of health information required to support high quality health care and public health. As well as defining who the HIPAA Privacy Rule applied to and the nature of information protected under HIPAA, the Rule also explains the allowable uses and disclosures of PHI.
The allowable uses and disclosures are broken down into three categories:
- Those that are required – to individuals on request and to inspectors from HHS´ Office for Civil Rights (OCR) who are conducting an investigation or compliance review.
- Those that are permitted – for treatment, payment, and healthcare operations purposes, incidental disclosures (explained below) and when disclosures are in the public interest.
- Those that require the authorization of the data subject – for example, to a life insurer for coverage purposes or to a prospective employer if the PHI relates to a pre-employment test.
The Privacy Rule also goes into great depth about patients´ rights. These include the right of a patient to request a copy of their medical records, to review it, and to request corrections when any information is inaccurate or incomplete. Patients can also request restrictions to permitted uses and disclosures of PHI and an accounting of disclosures to see who their PHI has been disclosed to. Covered Entities are required to inform patients of their rights via a Notice of Privacy Practices.
While the failure to comply with the “Individual Rights” section of the Privacy Rule is one of the leading causes of complaints to OCR, the area of the Privacy Rule that Covered Entities struggle with most is the Administrative Requirements. This is because the Administrative Requirements have been developed to apply to every type of Covered Entity from small rural medical practice to large multistate enterprise, and therefore they are “flexible” and open to misinterpretation.
One of the areas open to the most misinterpretation is workforce training. The workforce training standard – taken on its own – implies that members of the workforce (including volunteers, agency workers, members of the clergy, etc.) require one-time training on the Covered Entity´s policies and procedures that apply to their roles. However, Covered Entities are also required to maintain safeguards to prevent violations of the Privacy Rule, which would imply ongoing training is necessary to prevent shortcuts being taken “to get the job done”, and the shortcuts developing into a cultural norm of non-compliance.
The HIPAA Minimum Necessary Standard and Incidental Disclosures
One very important part of the HIPAA Privacy Rule is the standard related to “Limiting Uses and Disclosures to the Minimum Necessary”. This standard stipulates that Covered Entities must make reasonable efforts to use, disclose, or request (for treatment or payment purposes) only the minimum amount of PHI necessary to achieve the objective of the use, disclosure, or request. Any unreasonable disclosure is considered to be a violation of HIPAA.
The exception to this standard is when disclosures are made “incidental” to a permitted use or disclosure of PHI. In these circumstances, although more than the minimum information necessary may have been disclosed, it is not considered to be a violation of HIPAA if the incidental disclosure was relevant to the permitted disclosure, if it was limited in nature, and if it could not reasonably have been prevented by the Covered Entity´s due diligence.
HIPAA Documentation and Retention Requirements
The need to document compliance efforts features extensively throughout the HIPAA Privacy Rule. All policies and procedures must be documented, workforce training must be documented, the distribution of Notices of Privacy Practices must be documented, and all patient authorizations and complaints must be documented. Documentation is important because, without it, it can be difficult to prove compliance if a Covered Entity is subject to an OCR inspection or compliance audit.
The HIPAA Privacy Rule states that documentation relating to policies and procedures and privacy practices must be retained for a minimum of six years from the date they were last effective. However, if state or federal regulations require a longer document retention, the state or federal regulation preempts HIPAA, and the longer retention period applies. It is also important to retain any documentation for longer than stated if a compliance investigation or litigation is ongoing.
The HIPAA Security Rule
The HIPAA Security Rule was published in 2003. The Rule is a subset of the Privacy Rule inasmuch as it establishes minimum standards to protect electronic PHI (ePHI) from unauthorized uses and disclosures while at rest and in transit, ensure ePHI is not altered or destroyed inappropriately, and ensure appropriate access controls are implemented to monitor when and how ePHI is accessed. To simplify compliance, the HIPAA Security Rule is divided into three areas:
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
Administrative Safeguards
The Administrative Safeguards consist of actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect ePHI. They also cover the conduct of Covered Entity´s and Business Associate´s workforces in relation to the safeguarding of ePHI from unauthorized uses and disclosures.
Both Covered Entities and Business Associates must conduct risk assessments and risk analyses to identify risks to ePHI and implement measure to mitigate the risks. Additionally, all members of the workforce must take part in an awareness and training program and be advised of the sanctions they will incur if they are responsible for a violation of HIPAA or a breach of unsecured ePHI.
Physical Safeguards
The Physical Safeguards require Covered Entities and Business Associates to implement measure that restrict physical access to facilities maintaining ePHI – for example, a Cloud Service provider hosting a patient database on behalf of a Covered Entity would have to ensure that their premises are secure and that access to the premises is controlled and monitored.
The Physical Safeguards also apply to physical devices that members of the workforce may use to access ePHI. Therefore, standards exist for the security of workstations, flash drives, mobile devices, and EHRs and controls must be implemented to control who uses these devices, how their activity is monitored, and how the devices are disposed of when no longer required.
Technical Safeguards
In some respects, the Technical Safeguards duplicate the standards of the Physical Safeguards inasmuch as many of the implementation specifications relate to access control, event logging, and monitoring activity. However, it is also necessary for Covered Entities and Business Associates to implement electronic measures that ensure ePHI is not improperly destroyed or altered.
Additionally, Covered Entities and Business Associates must implement measures to guard against unauthorized access to ePHI in transit. In most cases, the encryption of data satisfies this requirement, but it may be necessary to implement additional measures to guard against man-in-the-middle attacks when using public Wi-Fi or other unsecure channels of communication.
The HIPAA Enforcement Rule
When the HIPAA Privacy Rule was published in 2002, the section relating to “Enforcement and Penalties for Noncompliance” stated that the Department of Health & Human Services (HHS) would seek the cooperation of Covered Entities and provide assistance to support voluntary compliance. The Privacy Rule also included modest civil money penalties for noncompliance starting at $100 per Privacy Rule violation and increasing to a maximum of $25,000 for multiple violations.
The language of the Privacy Rule led many sceptics to comment that HHS was following a “policy of nonenforcement”. So, in 2005, HHS published the HIPAA Enforcement Rule that included new General Administrative Requirements relating to compliance and the procedures for conducting investigations. Although these initially had little impact on HIPAA compliance, the Enforcement Rule served as a steppingstone for tougher enforcement via the Breach Notification Rule.
What is the HITECH Act 2009?
The Health Information Technology for Economic and Clinical Health (HITECH) Act was introduced in an attempt to increase the alarmingly low rate of hospitals that adopted Electronic Health Records (EHRs). Although not a HIPAA Rule, changes had to be made to the HIPAA laws to address the increasing number of Covered Entities that would collect, store, and share ePHI electronically, and the likelihood that this could lead to an increasing number of breaches of unsecured ePHI.
These changes had a significant impact on HIPAA compliance and enforcement. From the enactment of HITECH, a new HIPAA Breach Notification Rule came into force, and State Attorneys General were given powers to take civil action against a Covered Entity responsible for a breach of unsecured ePHI. Subsequent changes attributable to the HITECH Act followed in the HIPAA Omnibus Rule in 2013, which included Business Associates now having to be compliant with certain HIPAA laws, and patients having additional Privacy Rule rights to access, review, correct, and transfer their PHI.
HIPAA Breach Notification Requirements
The HIPAA Breach Notification Rule outlines the processes a Covered Entity must follow when a breach of unsecured ePHI is identified. The processes are dependent on the extent of the breach. If the breach is deemed to be large, affecting over 500 individuals´ PHI, patients must be informed immediately and the HHS´ Office for Civil Rights notified within sixty days. Additionally, a media outlet source must be informed to issue a press release detailing the breach of data.
If a minor breach occurs, affected individuals must be informed and the breach included in a report to HHS´ Office for Civil Rights at the end of the calendar year. The exception to the HIPAA Breach Notification Requirements is when it can be demonstrated there is a low probability that PHI has been compromised by the unauthorized use or disclosure and there is a negligible likelihood that the subject(s) of the data breach will suffer harm. In these circumstances it is not necessary to report the breach to either the individual or the HHS´ Office for Civil Rights.
What Civil Penalty is Issued when a HIPAA Violation Occurs?
Although the Breach Notification Rule gave the HHS´ Office for Civil Rights to pursue enforcement action more rigorously, the majority of HIPAA violations and data breaches are resolved by technical assistance and Correct Action Orders. Where a violation or breach is considered sufficiently serious to warrant a civil penalty, the HHS´ Office for Civil Rights has adopted a four-tier scale of penalties depending on the nature of the event, the harm that resulted, and the level of culpability.
- Tier 1 – For Covered Entities and Business Associates that did not know – and could not have known by exercising reasonable due diligence – about the violation.
- Tier 2 – For Covered Entities and Business Associates when an avoidable violation occurs due to a reasonable cause, but not willful neglect.
- Tier 3 – For Covered Entities and Business Entities when a violation occurs due to willful neglect and the violation is corrected within 30 days.
- Tier 4 – For Covered Entities and Business Entities when a violation occurs due to willful neglect and the violation is not corrected within 30 days.
The HITECH Act significantly increased the amounts the HHS´ Office for Civil Rights can issue as civil penalties, and these amounts have since been adjusted to account for inflation. As of July 2022, the civil penalties that can be issued when a violation of HIPAA occurs are:
| Penalty Tier | Level of Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Limit |
|---|---|---|---|---|
| Tier 1 | Lack of Knowledge | $127 | $63,973 | $1,919,173 |
| Tier 2 | Reasonable Cause | $1,280 | $63,973 | $1,919,173 |
| Tier 3 | Willful Neglect | $12,794 | $63,973 | $1,919,173 |
| Tier 4 | Willful Neglect not Corrected within 30 days | $63,973 | $1,919,173 | $1,919,173 |
The HIPAA Final Omnibus Rule
The HIPAA laws were updated via the publication of the HIPAA Final Omnibus Rule in 2013 to incorporate most of the privacy provisions of the HITECH Act and implement changes attributable to the passage of the Genetic Information Nondiscrimination Act (GINA). As mentioned previously, the major changes to the HIPAA laws included making Business Associates directly liable for compliance with certain HIPAA laws and expanding patients´ Privacy Rule rights. Other changes included:
- Strengthening the limitations on uses and disclosures of PHI.
- Prohibiting the sale of PHI without individual authorization.
- Modifications to the requirements for Notices of Privacy Practices.
- Adopting additional HITECH Act enhancements to the Enforcement Rule.
The HIPAA Final Omnibus Rule was most effective in raising awareness of the HIPAA laws. Additionally, the HHS´ Office for Civil Rights was given the resources to pursue enforcement action more effectively, resulting in Covered Entities and Business Associates taking HIPAA compliance more seriously.