HIPAA — What does it mean

Arunkumar Krishnan, published in pensieve.in
Feb 10, 2021

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA, also known as the Kennedy–Kassebaum Act) is a United States federal law that creates national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The bill was signed into law by President Bill Clinton on August 21, 1996.

The law’s main objectives are to prevent healthcare fraud, to ensure that all ‘protected health information’ (PHI) is appropriately secured, and to restrict access to health data to authorized individuals.

The diagram below depicts the areas covered by the law.

[Diagram: HIPAA coverage areas]

Why is HIPAA Important?

HIPAA provides numerous benefits to patients as well as healthcare organizations.

For Patients:

  • Requires safeguards to be implemented to protect sensitive patient personal and health information
  • Gives patients the right to obtain copies of their health information when required

For Healthcare Organizations:

  • Helps convert paper-based records into electronic copies of health information
  • Streamlines administrative healthcare functions, improves efficiency in the healthcare industry, and ensures that protected health information is shared securely

What are HIPAA titles?

The federal law covers five critical topics called ‘Titles’, shown in the diagram below. The titles also have subsections that cover critical topics such as privacy and security.

[Diagram: the five HIPAA titles]

HIPAA’s privacy rule

The HIPAA Privacy Rule regulates the use and disclosure of protected health information (PHI) held by “covered entities” (generally, health care clearinghouses, employer-sponsored health plans, health insurers, and medical service providers that engage in certain transactions). The Privacy Rule’s primary objective is to ensure that an individual’s health information is appropriately protected while still allowing the flow of health information that care requires.

Permitted use and disclosure under the Privacy Rule:

  • Covered entities may use an individual’s information for treatment, payment and healthcare operations
  • Personal health information is disclosed only when the individual agrees to share it

HIPAA’s security rule

The HIPAA Security Rule complements the Privacy Rule. While the Privacy Rule pertains to all Protected Health Information (PHI), including paper and electronic, the Security Rule deals specifically with Electronic Protected Health Information (EPHI).

To comply with the HIPAA Security Rule, all covered entities must do the following:

  • Ensure the confidentiality, integrity, and availability of all electronic protected health information
  • Detect and safeguard against anticipated threats to the security of the information
  • Protect against anticipated, impermissible uses or disclosures
  • Certify compliance by their workforce

The Security Rule groups these requirements into three categories of safeguards:

  1. Administrative safeguards: policies and procedures that define how the covered entity complies with the law
  2. Physical safeguards: controls on physical access to systems and locations where personal health information is stored
  3. Technical safeguards: controls on access to computer systems, and measures that allow covered entities to transmit personal health information securely over open networks

Violations & Impact

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules. Failure to comply with HIPAA can result in civil and criminal penalties.

Civil Penalty:

Criminal Penalty:

  • Covered entities and specified individuals who “knowingly” obtain or disclose individually identifiable health information face a fine of up to $50,000 and imprisonment of up to 1 year
  • Offenses committed under false pretenses carry a fine of up to $100,000 and imprisonment of up to 5 years

Conclusion:

It is the covered entity’s responsibility, whether it is a healthcare clearinghouse, a health insurer, or a medical service provider, to ensure that access to patient health information and medical records is given only to authorized individuals. Health organizations must also keep their environment protected so that personal health information can be accessed safely.
