What is Health Insurance Portability and Accountability Act (HIPAA)?
The Health Insurance Portability and Accountability Act (HIPAA), also known as the Kennedy–Kassebaum Act, is a federal law that was enacted in 1996. It aims to make it easier for people to keep their health insurance when they change jobs, to protect the confidentiality and security of health care information, and to help the health care industry control its administrative costs.
Of the Act’s five titles, Title II concerns health care information security.
Title II: Administrative Simplification
Title II of HIPAA contains Administrative Simplification (AS) provisions that require the Department of Health and Human Services (HHS) to address the security of health care information.
It mandates the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans and employers, and addresses the security of health care data.
The Privacy Rule
The HIPAA Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) held by covered entities, and protects individuals’ rights to understand and control how their health information is used.
PHI is defined as information, including demographic data, that can be used to identify an individual. It can exist in any medium and can relate to an individual’s past, present, or future physical or mental health condition, to the provision of health care to the individual, or to past, present or future payment for the provision of health care to the individual. PHI includes common identifiers such as an individual’s name, address, date of birth, or Social Security Number.
Covered entities must not use or disclose PHI except:
- If the Privacy Rule permits or requires it.
- If an individual (or their representative) authorizes the disclosure of their information in writing.
Covered entities must disclose PHI in only two situations:
- To individuals (or their representatives) when they request access to their PHI.
- To HHS when it is undertaking a compliance investigation or review or enforcement action.
Covered entities are permitted but not required to use and disclose PHI without an individual’s authorization:
- To the individual who is the subject of the information.
- For their own treatment, payment and health care operations activities.
- When informal permission has been obtained by asking the individual outright.
- As a result of, or "as incident to" an otherwise permitted use or disclosure (as long as the covered entity has adopted reasonable safeguards and the information shared is limited to the "minimum necessary").
- For 12 national priority purposes. Specific conditions or limitations apply to each public interest purpose.
- As part of a limited data set (i.e. when certain specified direct identifiers have been removed) for research, health care operations and public health purposes.
There are no restrictions on the use or disclosure of information that cannot be used to identify an individual.
Among many other obligations, covered entities must keep track of PHI disclosures, must document privacy policies and procedures, must appoint a Privacy Official, and must train all members of staff in relevant procedures.
See the HHS website for full information on the Privacy Rule >>
The Transactions and Code Sets Rule
The HIPAA Transactions and Code Sets Rule relates to the standardization of electronic transactions.
The Security Rule
The HIPAA Security Rule complements the Privacy Rule and deals specifically with Electronic Protected Health Information (EPHI). It states that covered entities must:
- Ensure the confidentiality, integrity, and availability of all EPHI they create, receive, maintain, or transmit.
- Identify and protect against reasonably anticipated threats to the security or integrity of the information.
- Protect against reasonably anticipated, impermissible uses or disclosures.
- Ensure compliance by their workforce.
The Security Rule identifies certain administrative, physical and technical security safeguards that need to be implemented by covered entities to protect EPHI and establishes the standards that should be used to address these safeguards.
For each Standard, the Rule names required specifications (which must be implemented) and addressable specifications (which are more flexible). The covered entity’s choice of addressable specifications must be documented, and should be regularly reviewed and modified according to changes in security effectiveness as determined by risk analysis.
See the HHS website for full information on the Security Rule>>>
The Unique Identifiers Rule
The HIPAA Unique Identifiers Rule states that all HIPAA-covered health care providers using electronic communications must use a single National Provider Identifier (NPI). The NPI is a unique ten-digit identification number that carries no extra information about the health care provider such as the state in which they live or their medical specialty.
The Enforcement Rule
The HIPAA Enforcement Rule establishes procedures for compliance and investigations and sets civil money penalties for violations of the HIPAA AS Rules. HHS’s Office for Civil Rights (OCR) is responsible for enforcing the Privacy and Security Rules. All health care organizations impacted by HIPAA are required to comply with the standards within two years of adoption.
The Enforcement Rule is supplemented by the HITECH Act of 2009.
Enacted in 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act imposes stricter penalties for HIPAA violations and requires data breaches affecting 500 or more individuals to be reported to HHS and the media, as well as to the affected individuals. The HITECH Act also extends the Privacy and Security Rules of HIPAA to apply to the business associates of HIPAA covered entities.
If you believe a covered entity or business associate has violated your or anyone else’s health information privacy rights or has committed another violation of the Privacy, Security, or Breach Notification Rules, you should file a complaint with OCR within 180 days of discovering the alleged violation.
OCR reviews all complaints it receives. According to the HHS website there were 12,915 complaints received in 2013. If a covered entity or business partner is found to have breached the Privacy or Security Rules, OCR will attempt to resolve the case by obtaining voluntary compliance, corrective action, and/or resolution agreement from the covered entity. If OCR is not satisfied with the resolution, it may decide to impose civil money penalties (CMPs) on the covered entity.
The HIPAA violation penalty structure is tiered according to the cause of the incident and the actions taken to remedy it. In cases of willful neglect, fines are much higher than those incidents that covered entities and business associates would not have known about by exercising reasonable diligence.
A single incident might result in multiple violations. If, for example, the records of 500 individuals were lost in once incident, that would count as 500 violations.
- CMPs for HIPAA violations range from fines of $100 per violation (with an annual maximum of $25,000 for repeat violations) to fines of $50,000 per violation (with an annual maximum of $1.5 million).
- Criminal penalties range from fines of $50,000 and one year’s imprisonment to fines of $250,000 and ten years’ imprisonment.
All enforcement sata is avaliable on the HHS website >>
ISO 27001 and HIPAA
Organizations with multiple compliance requirements (such as SOX, HIPAA, the PCI DSS, and the GLBA) often seek registration to ISO 27001, since this international Standard can centralize and simplify disjointed compliance efforts.
ISO 27001 presents a comprehensive and international approach to implementing and maintaining an Information Security Management System (ISMS), and it is often the case that companies will achieve compliance with a host of related legislative frameworks simply by achieving ISO 27001 registration. By virtue of its all-inclusive approach, ISO27001 encapsulates the information security elements of HIPAA, by providing an auditable Information Security Management System designed for continual improvement.
HIPAA is limited to the mandates provided by the US legislation while ISO 27001 is an international Standard that is relevant globally, and it is often used by organizations with an international presence. It may be appropriate for organizations with an international footprint to consider conformance to both frameworks.
The latest version of the Standard, ISO 27001:2013, is simple to follow and has been developed with business in mind. It presents a comprehensive and logical approach to developing, implementing, and managing an ISMS and provides associated guidance for conducting risk assessments and applying the necessary risk treatments.
Further, the additional external validation offered by ISO 27001 registration is likely to improve an organization’s cybersecurity posture while providing a higher level of confidence to customers and stakeholders‐essential for securing certain global and government contracts.
Purchase your copy of the standard today >>