The Health Insurance Portability and Accountability Act, or HIPAA, was enacted in 1996. Its implementing regulations, collectively known as the HIPAA Rules, protect the privacy and security of individually identifiable health information and restrict its disclosure. HIPAA applies to organizations that create, receive, maintain, or transmit Protected Health Information (PHI), including healthcare providers, health plans, and the business associates (such as billing companies) that handle PHI on their behalf. Under HIPAA, PHI must be kept confidential and secure, and only authorized individuals should have access to it.
HIPAA predates the Cybersecurity Framework (CSF) published by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the United States Department of Commerce, but the Security Rule's requirements map closely onto it: HHS has published a crosswalk from the Security Rule to the CSF, and NIST Special Publication 800-66 gives guidance on implementing the Security Rule. NIST's mission is to promote innovation and industrial competitiveness; in the security domain it does so by developing standards and guidelines that give organizations a risk-based approach to managing cybersecurity threats. The CSF is intended for organizations of all sizes, sectors, and industries. It is not a one-size-fits-all solution; it is meant to be tailored to the needs of each organization.
Version 1.1 of the framework consists of five core functions: Identify, Protect, Detect, Respond, and Recover. Each function represents a different aspect of cybersecurity risk management. The framework is revised periodically to reflect changes in the threat landscape; CSF 2.0, released in February 2024, adds a sixth function, Govern, covering the organizational context, policy, and oversight that the other five functions depend on.
Required Compliance
If an individual or group meets the definition of a covered entity or a business associate, they are required by law to comply with HIPAA Rules.
Covered Entities
Under HIPAA, a “covered entity” is one of three kinds of organization: a health plan (including insurers, HMOs, and employer-sponsored group health plans), a health care clearinghouse, or a health care provider (hospitals, clinics, pharmacies, physicians) that transmits health information electronically in connection with a standard transaction such as a claim. Employers are not covered entities in their own right, even though the group health plans they sponsor may be. Covered entities are required to take steps to safeguard patient data from unauthorized access, use, or disclosure.
Covered entities must comply with HIPAA by implementing physical, technical, and administrative safeguards to ensure that patient information remains confidential and secure. If a covered entity fails to comply with HIPAA, it may be subject to hefty penalties or fines.
Business Associates
According to HIPAA, business associates are individuals or organizations that perform specific functions on behalf of a covered entity such as claims processing, billing, and data analysis.
To comply with HIPAA, they must enter into a Business Associate Agreement (BAA) with the covered entity detailing the nature of their relationship and outlining their obligations concerning PHI; a business associate that delegates work involving PHI to a subcontractor must have an equivalent agreement with that subcontractor. Business associates are also required to implement appropriate safeguards to protect the privacy and security of PHI, and they must report security incidents and breaches of unsecured PHI to the covered entity.
What Are HIPAA Rules?
HIPAA is divided into a set of rules that more precisely define the various categories of data protection and compliance.
Security Rule
The HIPAA Security Rule is a federal regulation (45 CFR Part 164, Subpart C) that requires covered entities and business associates to implement measures protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI). The Security Rule establishes national standards for safeguarding ePHI, grouped into the following three categories of safeguards. Each standard has implementation specifications that are either “required” or “addressable”; an addressable specification (encryption of ePHI at rest is one) may be replaced by an equivalent alternative measure if the organization documents why the specification is not reasonable and appropriate in its environment, but it may not simply be skipped.
- Administrative Safeguards include conducting risk assessments, risk management policy, workforce training, contingency plans, restricting third-party access, reporting security incidents, etc.
- Physical Safeguards include facility access controls, the use and positioning of workstations, mobile device procedures, inventory of hardware, etc.
- Technical Safeguards include access control, person or entity authentication, integrity controls that verify ePHI has not been altered or destroyed, encryption and decryption tools, activity logs and audit controls, automatic log-off of PCs and devices, etc.
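The technical safeguards above are usually implemented together at the data-access layer. The following is an added example written for this page (it is not code from HHS, NIST, or any product): a small access layer that enforces a role-based “minimum necessary” view of a patient record, logs off idle sessions automatically, and records every allowed and denied access in a hash-chained audit log so that later tampering with the log is detectable. The roles, field sets, idle timeout, and patient record are assumptions constructed for the illustration; the audit key would in practice live with the logging service, not the application.

```python
"""Illustrative ePHI access layer: role-based minimum-necessary field views,
automatic log-off of idle sessions, and a tamper-evident audit log.
Example code for this page, not from HHS or any vendor; the roles, field
sets, timeout and record below are assumptions."""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed sample record; the patient and all values are fictional.
RECORD = {
    "mrn": "000123",
    "name": "J. Doe",
    "dob": "1980-01-01",
    "diagnosis": "hypertension",
    "insurance_id": "INS-4455",
    "billing_amount": 120.0,
}

# Minimum-necessary policy (assumed roles): each role sees only the fields
# its function needs. Anything not listed is never returned.
ROLE_FIELDS = {
    "clinician": {"mrn", "name", "dob", "diagnosis"},
    "billing": {"mrn", "name", "insurance_id", "billing_amount"},
    "receptionist": {"mrn", "name"},
}

IDLE_TIMEOUT_SECONDS = 600  # assumed automatic log-off threshold


class AccessDenied(Exception):
    """Raised for every refused access; the refusal is still audited."""


@dataclass
class Session:
    user: str
    role: str
    last_activity: float  # epoch seconds of the last successful request

    def touch(self, now: float) -> None:
        """Automatic log-off: an idle session is refused and not refreshed."""
        if now - self.last_activity > IDLE_TIMEOUT_SECONDS:
            raise AccessDenied("session expired: automatic log-off")
        self.last_activity = now


class AuditLog:
    """Hash-chained audit log. Each entry's HMAC covers the previous entry's
    HMAC, so editing, deleting or reordering an entry breaks verification."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.entries: list[dict] = []

    def _mac(self, prev_mac: str, event: dict) -> str:
        body = prev_mac + json.dumps(event, sort_keys=True)
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def append(self, event: dict) -> None:
        prev_mac = self.entries[-1]["mac"] if self.entries else ""
        self.entries.append({"event": event, "mac": self._mac(prev_mac, event)})

    def verify(self) -> bool:
        prev_mac = ""
        for entry in self.entries:
            expected = self._mac(prev_mac, entry["event"])
            if not hmac.compare_digest(expected, entry["mac"]):
                return False
            prev_mac = entry["mac"]
        return True


def read_record(session: Session, record: dict, audit: AuditLog, now: float) -> dict:
    """Return the subset of `record` the session's role may see, auditing the
    outcome either way. `now` is a parameter so the log-off check is testable."""
    base = {"ts": now, "user": session.user, "role": session.role, "mrn": record["mrn"]}
    try:
        allowed = ROLE_FIELDS.get(session.role)
        if allowed is None:
            raise AccessDenied(f"no access policy for role {session.role!r}")
        session.touch(now)
        view = {k: v for k, v in record.items() if k in allowed}
    except AccessDenied as exc:
        audit.append({**base, "result": "denied", "reason": str(exc)})
        raise
    audit.append({**base, "result": "allowed", "fields": sorted(view)})
    return view


if __name__ == "__main__":
    log = AuditLog(key=b"demo-audit-key-not-for-production")
    billing = Session(user="bclerk", role="billing", last_activity=1000.0)
    print(read_record(billing, RECORD, log, now=1100.0))  # no diagnosis field
    try:
        read_record(Session("drx", "clinician", 0.0), RECORD, log, now=1100.0)
    except AccessDenied as exc:
        print("denied:", exc)
    print("audit log intact:", log.verify())
```

Two design points matter here. Denied requests are logged as carefully as allowed ones, because an auditor investigating a breach needs to see attempts, not only successes. And the log is chained with an HMAC rather than a plain hash so that an attacker who can rewrite the log file still cannot recompute valid entries without the key.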
Privacy Rule
The HIPAA Privacy Rule is a set of federal regulations that protect individuals’ health information privacy. The rule establishes standards for how covered entities handle protected health information and gives individuals the right to access, control, and correct their PHI. The Privacy Rule also limits how covered entities can use and disclose PHI for marketing and fundraising purposes. In addition, the rule requires them to get authorization from patients before using or disclosing their PHI for most other purposes.
Breach Notification Rule
The HIPAA Breach Notification Rule requires covered entities and business associates to provide notification following a breach of unsecured PHI, meaning PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons (for example, through encryption that meets HHS guidance). The PHI involved can include health information, demographic information, financial information, and contact information.
In the event of a breach, covered entities must notify affected individuals without unreasonable delay and no later than 60 days after discovery, notify the US Department of Health and Human Services (HHS) within the same window for breaches affecting 500 or more individuals (smaller breaches are reported in an annual log), and, for breaches affecting more than 500 residents of a state or jurisdiction, notify prominent media outlets. A business associate that discovers a breach must notify the covered entity. The notification must include information about the nature of the breach, the type of information involved, and the steps affected individuals can take to protect themselves from identity theft and fraud.
Covered entities that fail to comply with the HIPAA Breach Notification Rule can be subject to civil and criminal penalties.
Enforcement Rule
The HIPAA Enforcement Rule describes the types of investigations HHS may conduct, the process HHS will follow in conducting investigations, the imposition of civil money penalties for violations of the HIPAA Administrative Simplification Rules, and procedures for hearings. The rule also references specific procedures that apply to investigations and hearings conducted by HHS’ Office for Civil Rights (OCR). Finally, the rule sets forth requirements for covered entities regarding complaints filed with OCR, contact information that must be made available to individuals about how to file complaints with OCR, and recordkeeping requirements related to complaints filed with OCR.
Omnibus Rule
The HIPAA Omnibus Rule is a set of regulations finalized by the US Department of Health and Human Services in January 2013 (with a compliance deadline in September 2013) that implemented the statutory changes made by the HITECH Act and addressed advances in technology and changes in the healthcare landscape since HIPAA was first enacted in 1996.
Under the rule, business associates and their subcontractors became directly liable for compliance with the Security Rule and with the applicable provisions of the Privacy Rule. The rule also replaced the earlier “significant risk of harm” breach standard with a presumption that any impermissible use or disclosure of PHI is a breach unless a documented four-factor risk assessment shows a low probability that the PHI was compromised, tightened the limits on using PHI for marketing and on selling PHI, and required covered entities to update their notices of privacy practices so that patients are informed of their rights concerning their health information.
The Omnibus Rule applies to all entities covered by HIPAA, including healthcare providers, health plans, clearinghouses, and business associates.
Minimum Necessary Rule
The HIPAA Minimum Necessary standard is part of the Privacy Rule and requires covered entities to limit the PHI they use, disclose, or request to the minimum necessary to accomplish the intended purpose. The standard applies to uses of PHI within the entity and to routine disclosures for payment and healthcare operations, as well as to non-routine disclosures, and it has defined exceptions: disclosures to a health care provider for treatment, disclosures to the individual, uses or disclosures made under the individual's authorization, disclosures to HHS for compliance purposes, and uses or disclosures required by law. Outside those exceptions, covered entities must make a good faith effort to limit the exposure of PHI to the fewest people and the fewest data elements needed to satisfy a particular purpose or carry out a specific function, typically by defining role-based access policies that specify which workforce members may see which categories of PHI.
The HITECH Act
The HITECH Act (the Health Information Technology for Economic and Clinical Health Act), enacted in 2009 as part of the American Recovery and Reinvestment Act, was not a successor to HIPAA but an amendment and extension of it. It promoted the adoption of electronic health records and, in response to concerns about the security of electronic health information, strengthened HIPAA by making business associates directly subject to its privacy and security provisions, introducing the statutory breach notification requirement, and establishing a tiered civil penalty structure with substantially higher maximums for non-compliance.
The HITECH Act required the Department of Health and Human Services to issue implementing regulations. HHS did so in the 2013 Omnibus Rule, which strengthened the restrictions on the use and disclosure of protected health information, expanded patients' rights to access their own information (including in electronic form), and established new requirements for covered entities and business associates to safeguard electronic health information.