
HIPAA (HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT)
RA Group, JSS College of Pharmacy, Mysuru

HIPAA (Health Insurance Portability and Accountability Act)

HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States
legislation that provides data privacy and security provisions for safeguarding medical
information.

The law has gained greater prominence in recent years with the proliferation of health data
breaches caused by cyberattacks, including ransomware, on health insurers and providers.

The act, which was signed into law by President Bill Clinton on Aug. 21, 1996, contains five
sections, or titles.

Title I: HIPAA Health Insurance Reform

Title II: HIPAA Administrative Simplification

Title III: HIPAA Tax-Related Health Provisions

Title IV: Application and Enforcement of Group Health Plan Requirements

Title V: Revenue Offsets

Title I: HIPAA Health Insurance Reform

Title I of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects
health insurance coverage for workers and their families when they change or lose their jobs. It
also limits the ability of group health plans to exclude coverage for pre-existing conditions and
prohibits them from discriminating against individuals on the basis of their health status.

Title II: HIPAA Administrative Simplification

Title II directs the U.S. Department of Health and Human Services (HHS) to establish national
standards for processing electronic healthcare transactions. It also requires healthcare
organizations to implement secure electronic access to health data and to remain
in compliance with privacy regulations set by HHS.

Title III: HIPAA Tax-Related Health Provisions

Title III includes tax-related provisions and guidelines for medical care. It provides for certain
deductions for medical insurance, and makes other changes to health insurance law.

Title IV: Application and Enforcement of Group Health Plan Requirements

Title IV further defines health insurance reform, including provisions for individuals with pre-
existing conditions and those seeking continued coverage. It specifies conditions for group health
plans regarding coverage of persons with pre-existing conditions, and modifies continuation of
coverage requirements.

Title V: Revenue Offsets

Title V includes provisions on company-owned life insurance and the treatment of those who
lose their U.S. citizenship for income tax purposes.

In healthcare circles, adhering to HIPAA Title II is what most people mean when they refer
to HIPAA compliance. Also known as the Administrative Simplification provisions, Title II
includes the following HIPAA compliance requirements:

 National Provider Identifier Standard. Every covered healthcare provider, whether an
individual or an organization, must obtain a unique 10-digit national provider identifier
(NPI) and use it in standard transactions; employers are identified by their employer
identification number (EIN) instead.

 Transactions and Code Sets Standard. Healthcare organizations must follow a
standardized mechanism for electronic data interchange (EDI) in order to submit and
process insurance claims.

 HIPAA Privacy Rule. Officially known as the Standards for Privacy of Individually
Identifiable Health Information, this rule establishes national standards to protect patient
health information.

 HIPAA Security Rule. The Security Standards for the Protection of Electronic Protected
Health Information sets standards for securing patient data that is held or transmitted
electronically.

 HIPAA Enforcement Rule. This rule sets out the procedures for investigations into
HIPAA compliance violations and the civil money penalties that may follow.

Purpose of HIPAA

HIPAA, also known as Public Law 104-191, has two main purposes: to provide continuous
health insurance coverage for workers who lose or change their jobs, and to reduce the
administrative burdens and cost of healthcare by standardizing the electronic transmission of
administrative and financial transactions. Other goals include combating abuse, fraud and waste
in health insurance and healthcare delivery and improving access to long-term care services and
health insurance.

HHS expanded the act when it put the HIPAA omnibus rule in place in 2013 to implement
modifications to HIPAA required by the Health Information Technology for Economic and
Clinical Health (HITECH) Act of 2009. These changes concern, among other things, the
responsibilities of business associates of covered entities. The omnibus rule also increased
penalties for HIPAA compliance violations to a maximum of $1.5 million per year for
violations of an identical provision.

The HHS Office for Civil Rights (OCR), which enforces HIPAA, issued guidance in 2016
clarifying that cloud service providers and other business associates of healthcare organizations
are covered by the HIPAA privacy, security and breach notification rules. HIPAA violations can
prove quite costly for healthcare organizations.

The HIPAA Breach Notification Rule requires covered entities to notify affected individuals,
HHS and, for breaches affecting more than 500 residents of a state or jurisdiction, prominent
media outlets following a breach of unsecured PHI; business associates must notify the covered
entity so that it can meet those obligations.

In addition to the notification costs, healthcare organizations can encounter fines after HIPAA
audits mandated by the HITECH Act and conducted by the Office for Civil Rights. Providers
could also face criminal penalties stemming from violations of the HIPAA privacy and security
rules.

The Federal Trade Commission's Health Breach Notification Rule, in effect since 2010, extends
breach notification requirements to organizations not covered by HIPAA, including vendors of
personal health records (PHRs) and related entities.

OCR undertook its first round of HIPAA audits of healthcare organizations in 2012 and 2013.
Those pilot audits carried no fines or penalties.

A considerably wider, formal round of desk and in-person audits of about 200 healthcare-
covered entities and business associates began in 2016 and continued into 2017. These audits
were expected to carry fines or corrective plans.

In 2016, OCR released a crosswalk mapping the HIPAA Security Rule's standards to the
subcategories of the National Institute of Standards and Technology's Cybersecurity Framework,
so that organizations can use the framework to identify gaps in their Security Rule compliance.

Organizations can lower their risk of regulatory action through HIPAA compliance training
programs. OCR has six educational programs on complying with privacy and security rules. A
number of consultancies and training groups offer programs, as well. Healthcare providers may
also choose to create their own training programs, which often encompass each organization's
current HIPAA privacy and security policies, the HITECH Act, mobile device
management processes and other applicable guidelines.

While there is no official HIPAA compliance certification program, training companies offer
certification credentials to indicate an understanding of the guidelines and regulations specified
by the act.

HIPAA Privacy Rule

The Standards for Privacy of Individually Identifiable Health Information, commonly known as
the HIPAA Privacy Rule, established the first national standards in the United States to protect
patients' protected health information (PHI).

HHS issued the rule to limit the use and disclosure of PHI. It permits PHI to flow for treatment,
payment and healthcare operations, requires patient authorization for most other uses, and limits
most uses and disclosures to the minimum necessary. Patients may request an accounting of
disclosures of their PHI; routine disclosures for treatment, payment and operations are exempt
from that accounting.

The Privacy Rule also guarantees patients the right to obtain a copy of their own PHI, upon
request, from covered entities.

Who is covered by and must follow HIPAA?

The HIPAA Privacy Rule applies to organizations that are HIPAA-covered entities: health
plans, healthcare clearinghouses and healthcare providers that conduct standard electronic
transactions. In addition, the Privacy Rule requires a covered entity that uses a HIPAA business
associate to enter into a written contract, the business associate agreement, that imposes specific
safeguards on the PHI the business associate creates, receives, maintains or transmits.

What information is protected?

The HIPAA Privacy Rule protects all individually identifiable health information that is held or
transmitted by a covered entity or a business associate. This information can be held in any form,
including digital, paper or oral. This individually identifiable health information is also known as
PHI under the Privacy Rule.

What is considered protected health information under HIPAA?

PHI includes:

 a patient's name, address, birth date and Social Security number;

 an individual's physical or mental health condition;

 any care provided to an individual; or

 information concerning the payment for the care provided to the individual that identifies
the patient, or information for which there is a reasonable basis to believe could be used
to identify the patient.

The HIPAA Privacy Rule excludes from PHI employment records that a covered entity holds in
its role as an employer, and education and certain other records that are covered by the Family
Educational Rights and Privacy Act (FERPA).

De-identified data, by contrast, may be used or disclosed without restriction. Data counts as
de-identified under the Privacy Rule only when the specified identifiers have been removed and
no reasonable basis remains to believe the information could identify an individual (the "safe
harbor" method), or when a qualified expert determines that the risk of re-identification is very
small.
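The NPI standard described under Title II, and the PHI identifiers and de-identification rules
discussed here, can be exercised in code. The following is an added example, not part of the
original handout or of any HHS material. It validates an NPI's check digit the way CMS
specifies (the Luhn formula applied to the constant prefix 80840 plus the 9-digit base; CMS's
published worked example is base 123456789 giving check digit 3), applies the Social Security
Administration's format rules to SSN-shaped strings, and then scans and redacts constructed
sample log lines. The log lines, function names and marker text are illustrative assumptions.
One caveat: stripping SSNs is not HIPAA de-identification, which under the safe harbor method
requires removing all 18 listed identifier types; this is a detection aid, for example for an
outbound data loss prevention check.

```python
import re

# CMS prepends this constant to the 9-digit NPI base before computing the Luhn check digit.
NPI_PREFIX = "80840"

NPI_RE = re.compile(r"\b[12]\d{9}\b")            # NPIs are 10 digits beginning with 1 or 2
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_sum(digits: str) -> int:
    """Luhn sum of a digit string; the rightmost digit is the (undoubled) check position."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9            # same as adding the two digits of the product
        total += d
    return total


def npi_check_digit(base9: str) -> str:
    """Check digit for a 9-digit NPI base (CMS worked example: 123456789 -> 3)."""
    if not (len(base9) == 9 and base9.isdigit()):
        raise ValueError("NPI base must be exactly 9 digits")
    # Append a 0 so the check digit's slot is the undoubled position during the sum.
    s = luhn_sum(NPI_PREFIX + base9 + "0")
    return str((10 - s % 10) % 10)


def is_valid_npi(candidate: str) -> bool:
    """True if candidate is a 10-digit NPI whose Luhn check digit (with the 80840 prefix) holds."""
    return (len(candidate) == 10 and candidate.isdigit()
            and candidate[0] in "12"
            and luhn_sum(NPI_PREFIX + candidate) % 10 == 0)


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA issuance rules: area not 000, 666 or 900-999; group not 00; serial not 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def find_identifiers(text: str) -> list:
    """Return (kind, value) pairs for every validated NPI and plausible SSN in text."""
    found = []
    for m in NPI_RE.finditer(text):
        if is_valid_npi(m.group(0)):
            found.append(("NPI", m.group(0)))
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            found.append(("SSN", m.group(0)))
    return found


def redact_ssns(text: str) -> str:
    """Replace every plausible SSN with a marker. NPIs identify the provider and are
    public (the NPPES registry), so they are reported but not redacted."""
    def _sub(m):
        return "[SSN-REDACTED]" if is_plausible_ssn(*m.groups()) else m.group(0)
    return SSN_RE.sub(_sub, text)


# Constructed sample log lines for illustration only; no real identifiers.
SAMPLE_LOG = (
    "2024-03-01 claims: patient SSN 123-45-6789 billed by provider NPI 1234567893\n"
    "2024-03-01 claims: reference 1234567890 is not an NPI (wrong check digit)\n"
    "2024-03-01 test: placeholder 000-12-3456 is not an issuable SSN\n"
)

if __name__ == "__main__":
    print(find_identifiers(SAMPLE_LOG))
    print(redact_ssns(SAMPLE_LOG))
```

The check-digit rule is what makes this more than a regex: 1234567890 is ten digits and
starts with 1, but its Luhn sum over 808401234567890 is 67, so it is rejected, while 1234567893
sums to 70 and is accepted.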

Administrative requirements

The Privacy Rule lays out certain administrative requirements that covered entities must have in
place.

These requirements include the following:

 A privacy official must be appointed who is responsible for developing and implementing
the covered entity's privacy policies and procedures.

 Workforce members, including volunteers and trainees, must be trained on those policies
and procedures.

 Appropriate administrative, technical and physical safeguards must be maintained to
protect the privacy of PHI in a covered entity.

 A process for individuals to make complaints concerning policies and procedures must be
in place at a covered entity.

 If PHI is used or disclosed in violation of its policies and procedures, a covered entity must
mitigate, to the extent practicable, any harmful effects.

HIPAA penalties

Under the HIPAA Privacy and Security Rules, a data breach that reveals compliance failures, as
well as failing to give patients access to their PHI, can result in a civil money penalty from OCR.

The penalty tiers set by the HITECH Act, by level of culpability, are:

 Did not know, and could not reasonably have known, of the violation: $100 per violation,
with an annual maximum of $25,000 for repeat violations of the same provision.

 Reasonable cause, not willful neglect: $1,000 per violation, with an annual maximum of
$100,000.

 Willful neglect, corrected within the required time period (30 days): $10,000 per
violation, with an annual maximum of $250,000.

 Willful neglect, not corrected: $50,000 per violation, with an annual maximum of $1.5
million.

The 2013 omnibus rule set the maximum for every tier at $50,000 per violation and $1.5 million
per year for violations of an identical provision; these amounts are adjusted annually for
inflation.

Criminal penalties, prosecuted by the Department of Justice rather than OCR, apply to anyone
who knowingly obtains or discloses individually identifiable health information in violation of
HIPAA: a fine of up to $50,000 and up to one year in prison. Offenses committed under false
pretenses carry up to a $100,000 fine and five years in prison, and offenses committed with
intent to sell the information or to use it for commercial advantage, personal gain or malicious
harm carry up to a $250,000 fine and 10 years in prison.

HIPAA Security Rule

The Security Standards for the Protection of Electronic Protected Health Information, commonly
known as the HIPAA Security Rule, establishes national standards for securing patient data that
is created, received, stored or transmitted electronically (ePHI); paper and oral PHI are covered
by the Privacy Rule only.

The rule requires administrative, physical and technical safeguards that ensure the
confidentiality, integrity and availability of ePHI, and it requires a documented risk analysis.
When assessing the risks and vulnerabilities to ePHI, healthcare organizations should ask three
key questions.

 Can you identify the sources of ePHI and PHI within your organization, including all PHI
that you create, receive, maintain or transmit?

 What are the external sources of PHI?

 What are the human, natural and environmental threats to information systems that
contain ePHI and PHI?

OCR enforces the HIPAA Security Rule, which aims to protect ePHI while still allowing the
healthcare industry to adopt new technology.

Under the Medicare and Medicaid EHR Incentive Programs (the meaningful use program, since
renamed Promoting Interoperability), healthcare organizations receiving federal incentive
payments must attest to having conducted a security risk analysis in line with the HIPAA
Security Rule.

HIPAA omnibus rule

The HIPAA omnibus rule, in a health information technology context, is a rule enacted by OCR
to modify the HIPAA Privacy, Security and Enforcement Rules to implement statutory
amendments under the HITECH Act.

The HIPAA omnibus rule marked the most extensive changes to the HIPAA Privacy and
Security Rules since they were first implemented. Changes include the following:

 Strengthening the privacy and security protection for individuals' PHI.

 Modifying the Breach Notification Rule for unsecured PHI, replacing the earlier "harm"
threshold with a more objective risk assessment for deciding whether an impermissible use or
disclosure is a reportable breach.

 Modifying the HIPAA Privacy Rule to strengthen the privacy protections for genetic
information, as required by the Genetic Information Nondiscrimination Act (GINA).

 Outlining OCR's data privacy and security enforcement strategies, as updated for the
EHR era and as mandated by the HITECH Act.

 Holding HIPAA business associates, and their subcontractors, directly liable for
compliance with the Security Rule and with the Privacy Rule provisions that apply to them.

 Stipulating that, when patients pay out of pocket in full, they can instruct their provider not
to share information about that treatment with their health plan.

 Setting new limits on how information is used and disclosed for marketing and
fundraising purposes.

 Prohibiting the sale of an individual's health information without their authorization.

 Making it easier for parents and others to give permission to share proof of a child's
immunization with a school.

 Streamlining an individual's ability to authorize the use of their health information for
research purposes.

 Increasing penalties for noncompliance based on the level of negligence, with a
maximum of $1.5 million per year for violations of an identical provision.

 Giving organizations a single, consolidated set of rules against which to measure their
privacy and security policies.

The 563-page rule, released Jan. 17, 2013, took effect March 26, 2013, with a compliance
deadline of Sept. 23, 2013.

HIPAA business associate

HIPAA defines a business associate as any organization or person, other than a member of the
covered entity's workforce, that creates, receives, maintains or transmits PHI on behalf of a
covered entity or provides services to it that involve access to PHI.

Examples of business associates include accounting or consulting firms that work with covered
entities, such as hospitals or doctors, or any number of other organizations that have or could
have access to PHI.

Updates made to the HIPAA regulation by the HITECH Act require business associates to
comply with HIPAA mandates regarding the handling and use of PHI.

As of Feb. 18, 2010, the Department of Health and Human Services can audit business associates
for HIPAA compliance.

Examples of HIPAA business associates

According to HHS, examples of HIPAA business associates include:

 A third-party administrator that helps a health plan with claims processing.

 A certified public accounting firm that provides accounting services to a healthcare
provider and has access to protected health information.

 A consultant that performs utilization reviews for a hospital.

 A healthcare clearinghouse that translates a claim from a nonstandard format to a
standard format for a healthcare provider, and then sends the processed transaction to a
payer.

 An independent medical transcriptionist that provides services to a physician.

 A pharmacy benefits manager that manages a health plan's pharmacist network.

Mobile application developers could also be considered HIPAA business associates because
many healthcare mobile applications handle PHI.

HHS gave a scenario in which an app developer would be considered a HIPAA business associate:
A patient is told by her provider to download a health app to her smartphone. The app developer
and the provider have a contract for patient management services that includes remote patient
health counseling, patient messaging, monitoring of the patient's food and exercise, and EHR
integration through application programming interfaces (APIs). Furthermore, the information the
patient enters into the application is automatically incorporated into the EHR.

Under HIPAA, a HIPAA business associate agreement (BAA) is a contract between a HIPAA-
covered entity and a HIPAA business associate (BA). The contract protects PHI in accordance
with HIPAA guidelines.

Effective Feb. 18, 2010, in accordance with the HITECH Act, a BA's disclosure, handling and
use of PHI must comply with HIPAA Security Rule and HIPAA Privacy Rule mandates. Under
the HITECH Act, any HIPAA business associate that serves a healthcare provider or institution
is subject to audits by OCR within HHS, and it can be held accountable for a data breach and
penalized for noncompliance.

HIPAA business associate contract requirements

According to HHS, a HIPAA business associate contract or other written arrangement must:

 Describe the permitted and required uses and disclosures of PHI by the business associate.

 Require that the business associate not use or further disclose PHI, other than as
permitted by the contract or as required by law.

 Require the business associate to use appropriate safeguards, including the Security
Rule safeguards for ePHI, to prevent uses or disclosures of PHI other than those the
contract allows.

 Require the business associate to report to the covered entity any use or disclosure not
provided for by the contract, including breaches of unsecured PHI and security incidents.

 Require the business associate to ensure that any subcontractors it engages agree to the
same restrictions and conditions.

 Authorize the covered entity to terminate the contract if the business associate violates a
material term. Separately, a covered entity that knows of a pattern of activity or practice by
the business associate that is a material breach must take reasonable steps to cure it and, if
that fails, terminate the contract; if termination is not feasible, the covered entity must
report the problem to HHS OCR.

With these regulations in mind, a HIPAA business associate agreement should explicitly
spell out how a BA must report and respond to a data breach, including data breaches that are
caused by a business associate's subcontractors. In addition, HIPAA business associate
agreements should require a BA to demonstrate how it would respond to an OCR investigation.

HIPAA-covered entity

A HIPAA-covered entity is a health plan, a healthcare clearinghouse, or a healthcare provider
that transmits health information electronically in connection with a HIPAA standard
transaction (such as a claim or an eligibility check). The most common examples include
hospitals, doctors' offices and health insurance providers.

Covered entities are required to comply with HIPAA and HITECH mandates for the protection
of PHI.

Reference: http://searchhealthit.techtarget.com/definition/HIPAA
