Day 1: Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) Rules provide federal protections for patient health information held by Covered Entities (CEs) and Business Associates (BAs), and give patients an array of rights with respect to that information.
- Privacy Rule – protects individuals' health information by limiting how Protected Health Information (PHI) may be used and disclosed
- Security Rule – national standards for safeguarding electronic Protected Health Information (ePHI)
- Breach Notification Rule – requirements to report breaches of unsecured PHI
Overseen by the US Department of Health & Human Services (HHS), Office for Civil Rights (OCR)
Home Health Provider to Pay $240K in HIPAA Violation Fines
Lincare, Inc. was ordered to pay for HIPAA violations that exposed the PHI of nearly 300 patients.
Who is a Covered Entity (CE)
- Health care providers who conduct certain standard administrative and financial transactions in electronic form. Any health care provider who bills electronically (such as a current Medicare Home Health provider) is a CE
- Health plans
- Health care clearinghouses
Business Associate (BA)
- A BA may be:
- A person or entity (other than a member of the CE's workforce)
- One who performs certain functions or activities, or provides certain services, on the CE's behalf
- when the services involve the creation, receipt, maintenance or transmission of PHI, including offering a personal health record (PHR) to individuals on the CE's behalf
You hire a web designer to maintain your practice's website and improve its online access for patients seeking to view, download or transmit their health information. The designer must have regular access to patient records to ensure the site is working correctly. The web designer is a BA.
You hire a web designer to maintain your practice's website. The designer installs the new electronic version of the Notice of Privacy Practices (NPP) and improves the look and feel of the general site. However, the designer has no access to PHI. The web designer is not a BA.
HIPAA Settlements, Fines, & Penalties
The federal civil fines for noncompliance are based on the level of negligence found within your organization at the time of the HIPAA violation. These fines can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per calendar year for violations of an identical provision. These are the amounts set by HITECH; HHS has adjusted them for inflation annually since 2016.
Criminal HIPAA violations are prosecuted by the Department of Justice, to which OCR refers cases. Director of OCR, Jocelyn Samuels, went on record in February of 2016, saying that:
“While OCR prefers to resolve issues through voluntary compliance, […] we will take the steps necessary, including litigation, to obtain adequate remedies for violations of the HIPAA Rules”
HITECH – Strengthens HIPAA Enforcement
The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology.
Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part through several provisions that strengthen the civil and criminal enforcement of the HIPAA Rules.
As required by section 13402(e)(4) of the HITECH Act, the Secretary of HHS must post a public list of breaches of unsecured protected health information affecting 500 or more individuals.
Four Tiers – Violation Penalty Tiers
Each tier carries a per-violation range and the same $1.5M annual cap for violations of an identical provision:
- First Tier: the covered entity did not know and could not reasonably have known of the violation – $100 – $50,000 per violation, up to $1.5M per year
- Second Tier: the covered entity "knew or by exercising reasonable diligence would have known" of the violation, though it did not act with willful neglect – $1,000 – $50,000 per violation, up to $1.5M per year
- Third Tier: the covered entity "acted with willful neglect" but corrected the problem within 30 days – $10,000 – $50,000 per violation, up to $1.5M per year
- Fourth Tier: the covered entity "acted with willful neglect" and failed to make a timely correction – $50,000 per violation, up to $1.5M per year
PHI – Protected Health Information
If you work in healthcare or are considering doing business with healthcare clients that requires access to health data, you will need to know what is considered protected health information under HIPAA law. The HIPAA Security Rule demands that administrative, physical and technical safeguards be implemented to ensure the confidentiality, integrity, and availability of ePHI, while the HIPAA Privacy Rule places limits on the uses and disclosures of PHI in any form.
Violate any of the provisions in the HIPAA Privacy and Security Rules and you could be financially penalized. There are even criminal penalties for HIPAA violations. Claiming ignorance of HIPAA law is not a valid defense.
PHI is individually identifiable health information that a CE or BA creates, receives, maintains or transmits; it is only PHI when an individual could be identified from the information. If all identifiers are stripped from health data, it ceases to be protected health information and the HIPAA Privacy Rule's restrictions on uses and disclosures no longer apply.
PHI – 18 Identifiers
PHI is any health information that can be tied to an individual, which under HIPAA means protected health information includes one or more of the following 18 identifiers of the individual or of the individual's relatives, employers or household members. If these identifiers are removed, and the CE has no actual knowledge that the remaining information could be used to identify the individual, the information is de-identified under the "Safe Harbor" method and is no longer PHI subject to the restrictions of the HIPAA Privacy Rule. (The alternative, "Expert Determination", relies on a qualified statistician documenting that the re-identification risk is very small.)
- Names (full name, or last name and initial)
- All geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code and their equivalent geocodes), except for the initial three digits of a ZIP code if, according to the current publicly available data from the U.S. Bureau of the Census: the geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; the initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people must be changed to 000
- All elements of dates (other than year) directly related to an individual, including birth date, admission date, discharge date and date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that these may be aggregated into a single category of age 90 or older
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Uniform Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger, retinal and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code, except a re-identification code that is not derived from information about the individual and whose mechanism is not disclosed (such as the code an investigator assigns to de-identified study data)
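The following is an added example, not code from the original page or from any HIPAA guidance: it applies the Safe Harbor transformations listed above to a patient record, using an allowlist so that any field it does not recognise is dropped rather than leaked. The field names, the sample record and the `RESTRICTED_ZIP3` set are all constructed placeholders; a real deployment must derive the restricted ZIP prefixes from current Census data, and must separately scrub free-text fields, which this example deliberately does not pass through.

```python
import re
from datetime import date

# Constructed placeholder for the three-digit ZIP prefixes whose combined
# population is 20,000 or fewer. A real deployment must derive this set from
# current Census data, as the Privacy Rule requires; do not ship this list.
RESTRICTED_ZIP3 = {"036", "059", "102", "203"}

# Allowlist of fields that carry no identifier and may pass through unchanged.
# Free-text fields are deliberately absent: they can embed names or dates and
# need separate scrubbing before release.
PASSTHROUGH_FIELDS = {"state", "sex", "diagnosis_codes"}

# Dates directly related to the individual: only the year may survive.
EVENT_DATE_FIELDS = {
    "admission_date": "admission_year",
    "discharge_date": "discharge_year",
    "date_of_death": "death_year",
}


def safe_harbor_zip(zip_code):
    """Reduce a ZIP code to its first three digits per the Safe Harbor rule.

    Returns "000" for low-population prefixes and None for input that is not
    a full five-digit ZIP, so the caller drops it instead of guessing.
    """
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) < 5:
        return None
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def age_on(birth, as_of):
    """Whole years between birth and as_of (both datetime.date)."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def deidentify(record, as_of):
    """Apply the Safe Harbor transformations to one patient record.

    Returns (deidentified_record, dropped_field_names). Unknown fields are
    dropped, not copied: anything not on the allowlist is treated as a
    potential identifier. The caller must still confirm it has no actual
    knowledge that the remaining data could identify the individual.
    """
    out = {}
    dropped = []
    for field, value in record.items():
        if field in PASSTHROUGH_FIELDS:
            out[field] = value
        elif field == "zip":
            prefix = safe_harbor_zip(value)
            if prefix is None:
                dropped.append(field)
            else:
                out["zip3"] = prefix
        elif field == "birth_date":
            age = age_on(value, as_of)
            if age > 89:
                # Ages over 89, and any date element (including the year)
                # revealing such an age, collapse into a single "90+" bucket.
                out["age"] = "90+"
            else:
                out["age"] = age
                out["birth_year"] = value.year
        elif field in EVENT_DATE_FIELDS:
            out[EVENT_DATE_FIELDS[field]] = value.year
        else:
            dropped.append(field)
    return out, sorted(dropped)


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "ssn": "000-00-0000",
    "mrn": "MRN-000001",
    "street_address": "1 Example Street",
    "city": "Sampleville",
    "state": "VT",
    "zip": "05901-1234",          # prefix 059 is in the placeholder set
    "birth_date": date(1924, 3, 1),
    "admission_date": date(2015, 11, 4),
    "sex": "F",
    "diagnosis_codes": ["I10"],
    "email": "jane@example.com",
    "ip_address": "203.0.113.7",
}

if __name__ == "__main__":
    released, removed = deidentify(SAMPLE_RECORD, as_of=date(2016, 2, 17))
    print("released:", released)
    print("dropped:", removed)
```

Run against the sample record, the output keeps only state, the masked prefix `000`, the `90+` age bucket, the admission year, sex and diagnosis codes, and reports the seven identifier fields it discarded. The returned `dropped` list is the audit trail: a release pipeline can refuse to proceed if that list is ever empty for a record that should have contained identifiers, which catches a schema change that silently renamed a field out of the allowlist.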
A Home Health care agency had a breach of Protected Health Information (PHI) involving its outsourced Physical Therapy company. The agency received a letter from the PT company's attorney stating that 60 of the agency's patients had their information breached when the PT company's file server was compromised. The PHI included treatment reports, names, addresses and Social Security numbers. This situation offers some valuable lessons for both covered entities and business associates.
While it was the PT company that suffered the breach, ultimately it is the agency's patients whose information was compromised. This brings up a huge point: the actions or inactions of a business associate can create major impact and liability for a covered entity (the medical practice). A BA must notify the CE of a breach without unreasonable delay, and no later than 60 days after discovery, but it is the CE that remains responsible for notifying the affected individuals, HHS and (for breaches affecting more than 500 residents of a state) the media. Signing a HIPAA business associate agreement is a requirement but does not guarantee that a covered entity is protected from business associate related breaches. It is very important to ensure that business associates are actually protecting PHI, for example by asking for evidence of their Security Rule risk analysis and safeguards before sharing data, and by building breach notification deadlines and audit rights into the BAA.