The Health Insurance Portability and Accountability Act (HIPAA) is one of the most influential pieces of healthcare legislation in U.S. history. Signed into law by President Bill Clinton in 1996, it consists of five main titles, with Title II containing most of the key regulations that health administrators must now account for when managing IT systems that transmit electronically protected health information (ePHI, or just PHI).
A Look at ePHI, Covered Entities, and Business Associates Under HIPAA
PHI consists of individually identifiable health information about a patient's past, present, and projected future health conditions, the care they've received, and the payments they submitted. Two of the biggest regulations under Title II are known as the Privacy Rule and Security Rule and they both govern the handling of ePHI.
Between them, these rules spell out the extensive responsibilities that apply to covered entities and their business associates. For HIPAA purposes, a covered entity is any health plan, healthcare clearinghouse, or provider that conducts transactions for which the Department of Health and Human Services (HHS) has adopted standards. A business associate is any organization or person, other than the covered entity itself, which renders specific services for or on behalf of the covered entity. For example, a company conducting utilization review for a private insurer would count as a business associate subject to HIPAA compliance.
HIPAA rules are thereby incumbent on a vast universe of entities performing essential and routine activities such as electronically submitting claims and conducting experimental medical research, all of which involve working with ePHI. Let's go through these rules one at a time, starting with the Privacy Rule.
What is the HIPAA Privacy Rule?
The Privacy Rule is designed to strike a balance between the efficient transmission of ePHI and the reduction of risk associated with it. To reach this goal, the Privacy Rule defines a strict set of circumstances under which ePHI may be used or disclosed by covered entities and their business associates.
These bodies must disclose ePHI in only two scenarios – first when an individual or their personal representative specifically requests it and second when HHS requires it for an investigation or enforcement. Beyond that, there a few more instances in which covered entities and business associates are permitted (not required) to use and disclose ePHI even without the individual's authorization:
- To the individual directly
- For the purposes of treatment, payment, and healthcare operations
- During opportunities to agree or object, such as when entering contact information into facility directories or notifying family members of updates
- In various incidental cases
- For public interest and benefit activities, including disclosures to public health authorities and for individuals who are victims of domestic violence, abuse, and neglect
- For entry into a limited dataset
Overall, the Privacy Rule defines when it is permissible or mandated to use or disclose ePHI. The Security Rule extends the Privacy Rule by stipulating requirements for how the ePHI itself is secured during these instances.
What is the HIPAA Security Rule?
The Security Rule requires all covered entities and their business associates to ensure compliant administrative, physical, and technical controls are in place to protect ePHI. Its overarching purpose is preventing unauthorized access.
All ePHI must be kept confidential, with its integrity and availability preserved as well. Covered entities and business associates must identify and protect against any "reasonably anticipated" threats to this information.
It's important to note that the Security Rule does not make specific recommendations on IT infrastructure solutions. Instead, it sets rules for what must be considered when implementing, evaluating, and changing these technologies. For example, the Security Rule requires training and supervision of any workforce that works with ePHI. It also mandates the security of ePHI transmitted over a network, which in practice usually means encrypting that data once it leaves an organization's firewall.
The Security Rule preempts state laws that conflict with it. It also includes requirements for audit controls so that there's a full record of access histories and activities for IT systems containing ePHI.
The Stakes for HIPAA Compliance
Failing to meet the mandates set by the Privacy Rule or the Security Rule carries two major risks. First, the covered entity or business associate could be found in violation by HHS and penalized accordingly. Second, ePHI could be compromised in a data breach that causes significant reputational and financial damage.
Between April and June 2018, 3 million patient records were breached, according to the Protenus Breach Barometer. Many of the incidents in question involved repeat offenders within the affected organizations, underscoring the risk of not addressing HIPAA compliance early and often.
A robust compliance strategy is necessary for defending against not only external cyberattacks but also from insider threats, which can be intentional or inadvertent. Something as simple as someone forgetting to use email encryption or leaving a logged-in workstation unattended can precipitate a costly breach.
How an HCMBA From GW Prepares You for the World of HIPAA Compliance
The healthcare Master of Business Administration (HCMBA) from the George Washington University (GW) provides the rigor and convenience that can give your career aspirations real liftoff. Fully online, the GW HCMBA is both comprehensive and customizable – it will immerse you in the most germane discussion in modern healthcare leadership (including HIPAA and information security more generally) while also offering numerous options in terms of electives, projects, and other opportunities like study abroad.
For over a decade, many doctors nurses, hospital administrators, pharmacists, and other healthcare professionals have used the GW HCMBA program as a gateway to rewarding careers. To learn more about how to apply, visit the main program page, and answer a few simple questions to receive more information.
Recommended Readings:
The Pressures Facing Healthcare Leaders Today
How We Can Expect the Healthcare Industry to Change in the Future
Sources:
Summary of the HIPAA Security Rule
Summary of the HIPAA Privacy Rule
142 healthcare data breaches in Q2, 30% caused by repeat offenders