The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules protect the privacy and security of health information and provide individuals with certain rights to their health information.
The Health and Human Services Office for Civil Rights (2016),enforces the HIPAA Privacy, Security, and Breach Notification Rules. Violations may result in civil monetary penalties. In some instances, criminal penalties may be enforced by the U.S. Department of Justice.
This module describes the HIPAA, the Privacy Security Rule and the Breach Notification Rule. It will also cover how and when to disclose private health information. Lastly, it will discuss HIPAA compliance challenges.
The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA was first introduced in 1996 by president Bill Clinton, and was originally intended to improve the portability and accountability of health insurance coverage. The act promoted the use of medical savings accounts by introducing tax breaks and ensured coverage for employees with pre-existing medical conditions. It also ensured that coverage continued when individuals changed employer. Since then, the act has grown to be a vehicle to encourage the change from paper files to electronic while ensuring the safety of data. Additionally, it defines actions that covered entities must take to notify the victim and to mitigate the damage incurred.
HIPAA, Privacy, Security, and Breach Notification Rules protect the privacy and security of health information and provide individuals with certain rights to their health information (Health and Human Services, [HHS], 2016).
The Privacy Rule
Sets national standards for when protected health information (PHI) may be used and disclosed. The Privacy Rule protects individually identifiable health information, called PHI, held or transmitted by a covered entity or its business associate, in any form, whether electronic, paper, or verbal. PHI includes information that relates to the individual’s:
- Present, or future physical or mental health or condition
- Provision of health care to the individual
- Past, present, or future payment for the provision of health care to the individual PHI includes many common identifiers, such as name, address, birth date, and Social Security number
The HIPAA Privacy Rule establishes standards for the protection of PHI held by private entities such as:
- Health plans
- Health care clearinghouses
- Those health care providers that conduct certain health care transactions electronically
- Their business associates
Table 1: Covered Entities and Examples
|Health care clearinghouses|
|Health care providers|
The Privacy Rule gives patients important rights with respect to their health information, including rights to examine and obtain a copy of their health records in the form and manner they request, and to ask for corrections to their information. Also, the Privacy Rule permits the use and disclosure of health information needed for patient care and other important purposes.
A covered entity may use and disclose protected health information, without an individual’s authorization, for the following purposes or situations (HHS,2016):
- To the Individual (unless required for access or accounting of disclosures)
- Treatment, Payment, and Health Care Operations;
- Opportunity to Agree or Object
- Incident to an otherwise permitted use and disclosure
- Public Interest and Benefit Activities; and
- Limited Data Set for the purposes of research, public health or health care operations. Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make.
A covered entity also may rely on an individual’s informal permission to disclose to the individual’s family, relatives, or friends, or to other persons whom the individual identifies, protected health information directly relevant to that person’s involvement in the individual’s care or payment for care. In addition, a covered entity may rely on an individual’s informal permission to use or disclose protected health information for the purpose of notifying (including identifying or locating) family members, personal representatives, or others responsible for the individual’s care of the individual’s location, general condition, or death. Furthermore, protected health information may be disclosed for notification purposes to public or private entities authorized by law or charter to assist in disaster relief efforts.
The Privacy Rule does not require that every risk of an incidental use or disclosure of protected health information be eliminated. A use or disclosure of this information that occurs as a result of, or as “incident to,” an otherwise permitted use or disclosure is permitted as long as the covered entity has adopted reasonable safeguards as required by the Privacy Rule, and the information being shared was limited to the “minimum necessary,” as required by the Privacy Rule.
The Privacy Rule permits use and disclosure of protected health information, without an individual’s authorization or permission, for 12 national priority purposes. These include (HHS, 2016):
- Required by Law. Covered entities may use and disclose protected health information without individual authorization as required by law (including by statute, regulation, or court orders).
- Public Health Activities. Covered entities are allowed to disclose protected health information to: (1) public health authorities authorized by law to collect or receive such information for preventing or controlling disease, injury, or disability and to public health or other government authorities authorized to receive reports of child abuse and neglect; (2) entities subject to FDA regulation regarding FDA regulated products or activities for purposes such as adverse event reporting, tracking of products, product recalls, and post-marketing surveillance; (3) individuals who may have contracted or been exposed to a communicable disease when notification is authorized by law; and (4) employers, regarding employees, when requested by employers, for information concerning a work-related illness or injury or workplace related medical surveillance, because such information is needed by the employer to comply with the Occupational Safety and Health Administration (OHSA), the Mine Safety and Health Administration (MHSA), or similar state law.
- Victims of Abuse, Neglect or Domestic Violence. Covered entities may disclose protected health information to appropriate government authorities regarding victims of abuse, neglect, or domestic violence in certain circumstances.
- Health Oversight Activities. Covered entities may disclose protected health information to health oversight agencies such as audits and investigations necessary for oversight of the health care system and government benefit programs.
- Judicial and Administrative Proceedings. Covered entities may disclose protected health information in a judicial or administrative proceeding if the request for the information is through an order from a court or administrative tribunal. Such information may also be disclosed in response to a subpoena or other lawful process if certain assurances regarding notice to the individual or a protective order are provided.
- Law Enforcement Purposes. Covered entities may disclose protected health information to law enforcement officials for law enforcement purposes under the following six circumstances, and subject to specified conditions:
- When required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests)
- To identify or locate a suspect, fugitive, material witness, or missing person.
- In response to a law enforcement official’s request for information about a victim or suspected victim of a crime.
- To notify law enforcement of a person’s death, if the covered entity suspects that criminal activity caused the death.
- Whenever a covered entity believes that protected health information is evidence of a crime that occurred on its premises
- By a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.
- Decedents. Covered entities may disclose protected health information to funeral directors as needed, and to coroners or medical examiners to identify a deceased person, determine the cause of death, and perform other functions authorized by law.
- Cadaveric Organ, Eye, or Tissue Donation. Covered entities may use or disclose protected health information to facilitate the donation and transplantation of cadaveric organs, eyes, and tissue.
- Research. “The Privacy Rule allows covered entity to use and disclose protected health information for research purposes, without an individual’s authorization, provided the covered entity obtains either: (1) documentation that an alteration or waiver of individuals’ authorization for the use or disclosure of protected health information about them for research purposes has been approved by an Institutional Review Board or Privacy Board; (2) representations from the researcher that the use or disclosure of the protected health information is solely to prepare a research protocol or for similar purpose preparatory to research, that the researcher will not remove any protected health information from the covered entity, and that protected health information for which access is sought is necessary for the research; or (3) representations from the researcher that the use or disclosure sought is solely for research on the protected health information of decedents, that the protected health information sought is necessary for the research, and, at the request of the covered entity, documentation of the death of the individuals about whom information is sought.
- Serious Threat to Health or Safety. Covered entities may disclose protected health information when they feel it’s necessary in order to prevent or lessen a serious and imminent threat to a person or the public, when such disclosure is made to someone they believe can prevent or lessen the threat. Covered entities may also disclose to law enforcement if the information is needed to identify or apprehend an escapee or violent criminal.
- Essential Government Functions. An authorization is not required to use or disclose protected health information for certain essential government functions. Such functions include: assuring proper execution of a military mission, conducting intelligence and national security activities that are authorized by law, providing protective services to the President, making medical suitability determinations for U.S. State Department employees, protecting the health and safety of inmates or employees in a correctional institution, and determining eligibility for or conducting enrollment in certain government benefit programs.41
- Workers’ Compensation. Covered entities may disclose protected health information as authorized by, and to comply with, workers’ compensation laws and other similar programs providing benefits
The Security Rule
Specifies what safeguards are in place that covered entities and their business associates must implement to protect the confidentiality, integrity, and availability of electronic protected health information. (e-PHI).The Security Rule protects a subset of information covered by the Privacy Rule, which is all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form. The Security Rule calls this information “electronic protected health information” (e-PHI). The Security Rule does not apply to PHI transmitted orally or in writing (HHS, 2018).
Prior to HIPAA, there was no consensus on an accepted set of security standards or general requirements for protecting health information. At the same time, new technologies were evolving, and the health care industry began to move away from paper processes and rely more heavily on the use of electronic information systems to pay claims, answer eligibility questions, provide health information and conduct a host of other administrative and clinically based tasks (HHS, 2018).
Today, providers are using digital clinical applications such as computerized order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems. Health plans are providing access to claims and care management, as well as member self-service applications. While this means that the medical workforce can be more mobile and efficient, the rise in the adoption rate of these technologies increases the potential security risks (HHS, 2018).
The major goal of the Security Rule is to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. The health care marketplace is diverse, and thus, the Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ e-PHI. The Security Rule defines “confidentiality” to mean that e-PHI is not available or disclosed to unauthorized persons. The Security Rule's confidentiality requirements support the Privacy Rule's prohibitions against improper uses and disclosures of PHI (HHS, 2018).
The Security rule also promotes the two additional goals of maintaining the integrity and availability of e-PHI. Under the Security Rule, “integrity” means that e-PHI is not altered or destroyed in an unauthorized manner. “Availability” means that e-PHI is accessible and usable on demand by an authorized person (HHS, 2018).
HHS recognizes that covered entities range in size. Therefore the Security Rule is flexible and scalable to allow covered entities to analyze their own needs and implement solutions appropriate for their specific environments. What is appropriate for a particular covered entity will depend on the nature of the covered entity’s business, as well as the covered entity’s size and resources (HHS, 2018).
When a covered entity is deciding which security measures to use, the Rule does not dictate those measures but requires the covered entity to consider (HHS, 2018):
- Its size, complexity, and capabilities
- It’s technical, hardware, and software infrastructure
- The costs of security measures
- The likelihood and possible impact of potential risks to e-PHI
Covered entities must review and modify their security measures to continue protecting e-PHI in a changing environment
The Security Rule (HHS,2018), requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI.
Covered entities must:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit
- Identify and protect against reasonably anticipated threats to the security or integrity of the information
- Protect against reasonably anticipated, impermissible uses or disclosures
- Ensure compliance by their workforce.
The Breach Notification Rule
The HIPAA Breach Notification Rule requires covered entities to notify affected individuals, HHS, and in some cases, the media of a breach of unsecured PHI. Most notifications must be provided without unreasonable delay and no later than 60 days following the discovery of a breach. Notifications of smaller breaches affecting fewer than 500 individuals may be submitted to HHS annually. The Breach Notification Rule also requires business associates of covered entities to notify the covered entity of breaches at or by the business associate. (HHS, 2018).
A breach is, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors: (HHS, 2018).
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification
- The unauthorized person who used the protected health information or to whom the disclosure was made
- Whether the protected health information was actually acquired or viewed
- The extent to which the risk to the protected health information has been mitigated
Covered entities and business associates, where applicable, have discretion to provide the required breach notifications following an impermissible use or disclosure without performing a risk assessment to determine the probability that the protected health information has been compromised.
There are three exceptions to the definition of “breach” (HHS, 2018)
- Unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority
- An inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates.
- Covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.
Covered entities and business associates must only provide the required notifications if the breach involved unsecured protected health information. Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance. (HHS,2017)
Following a breach of unsecured protected health information; covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate. Between 2009 and 2017 there have been 2,181 healthcare data breaches involving more than 500 records. Those breaches have resulted in the theft/exposure of 176,709,305 healthcare records. That equates to more than 50% of the population of the United States (54.25%). Healthcare data breaches are now being reported at a rate of more than one per day. Hacking is now the leading cause of healthcare data breaches, although healthcare organizations are now much better at detecting breaches when they do occur (“Healthcare Data Research Statistics”, 2018).
HIPAA Compliance Issues
A HIPAA violation occurs when a HIPAA covered entity or a business associate fails to comply with one or more of the provisions of the HIPAA Privacy, Security, or Breach Notification Rules. Violations may be intentional or unintentional. An example of an unintentional HIPAA violation is when too much PHI is disclosed and the minimum necessary information standard is violated. When PHI is disclosed, it must be limited to the minimum necessary information to achieve the purpose for which it is disclosed. Financial penalties for HIPAA violations can be issued for unintentional HIPAA violations, although the penalties will be at a lower rate to willful violations of HIPAA Rules (HHS, 2018).
An example of a deliberate violation is unnecessarily delaying the issuing of breach notification letters to patients and exceeding the maximum timeframe of 60 days following the discovery of a breach to issue notifications. Many HIPAA violations are the result of negligence, such as the failure to perform an organization-wide risk assessment. Financial penalties for HIPAA violations have frequently been issued for risk assessment failures.
Penalties for HIPAA violations can potentially be issued for all HIPAA violations, although OCR typically resolves most cases through voluntary compliance, issuing technical guidance, or accepting a covered entity or business associate’s plan to address the violations and change policies and procedures to prevent future violations from occurring. Financial penalties for HIPAA violations are reserved for the most serious violations of HIPAA Rules (HHS, 2018).
If the violations are serious, have been allowed to persist for a long time, or if there are multiple areas of noncompliance, financial penalties may be appropriate.
The four categories used for the penalty structure include (HIPAA Journal, 2018):
- Category 1:A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care had been taken to abide by HIPAA Rules
- Category 2:A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care. (but falling short of willful neglect of HIPAA Rules)
- Category 3:A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases the violation where an attempt has been made to correct the violation
- Category 4:A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct
HIPAA compliance is an ongoing process and efforts ensure that safeguards remain effective and staff remains vigilant of their responsibilities with respect to PHI and HIPAA. Regular risk analyses need to be performed to identify new risks to the confidentiality, integrity, and availability of PHI and those risks must be properly managed and reduced to an acceptable level. Documentation should be maintained on compliance efforts as it will need to be inspected by regulators in the event of an audit, if a complaint is made about an organization, or if there is a breach of protected health information.
Ways that an organization can ensure HIPAA compliance include: (Marco, S. 2015)
|Be informed and educated||Hold in-office trainings to teach employees all they need to know about HIPAA privacy and security regulations and to answer any questions they might have.|
|Maintain/protect the possession of mobile devices||The most common HIPAA violation today is mobile devices storing patient health information being lost or stolen. Continually remind employees to be aware of where mobile devices are at all times and to shut them down and lock them up when they’re not using them.|
|Enable firewall and encryptions||It’s essential to enable encryptions, firewalls and secure user authentication on every device. There are technologies that can also remotely lock, or wipe (ie. Reset to factory defaults erasing all apps and data) using apps and software programs.|
|Assure that files are stored correctly||Remind employees who deal with patient files to focus on what they’re doing and double check that they properly store and save files in the right folders and drives.|
|Properly dispose of paper files||PHI when not filed should be shredded immediately so that sensitive information is not left around for others to view.|
|Keep anything with patient information on it away from view||Keep patient folders closed, don’t have appointment calendars openly displayed in patient areas and keep your computer monitors and mobile device screens hidden from patients and visitors.|
|Use social media wisely||Employees and the company remain HIPAA compliant by having a company rule not to post any text or pictures about what goes on in the workplace on social media or even on their personal blog.|
A medical center, involving 3 hospitals settled with the Office of Civil Rights for $999,000 for compromising patient privacy during the filming of an ABC documentary.
All three hospitals reached separate settlements with OCR for inviting ABC film crews to film on site without first obtaining patient authorization. Hospital number 1 was fined $100,000, hospital number 2 settled for $384,000 and hospital number 3 paid $515,000. Each will need to implement staff training as part of individual corrective action plans.
Those plans included developing policies and procedures around photography, video recording and audio recording. The hospitals will also need a process for both evaluating and approving requests from the media to film not otherwise open to the public.
According to the settlement agreements, all three hospitals denied they impermissibly disclosed patient health data and said they did obtain proper consent. Further, the plans stated the agreements are not an admission of liability and “potential violations alleged in the covered conduct do not constitute findings of fact.”
OCR differed in its findings, stating there was no concession the hospitals were not in violation and not liable for monetary fines.
This was a breach because patients in hospitals expect to encounter doctors and nurses when getting treatment, not film crews recording them at their most private and vulnerable moments. Hospitals must get authorization from patients before allowing strangers to have access to patients and their medical information.
HIPAA IT Challenges
Some of the HIPAA Challenges for an organization include:
• Assuring that patient’s receive their own medical records in a timely manner
• Attaining a level of security provided by and maintained by Information technology (IT)
• Balancing education of staff with enforcement
Examples include: (National Association of Independent Review Organizations, 2018)
1. Missing patches for operating systems and applications. Without the latest security updates to both an operating system and application software, the organization is placing itself at unnecessary risk.
2. Failure to monitor and detect sensitive data loss (data exfiltration). This process should be automated. An organization should be the first one to know if they have a breach.
3. Weak passwords. Select strong passwords. For example use lower case and upper case letters, numbers and symbols. Another option uses “multifactor authentication” requirements to log in.
4. Lack of logs and audit trails than can conduct forensics to identify and respond to a breach. Similar to an organization’s failure to monitor a data breach, a lack of “threat intelligence” can doom an organization.
5. Some applications have deficiencies in coding, which can lead to a breach. The instructional IT expert should be expect to double check the security of a given application.
6. Lack of security validation for new systems. Security compliance should validate that systems are configured securely. In addition the electronic health record (EHR) system need to be assessed via a thorough round of vulnerability and penetration testing.
7. Missing or outdated anti-malware technology. For the best outcomes, anti-malware updates should be automatic and centralized and not up to individuals to update their own computers.
8. No encryption of sensitive information in transit. Email and files should be encrypted for greater security.
9. Lack of trained staff to maintain security controls. While many organizations face a budget crunch when it comes to employing full-time IT staff, there are ways to maximize resources, including free training.
10. Outdated disaster recovery plans. A disaster recovery plan should be consistently updated to avoid missteps when a breach does occur.
HIPAA Journal. Health care data breach statistics (2018).
Retrieved from https://www.hipaajournal.com/healthcare-data-breach-statistics/.
HIPAA Journal Health care data breach statistics. (2018).
Retrieved from https://www.hipaajournal.com/become-hipaa-compliant/.
HIPAA One. Seven Ways Employees and Help Prevent HIPAA
Retrieved from Violations. (2015).https://www.hipaaone.com/7-ways-employees-can-help-prevent-hipaa-violations/.
Nairo. Top 10 Challenges for Meeting HIPAA Security Compliance.
Retrieved from fhttps://www.nairo.org/top_10_challenges_for_meeting_hipaa_security_compliance/.
US Department of Health and Human Services. (2018) For Health Care Professionals.
Retrieved from https://www.hhs.gov/hipaa/for-professionals/index.html.