Modifications to the Privacy, Security, Enforcement and Breach Notification Rules under the Health Insurance Portability and Accountability Act (HIPAA) include changes that will affect how providers and payers protect a patient’s personal health information (PHI). The focus of the new enforcement guidelines has shifted from voluntary to punitive. The rule also makes business associates (BAs) more accountable for breaches of PHI, and this comes with the risk of financial penalties.
The HIPAA Privacy Rule is a set of federal standards created to protect the privacy of patients’ medical records and other health information maintained by covered entities, which include providers, hospitals, healthcare clearinghouses, health plans, the Centers for Medicare & Medicaid Services (CMS), as well as all other governmental health programs, such as the Veterans Health Administration. These standards now provide patients with immediate access to their medical records and with significant control over how their personal health information is used and disclosed.
CMS specifies that the changes provide the public with increased protection, because penalties are increased for noncompliance based on the level of negligence, with a maximum penalty of $1.5 million per violation. Additionally, the changes strengthen the HITECH breach notification requirements and clarify when breaches of unsecured health information must be reported to HHS. These changes broaden who is responsible for the patient’s PHI and extends consequences to more individuals, including small practices, payers and other BAs, such as a practice’s billing services or clearinghouses.
CMS has allowed the new HIPAA rules to expand the rights of all patients. For example, patients can now request a copy of their medical records in electronic form, and if a patient pays by cash, they can instruct the provider not to share any information about their treatment with their health plan provider. The omnibus rule also makes it easier for parents and/or guardians to give permission to share proof of a child’s immunization with a school and gives covered entities and BAs up to one year after the 180-day compliance date to modify contracts to be in compliance.
The Office for Civil Rights has investigated complaints against many different types of entities, including national pharmacy chains, major medical centers, group health plans, hospital chains and small provider offices. Since the compliance date in April 2003 to the present, the compliance issues HHS has investigated most are, compiled cumulatively, in order of frequency:
- Impermissible uses and disclosures of PHI;
- Lack of safeguards of PHI;
- Lack of patient access to their PHI;
- Uses or disclosures of more than the minimum necessary PHI; and
- Lack of administrative safeguards of electronic PHI.
Protected Health Information
The privacy rule protects all “individually identifiable health information” that is stored or transmitted by a covered entity or its BA, in any form, whether electronic, paper or oral. “Individually identifiable health information” is information, including demographic data, that relates to the patient’s past, present or future physical or mental health or condition; all provision of healthcare to a patient; or the past, present or future payment for the provision of healthcare to the patient. This also includes any information that identifies the individual through any of the common identifiers (e.g., name, address, birthdate, Social Security number).
Administrative Requirements
HHS recognizes that there is a wide range of sizes of covered entities, from the smallest provider to the largest, multi-state health plan. As a result, there’s some flexibility and scalability within the rule that allow covered entities to analyze their individual needs and implement solutions appropriate for their environment. What is appropriate for a particular covered entity will depend on the nature of the covered entity’s business, as well as the covered entity’s size and resources.
Privacy Policies & Procedures
It’s important for all covered entities to develop and implement written privacy policies and procedures that are consistent with the privacy rule as designed by HHS.
In-Office Privacy Personnel
All covered entities are required to designate a privacy official responsible for developing and implementing its privacy policies and procedures. There should also be a contact person or contact office responsible for receiving complaints and providing individuals with information on the covered entity’s privacy practices.
Employee Training & Management
All covered entities are required to have training for all of their employees on the privacy policies and procedures, as necessary and appropriate for them to carry out their daily job functions. Covered entities must have appropriate sanctions that must be applied against any employee who violates the organization’s privacy policies and procedures or any part of the privacy rule.
Safeguards for Patient Data
There must be reasonable and appropriate administrative, technical and physical safeguards to prevent intentional or unintentional use or disclosure of PHI. For example, such safeguards might include shredding documents containing PHI before discarding them, securing medical records with lock and key or passcode, and limiting access to keys or passcodes to only those who need to have them.
HIPAA Enforcement and Penalties
Voluntary compliance with all privacy rules and guidelines is required by all covered entities. HHS may impose civil money penalties on a covered entity of $100 per failure to comply with a privacy rule requirement, but the penalty may not exceed $25,000 per year for multiple violations of the identical privacy rule requirement in a calendar year. HHS will also apply criminal penalties if a person knowingly obtains or discloses a patient’s identifiable health information. This violation of HIPAA includes a fine of $50,000 and up to one year of imprisonment. Criminal penalties increase to $100,000 and up to five years of imprisonment if the behavior involves false pretenses, and $250,000 and up to 10 years of imprisonment if the violation involves the intent to sell, transfer or use a patient’s identifiable health information for commercial advantage, personal gain or malicious harm. In cases of wrongful behavior, criminal sanctions will be enforced by the Department of Justice.