The short answer to “Why was HIPAA created?” would be: the Health Insurance Portability and Accountability Act was created to ensure the security of an individual’s medical records and other personal health information while also making it easy for them to access their own data.
But it’s not that simple.
Why was the Health Insurance Portability and Accountability Act created? …the long version
OK, let’s start with the definition:
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a series of national data security standards that health care organizations must have in place in order to ensure the privacy and security of protected health information (PHI).
What are the basics of HIPAA?
Well, the basics of HIPAA consist of 3 primary rules that keep patients’ health information away from prying eyes:
The Security Rule: specifies the safeguards that covered entities and business associates must implement to protect the confidentiality, integrity, and availability of protected health information. When it comes to electronically stored protected health information (ePHI), this security rule lays down three security safeguards – Administrative, Physical, and Technical – that must be adhered to in full in order to comply with HIPAA. The safeguards have the following goals:
- Administrative – to create policies and procedures that clearly show covered entities and business associates how they need to comply with the Act
- Physical – to control the physical access of data storage devices and areas (server rooms, for example) to protect against unauthorized access
- Technical – to protect health information data packets as they are in transit over open communication networks
The Privacy Rule: sets the national standards that outline when PHI can be used or disclosed without the patients’ authorization; it also outlines patients’ rights over their own personal health information, including their right to access, copy, or edit their records (in case of errors).
The Breach Notification Rule: states that – within 60 days – covered entities must notify any affected patients about a leak or loss of their PHI; they also need to contact the U.S. Department of Health & Human Services (HHS) and might even need to handle press releases to the media and the public in general.
In 2013, the HIPAA Omnibus Rule was added, which resulted in the final versions of the HIPAA Privacy and Security Rules. It also laid out the final rules for enforcement, breach notification, and the Genetic Information Nondiscrimination Act (GINA).
HIPAA enforcement authorities
The Department of Health & Human Services’ Office for Civil Rights is responsible for implementing and enforcing the Privacy and Security Rules.
Since taking on that responsibility in 2003, the Office for Civil Rights’ enforcement actions have consistently driven significant improvements in the PHI handling practices of covered entities, such as health care (and related human services) providers.
Who do the HIPAA privacy and security rules concern?
HIPAA was created to define the protocols of PHI security and privacy rules for:
Covered Entities (CE)
Covered entities are health care providers, health plans, and health care clearinghouses. They are directly involved in the creation, storage, and maintenance of protected health information, which means they are expected to be fully compliant with every provision of the Privacy Rule and Security Rule in the HIPAA regulations.
Examples here could be company health plans, third-party health insurance companies, HMOs, and government programs that pay for health care, like Medicare.
Business Associates (BA)
Business associates are organizations hired by covered entities (or by other business associates) that need to handle PHI in the course of the work they’ve been hired to perform.
Some examples of business associates include IT service providers, cloud data storage service providers, practice management firms, physical storage providers, and similar companies.
While business associates are not required to comply with the HIPAA Privacy Rule in its entirety, they must still comply with the regulatory standards that do apply to them. It is therefore a necessity for covered entities to sign a Business Associate Agreement with them, to ensure that the health information being shared is kept secure and that the business associate abides by every applicable Privacy Rule provision under HIPAA.
What are some HIPAA violations?
A HIPAA Privacy or Security Rule violation may be committed in cases like:
- Health care employees illegally accessing PHI without the right authority or the patients’ consent
- Health care employees disclosing PHI – intentionally or unintentionally – without the specific consent of patients
- Patients’ medical records being mishandled, thus putting the data at risk of snooping, theft, alteration, or destruction
- Releasing PHI to third parties without proper authorization or consent
- PHI storage devices getting lost or stolen resulting in the content possibly ending up in the hands of malicious parties
- Health care employees using their personal devices to access PHI
- Sharing PHI on social media platforms with patients’ information and images ending up where everyone can access them
- Health care employees texting PHI – which could end up with them sending the personal health information to the wrong recipients
- The occurrence of data breaches resulting in illegal access and loss of PHI
- Lack of training on the secure handling of PHI as well as not having, and enforcing, data security policies
How to become HIPAA compliant?
Finally, let’s have a look at what it takes for covered entities and their business associates to become HIPAA compliant. After all, it always helps to be proactive when it comes to staying compliant with PHI handling laws.
And so, here are some steps to take to ensure HIPAA compliance by meeting every Security or Privacy Rule:
- Conducting risk assessments: rolling out audit campaigns and testing scenarios helps identify issues before they turn into incidents
- Training staff on privacy policies: health care providers, as well as their business associates, should ensure their employees know what to do – and not do – when it comes to handling PHI
- Creating and enforcing policies: making sure everyone knows how they are supposed to handle PHI, and enforcing those policies strictly
- Securing PHI data: creating a secure database – and data access system – that is resistant to intrusion, corruption, and human error; in short, covered entities and their business associates need a database system that meets all HIPAA requirements
As a matter of fact, a cloud database solution with a secure front end can be easily created using today’s low-code, cost-effective development platforms. Anyone can create one, and we can show you how. Simply contact us today.