This landmark law imposes stringent privacy and security mandates on health care providers—and most of their IT vendors.
HIPAA summary: What is HIPAA?
HIPAA (the Health Insurance Portability and Accountability Act) is a law passed in 1996 that transformed many of the ways in which the healthcare industry operated in the United States. The law had many important and far-reaching effects, but from the perspective of IT pros, its most important provisions are mandates that health care providers keep any personally identifiable medical information private and secure. These mandates have made the modern world of electronic medical records safer for patients, but also impose a number of sometimes onerous regulations on medical providers and their IT partners, with annual compliance costs estimated at $8.3 billion a year.
What are the key components of HIPAA?
HIPAA is broken down into sections, called titles, with Titles I and II being the most important. Title I covers the portability part of the name of the law; it ensures that, in most cases, people moving from one group health insurance plan to another can’t be denied benefits based on pre-existing conditions.
For most people, this health insurance portability has had the biggest impact on their lives. For those in IT or health care administration, however, it’s Title II, which covers the accountability part of the law’s name, that keeps them up at night. Title II mandates that anyone who deals with individuals’ medical data take active steps to keep that data private and secure. The people and organizations who fall under the law’s umbrella—covered entities, in HIPAA-speak —include not just obvious candidates like doctor’s offices and hospitals, but anyone who touches patient information, such as third-party billing services and IT vendors.
Like many wide-ranging U.S. federal laws, HIPAA outlines broad principles to guide government regulations, but leaves the details of those regulations to the relevant agency in the executive branch—the Department of Health and Human Services (HHS), in this case. While the law was passed in 1996, the sets of regulations covering the law’s topics—called rules—were rolled out by HHS over the next few years. Accountable has the details, but here’s a short time timeline. (We’ll be diving more deeply into these rules in subsequent sections of this article.)
In 1998, HHS proposed the Security Rule, which aimed to improve the protection of health-related information that’s shared amongst different health care providers and other entities. This rule was only finalized in 2003 and went into effect in 2005.
In 1999, HHS proposed the Privacy Rule, which specified the standards needed to keep health information private, defined what pieces of protected health information (PHI) were covered by the law, and gave individuals the right to access their own health-related information. This rule was implemented, with some modifications, in 2003.
In 2005, to address instances where covered entities were not complying with the Security and Privacy Rules, HHS proposed the Enforcement Rule, which allowed the department to investigate complaints and issue fines.
In 2009, Congress passed the HITECH Act, with the aim to encourage healthcare providers to make more use of electronic health records (EHRs). Later that year, HHS rolled out the HITECH Enforcement Act Rule to protect these records within the existing HIPAA framework, which dramatically increased the costs of noncompliance.
Also in 2009, HHS issued the Breach Notification Rule, which laid down disclosure notification rules for covered entities whose systems are hacked.
In 2013, the HIPAA Omnibus Rule came into effect, making a number of tweaks to existing rules, the most important of which was the extension of the Privacy and Security Rule provisions to business associates of covered entities. Business associates don’t deal directly with patients but still have access to PHI, and can range from software vendors to transcriptionists, lawyers, and accountants.
By far the most important developments here are the Privacy and Security Rules, since the other rules mostly either enforce or extend those rules. Let’s dive into those two rules in more detail.
The Security Rule: How does HIPAA provide security?
In order to comply with the HIPAA Security Rule, covered entities must maintain “reasonable and appropriate” safeguards to protect PHI. These safeguards must include administrative measures like risk analyses and workforce training, physical safeguards like workplace access controls, and technical implementations like cybersecurity software controls. The overall goals should be to:
- Ensure the confidentiality, integrity, and availability of all PHI handled or transmitted
- Protect against reasonably anticipated threats to the security or integrity of the information
- Protect against reasonably anticipated but impermissible uses or disclosures
- Ensure workplace compliance
The rule does not mandate any specific measures to be taken to implement these goals, and gives covered entities some flexibility to determine how best to go about all this based on their size, environment, and technical means. However, this flexibility also brings with it ambiguity for covered entities as to whether their security plans truly meet HIPAA’s standards. (For more details, check out HHS’s summary of the rule.)
The HIPAA Privacy Rule
The HIPAA Privacy Rule imposes a balancing act on covered entities. On one hand, it recognizes that, in order for the health care system to function, PHI needs to be handed off between various individuals, organizations, and companies. On the other, it mandates that patients have the right for their medical and personally identifying information to remain private.
The Privacy Rule’s solution to this conundrum is the Minimum Necessary Standard. In essence, any individual working for a covered entity should have access to the PHI they need to do their job—but nothing beyond that. Obviously this is easier said than implemented in practice, and again this ambiguity drives anxiety over compliance.
Accountable lists a number of concrete steps that covered entities can take to meet the mandates of the privacy rule, along with the specific information that falls under the umbrella of the law. Most of the steps companies need to take are administrative and range from designating a privacy officer to training employees on Privacy Rule requirements to supplying patients with privacy notices.
One major mandate of the HIPAA Privacy Rule is that patients themselves have the right to access their own medical information. In addition, they can dispute data or request alterations, and proactively request restrictions on sharing of that data. For a more in-depth look, check out HHS’s summary of the rule.
When you hear the phrase HIPAA compliance used in the tech industry, generally that refers to the technical and administrative measures necessary to comply with HIPAA Title II, and the bulk of that work involves meeting the requirements of the Security and Privacy Rules, as outlined above. There are some other more minor requirements as well: all covered entities must have a National Provider Identifier and adhere to the Transaction and Code Set Standards for electronic data interchange.
In practice, the complex and ambiguous nature of the Security and Privacy Rules has spawned a cottage industry of vendors willing to offer compliance help. A wide of variety of software packages promise to help you keep your company in compliance with the law, and if you need more handholding, there’s a thriving consultancy business as well. Often the two are combined, with software vendors customizing solutions to your company’s needs and providing resources like training or verification along with it.
Keep in mind that, due to the extension of HIPAA’s reach to business associates of health care providers, it’s not just doctors and insurance companies that need to be HIPAA compliant. If you’re selling products or services to anyone in the health care industry, you’ll need to be able to assure your customers that your offerings are HIPAA compliant. That’s why everyone from computer programmers to cloud service providers needs to be aware of HIPAA mandates.
Getting staffers up to speed on their HIPAA duties is another requirement that has spawned a whole ecosystem of providers. 3i International has a good outline of what sort of internal training HIPAA requires, and Abyde explains who needs to receive that training. If you’re in the market for a training partner, Threat Stack has a comprehensive list of training resources, while Atlantic.net provides rates its top 10 HIPAA training companies of 2020.
HIPAA violations may come to light in a number of ways. Ideally, they would be caught and rectified by an organization’s internal auditing processes. (Indeed, HIPAA mandates audits and risk assessments for precisely this reason.) But they may often become public in ways more catastrophic for the organization—revealed by an internal whistleblower or customer complaint, for instance, or sniffed out by state or federal regulators. (HHS’s Office for Civil Rights is the main enforcer of HIPAA’s regulations).
HIPAA Journal provides a list of a number of common types of HIPAA violations, with real-world examples, that makes instructive reading. Many of them are quite straightforward—one health system filmed patients without their consent, for instance, and another disclosed a patient’s PHI in a press release. There are also cases like Anthem’s $16 million fine for failure to adequately protect its systems in the wake of a massive hack.
Somewhat more obscure are the “process” violations of HIPAA regulations that come to light only in the aftermath of a data breach, at which point the punishment for breaking HIPAA rules is piled on top of the crisis caused by the breach’s aftermath. For instance, a pair of incidents in 2013—a vacationing doctor’s unencrypted laptop being stolen and a spreadsheet with patient data uploaded to a noncompliant cloud server—exposed the PHI of more than 7,000 patients at Oregon Health and Science University. In a settlement with HHS, OHSU paid $2.7 million in HIPAA fines because they hadn’t implemented an enterprise-wide risk analysis that might have prevented both incidents.
The stakes are very high, which is why you need to make sure you do things correctly. Be prepared!
This post was first shared on CSO Online, HIPAA explained: definition, compliance, and violations, on January 25, 2021.