What is HIPAA? HIPAA is an acronym for the Health Insurance Portability and Accountability Act. Among other measures, the Act led to the establishment of federal standards for safeguarding patients´ “Protected Health Information” (PHI) and ensuring the confidentiality, integrity, and availability of PHI created, maintained, processed, transmitted, or received electronically (ePHI).
When the Health Insurance Portability and Accountability Act was passed by Congress in 1996, the establishment of federal standards for safeguarding PHI was not one of the primary objectives. Indeed, the long title of the Act doesn´t even mention patient privacy or data security:
“An Act to amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.”
So how did HIPAA evolve from being a vehicle for improving the portability and continuity of health insurance coverage to being one of the most comprehensive and detailed federal privacy laws? The answer can be found deep in the Administrative Simplification provisions of HIPAA Title II.
What is HIPAA Title II?
HIPAA consisted of five Titles addressing the primary objectives of the Act:
- Title I: Health care access, portability, and renewability.
- Title II: Preventing health care fraud and abuse; administration simplification; medical liability reform.
- Title III: Tax-related health provisions governing medical savings accounts.
- Title IV: Application and enforcement of group health plan requirements.
- Title V: Revenue offsets governing tax deductions for employers.
Most of HIPAA Title II concerns measures to control health plan fraud and abuse (rather than health care fraud and abuse), the allocation of funds to pay for the measures, and sanctions against individuals or organizations that defraud or abuse a health plan or program. The provisions related to administrative simplification are discussed below, while the provisions for medical liability reform (of which there are few) only relate to whistle blower protection for reporting fraud and abuse.
With regards to the Administrative Simplification provisions, the preamble states their purpose is to improve the Medicare and Medicaid programs, and the efficiency of the health care system via a “the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information”. The responsibility for accomplishing this purpose is delegated to the Secretary for Health & Human Services (HHS).
The preamble could give the impression that the Administrative Simplification provisions of HIPAA Title II will improve accessibility to and affordability of the Medicare and Medicaid programs, or that the development of a health information system would streamline the provision of healthcare between providers. However, when you read the Administrative Simplification provisions, their primary purpose is to reduce the administrative costs of providing and paying for health care.
The Administrative Simplification provisions were important in the context of improving the portability and continuity of health insurance coverage because it was necessary to improve portability and continuity without increasing administration costs. Any increase in administration costs would have been passed on by covered health plans as increased costs to healthcare providers and as increased premiums for insurance coverage – something Congress was keen to avoid.
The final Administrative Simplification provision is possibly the most important of all – requiring the Secretary for Health & Human Services to develop “recommendations on standards with respect to the privacy of individually identifiable health information”. If Congress did not enact federal privacy legislation within three years, the Secretary was to issue the recommendations as a Final Rule. Ultimately this short passage of HIPAA Title II was to become the HIPAA Privacy Rule.
The Regulatory Landscape when HIPAA was Passed
So far, we´ve answered the question what is HIPAA by providing an overview of the Act, identifying where the provisions were within the Act that triggered the Privacy and Security Rules, and specifying who was delegated responsibility for developing the Rules. To best explain what happened next, it is important to understand the regulatory landscape at the time and the patchwork of legislation that influenced the development of the Privacy and Security Rules.
Prior to the passage of HIPAA, only ten states granted individuals privacy rights in their constitutions, although the privacy of individuals with specific conditions was required by federal law. For example, the Veterans Omnibus Health Care Act 1976 protects the privacy of medical records held by the Dept of Veterans Affairs relating to drug abuse, alcohol abuse, and AIDS. In addition, consumers of federal programs such as Medicare and Medicaid also have privacy rights under the Privacy Act 1974 – but only for records maintained by the Centers for Medicare & Medicaid Services (CMS).
The patchwork of legislation often failed to prevent unauthorized disclosures of personal health or payment information. Furthermore, unless a patient´s data was protected by an existing state or federal law, data could be freely exchanged between (for example) health plans and finance agencies – which could affect the patient´s ability to apply for a home mortgage. Similarly, a health plan could find out about a patient´s condition or treatment through non-regulated channels and increase the patient´s premiums or deductible – even if the patient had paid for treatment privately.
In addition to accommodating existing state and federals laws, the Secretary of Health & Human Services was given guidelines to work within. In respect of reducing the administrative costs of providing and paying for health care, HHS had to develop standards for the electronic exchange, privacy, and security of health information in financial and administrative transactions, while the recommendations on standards with respect to the privacy of individually identifiable health information had to cover:
- The rights that an individual who is a subject of individually identifiable health information should have.
- The procedures that should be established for the exercise of such rights.
- The uses and disclosures of such information that should be authorized or required.
Because the standards relating to the privacy of individually identifiable information were subject to a three year delay, the Notice of Proposed Rulemaking for the Security Rule was the first to be issued in 1998. The Notice of Proposed Rulemaking for the Privacy Rule was issued in 1999; but due to several years of revisions due to stakeholder comments, public hearings, and other issues, the Privacy Rule was not published until 2002, and the Security Rule until the following year.
Rules Extend Privacy Rights & Data Security Nationwide
The Privacy and Security Rules introduced minimum privacy, technical, physical, and administrative requirements that apply to all “Covered Entities” nationwide, unless state laws, alternative federal legislation, or professional regulations have more stringent requirements. HIPAA preempts all other federal, state, and professional regulations. The safeguards also apply to Business Associates who provide services for Covered Entities, and contractors who provide services for Business Associates.
An Enforcement Rule was introduced in 2006 to tackle noncompliance with HIPAA; and, in 2009, the HHS´ Office for Civil Rights issued its first financial penalty for a violation of HIPAA – CVS Pharmacy Inc. being ordered to pay $2.25 million for the improper disposal of patient health records. Multiple penalties have since been issued – not only by the Office for Civil Rights, but also by State Attorney Generals. The DoJ has also pursued several successful criminal convictions for violations of HIPAA.
Further Rules have reinforced the importance of HIPAA compliance. The Breach Notification Rule in 2009 made it a requirement for Covered Entities and Business Associates to report data breaches to individuals, the Office for Civil Rights, and – in some cases – the media. The Rule also shifted the burden of proof. Previously, OCR would have to establish a breach had occurred. Now, organizations have to prove an unauthorized disclosure of unsecured PHI does not constitute a breach.
In 2013, the Omnibus Final Rule enacted provisions of the HITECH Act which made changes to the Security Rule to improve data security and further restrict access to ePHI. The Omnibus Final Rule also enhanced HHS´ powers to enforce HIPAA, updated the Breach Notification Rule, and made Business Associates directly liable for data breaches and HIPAA violations. Changes to the Privacy Rule are currently under consideration that may affect the answer to what is HIPAA in the future.
What is HIPAA? FAQs
Which organizations does HIPAA apply to?
HIPAA applies to all Covered Entities, Business Associates, and contractors providing a service to a Business Associate. Covered Entities are defined as health plans, health care clearinghouses, and healthcare providers who electronically transmit health information in connection with transactions for which HHS has adopted standards. Teaching institutions can also qualify as “Hybrid Entities” if they provide medical services to both students and non-students.
Business Associates are persons or organizations who perform a service for a Covered Entity that involves the use or disclosure of PHI. Services can include legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, financial services, data analysis, claims processing or administration. A Covered Entity can be a Business Associate of another Covered Entity, but a member of a Covered Entity´s workforce is not a Business Associate.
Why might a teaching institution qualify as a hybrid entity?
One of the most quoted examples of a federal law pre-empting HIPAA is FERPA – the Family Education Rights and Privacy Act. FERPA protects the privacy of student education records, and – under FERPA – any medical treatment received by a student is recorded on their educational record. Consequently, if only students receive medical treatment in a teaching institution, the institution is not a Covered Entity under HIPAA. However, if a teaching institution provides medical services for non-students, the medical records of non-students are protected by HIPAA, while the medical records of students remain protected by FERPA.
What states have more stringent data protection laws than HIPAA?
Most states have a selection of data protection laws; and although some may have more stringent individual standards than HIPAA (i.e., some states require data retention beyond six years), none replace HIPAA in its entirety. However, it is important not only to know which laws apply in the state where your organization is located, but also in any jurisdictions in which your organization creates, maintains, processes, transmits, or receives PHI.
This is because in some states (i.e., Texas), data protection laws apply to any organization that creates, maintains, processes, transmits, or receives healthcare information relating to a citizen of that state – even if the citizen was not physically present in the state when the activity occurred. Furthermore, some data protection laws do not distinguish between Covered Entities and Business Associates. Any organization that engages in a covered activity is a Covered Entity.
What privacy rights exist under the Privacy Act 1974?
The Privacy Act 1974 restricts how federal agencies collect, maintain, use, and disclose personally identifiable information. The basic policy objectives of the Privacy Act are:
- To restrict disclosure of personal identifiable records maintained by agencies.
- To grant individuals increased rights of access to agency records maintain on themselves.
- To grant individuals the right to seek amendment of agency records when the records are not accurate, relevant, timely, or complete.
- To establish a code of fair information practices that requires agencies to comply with the statutory norms for collection, maintenance, and dissemination of records.
The basic policy objectives of the Privacy Act mirror several HIPAA Privacy Rule standards relating to patients´ rights and technical, physical, and administrative safeguards of the HIPAA Security Rule. However, while most federal agencies have to comply with the Privacy Rule at all times, agencies who collect, maintain, use, or disclose PHI have to comply with HIPAA at all times – unless a Privacy Act implementation specification provides better privacy rights or data protection than HIPAA.
When might professional regulations preempt HIPAA?
The best example of when professional regulations preempt HIPAA is the military. Under the Military Command Exception, healthcare professionals can disclose the PHI of Armed Forces personnel to command authorities for activities such as fitness for duty determinations, fitness to perform a particular assignment, or other activities necessary for a military mission. Mental health disclosures are also permitted when there is a serious risk of harm to self, others, or a mission.
This post, What is HIPAA?, was shared by HIPAA Journal on February 23, 2022.