In this post, we will be focusing on the Health Insurance Portability and Accountability Act of 1996 (HIPAA). We will look at what the HIPAA law is, and which employers it applies to. We will also focus on what constitutes a HIPAA violation, what the consequences of a violation are, and what HIPAA compliance solutions covered entities can implement to prevent a breach.
- HIPAA Explained
- What Employers Need to Know
- Filing a HIPAA Requirement Complaint
- Compliance with HIPAA
- HIPAA FAQ
HIPAA is the acronym for the Health Insurance Portability and Accountability Act passed by Congress in 1996. The federal law protects the privacy rights of individuals in the US and establishes a set of standards to protect against the unauthorized disclosure of sensitive and individually identifiable Protected Health Information (PHI). Aside from protecting privacy rights, the act has also helped to modernize the flow of PHI in the U.S. and reduce national healthcare fraud and abuse.
HIPAA guidelines are enforced by the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR). Any company or individual that comes into contact with PHI must implement appropriate policies, procedures and safeguards to protect data and ensure compliance with HIPAA law.
HIPAA regulations do not apply to workplace health records held by an employer that relate to employee benefits such as life insurance, disability, workers compensation, or long-term care insurance.
HIPAA provides federal protection for the following information:
- Diagnosis and treatment information included in medical records by doctors, nurses, and other medical professionals
- Medical test results and other patient information
- Records held by health insurance providers
- Billing information relating to medical treatment
- Prescription information
- Any other individually identifiable health information
Individuals have the right to view all data held by a covered entity and receive notice when personal information is used and shared.
As we mentioned above, only those companies deemed a “covered entity” must comply with HIPAA regulations.
HIPAA covered entities include:
- Healthcare providers that transmit health information, including doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists.
- Health insurance companies and HMOs
- Government healthcare programs
- Healthcare clearinghouses
- Business associates of covered entities that require access to health insurance data, such as contractors, billing companies, lawyers, accountants, IT specialists, and companies that destroy medical records.
Covered entities are governed by the HIPAA Privacy Rule, which sets standards for protecting PHI, and the Security Rule, which specifies safeguards for protecting the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI). Any breach of personal health data must be notified to the U.S. Department of Health & Human Services (HHS).
Most employers are considered “non-covered” entities and they are therefore not subject to HIPAA rules and regulations. Even if an employer provides healthcare coverage to its staff, it is the responsibility of the insurance company to ensure data security and HIPAA compliance.
Examples of organizations that do not have to comply with the HIPAA privacy act include:
- Life insurers
- Most employers, except those requesting access to medical records for workers’ compensation claims, etc.
- Workers compensation carriers
- Most schools and school districts
- Many state agencies like child protective service agencies
- Most law enforcement agencies
- Many municipal offices
Although HIPAA does not apply to non-covered entities, these companies still have a legal obligation to protect the confidentiality of employee health information in their possession under the US Privacy Act of 1974 and the Americans with Disabilities Act (ADA) as well as state-level regulations relating to data protection. The California Consumer Privacy Act, for example, provides individuals with the right to view, access, and opt-out of the processing of their personal data by businesses at any time. And in Massachusetts, the PATCH Act enforces additional measures to protect access to confidential healthcare information.
HIPAA can be a confusing regulation for employers. It’s important to establish whether or not your company is a covered entity so that you can implement the necessary measures to protect your data. Most employers that offer health insurance benefits for medical and/or dental care, for example, fall into the “Health Plans” category, although requirements depend on how PHI is maintained, transmitted and received.
Although the exchange of employee medical information with a company covered by HIPAA, such as an insurer, doesn’t necessarily mean that the regulation must be enforced, the law does apply to any company that receives, processes, handles, or stores employee medical records for the purpose of employee compensation claims or relating to sick leave or health insurance. This is especially relevant during public health emergencies such as the current COVID-19 pandemic.
Human resources managers must, therefore, be familiar with the restrictions and controls imposed by HIPAA to ensure the necessary policies and procedures are put in place to safeguard employee data.
HIPAA does not:
- Stop an employer from requesting a doctor’s note for an absence
- Prohibit an employer from requesting information relating to benefit programs, disability compensation, wellness programs or healthcare coverage
- Prevent an employer from maintaining employment records, providing healthcare service providers and insurers are HIPAA compliant.
Although HIPAA may not apply to your company, it is still important to safeguard employee records and hold periodic training sessions to create a culture of privacy and data security in your organization.
A HIPAA infringement is a failure to comply with any aspect of the standards and provisions of the HIPAA security rule. This can include the unauthorized use and disclosure of an individual’s PHI; failure to implement administrative, technical, and physical safeguards to ensure the confidentiality of electronic PHI; delayed breach notifications; and failure to conduct regular risk analyses. It can also include a failure to provide individuals with access to their PHI or to ensure HIPAA-compliant agreements are made with business associates.
HIPAA infringements are usually discovered in one of three ways:
- Investigations into a data breach conducted by the Office for Civil Rights (OCR) or by the state attorney general.
- Investigations into complaints about covered entities and business associates
- An external HIPAA compliance audit
It is important for covered entities to conduct a regular internal HIPAA audit to detect and correct any potential violations before they are identified by regulators and penalties are issued. The longer an issue exists, the higher the penalty.
HIPAA regulations are enforced by the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR). Many violations are detected by covered entities during routine internal audits or reported internally by employees. Any external complaints reported by healthcare workers, patients, and health plan members are investigated by the OCR.
By law, the OCR can only act if:
- The action took place after the HIPAA date of enactment (April 14, 2003)
- The complaint has been filed against an entity that is required by law to comply with HIPAA regulations (a covered entity)
- It specifically violates HIPAA regulations
- The complaint has been filed within 180 days of the violation being detected
Investigations include conducting compliance reviews and performing education and outreach programs. In the event non-compliance is detected, the OCR will attempt to obtain voluntary compliance, corrective actions, and/or a resolution agreement. Violations can also result in civil and criminal penalties if the complaint is referred to the Department of Justice.
Breach fines and charges for violating HIPAA regulations are handled by the Department of Justice and split into two categories: reasonable cause and willful neglect.
- Fines for “reasonable cause” violations range from $100 to $50,000.
- Penalties for “willful neglect” violations can range from $10,000 to $50,000 and can result in criminal charges.
- Charges for offenses involving fraud can result in a $100,000 fine, with up to 5 years in prison.
- Offenses that include the intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm can result in fines of $250,000 and up to 10 years in prison.
- The maximum penalty for a willful violation that is not corrected within the required time period is set at $1.5 million per year.
In the event you are personally affected by or witness a HIPAA breach, it must be reported to the Office for Civil Rights. Complaints can be filed against covered entities and their business associates.
Anyone can report a health information security breach to the OCR. Complaints must be filed in writing by mail, fax, e-mail, or via the OCR Complaint Portal within 180 days of a violation being observed and must specify the non-compliant action. If a breach is confirmed during the investigation, the covered entity or business associate must voluntarily comply with HIPAA rules, take corrective action, and/or agree to a settlement. If the breach is not resolved, the OCR may impose fines and penalties.
If you are a covered entity or the business associate of a covered entity, you must be aware of and comply with HIPAA standards. You should also introduce a series of best practices to ensure a corporate culture of security, privacy, and protection is created in your organization. It’s a good idea to include a HIPAA compliance checklist in your policies and procedures.
Here are a few examples of common do’s and don’ts:
Do:
- Provide regular training to employees so that they are aware of regulations on PHI use and disclosure and general workplace confidentiality procedures.
- Create a clear set of HIPAA policies and procedures and ensure they are available to all employees.
- Establish a Privacy Officer in your human resources department to process complaints and provide information on data privacy procedures.
- Conduct a regular HIPAA security risk assessment to detect potential violations.
- Conduct regular training sessions to ensure employees are aware of updated HIPAA policies and requirements.
Don’t:
- Disclose passwords or share login credentials.
- Leave portable devices or documents unattended.
- Access patient records out of curiosity.
- Access your own medical records.
- Dispose of PHI in general waste without first shredding or pulverizing it.
- Share ePHI on social media.
To end this post, we have put together a few additional Frequently Asked Questions. If you have any other questions that we haven’t included, please feel free to leave them in the comments section below and we’ll get back to you.
What are Common Examples of HIPAA Infractions?
Examples of common HIPAA violations include the following:
- Failure to perform a risk analysis
- Failure to promptly release information to patients
- Unauthorized access to medical records (insider snooping)
- Missing patient signatures
- Releasing information to an undesignated party
- Distributing unauthorized health information
- Releasing the wrong patient’s information
- Use of unsecured devices for storing private health information.
Famous cases of violations that you may have heard of:
- The University of California Los Angeles Health System was fined $865,000 when the OCR discovered that a physician had accessed the medical records of celebrities and other patients without authorization. The doctor became the first healthcare employee to be jailed for a HIPAA violation and he was sentenced to four months in federal prison.
- Multiple breach reports were filed against the University of Rochester Medical Center after portable devices containing ePHI were confirmed as lost/stolen. The case was settled for $3 million.
- The OCR imposed a $1.6 million penalty on the Texas Health and Human Services Commission (TX HHSC) for multiple violations including a risk analysis failure, an access control failure, an information system activity monitoring failure, and an impermissible disclosure of patient ePHI.
Can you Sue for a HIPAA Violation?
There is no private cause of action in HIPAA, so it is not possible for an individual to sue under the terms of the act. However, you may have a right to sue based on state law if harm has been caused as a direct result of negligence or a violation (although this can be expensive and there is no guarantee of success).
Is Talking About a Patient a HIPAA Breach?
Healthcare providers are permitted to discuss patients with other members of the care team, but talking about specific patients and disclosing their health information to family, friends, and colleagues would be classified as a HIPAA violation. Providers must also “reasonably protect” PHI to limit disclosure, for example by not discussing a patient’s case in a public area.
Written by Cat Symonds