Due to increasing public concern about the safety of individual patient data, and technological change that makes healthcare data easy to access, the U.S. Department of Health and Human Services set out to strengthen the Health Insurance Portability and Accountability Act (HIPAA) of 1996 by adding a HIPAA privacy rule.
Prior to HIPAA, no publicly accepted set of security standards or any kind of general requirements for protecting patient data existed in the U.S. healthcare industry.
As new technologies have evolved, the healthcare industry has begun to move away from paper processes and rely more heavily on the power of electronic information systems to collect and store health information, respond to eligibility questions, and conduct a host of other clinical and administrative functions.
The HIPAA privacy rule was imposed to better regulate the use of Electronic Protected Health Information (e-PHI) by limiting the access to such data, guaranteeing patient rights, defining its electronic use, and proposing procedures for safeguarding such data.
The final compliance date for the HIPAA privacy rule was April 14, 2003. Any healthcare institution that has failed to comply with this rule since that date faces massive fines.
To restore trust in the healthcare system, U.S. officials created six principles within the HIPAA privacy rule that ensure the legitimacy and security of patient data of all Americans.
Let’s check out those principles now!
1. What personal data is protected under HIPAA?
HIPAA defines what kind of patient information healthcare institutions must protect.
The e-PHI you need to be concerned with includes:
- Information put in medical records used by doctors and nurses
- Conversations about patient treatments and other clinical needs
- Personal information stored in your computer system
- Billing information
Make sure you know every channel used to communicate this information so that you can protect it properly.
2. The Span of Enforcement
HIPAA applies to the healthcare industry, but not to every healthcare provider. This section covers which entities fall under HIPAA, how their business associates are affected, and the exceptions.
The covered entities are health plan providers, the majority of regular healthcare providers, and healthcare clearinghouses. Health plans are provided by HMOs, health insurance companies, company health plans, and specific government programs that cover healthcare, such as Medicaid and Medicare.
The healthcare provider group covers every institution that conducts healthcare business electronically, such as electronically billing a health insurer. That includes most doctor practices, clinics, hospitals, psychologists, chiropractors, dentists, nursing homes, and pharmacies. Healthcare clearinghouses are organizations that convert nonstandard e-PHI received from another organization into a standard format.
Business associates are the contractors and subcontractors of a covered entity. They must comply with HIPAA because they are granted access to patient e-PHI in order to provide their services to the covered entity.
The business associates category includes:
- Entities that handle payment transactions to and from your institution
- Companies that assist in the administration of health plans
- Outsourced professionals such as accountants, lawyers, and IT specialists
- Organizations that store or delete medical records
However, many entities that work with e-PHI do not need to comply with HIPAA. Examples of organizations that do not have to follow the Privacy and Security Rules include:
- Life insurers
- Workers' compensation carriers
- The majority of law enforcement agencies
- Numerous state agencies such as child protective service agencies
- The majority of schools and school districts
- Multiple municipal offices
If you fall into the covered entities or business associates group, then continue reading!
3. Consumer Control – Privacy Rule
The HIPAA privacy and security rules introduce clauses that give patients more control over the use of their e-PHI. Every entity covered by this rule must honor all of these consumer rights to operate legally.
Together with financial data, patient data ranks among the most sensitive data and is among the most frequent targets of attackers. HIPAA defines a set of consumer rights that limit the use of e-PHI and improve the data-handling processes of healthcare providers.
The privacy rules your organization needs to comply with are:
- Enabling access to data: The basic HIPAA consumer right is to enable patients to access their data at any time they find suitable. In the end, it is their data we are talking about.
- Provide a copy of e-PHI: After they have been with you for a period of time, patients may decide to switch to a competitor or to a different healthcare provider. In that case they will need their complete patient history so that they can continue certain treatments elsewhere. The copy of their data should be delivered in an easily transmissible format that can be opened by third parties.
- Corrections to patient information: At some point a patient will notice that their data does not look right because of a system error or an employee mistake. Giving them a way to correct the information in your database should be more than welcome.
- Data use notice: Before you start collecting any data, you must inform your patients of every practice and institutional policy you plan to implement that relates to the use of their personal data.
- Wait for consent: You may not process any patient data before the patient gives you permission to do so. Once you have their consent, your purpose for using the data is legitimate and you can use their data even for marketing purposes.
- Create a report of use: For any data sharing, you must provide your patients with a report that outlines every purpose for the sharing and any future plans for the data.
- The right to file a complaint: When a patient has a reasonable suspicion that their data may be misused, they may file a complaint with your institution or, in the worst case, with HHS.
Any misuse or breach of e-PHI carries federal penalties. The fines for violating the HIPAA privacy rule range from $100 per violation, to up to $250,000 for disclosures made in error, to 10 years in prison for malicious use of patient records.
5. Public Responsibility
HIPAA also makes clear how e-PHI may be disclosed in non-business situations. You must follow specific standards if you intend to release patient record data for purposes such as research, public health, fraud and abuse investigations, and quality assessment.
6. Security Rule
Safeguarding personal data matters as much as its use. HIPAA promotes the adoption of procedures, tools, and organizational measures that ensure the highest level of data security possible, and suggests deploying up-to-date technologies that keep malicious attackers far away from the patient database.
In addition, HIPAA advises healthcare institutions to weigh their capabilities, size, and complexity, the cost of security measures, and all potential risks to e-PHI when deciding how to achieve the highest level of security. HIPAA does not prescribe specific tools; it does, however, advise you to continuously review and adjust your security tools and efforts.
To make the whole e-PHI process more efficient, industry leaders started employing customer service helpdesk solutions that collect patient data while complying with the HIPAA law.
This solution is cheaper because you avoid the cost of hiring legal professionals and supervisors to oversee numerous customer reps and guarantee their compliance. You can kill two birds with one stone by choosing this technology rather than spending heavily on the countless billable hours needed to bring your institution up to speed on HIPAA compliance.