5 Caring Hearts - HIPAA Training & Quiz
Please read each question carefully and select the best answer by putting it in the blank space. A passing grade requires correct answers on at least 5 of the 7 questions.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Why was HIPAA Created?

HIPAA was created primarily to modernize the flow of healthcare information, stipulate how Personally Identifiable Information maintained by the healthcare and healthcare insurance industries should be protected from theft and fraud…

Understanding HIPAA:

Following are the eighteen personal identifiers that could allow a person to be identified with health data known as “Protected Health Information” (PHI) – note: when stored or communicated electronically, “PHI” is preceded by an “e” – ePHI.

Names or parts of names
Geographical identifiers
Phone number details
Fax number details
Details of email addresses
Social Security details
Medical record numbers
Health insurance beneficiary numbers
Account details
Certificate or license numbers
Vehicle license plate details
Device identifiers and serial numbers
Website URLs
IP address details
Fingerprints, retinal and voice prints
Complete face or any comparable photographic images
Dates directly related to a person
Any other unique identifying characteristic

The main takeaway for HIPAA compliance is that any company or individual that comes into contact with PHI must enact and enforce appropriate policies, procedures and safeguards to protect data. HIPAA violations occur when there has been a failure to enact and enforce appropriate policies, procedures and safeguards, even when PHI has not been disclosed to or accessed by an unauthorized individual.

Violations of HIPAA often result from the following:

Lack of adequate risk analyses.
Lack of comprehensive employee training.
Inadequate Business Associate Agreements.
Inappropriate disclosures of PHI.
Ignorance of the minimum necessary rule.
Failure to report breaches within the prescribed timeframe.

Some HIPAA violations are accidental offences – for example, leaving a document containing PHI on a desk in clear view of anyone passing by. However, OCR does not consider ignorance an adequate excuse for HIPAA violations… it is likely that a course of “corrective action” will be required.

Who does HIPAA apply to?

Practically all health plans…healthcare providers …are considered to be “HIPAA Covered Entities” (CEs) under the Act. Normally, these are entities that come into contact with PHI on a constant basis.

Five HIPAA Rules Explained:

The rules are as follows:

HIPAA Privacy Rule

The Privacy Rule dictates how, when and under what circumstances PHI can be used and disclosed… It sets limits regarding the use of patient information when no prior authorization has been given by the patient. Additionally, it mandates that patients and their representatives have the right to obtain a copy of their health records and request corrections to errors. CEs have a 30-day deadline to respond to such requests.

HIPAA Security Rule

The Security Rule sets the minimum standards to safeguard ePHI. Anybody within a CE who can access, create, alter or transfer ePHI must follow these standards. Technical safeguards include encryption to NIST standards if the data goes outside the company’s firewall.

Breach Notification Rule

The Department of Health and Human Services must be notified if a data breach has been discovered. This must be within 60 days of the breach’s discovery for incidents involving 500 or more individuals, and within 60 days of the end of the calendar year in which the breach was experienced for breaches of fewer than 500 records. Individuals whose personal information has been compromised must also be informed within 60 days, and if more than five hundred patients are affected in a particular jurisdiction, a media notice must be issued to a prominent news outlet serving that area.

Omnibus Rule

The Omnibus Rule activated HIPAA-related changes that had been part of the HITECH Act.

Enforcement Rule

Should a breach of PHI occur, this rule lays out how any resulting investigations are carried out. Once the level of negligence has been determined, appropriate fines can be issued. For example, if it is determined that the violation was due to ignorance, a fine of up to $50,000 can be levied against the negligent party per violation, with an annual maximum of $25,000 for violations of an identical provision. If the violation was because of willful neglect and was not rectified within 30 days, a fine of $50,000 per offence is possible, up to an annual maximum of $1,500,000 for violations of an identical provision.

Since the Final Omnibus Rule was introduced in 2013, new guidelines have been released on how PHI must be accessed and sent in a medical-related environment. The revised Act allocates patients further rights to know and manage how their health information is used.

HIPAA covered entities must put in place mechanisms to limit the flow of information inside a private network, monitor activity on the network and take steps to stop the unauthorized disclosure of PHI beyond the network’s boundaries. More attention must be invested in conducting risk assessments, and new reporting procedures have been implemented to cover data breaches.

HIPAA Record Retention Requirements

There are no HIPAA record retention requirements as far as medical records are concerned, but medical record retention requirements are covered by state laws. Data retention policies must therefore be developed accordingly. When medical records are retained, they must be kept secure at all times. HIPAA requires appropriate administrative, technical, and physical safeguards to be implemented to ensure the confidentiality, integrity, and availability of ePHI from the date of creation of ePHI to its secure disposal.

While there is not a minimum HIPAA medical record retention period, HIPAA does require covered entities to retain HIPAA-related documents. CFR 164.316(b)(2)(i) states that HIPAA-related documents must be retained for a period of six years from the date that the document was created. For policies, it is six years from when the policy was last in effect.

HIPAA Violation Reporting Requirements

The HIPAA Breach Notification Rule – 45 CFR 164.400-414 – requires notifications to be issued after a breach of unsecured protected health information.

A breach is defined as a use or disclosure of protected health information not permitted by the HIPAA Privacy Rule that compromises the security or privacy of protected health information. Notifications are not required if a HIPAA-covered entity can demonstrate there is a low probability that PHI has been compromised, with that determination made through a risk analysis.

If notifications are required, they must be issued to patients/health plan members “without unnecessary delay” and no later than 60 days after the discovery of a breach. A media notice must also be issued if the breach impacts more than 500 individuals, again within 60 days. The notice should be provided to a prominent media outlet in the state or jurisdiction where the breach victims are located.

The individual and media notices should include a brief description of the security breach, the types of information exposed, a brief description of what is being done by the breached entity to mitigate harm and prevent future breaches, and the steps that can be taken by breach victims to reduce the potential for harm.

The HHS Secretary must also be notified within 60 days of the discovery of a breach if the breach impacts 500 or more individuals, and within 60 days of the end of the calendar year in which the breach was experienced if the breach impacts fewer than 500 individuals.

Most Common HIPAA Violations

Most Common HIPAA Violation Causes:

Professional Hackers
Business Associate Disclosure
Incorrect Administrative Procedures
Unauthorized access to records
Insufficient IT Security Measures
Unauthorized access
Employee Dishonesty
Lost or Stolen Devices
Employee Accidental Disclosure
Improper Disposal

Risk Analysis Failures

One of the most common HIPAA violations discovered by OCR is the failure to perform a comprehensive, organization-wide risk analysis. HIPAA requires covered entities to conduct regular risk analyses to identify vulnerabilities to the confidentiality, integrity, and availability of PHI.

Risk Management Failures

All risks identified during the risk analysis must be subjected to a HIPAA-compliant risk management process and reduced to a reasonable and appropriate level. Risk management is critical to the security of ePHI and PHI and is a fundamental requirement of the HIPAA Security Rule.

Lack of Encryption or Alternative Safeguards

While HIPAA does not demand the use of encryption, encryption is an addressable implementation specification and must be considered. The failure to use encryption or an alternative equivalent safeguard to ensure the confidentiality, integrity, and availability of ePHI has resulted in many healthcare data breaches.

Security Awareness Training Failures

HIPAA requires covered entities to implement a security awareness training program for all members of the workforce, including management. Training should be provided regularly, and the frequency should be determined by means of a risk analysis.

Improper Disposal of PHI

When PHI or ePHI is no longer required it must be disposed of securely in a manner that ensures PHI is “unreadable, indecipherable, and otherwise cannot be reconstructed.” Paper records should be shredded, burnt, pulped, or pulverized, while electronic media should be cleared, purged, degaussed, or destroyed.

Impermissible Disclosures of PHI

An impermissible disclosure of PHI is a disclosure not permitted under the HIPAA Privacy Rule. This includes providing PHI to a third party without first obtaining consent from a patient and ‘disclosures’ when unencrypted portable electronic devices containing ePHI are stolen.

Failure to Adhere to the Minimum Necessary Standard

Covered entities must take steps to limit access to PHI to the minimum necessary information to achieve the intended purpose.

Failure to Provide Patients with Copies of PHI on Request

The Privacy Rule permits patients to access PHI and obtain copies of their protected health information on request. Requests for copies of PHI must be dealt with promptly and copies provided within 30 days of the request being received.

Failure to Issue Breach Notifications Promptly

In the event of a data breach, notifications must be issued to affected individuals to alert them to the exposure of their PHI. Breach notifications must be issued without unreasonable delay and no later than 60 days from the date of discovery of the breach.

HIPAA Implications for Patients

The HIPAA implications for patients are that their healthcare information is treated more sensitively and can be accessed more quickly by their healthcare suppliers. Electronically stored health information is now better secured than paper records ever were, and healthcare groups that have put in place mechanisms to adhere to HIPAA regulations are witnessing greater efficiency. As far as patients are concerned, this results in a higher standard of healthcare.

On the negative side, healthcare groups want to increase the services they can supply, want to enhance the quality of care and improve patient safety through research. Regrettably, research is limited by HIPAA, and restricted access to PHI has the potential to slow the pace at which improvements can be made in healthcare.

Explaining HIPAA to Patients

Healthcare organizations are now required by law to give patients a notice of their privacy practices and get patients to sign to confirm receipt of the document. A good practice to adopt is to put all relevant information in the Notice of Privacy Practices and then give patients a summary of what the policy contains. For instance, explain to the patient:

They may request their medical records whenever they like.
They may request you amend their medical records to correct errors.
They can limit who has access to their personal health information.
They can choose how you communicate with them.
They have the right to complain about the unauthorized disclosure of their PHI and suspected HIPAA violations.

Healthcare Organizations and the Implications of HIPAA

If data privacy and security are not adequately managed, the Office for Civil Rights can issue fines for non-compliance. Avoidable data breaches could see considerable financial penalties applied. Under the penalty structure brought in by the HITECH Act, violations can lead to fines of up to $50,000 per violation, up to a maximum of $1.5 million per year for violations of an identical provision. Lawsuits can also be initiated by state attorneys general, and fines of up to $250,000 per violation category are possible. Covered entities may also be sued by victims of data breaches. CEs and their employees who breach HIPAA for personal gain or under false pretenses can be held criminally liable and have criminal penalties imposed by the Office for Civil Rights, via the Department of Justice, which can include a fine of up to $250,000, restitution, and up to ten years’ imprisonment, with a further two years for aggravated identity theft.

Explaining HIPAA to Staff

In order to adhere to HIPAA, organizations must compile privacy and security policies for their employees and develop a sanctions policy for staff members who do not comply with HIPAA requirements. Although the HIPAA regulations require training to be provided annually, there is so much for employees to take in relating to the security and privacy of personal health information that compliance training sessions are better kept short and frequent. Employees should be prevented from exchanging information about patient healthcare via their mobile devices unless appropriate controls have been implemented. This may mean workers have to download secure communication apps to their personal mobile devices in order to communicate ePHI.

Quiz Questions

HIPAA was created for the following reasons except:
Following are personal identifiers that could allow a person to be identified:
What does the Privacy Rule dictate?
Which of the following is NOT correct?
Which of the following is considered a most common HIPAA violation?
All of the following statements are correct except:
Which of the following statements is true regarding data breaches?