Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act (HIPAA) is legislation that provides data privacy and security provisions in order to safeguard medical information. It was created primarily to modernize and streamline the flow of healthcare information. At its core, HIPAA provides the following:
- Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs;
- Reduces health care fraud and abuse;
- Mandates industry-wide standards for health care information on electronic billing and other processes;
- Requires the protection and confidential handling of protected health information.
The federal law was signed by President Bill Clinton on August 21, 1996 and became part of the Social Security Act. Once HIPAA was signed into law, it was the US Department of Health and Human Services (HHS) that was charged in creating the first HIPAA Privacy and Security Rules.
Since being signed into law there have been major additions to HIPAA over the past 20 years. The introduction of the Privacy Rules, Security Rule and Breach Notification Rule, and the Ominbus Final Rule. HIPAA also includes Title II, also known as the Administrative Simplification Act, which requires the health care industry to become more efficient by encouraging the use of electronic media for transmission of certain patient administrative data. To make the public feel more secure with electronic transmission of data, the government developed privacy and security rules to complement the transaction rules. HIPAA overrides state laws regarding the safety of medical information unless the state law is considered more stringent than HIPAA.
The act was to promote the use of medical savings accounts by introducing tax deductions incentives, provides coverage for employees and pre-existing medical conditions and simplifies the administration of health insurance.
HIPAA contains five sections, or titles:
- Title I: HIPAA Health Insurance Reform. Title I protects health insurance coverage for individuals who lose or change jobs. Additionally, it prohibits group health plans from denying coverage to individuals with specific diseases and preexisting conditions and from lifetime coverage limits.
- Title II: HIPAA Administrative Simplification. Title II directs the U.S. Department of Human Services (HHS) to establish national standards for processing electronic healthcare transactions. It also requires healthcare organizations to implement secure electronic access to health data and to remain in compliance with privacy regulations set by HHS.
- Title III: HIPAA Tax Related Health Provisions. Title III includes tax-related provisions and guidelines for medical care.
- Title IV: Application and Enforcement of Group Health Plan Requirements. Title IV further defines health insurance reform, including provisions for individuals with preexisting conditions and those seeking continued coverage.
- Title V: Revenue Offsets. Title V includes provisions on company-owned life insurance and the treatment of those who lose their U.S. citizenship for income tax purposes.
HIPAA is only applicable to covered entities and their business associates. A HIPAA covered entity is defined as any organization or corporation that directly handles Protected Health Information (PHI) or Personal Health Records (PHR). Covered entities are required to comply with HIPAA and HITECH (Health Information Technology for Economic and Clinical Health) Act which mandates the protection of PHI and PHR. This protected information can be held in any form, including but not limited to, digital, paper or oral.
The Privacy Rule defines the (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual.”
The follow covered entities fall within three categories:
- Healthcare Provider– Healthcare providers include doctors, clinics, psychologists, laboratories, dentists, nursing homes and pharmacists.
- Health Plans– Health plans include health insurance companies, health maintenance organizations (HMOs), company health plans and government healthcare programs, such as Medicare, Medicaid, as well as, military healthcare programs.
- Healthcare Clearinghouse- Healthcare clearinghouses are entities that process nonstandard health information they receive from another entity into a standard format or vice versa. Examples include billing services and community healthcare systems for managing health data.
HIPAA applied to organizations that are considered HIPAA covered entities. It also requires covered entities that work with a HIPAA business associate to produce a contract that imposes specific safeguards on the PHI that the business associates uses or discloses.
The Privacy Rules, effective April 14, 2003, established the first national standard in the United States to protect patients’ personal or PHI. The HHS issued the rule as to limit the use and disclosure of sensitive PHI. It seeks to protect the privacy of patients by requiring doctors to provide patients with an account of each entity to which the doctor discloses PHI for billing and administrative purposes, while still allowing relevant health information to flow through the proper channels. The Privacy Rule also guarantees patients the right to receive their own PHI, upon request, from healthcare providers covered by HIPAA.
PHI should be disclosed and permission should be sought from patient before using their personal information for marketing, fundraising or research. Additionally, patients have the right to withhold information about their healthcare from health insurance providers when their treatment is privately funded.
The Privacy Rule penalties vary depending on the security of the infraction, which is split into four categories:
- Unknowingly violating HIPAA is a $100.00 per violation, with an annual maximum of $25,000.00 for repeat violations.
- Reasonable causes for violating HIPAA is $1,000.00 per violation, with an annual maximum of $100,000.00 for repeat violations.
- Willful neglect of HIPAA, but the violation is corrected within a given time period, is $10,000.00 per violation, with an annual maximum of $250,000.00 for repeat violations.
- Willful neglect of HIPAA, and the violation remains uncorrected, is $50,000.00 per violations, with an annual maximum of $1.5 million for repeat violations.
Covered entities and individuals who intentionally obtain or disclose PHI in violation of the HIPAA Privacy Rule can be fined up to $50,000.00 and receive up to one year in prison. If the HIPAA Privacy Rule is violated under false pretenses, the penalties can be increased to a $100,000.00 fine and up to 10 years in prison.
The Security Standards for the Protection of Electronic Protected Health Information, commonly known as the HIPAA Security Rule, established national standards for securing patient data that is stored or transferred electronically. It comes from the National Institute of Standard and Technology’s (NIST) Cybersecurity Framework. The HIPPA Security Rules aims to balance patient security with the advancement of health technology.
The rule requires the placement of safeguards, both physical and electronic, to ensure the secure passage, maintenance, and reception of PHI. When addressing the risks and vulnerabilities associated with PHI and ePHI, healthcare organizations and covered entities should ask three key risk analysis questions:
- Can the sources of ePHI and PHI within the organization including all PHI created, received, maintained or transmitted be identified?
- What are the external sources of PHI?
- What are the human, natural and environmental threats to information systems that contain ePHI and PHI?
Using the answers to these questions, organizations can decide what measures they need to take to maintain or develop a HIPAA complaint security management.
To directly address the electronically stored PHI (ePHI), the Security Rule specified three security safeguards – administrative, physical, and technical- that must adhere to HIPAA. Examples of the safeguards:
- Administrative-to create policies and procedures designed to clearly show how the entity will comply with the act.
- Physical-to control physical access to areas of data storage to protect against inappropriate access.
- Technical-to protect communication containing PHI when transmitted electronically over open networks.
The Omnibus Final Rule became effective on March 26, 2013 and achieved more than any previous legislation to make covered entities more aware of HIPAA safeguards that they had to adhere to. The HIPAA Omnibus Rule modifies the HIPAA Privacy, Security and Enforcement Rules to implement statutory amendments under the HITECH Act. The Omnibus Rules marked the most extensive changes to the HIPAA Privacy and Security Rules since they were first implemented. Examples of these changes are as following:
- Strengthening the privacy and security protection for individuals’ PHI
- Holds HIPAA Business Associates to the same standards for protecting PHI as covered entities
- When patients pay by cash, they can instruct their provider not to share information about their treatment with their health plan
- New limits on how information is used and disclosed
The failure of many covered entities to fully comply with the HIPAA Privacy and Security Rules resulted in the introduction of the Enforcement Rule in March 2006. The Enforcement Rules gave the Department of Health and Human Services the power to investigate complaints against covered entities for failure to comply with the Privacy Rule and to fine covered entities for avoidable breaches of ePHI due to not following the safeguards laid down by the Security Rule.
The HIPAA Privacy Rule establishes the first national standards in the United States to protect patients’ personal or protected health information (PHI). HHS issued the rule to limit the use of disclosure of sensitive PHI.
In 2009 HIPAA evolved to introduce the Health Information Technology for Economic and Clinical Health Act (HITECH). HITECH had the primary goal of compelling healthcare authorities to implement the use of Electronic Health Records (EHRs) and introduce the Meaningful Use incentive program. By incentivizing healthcare organization to maintain the Protected Health Information of patients in electronic format, rather than in paper files.
Expected HIPAA Changes
January 5, 2021 HR Bill 7898 was singed into law which amended the Health Information Technology for Economic and Clinical Health Act (HITECH Act) to create a safe harbor for health care organizations and business associates that have implemented recognized security best practices prior to experiencing a data breach. The aim of the bill is to encourage an adoption of common security framework throughout the industry.
The update requires the HHS Office for Civil Rights to take security best practices, such as the adoption of a recognized cybersecurity framework, into consideration when deciding on penalties and sanctions related to data breaches. The bill also requires HHS to decrease the extent and length of audits when an entity has achieved industry standard security best practices.
In summary, HIPAA was created to improve efficiency in the healthcare industry, to improve the portability of health insurance, to protect the privacy of patients and health plan members, and to ensure health information is kept secure and patients are notified of breaches of their health data.
Stateside Insurance Services, since 2003, has focused on providing comprehensive health insurance information, responsive customer service and expert industry knowledge for Texas consumers. Stateside has annually been recognized by health insurance carriers and the Health Insurance Marketplace as a Top Producer in Texas.
Whether the health insurance policy is for an individual, family, small business or supplemental Medicare coverage, Stateside dedicates the time, and our deep industry expertise, to ensure our clients have identified the best health insurance plan for their specific needs.
Stateside is available to answer any general questions regarding your coverage options, can provide a subsidy determination, and even assist in creating and submitting online applications for ACA compliant plans during an Open Enrollment or throughout Special Enrollment periods.
Stateside can be contacted either by phone (866) 444-3332 (toll free) or by email at firstname.lastname@example.org. Our Telephone Appointment System can be accessed through:
By using the Telephone Appointment System, clients can take advantage of scheduling a health insurance discussion when convenient fortheir schedule. During Open Enrollment phone appointment availability is expanded to include extended hours and weekends.