HIPAA – Purposes and Compliances

Share on facebook
Share on telegram
Share on twitter
Share on linkedin
HIPAA Purposes and Compliances 1
15 mins read

Table of Contents

What is HIPAA

Since the internet became prevalent and ubiquitous, the world has made significant movements towards the digitalization of all types of data to create faster and more convenient use of them. Moreover, in many spheres, it might ease the task of transferring data among different organizations and institutions. Thus, it has become inevitable to create legislation that will minimize the leak of information, violations of privacy, fraudulent activities, etc. One of such practices is known as HIPAA. It has made tremendous developments ensuring personal information to be under protection. So, what is HIPAA?

HIPAA is aimed to expand the use of medical data in digital versions, simultaneously protecting it. HIPAA (Health Insurance Portability and Accountability Act) was signed by Bill Clinton in 1996. This legislation aims to combine healthcare and insurance within digitalization. But not everything is so positive about this as this legislation has entailed some risks as well.  

With modernization and digitalization, much has paved the way for several scams of different forms. Thus, the protection of personal data has become a must. Consequently, both the insurance and healthcare industries have come up with policies that ensure protection from theft, fraudulence, deceit, etc. So, it’s not just about turning medical data to be digitally accessible, but it’s also about protecting this data. 

Protection has always been a spotlight, and HIPAA does its best in addressing such an issue. Even though this legislation was enacted more than two decades ago, it’s so relevant and critical nowadays. Given how often medical data breaches take place, such events need prevention even though it seems a bit hard.

Stemming from it, one of such law requirements is that any personnel working with patients should be aware of the patient’s sensitive information and, thus, better protect these data so that no breach could happen. To make this possible, healthcare, businesses, and insurance industries need to work with such data to follow HIPAA rules.

HIPAA Medicine doctor working with computer interface as medical

What is the purpose of HIPAA?

Being one of the legislative acts that mainly affect healthcare, it has undergone several changes throughout history, thus becoming one of the most important legislation that attempts to control the patients’ information. At the very beginning, it was aimed to ensure health insurance for medical staff. After some amendments, it also prioritized privacy and patient data-related issues.

But it wasn’t all about insurance and privacy legislation, but also another purpose of HIPAA was to make the job of medical staff be hassle-free and more efficient. For example, an introduction of code sets made the job easier and more convenient in terms of transfer of data, checks for eligibility, billing, and other operations.

The security part of HIPAA is known for 3 main purposes. The first one is to make sure that electron data regarding the patient is protected. Secondly, it’s important to ensure that such data is protected at a maximum level. Moreover, there should be a maintenance of the PHI auditable trail.

It should be clear that any information that is specific to the patient should be considered private and in no way, it should be shared with any entities without granted permission. Thus, HIPAA doesn’t only make this obligatory but it also improves the standards of healthcare. 

So, for now, HIPAA is more related to legislation focusing on ensuring the security of data. To make it clearer, it’s important to look at 3 types of laws introduced to HIPAA. Since it’s a set of legislative acts, with the purposes mentioned above, it’s important to look at some of them separately.

Privacy Rule

This one was signed in 2000. Its main purpose is to clarify how and with whom any kind of information can be shared. It clarifies that HPI should be accessible only to the authorized personnel. It states that any information that is accessed without permission should entail fines. Simply put, patients are granted more freedom to control their information.

Security Rule

After 3 years following the Privacy Rule, another important legislation known as the Security Rule was signed. The difference from the previous one is that the latter one is about requiring organizations to employ 3 types of safeguards. They are administrative, technical, and physical. If to consider these 3 ones, it can be concluded that legislation requires safe, integral, confidential, and responsible use of electronic health data, e-PHI.

Breach Notification Rule

Another rule prioritizing patient’s data is the Breach Notification Rule signed in 2009. As the name suggests, this law requires any organizations, covered entities, or business associates to notify patients and the media in case of a serious data breach. It’s only covered entities who are responsible for informing about the breach. The same rule applies to business associates as well.

4 objectives of HIPAA

Definitely, when considering HIPAA, there’s a lot of speculation on how data should be used, shared, transferred, etc. It’s known that medical staff isn’t so happy about this legislation seeing it restrictive in many senses. So, there are 4 objectives stated in the following 5 titles:

  • ensuring health insurance
  • decrease fraud and abuse in healthcare
  • setting standards for efficiency of PHI
  • assurances of privacy and security

Also, when considering the legislative acts, it’s essential to note that the first title is ’s about ensuring the insurance can be accessed, transferred, and remade. Here it identifies the main legislation regarding how coverage and renewal of insurance can be ensured. One of the main advantages of this title is discrimination elimination.

The second title of this legislation is having measures against fraud in healthcare and avoiding the abuse in any means. Those rules described above are part of the second title in the legislation of HIPAA. Moreover, there’s one more interesting rule added, which is known as Omnibus Rules, to be discussed later.

The third Title is more concerned about tax-related issues. It has specifications and stipulations regarding medical savings accounts.  Moreover, it has some new regulations on insurance as well. The fourth one deals with enforcing and applying group health plan requirements. And the last one deals with offset provisions.

But as it’s clear, the main part of HIPAA that is more evident and required these days is the second title that attempts to prevent leak and breach of any patient’s data. This is important because it doesn’t deal with the information he or she doesn’t need to know. For example, a physician dealing with the patient should not disclose his social number, or a technician helping to maintain electronic data storage should not access the patients’ information and their conditions. All of these are considered to be sensitive and private information and lead to the concept of the minimum necessary information to be used.

 “Minimum Necessary” standard applies to HIPAA

HIPAA Minimum Necessary standard is one of the most critical provisions to understand in-depth. This affects medical personnel working with patients each day. There are some important aspects to keep in mind, but before delving into where the HIPAA “minimum necessary” standard applies, it’s better to understand what it is.

It’s a provision demanding covered entities and business associates limit the ways of how PHI is used and ensure that no extra and unneeded information will be disclosed. In other words, it is about ensuring that patient information is to be used where it’s needed and not used where it’s not required. So, when such information is used, transferred, or revealed, only those authorized ones should be dealing with this information so that there’s no data breach, fraud, or abuse.

To exemplify, if the information is disclosed to the business associate responsible for performing any particular service for any covered entity, this means there should be PHI of that patient should be accessible. So, it’s critical that the covered entity has made all attempts to make sure that accessible information is specifically reasonable and relevant. Put it simply, if A requests information from B about the P, patient, the information should disclose all historical evidence about P, but only the part that is required for the service to be completed.

Any extra information disclosed can lead to problems and can be treated as a violation. It’s clear that any physician may request all the historical data about a particular patient, he or she is treating at the moment of access. But that should be limited to that patient only. The other sensitive aspect here is that this physician will access the patient’s social security number. So, from this moment of access, this information should not be unveiled or shared with anyone.

But all that isn’t so simple as it may seem at first. Thus, it’s important to understand where the HIPAA Minimum Necessary standard applies. Actually, this applies to any use or revealing of permitted information. So, according to the rule, such permitted information includes employing, requesting, disclosing, and transferring data like images, copies of PHI, medical charts, etc. Moreover, this standard applies to accessing PHI or ePHI with the purpose of transferring the data to other business associates or covered entities.

However, to understand how this works, it is not a bad idea to look where this standard doesn’t apply. Actually, according to HIPAA, there are 6 exceptions to the standard of Minimum Necessary.

  • when a request to access PHI is made by the healthcare providers with the intention to provide treatment
  • when patients ask for copies of their own medical history and records
  • when there is a valid authorization for the use of PHI
  • when requests are made in accordance with Administrative Simplifications Rules
  • when a request is made by the Department of Health and Human Services according to some HIPAA stipulations
  • when requests are reasoned with other law regulations.

But another important aspect is how covered entities do their best in protecting the patient data when there’s a need to share patient data for getting services. There’s a need for a reasonable justification to be made by covered entities. Here comes the need for so-called Reasonable Reliance, where someone can judge how any part of the information to be shared, used, or disclosed. So, under particular circumstances, much depends on the covered entity. But under which circumstances?

  • when there is a request made by a public official in accordance with Privacy Rule.
  • when a request is made by another entity
  • when a request is made by a physician or business associate
  • when a request is done by a researcher only if he or she can provide documentation from IRB (Institutional Review Board)

So, when the above-mentioned cases happen, it’s only the covered entity who is responsible to judge if the information to be accessed is the minimum necessary one.  To make Minimal Necessary standard more efficient, there are some critical tips to follow:

  • allocating and locating the PHI, and making sure what kind of PHI is included in ePHI. It’s important to have a crystal-clear ePHI so that the covered entity can classify different types of information
  • classification of information about the patient so that the covered entity can assign the access permission based on different levels of authorizations. This can restrict access to such details as a social number, health insurance details, and so on. For example, not all medical staff treating the patient needs to access all the historical data of the patient.
  • it’s important to inform and train medical staff members about what type of data they’re allowed to use and share. Moreover, it’s important that all medical staff should know what to expect once they violate privacy rules and obligations. So, to have some sanction policy would be great in order to avoid violations of HIPAA standards.
  • It’s important to set some alerts in case of unauthorized access to ePHI. This will ensure better options for safety and data protection. With this, it would be easy to monitor who accesses information without permission or authority. Or it can show that PHI has been accessed without any reasonable purpose.
  • Another important tip is to constantly have audits of logs and granted permissions. With this, it is easy to spot who has accessed PHI and why it has been accessed. It’s important not to forget that accessing more information than needed can also be considered a violation of privacy rules.

Some examples of violations

One of the violations of Minimal Necessary standards in accordance with HIPAA rules is when someone tells about the patient’s condition when it’s not necessary to do so. It’s regarded as verbal disclosure. One such interesting case happened in one of the hospitals. A nurse informing her patient about the coming medical procedure, the nurse warned doctors performing this procedure about the patient’s Hepatitis C. But it’s not only physicians who heard about this condition, but all around the doctors became aware of that.

So, what can be bad about informing about potential danger related to the patient’s condition? The nurse warned doctors to wear gloves, which actually is a standard for those performing medical procedures. So, there was no need for that. Thus, providing more than enough resulted in the resignation of this nurse. Stemming from this example, there’s great importance that should be considered and taken seriously as to what kind of information should be told and shared. As in the case above, the deed of the nurse didn’t entail any evil purpose, but she violated the standard of the minimum information to be used or shared.

But do violations happen quite often? Definitely, as the world has made it harder to keep everything in secret. There are many cases of such violations where patient data was somehow shared within various social platforms. A great example of such a case is when Elite, a dental institution, shared information about their patient on Yelp, a kind business, and social platforms. This led to an investigation that resulted in fining Elite with $50K.

It’s quite sensitive to be careful with what people share while working with patients. One simple share of a photo of a neonatal baby can lead to investigation and fine. Another great example of how social media where such violations occur is the case with a staff of Glenview nursing home. Two nurses shared the video on social media where they taunted an old patient with dementia. This led to the loss of jobs. 

HIPAA compliance checklist 2020 for software

With the latest updates regarding HIPAA security rules and privacy rules, there is a compliance checklist regarding how software should function in accordance with standards intended to protect the personal and health information of any patient.

1. Authorization: if the software is compliant with HIPAA regulations, it should employ at least two-factor authorization from the below list:

  • use of unique data like PIN or password
  • additional data like security code
  • use of biometrical info that can’t be copied
  • location-specific authorization

2. Security plan: any measure taken to protect a patient’s data. It can include the following:

  • list of measure to assure the safety of data
  • identification for each medical staff member with the option of accessing PHI
  • Solutions to probable problems that may occur in the future

This plan is also known as a remediation plan that is one of the main required components in the HIPAA compliance checklist.

3.Emergency plan: it’s a plan to be implemented in case some kind of attack takes place. This ensures the safety of the data during emergencies. This may include the following:

  • having the list of all members with their allocated roles and responsibilities along with their contact details.
  • details regarding the organization’s digital healthcare system
  • detailed plan on how to proceed in case of emergency
  • plan for recovery

Such a plan is important not only when it comes to compliant aspects, but it’s important that any organization should be ready for possible risks. Threat assessment and a detailed plan to overcome the emergency are quite critical.

4. Monitoring of authorized uses 

It’s important that software based on an automated system identifies and checks access attempts. Thus, constant monitoring is a must component. This includes several aspects:

  • audit controls and logs which identify suspicious attempts to access protected information
  • log-offs based on automated system ensuring logouts of every staff member upon completion of their shifts
  • monitoring of accesses during an emergency that allows accessing the profile of any user without their presence

5. Backup plan: it’s about having a duplicate of PHI that should be stored separately. There are some aspects to look into:

  • patient’s information should have at least 3 copies stored in a safe place. Thus, there is a need for extra 2 storages.
  • there’s a need to use 256-bit AES protocol protection along with two-factor authentication. This protocol should be employed when transferring data to other servers or cloud storage.  

It’s clear that the HIPAA compliance checklist is to ensure the maximum levels of security when using electronic PHI.

About Cloud storage

Another important aspect is regarding the compliance in cloud storage given the covered entities’ interest in the storage of data. It’s not surprising that with a huge amount of data, it’s critical to get the storage where all information would be safe but conveniently accessible. Here comes the HIPAA Omnibus Rule that ensures the protection of patient’s data irrespective of storage.

Although the storage isn’t something required and comes as an ideal solution to keep the data in the cloud storage, it’s important that any kind of entity planning to benefit from such service should do their own research to reach conclusions if they’re in need of cloud storage. Still, why is there a need for such storage means?

With cloud storage, it makes it accessible from various places. Moreover, it has an outsourcing option. For CEs, there are 3 storage variants. One is Software as a service, it has word processing along with email options. The other one is Platform as a service. This is good for remote access. The last one is Infrastructure as a service, with a focus on maintenance, hardware, and networking.  

Conclusion

When it was first introduced, HIPAA intended to help and develop the healthcare industry. With some time, it introduced some new standards improving and focusing on more privacy and data protection. Now, HIPAA consists of several legal acts that are incorporated in one legislation, and it’s more known to be a regulation protecting data from being shared, posted, stolen, etc.

Click to rate this post!
[Total: 3 Average: 5]
Share on facebook
Share on telegram
Share on twitter
Share on linkedin
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.