The Health Insurance Portability and Accountability Act of 1996 (HIPAA) encompasses five different subject areas (Titles I-V). Perhaps the most important subject area for healthcare compliance purposes is Title II, which is called “HIPAA Administrative Simplification.” HIPAA was passed into law during the early years of the internet, so the purpose of Title II was to establish national standards for electronic health care transactions and to require healthcare actors to safeguard the privacy and security of electronic healthcare data. HIPAA Title II established guidelines on how healthcare actors can use and disclose “personal healthcare information” (PHI), which is any information that can identify a patient, as well as the patient’s healthcare data.
The two operative parts of HIPAA Title II are the Privacy Rule and the Security Rule. The Privacy Rule sets forth 18 specific types of PHI such as a patient’s name, social security number, medical record number, etc. The healthcare actors that are obligated to protect PHI are “covered entities” and “business associates.” Covered entities include healthcare providers, health plans, and healthcare clearinghouses which handle healthcare data. A business associate is any person that works for a covered entity and has access to PHI or otherwise provides services to covered entities involving the disclosure of PHI. Examples of these latter service providers include lawyers, accountants, e-mail services, outside billing services, collection services, and IT services.
The HIPAA Title II Security Rule established national standards to protect electronic PHI in the hands of a covered entity or business associate, requiring them to create safeguards to ensure the confidentiality, integrity, and security of electronic PHI. The nature of these safeguards depends on a variety of specified factors, including the size of the entity, the entity’s technological infrastructure, the likelihood and potential impact of risks to the entity’s PHI, and the costs of potential safeguards. It is important to note, however, that although cost is a factor in this decision, the expense of a particular technological protection system does not relieve a covered entity or business associate of its obligation to implement robust security measures.
HIPAA also includes a Breach Notification Rule which requires covered entities and business associates to report a breach of unsecured PHI to the Department of Health and Human Services; notify patients affected by the breach; and inform the news media. In addition, business associates that experience a breach must notify the covered entities they work for.
A breach is any unauthorized disclosure—unless the covered entity or business associate can show that there is a low probability that the PHI was compromised based on a risk assessment which encompasses the following information: the type of PHI and likelihood that it can identify patients; the nature of the disclosure; the person who made the disclosure; whether PHI was actually obtained or viewed; and the extent to which the risk to PHI has been mitigated.
There are three exceptions where an unauthorized disclosure that would otherwise be considered a breach isn’t deemed a breach. First, there is no breach if the PHI was disclosed in good faith by employees of a covered entity or business associate while acting within their approved scope of work. Second, there is no breach if a person authorized to access PHI discloses PHI to another employee at the same covered entity or business associate who is also authorized to access PHI. Finally, there is no breach if either the covered entity or business associate believed in good faith that the person who wasn’t authorized to obtain or view the PHI wouldn’t be able to remember it.
The penalties for violating HIPAA can be severe, including not only hefty financial penalties but even jail time. Civil penalties (i.e., fines) for HIPAA violations are determined by which “tier” they fall under, with higher tiers and heavier fines reserved for more willful violations. Criminal penalties, including fines and/or imprisonment, are reserved for persons who knowingly obtain or disclose individually identifiable health information in violation of HIPAA, or who transfer or sell such information for financial gain or for the purpose of harming someone.
In short, covered entities such as Skilled Nursing Facilities (SNFs) must take care to comply with HIPAA in order to avoid severe penalties. Part of a covered entity’s HIPAA compliance program must include an annual risk assessment to determine whether the entity’s PHI might be at risk, whether there are any threats, and whether the entity’s current protective measures need to be improved. In addition, SNF staff must be trained in HIPAA compliance because, even if a facility has robust HIPAA compliance policies and procedures in place, they are meaningless unless the staff implements them.
Clearpol’s Policies.ai software is designed to facilitate compliance with HIPAA and other healthcare rules and regulations relevant to healthcare facilities. Our software not only enables users to be informed about healthcare laws, but also helps healthcare facilities create internal policies that will ensure thorough healthcare compliance.