HIPAA Updates And Implications In 2022
In 1996, the US Congress passed an act intended to ensure the quality of healthcare and protect patient privacy. This act was known as HIPAA, the Health Insurance Portability and Accountability Act, and it provided guidelines for several aspects of the healthcare industry regarding the use and disclosure of Public Health Information, or PHI.
However, the rules provided in HIPAA slowly became outdated as the infrastructure of healthcare facilities changed. One example is the outsourcing of payment processing and record-keeping to Electronic Health Record (EHR) vendors; another is the inclusion of clearinghouses that act as mediators between healthcare providers and insurance companies. With several parties having access to health records, it becomes hard to maintain the security and privacy of both future and existing patients. Changes and amendments have therefore been made to HIPAA whenever a new kind of player was introduced into the healthcare supply chain.
Today, we will be discussing in detail the recent changes made to HIPAA, some new acts introduced that affect how HIPAA is implemented, and what HIPAA is in itself.
The Privacy Rule
The Health Insurance Portability and Accountability Act, or HIPAA, is a legislative act that is divided into three main sections or “rules”. The first is the Privacy Rule. It specifies the entities that are covered by HIPAA, including organizations and individuals, as well as what actions these entities can take when it comes to the use and disclosure of Public Health Information.
The Privacy Rule specifies the following entities as “covered entities”:
- Insurance Companies
- Clearing Houses (middlemen between hospitals and insurance companies)
- Business associates that handle outsourced clerical work
These covered entities are obligated to protect the privacy of information while preventing any lapse in the quality of healthcare due to a lack of medical information. This is a line that all covered entities must walk carefully to ensure that they do not face heavy penalties, financial or otherwise.
The Privacy Rule also specifies scenarios during which information can be used, with or without the consent of a patient, for situations outlined in HIPAA. Generally, the main reasons for using a patient’s medical information are either treatment or billing through insurance companies. However, there are also certain scenarios that can be a viable reason to access the information without consent.
Such scenarios include:
- Required under law
- Public health studies
- Police investigations
- Judicial proceedings
- Identifying deceased personnel
- To prevent death/injury
- Worker’s Compensation
- Organ donation
- To complete government functions
However, it is common to review such requests under judicial supervision rather than letting the covered entities make these decisions on their own.
The Privacy Rule is not aimed at limiting access to medical information for these covered entities; rather, it is there to ensure the proper flow of information for healthcare purposes while making sure that there is no illegitimate use of PHI, or Public Health Information. With the introduction of new methods for the electronic transmission of information between hospitals, amendments have been made to HIPAA that outline specific security and compliance requirements in a section known as “the Security Rule”.
The Security Rule
The Security Rule is the section of the Health Insurance Portability and Accountability Act (HIPAA) that dictates the safeguards a covered entity must put in place for the protection of e-PHI, or electronic Public Health Information, in terms of physical security, administrative guidelines, and technical security.
All covered entities must comply with these guidelines; otherwise they will be subject to litigation, financial penalties, and non-monetary penalties such as the revoking of their licenses to practice in the healthcare industry. The government has also placed different regulations on entities depending on the size of their organization. To provide even more flexibility, so that healthcare facilities are not forced to shut down, some regulations can be exempted while others are mandatory.
Additionally, covered entities including hospitals, insurance providers, clearinghouses, and administrative companies are all required to perform risk assessments in their respective offices to identify and rectify any problems in their physical, electronic, and administrative defenses. This includes protection against both internal and external threats.
The administrative guidelines in the Security Rule of HIPAA inform entities about the managerial policies they must put in place for the protection of e-PHI. This section mainly states the policies related to hiring and to employee access as they pertain to the safety and privacy of electronic health information. One large aspect of administrative protection that is emphasized in HIPAA is the proper training of employees to handle sensitive data responsibly. Aside from training, the administrative guidelines also dictate which employees are allowed access to the sensitive information and which are not.
The Security Rule also has guidelines for entities regarding the physical protection of their medical records, including security personnel and procedures for creating safe spaces in which to physically store machines that hold sensitive information, as well as limiting unauthorized physical access to such machines for all employees and outsiders. A portion of these requirements can be met by providing electronic security systems, while the remainder requires physical barriers to be put in place.
As all the records protected under the Security Rule are electronic, the technical protections that must be put in place are created with access control and data requirements in mind. One such protection is the issuing of a unique electronic ID for every employee who is allowed access to sensitive health information.
To protect against misuse by employees who have been granted access to certain sets of data, a method of recording and reviewing access records is also recommended in the technical protections under the Security Rule. Of course, there are also several other aspects of technical protection, such as automatic logouts and end-to-end encryption of e-PHI.
The Breach Notification Rule
Despite all the layers of protection the United States government has placed on the privacy and safety of Public Health Data, it is impossible to say that there will be no breaches whatsoever of data privacy and security. In the event that a hospital, insurance provider, or any other healthcare-related entity finds that its data has been compromised, it must inform the proper authorities as specified in the Health Insurance Portability and Accountability Act, as well as take action to mitigate the effects of the breach.
This provision is applicable to both electronic and physical forms of PHI, or Public Health Information. One strength of the Breach Notification Rule is that it was created keeping in mind that data breaches can happen in both large hospitals and private clinics, which are of considerably different sizes. Hence, HIPAA has provisions for which parties must be informed of a data leak based on the size of the data set that has been stolen or illegitimately accessed.
In the event that 10 or more people have their data breached, the entity that has identified the data leak must send a notification to each individual in writing. However, there are also procedures in place to inform individuals if there is no accurate contact information available. The entity that reports the breach must post information about the breach and contact information for further assistance on their website for up to 90 days following the breach.
In addition to providing information about the nature of the breach, entities are responsible for advising patients on the steps they must take to mitigate the damage from the data theft, and for preventing further breaches once an audit has been completed.
There are also instances of massive data leaks that affect more than 500 individuals. In such cases, HIPAA mandates that the covered entity reporting the data breach must notify the affected individuals, the media, and the Secretary of HHS, through the HHS website for reporting breaches of unsecured Protected Health Information. If a breach affects fewer than 500 people but is still noteworthy, the entity must provide notification in an annual report of data breaches, which is due within the first two months of each year.
2013: The HIPAA Omnibus Rule
Since 1996, HIPAA had remained largely the same except for minor changes here and there. That changed in 2013, when the new HIPAA Omnibus Rule was passed in order to increase the security of protected medical information within the United States healthcare system.
The Omnibus Rule was developed during a time when the internet and the digitization of major business and government processes were underway. As such, the Omnibus Rule is aimed at ensuring the privacy and adequate flow of data within the healthcare system by introducing changes that are compliant with the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed in 2009 under President Barack Obama.
The HITECH Act gave rise to new criteria for privacy regulations, breach notification regulations, and business associates, which were fairly new concepts at the time. Another significant change that the Omnibus Rule brought about was an increase in the powers of the Office for Civil Rights (OCR) in the HHS. Following the compliance date of the Omnibus Rule (September 23, 2013), patients could ask for copies of their medical records, while the definition of a business associate was broadened to include any company, group, or individual that was provided even the smallest level of access to Protected Health Information. This included security companies, accounting firms, insurance companies, and their affiliates.
The HITECH Act and the Omnibus Rule also created several limitations regarding the use of medical information for marketing and fundraising purposes. They also restricted organizations from selling medical information to research groups or to any organization or individual without express written consent from the patients themselves.
Finally, the Omnibus Rule also imposed certain security requirements on covered entities of different sizes to ensure they were protected against both physical and electronic breaches of information.
2016: The 21st Century Cures Act
While the Omnibus Rule was introduced to improve the privacy protections of Public Health Information, or PHI, the 21st Century CURES Act was tabled to help speed up innovation in the medical research industry of the United States, with the understanding that it would have global implications. The CURES Act helped ease the flow of information between healthcare practitioners, patients, and other members of the healthcare supply chain.
One significant rule added under the CURES Act was the Interoperability and Information Blocking Rule, which came into effect in April 2021. Section 4003 of the CURES Act dictated that electronic medical health information technology in all hospitals should be able to communicate with the different devices found in other healthcare facilities around the country, so that an easy flow of information is possible.
The rule also specified instances where information blocking is allowed or not allowed. Information blocking is the practice of restricting access to ePHI by a certified Health IT entity. These entities are prohibited from blocking access to ePHI under state or federal law. However, information blocking can be allowed in certain instances that have merit, such as the prevention of serious injury, protecting privacy, and improving the overall performance of the health IT sector.
In certain cases, entities are also allowed to review requests for access to ePHI if they follow certain procedures laid out in the CURES Act. These cases include licensing, fees, and limiting the content provided in a fulfilled request when certain conditions specified under the CURES Act are met.
Implications of HIPAA Updates
Although the latest additions to HIPAA may appear to contradict each other in the nature of each act, the CURES Act, the HITECH Act, and the HIPAA Omnibus Rule are all aimed at creating a seamless system in which medical information can be easily accessed by the right authorities while unauthorized access becomes that much harder to gain, thanks to added security and privacy policies. Though this may cause some hindrances in the short term, there are bound to be benefits in the long term as we slowly integrate more advanced technology to ensure the eradication of discrimination based on medical history, e.g. substance abuse. There are also bound to be improvements in healthcare quality as the flow of information to healthcare facilities becomes smoother and interoperable.