Abstract
The Health Insurance Portability and Accountability Act of
1996, Public Law §§ 104-191 was national legislation passed to protect all
"individually identifiable health information" held or transmitted by
a covered entities (Health plans, Healthcare clearinghouses, and Healthcare
Providers) or its business associates, in any form or media, whether electronic,
paper or oral. This information is known as "protected health
information” (PHI) and it includes demographic data, which relates to the
individual’s past, present, or future physical health condition or mental
health, provision for payment of healthcare for the individual, common
identifiers (e.g., name, address, birth date, Social Security Number), and any
health information that which is reasonably perceived as identifiable to the
individual.
Keywords:
(Notice of Privacy Practices) (Inspection) (Complaints)
(Amendments)
(Restricting Disclosure) (Communication) (Personal
Representatives) (Security Rule)
(Safeguards) (Compliance and Enforcement) (Penalties for
HIPAA Violations) (Criminal Penalties) (Breach Notification) (HIPAA’s impact
over the last five years) (References)
(Table 1 HIPAA Statutes) (Table 2 Top 5 Issues Investigated
of 2018-2021)
Notice of Privacy Practices
The Privacy Rule requires
covered entities to supply a Notice of Privacy Practices form to their
patients. Covered Entities must have a form for patients to sign to acknowledge
they received the NPP, or documentation must be substituted in place of the form.
The notice will inform the individual, (patient) of how the covered entity will
use (internal) and disclose (external) their PHI. The form will also inform the
patient they have the right to request the covered entity:
to review and obtain a copy of their protected health
information in their medical records.
restrict use or disclosure of their PHI.
amend their protected health information in the medical
record when that information is inaccurate or incomplete.
send communications using a specified contact method,
e.g.: email instead of phone contact or in a closed envelope rather than a
postcard.
to treat a "personal representative" the same
as the individual, with respect to uses and disclosures of the individual’s
protected health information. (“3000, Administrative Policy | Texas Health and
Human Services”)
to make a complaint with them or to make a complaint with
HHS if they feel their privacy rights have been violated.
*With some exceptions or some requests may be denied at the
covered entities discretion.
The
Security Rule
Secures ePHI, but the standard
also applies to physical PHI. ePHI may be stored on computers, mobile devices,
networks, or the cloud. The Security Rule requires covered entities to employ
safeguards to ensure confidentiality, integrity, and security of electronic
protected health information in electronic use and disclosure. Safeguards are
as follows:
•
Administrative controls: – policies and procedures.
• Physical
controls: – tangible or physical controls to protect data and prevent it from
theft or unauthorized access or persons.
• Technical
controls: – protected computer systems and protection sending electronic PHI
over open networks to prevent ePHI from access by unauthorized or unintended
recipient.
Compliance
and Enforcement
HHS will seek the cooperation of covered entities and may
provide technical assistance to help them comply voluntarily with the Rule.
Complaints about potential HIPAA violations are investigated by the OCR, and
while many prove to be unsubstantiated, oftentimes a HIPAA covered entity or an
employee of that organization, is discovered to have violated patient privacy
or HIPAA Breach, Penalties: (“How Does OCR Deal with HIPAA Complaints? -
hipaajournal.com”)
• Category
1: $100 minimum fine per violation, $50,000 maximum fine.
the covered entity was not aware of and could not have
reasonably known was a violation by exercising a reasonable amount of due
diligence (“What are the Penalties for HIPAA Violations? - HIPAA Guide”)
• Category
2: $1,000 minimum fine per violation, $50,000 maximum fine.
the covered entity should have been aware of but could not
have been prevented even with a reasonable amount of care (“HIPAA Enforcement
Rule - Violations”)
• Category
3: $10,000 minimum fine per violation, $50,000 maximum fine.
willful neglect of HIPAA Rules, in cases where efforts have
been made to address the violation within 30 days. (“What are the Penalties for
HIPAA Violations? - HIPAA Guide”)
• Category
4: $50,000 minimum fine per violation.
willful neglect, where no efforts have been made to correct
the violation in a reasonable period (“What are the Penalties for HIPAA
Violations? - HIPAA Guide”)
Criminal
Penalties
The Department of Justice will
enforce criminal sanctions.
·
up to one-year imprisonment and $50,000 fine -
if a person knowingly obtains or discloses individually Identifiable health
information in violation of HIPAA (“Eligibility Transaction System Inquiries
Rules of Behavior”)
·
up to five years imprisonment and $100,000
fine- if the wrongful conduct involves false pretenses, (“HIPAA Privacy Rules
for the Protection of Health and Mental Health ...”)
·
up to ten years imprisonment and $250,000 fine-
if the wrongful conduct involves the intent to sell, transfer, or use
individually identifiable health information for commercial advantage, personal
gain, or malicious harm. (“HIPAA Flashcards | Quizlet”)
Breach
Notification
An impermissible use or
disclosure of protected health information is presumed to be a breach.
Following a breach of unsecured protected health information, covered entities
must send notice of the breach to: (“Breach Notification Rule | Guidance Portal
- HHS.gov”) affected individuals, the Secretary, and, (In certain
circumstances,) to the media. "In addition, business associates must
notify covered entities if a breach occurs or at by the business
associate." (“Breach Notification Rule | Guidance Portal - HHS.gov”) And
covered entities handle sending notification of a breach that occurred by a
business associate
HIPAA’s
Impact on Healthcare Professionals in the Past Five Years
HIPAA Privacy over the last
five-year period. The 2016/2017 Audit findings highlighted covered entities
failures to comply were felt across the board. The findings were significant to
drill down into the specifics of the non-compliance and insufficiency. As a
result, the plain language in the Notice of Privacy Practices and Electronic
Notice of Privacy Practices was reconsidered and enhanced by compliance
protocols focused efforts. Another major initiative to come from this audit was
the Individual Access to PHI, which was found to be inadequate or incorrect
policies and procedures for providing access resulted in the need to be reconsidered
and policies and procedures had to strengthened. Breach Notification Response,
Breach Notification Response Time Frame, Notification of Breach by Business
Associate to Covered Entity, Content of Breach Notification were all found to
be insufficient, not followed through, no process, no reasonable time set lead
to improvements to the Plain language, new response time frames, and
clarification of impermissible uses.
HIPAA is having a profound
impact on fraud and abuse detection and prevention, electronic communication
standards, and health information security. The impacts on Healthcare Providers
have proven to be costly in efforts to maintain compliance with the technical
and physical standards and even more so for some providers who have settled
cases for non-compliance. Impermissible Uses and Disclosures remain the top
issue of the top five Issues in Investigated Cases Closed between 2018-2021.
See Table 2.
Table 2 - Top Five Issues in Investigated Cases Closed with
Corrective Action, by Calendar Year
Issue 1 Issue 2 Issue 3 Issue
4 Issue 5
2021 Impermissible
Uses & Disclosures Access Safeguards Administrative Safeguards Breach
– Notice to the individual
2020 Impermissible
Uses & Disclosures Safeguards
Access Administrative
Safeguards Technical Safeguards
2019 Impermissible
Uses & Disclosures Safeguards
Access Administrative
Safeguards Technical Safeguards
2018 Impermissible Uses & Disclosures Safeguards Administrative Safeguards Access
Technical Safeguards
(Top
Five Issues in Investigated Cases Closed | HHS.gov)
References
3000, Administrative Policy | Texas Health and Human
Services,
https://www.hhs.texas.gov/handbooks/primary-health-care-services-program-policy-manual/3000-administrative-policy.
How Does OCR Deal with HIPAA Complaints? -
hipaajournal.com,
https://www.hipaajournal.com/how-does-ocr-deal-with-hipaa-complaints-3514/.
What are the Penalties for HIPAA Violations? - HIPAA Guide,
https://www.hipaaguide.net/hipaa-violation-penalties/.
What are the Penalties for HIPAA Violations? - HIPAA Guide,
https://www.hipaaguide.net/hipaa-violation-penalties/.
Eligibility Transaction System Inquiries Rules of Behavior,
https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/HETSHelp/Downloads/Eligibility-Transaction-System-Inquiries-Rules-of-Behavior.pdf.
HIPAA Privacy Rules for the Protection of Health and Mental
Health ..., https://omh.ny.gov/omhweb/hipaa/phi_protection.html.
HIPAA Flashcards | Quizlet, https://quizlet.com/147370189/hipaa-flash-cards/.
Breach Notification Rule | Guidance Portal - HHS.gov,
https://www.hhs.gov/guidance/document/breach-notification-rule.
The 2016-2017 HIPAA Audits Industry Report may be found at:
https://www.hhs.gov/sites/default/files/hipaa-audits-industry-report.pdf - PDF
Top Five Issues in Investigated Cases Closed with
Corrective Action, by ..., https://www.hhs.gov/guidance/document/top-five-issues-investigated-cases-closed-corrective-action-calendar-year-0.
