HIPAA Compliance

HIPAA was intended to ease the sharing of Personal Health Information (PHI) between entities that have a need to know while maintaining an acceptable and reasonable level of privacy to the individual whose information is at stake.

HITECH was intended to fund and define sharing rules for Electronic Medical Records (EMR) to further their use in hopes of curtailing growing health care costs.

The Acts are administered by the Department of Health and Human Services (HHS) in the Office of Civil Rights (OCR). It is the OCR which has the right to enforce, audit, fine and charge companies and individuals for violations of the Act. They interpret the law in the Act and write the rules and regulations.

There are three types of entities described in the statute. The first is the patient. That’s easy. The second is the Covered Entity (CE) and the third is the Business Associate (BA). The CE performs medical services on the patient and has the most trusted access of the information. A hospital or an insurance company is a CE.

A BA is someone who a CE uses for services and who needs access to the PHI of the CE’s patients to perform some level of service. A traditional BA is a bill processing company that sends medical invoices and processes payments. They have and need access to the patient information (name, address) and the medical record (diagnosis code, charge etc.) to perform the work for the CE.

Since the HIPAA omnibus rule changes have been implemented, cloud service providers and other hosting providers are now considered BAs.

HIPAA covers the Privacy, Security and Enforcement rules of PHI. The Privacy and Security rules contain information on how one must treat PHI (whether it’s electronic or not). The enforcement rules specify what happens if you don’t (the penalties).

There are three things that HIPAA requires:

1. Integrity of information – the medical record must be accurate
2. Confidentiality – The medical record should only be seen by those with a need to know and all uses of that data should be knowable by the individual.
3. Availability – The medical record must be available, in essence, no reasonably avoidable downtime.

The rules and regulations are documented in the Code of Federal Regulations (CFR). Parts 160 and 164 of the CFR are the two that pertain to HIPAA. When someone says they adhere to HIPAA rules, it means they adhere to the paragraphs in the Parts. For example, one of the paragraphs says:

Paragraph 164.308(a)(1)(i) Standard: Security Management Practices – Implement policies and procedures to prevent, detect, contain, and correct security violations.

In essence, the rules say:

• Protect the Availability, Integrity and Confidentiality of PHI
• Have Business Associates Agreement with clients who have PHI
• Report any violations of PHI misuse to the OCR.

The penalties for violating HIPAA rules are severe and range from $100 to $50,000 per violation (or per record) up to a maximum of $1,500,000 per year and can carry criminal charges which could result in jail time. They are incurred if PHI (or ePHI, Electronic Personal Health Information) is released to the public in unencrypted form of more than 500 records.

The fines and charges are broken down into 2 major categories: “Reasonable Cause” and “Willful Neglect”. Within each category, there are 2 tiers.

Reasonable Cause ranges from $100 to $50,000 per incident (release of 500 medical records) and does not involve any jail time.

Willful Neglect ranges from $10,000 to $50,000 for each incident and can result in criminal charges.