HIPAA compliance is the most important part of handling protected health information. This law legally binds covered entities and their business associates to follow regulations when handling protected medical information. But what does HIPAA compliance involve?
The Health Insurance Portability and Accountability Act (HIPAA) is a set of rules and regulations for the protection and distribution of medical records outlined by the U.S. Department of Health and Human Services (HHS) in 1996. HHS proposed the legislation to improve accountability for employees between jobs and combat waste, fraud, and abuse in healthcare and health insurance.
HHS originally established HIPAA to:
- Enable U.S. workers to transfer and continue health insurance for themselves and their families when they lose their job or accept a new one
- Reduce healthcare abuse and fraud
- Set standards for healthcare data during processes such as electronic billing
- Legally require the confidential handling and safeguarding of protected health information
Since its introduction, HHS has periodically added additional rules to HIPAA to further help regulate the transmission, use, and protection of protected health information (PHI) for covered entities and their business associates. The primary rules that apply to the average release of information are the Privacy Rule and Security Rule.
What are covered entities?
Not everybody who interacts with medical records is considered a covered entity, but those who are must be aware of their responsibilities when handling patient medical records. HIPAA identifies covered entities as health plans, healthcare clearinghouses, and healthcare providers who electronically transmit any health information via methods for which HHS has adopted standards.
HIPAA regulations also apply to business associates who need access to medical records to serve covered entities. The key here is not that they have access to patient medical information, but that they are performing services for the covered entities.
HIPAA requires that business associates sign a Business Associate Agreement before performing services for a covered entity that may expose them to PHI. Some examples of business associates include:
- Outside lawyers, IT specialists, and accountants
- Software companies who handle protected health information
- Claims processing companies
- Medical transcription companies
- Companies that help healthcare providers accept payment for providing medical services
- Health plan companies
- Medical record destruction and archive services
The Privacy Rule
The Standards for Privacy of Individually Identifiable Health Information, commonly known as the Privacy Rule, is a set of standards added to HIPAA in 2003 to help safeguard protected health information. Additionally, the rule sought to enhance patient rights regarding their medical records.
Before the Privacy Rule, there were no federal rulings that regulated the use and disclosure of medical records. It is the first and only federal health privacy law. A previous federal constitutional right to privacy did exist, but it was not absolute. Professionals were often allowed to disseminate PHI without patient consent if the court deemed the benefits of releasing records to be greater than the patient’s desire for privacy.
Furthermore, there was little protection when it came to private entities. It was not uncommon for health insurance companies to send detailed health reports to other companies before HIPAA. In some cases, people would leave mental and physical disorders undiagnosed to avoid having their bosses find out.
HIPAA and the Privacy Rule ended this fear by giving patients significantly greater control over their health information. It empowers patients to do the following:
- Control the use and disclosure of their PHI in most cases
- Request, examine, and correct their medical records
- Understand how their PHI has been and will be used
- Make more informed healthcare decisions
In granting patients additional rights and protections, they imposed greater regulation over how covered entities and their business associates can handle medical records. Changes include:
- Establishing baseline safeguards to protect medical records
- Setting boundaries on how medical records can be used and released
- Holding violators accountable with steep financial and criminal penalties
- Limiting released medical records to the minimum necessary standard
The Security Rule
The second addition to HIPAA came in the form of The HIPAA Security Rule Standards and Implementation Specifications, or Security Rule, in 2005. This outlined the technological, administrative, and physical requirements to appropriately safeguard protected health information.
HHS proposed the Security Rule in response to the growth of electronic medical records disclosure to create a baseline of requirements for covered entities. If state laws differ from the regulations outlined in the Security Rule, covered entities should always follow the more stringent standards.
HIPAA defines the administrative safeguards as “Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information (ePHI) and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.” (45 C.F.R. § 164.304).
The physical safeguards involve a covered entity’s electronic data and the physical systems that house it (45 CFR §164.310). These policies help ensure only authorized users can access ePHI on the covered entity’s computer servers. Certified electronic health records technology (CEHRT) can fulfill some of these requirements, but likely not all.
The Technical safeguards cover the policies and procedures for the use of the technology used by covered entities to control access to ePHI (45 CFR §164.312).
The Security Rule is flexible, containing both requirements that all covered entities must adhere to and addressable requirements. HHS enforces these on a case-by-case basis based on the size of the covered entity. The covered entity must provide documentation if they deem an addressable requirement unreasonable or inappropriate.
The Breach Notification Rule
The HIPAA Breach Notification Rule, added in 2009, outlined the process of determining the risk factor when medical records are breached and cemented a necessary process covered entities must follow in the event of a breach.
First, the covered entity must perform a risk analysis. This determines the potential harm the breach could cause to the patient. The risk assessment factors that determine potential harm are outlined by HHS as such:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed; and
- The extent to which the risk to the protected health information has been mitigated.
If a covered entity or business associate accidentally sends protected health information containing the patient’s name and information to the wrong fax number, it cannot be taken back. Once stolen, criminals and hackers who obtain patient information can use it however they wish, which threatens the patient’s security. This would be on the higher end of the risk spectrum because it
Notifications after a breach
If there is a breach of protected health information, the covered entity must notify the individual affected, the HHS Secretary, and, if more than 500 individuals are affected, relevant media outlets. Also, business associates must notify covered entities of their breaches.
For the individual affected by the breach, the covered entity must notify them via their preferred method. If the breach includes at least 10 individuals with incomplete or incorrect contact information on file, the healthcare provider must set a notification on their homepage for 60 days and set up a phone number patients can call to ask if they were affected.
The covered entity must also notify the HHS Secretary of every breach of medical records. If a breach impacts 500 or more individuals, the healthcare provider must notify the Secretary “without reasonable delay” and always within 60 days. If the breach impacts fewer than 500 individuals, the breach can be instead included in the end-of-year report.
When 500 or more individuals are affected by a breach of protected health information, the covered entity must also notify relevant media entities. This must also be done within 60 days, and the included information must be the same as the information sent to the affected individuals.
Throughout this entire process, the healthcare provider is also responsible for the burden of proof. Following a medical records breach, they must document either their attempts to provide the required notifications or prove that the disclosure should not be considered a breach.
For a more comprehensive breakdown of the Breach Notification Rule, click here for the full details on the HHS website.
The Omnibus Final Rule
HHS wrote the Omnibus Final Rule to implement the Health Information Technology for Economic and Clinical Health (HITECH) Act into HIPAA rules in 2013. This primarily sought to update and clarify existing aspects of the Privacy Rule and the Security Rule, including the tiered penalty structure of the HITECH Act.
The Omnibus Rule removed a previously-existing breach notification threshold. It required covered entities to report to the Secretary only when the breach affected 500+ people or posed a significant risk of harm to the individual(s) affected. Now all breaches must be reported regardless of risk or size.
Additionally, the Omnibus Rule requires business associates to report their own breaches and face the same tiered penalty structure for non-compliance. These penalties can range from $100 to $50,000 per violation. The tier is based on an entity’s due diligence and the degree of willful neglect. These can reach a maximum of $1.5 million per violation.
The Omnibus Rule also improved patients’ rights to access their medical information. In addition to greater freedom for requesting and reviewing their medical records, they can also restrict some disclosures to health plans.
The HITECH Act
HHS introduced the HITECH Act as part of the American Recovery and Reinvestment Act (ARRA) in 2009. In addition to expanding the adoption of certified electronic health record technology (CEHRT), the act closed off HIPAA loopholes to increase business associates’ responsibility, gave patients the right to request their medical records electronically, and introduced the tiered penalty structure.
Previously, only 10% of healthcare providers used electronic health records, and the rest still kept paper files. The act provided financial incentives to help offset the implementation and training costs. This drove most healthcare providers to adopt electronic health record systems.
HHS wanted healthcare providers to explore the full capabilities that certified electronic health record technology could safely offer. To accomplish this, they introduced the Meaningful Use program with the HITECH Act to increasingly reward healthcare providers who met key objectives using CEHRT.
The Hitech Act also required business associates to sign Business Associate Agreements (BAA) before handling protected health information. This legally binds them to follow HIPAA regulations or face the same penalties as covered entities.
Staying compliant during the release of information
The regulations set into place by HIPAA and the HITECH Act have shaped the health information landscape and made releasing medical records a risky process. Healthcare providers must share medical records via accessible means for the average person, but the complicated security standards mean you could be violating HIPAA without even realizing it.
The stringent release of information standards and documentation requirements make it essential for healthcare providers to investigate their methods constantly to ensure they are still compliant.
ChartRequest is a modern HIPAA-compliant release of information and care coordination software solution. We designed our platform to help covered entities, business associates, and patients safely navigate the exchange of protected health information.
Healthcare providers in our network also never need to worry about losing or forgetting about a medical records request. We make it easy to meet the 30-day turnaround requirement of HIPAA. Also, our full-service users can expect an average turnaround time of just a few days by outsourcing the process to our expert.
Additionally, ChartRequest protects healthcare providers in the case of an audit with our meticulous, automated audit log. We add a new timestamp every time either party interacts with the request which you can access anytime.
The release of information should not feel like rolling a dice. Avoid uncertainty, protect yourself from unintentional HIPAA violations.