What is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act.
HIPAA is a federal law covering the healthcare and health insurance industries. It addresses a number of topics and mandates that PHI (also referred to as ePHI when it is in electronic form) must be protected in order to maintain the privacy and confidentiality of patients’ medical information. This mandate is addressed in two key HIPAA provisions: the Privacy Rule and the Security Rule.
PHI
PHI is individually identifiable health information, including demographic information, that:
- Is created, received, transmitted, or maintained by a healthcare provider, health plan, or healthcare clearinghouse
- Relates to the past, present, or future physical or mental health or condition of an individual
- Relates to the provision of health care to an individual
- Relates to the past, present, or future payment for the provision of healthcare to the individual
- Can be used to identify the individual
HIPAA mandates that PHI must be protected in both physical and digital form. Such information is classified as Restricted/PHI by UAB’s Data Classification Rule. Examples of HIPAA/PHI data elements that must be protected include names, addresses, dates, phone numbers, email addresses, SSNs, account numbers, and photos.
PHI can appear in a number of different formats. Examples of media on which PHI can appear include, but are not limited to, the following:
- Written documentation and all paper records, including prescription labels and ID bracelets
- Spoken and verbal information, including discussions with or about patients, and voice mail messages
- Electronic information stored on a computer, laptop, mobile device, USB drive, or other electronic media
- X-rays, photographs, and digital images
Requirements
Privacy Rule
The HIPAA Privacy Rule states that PHI may be used and disclosed to facilitate treatment, payment, and healthcare operations (TPO). When HIPAA permits the use or disclosure of PHI, the covered entity must use or disclose only the minimum necessary PHI required to accomplish the business purpose of the use or disclosure. Even when PHI is used or disclosed for appropriate business purposes, if the PHI is not limited to the minimum necessary, it is a HIPAA violation. The only exceptions to the minimum necessary standard are those times when a covered entity is disclosing PHI for the following reasons:
- Treatment
- Purposes for which a patient authorization is signed
- Disclosures required by law
- Sharing information with the patient about himself or herself
Security Rule
The Security Rule and its associated regulations contain 18 standards that must be met in order to provide the appropriate security safeguards to protect the confidentiality, integrity, and availability of patients’ PHI. These regulations address a number of issues regarding the protection of PHI. Examples of such issues include, but are not limited to, prohibiting downloading or copying of PHI, conducting risk assessments at least every two years, requiring the encryption of all hard drives containing PHI, etc.
To ensure that the requirements of the Security Rule are met, UAB has adopted a set of Security Core Policies and the Data Protection Rule, which describe the security requirements that must be followed.
PHI and Third Parties
A covered entity can share PHI with a third party, but that party must be an authorized Business Associate (BA) and there are requirements and stipulations on how PHI can be shared. Examples of BAs include an electronic patient record vendor or a company that shreds physical media that contain PHI.
In order to share PHI with a BA, a UAB covered entity must execute a signed Business Associate Agreement (BAA) with the third party before the PHI can be shared.
For more on HIPAA, BAs and BAAs, and the associated forms, visit UAB’s HIPAA web site. Note: Users must be on either the UAB or UABMC network to access this site.
Penalties
The Department of Health and Human Services (HHS) enforces a tiered civil penalty system for non-compliance with the HIPAA Privacy Rule and Security Rule regulations. The following actions could occur should a non-compliance issue arise:
- Monetary penalties that range from $100 to $1.65 million per violation could be assessed, depending on the circumstances.
- HHS must investigate any complaint that could possibly result from a violation due to willful neglect and must impose penalties if such neglect is confirmed. “Willful neglect” is defined as “conscious, intentional failure or reckless indifference to the obligation to comply” with HIPAA.
- State attorneys general also can pursue civil suits against persons who violate HIPAA.
The U.S. Department of Justice is responsible for enforcing criminal penalties for non-compliance with the HIPAA Privacy Rule. Criminal penalties for “wrongful disclosure” include both large fines of $50,000 to $250,000 and up to 10 years in prison. Examples of wrongful disclosures include accessing health information under false pretenses, releasing patient information with harmful intent, or selling PHI.
Note: Penalties and fines apply to members of the workforce and other individuals, not just to the covered entities.
In addition to the federal and state penalties and fines, members of the UAB/UABHS workforce are subject to disciplinary action, up to and including termination of employment or assignment, for non-compliance with HIPAA privacy and security regulations, policies, and procedures.