Health Insurance Portability and Accountability Act (HIPAA)

Who is excluded from HIPAA compliance? 

Generally, any entities that do not engage in standard healthcare transactions covered by HIPAA rules are excluded. Examples include organizations such as:

• Life Insurers.
• Employers.
• Schools and School Districts that do not maintain student health records electronically.
• Workers' Compensation Insurers. 

What are the requirements for covered entities under HIPAA ? 

In order to be compliant with HIPAA, covered entities must take a series of proactive steps to ensure the safety of health information they collect, store, and process, the first of which is understanding HIPAA’s regulations and rules. To help you better understand the HIPAA requirements we’ve summarized the HIPAA Rules and their regulations. First, let’s look at the basic steps for compliance with HIPAA:

• Protect Patient Privacy: As a covered entity, you must keep patients' personal health information private. This means you can only share their information for specific reasons such as treatment, payment, or healthcare operations, and even then, only the minimum necessary information should be shared.
• Implement Security Measures: You must protect all electronic health information using appropriate administrative, physical, and technical safeguards. This includes securing computers and networks, limiting access to authorized individuals, and training employees on how to handle sensitive health information securely.
• Patient Rights: You must respect and facilitate patients' rights to access and control their health information. This includes providing patients with copies of their health records upon request, correcting inaccuracies in their information, and providing an accounting of disclosures when requested.
• Notice of Privacy Practices: You are required to provide a clear and concise document outlining your practices regarding the use and protection of their health information and explaining patients' rights under HIPAA. When it comes to your website, you are required to have a clear privacy policy available which explains to individuals what types of PHI is collected, how the data is used, who the data is shared with, and how the data is protected.
• Risk Assessments: You are required to conduct regular assessments to detect vulnerabilities in the protection of PHI.
• Policies and Procedures: Another requirement for covered entitled is implementing and updating privacy policies that comply with HIPAA regulations.
• Breach Notification Procedures: Your organization should have in place protocols to follow in the event of a breach of PHI.
• Business Associate Agreement (BAA): As a covered entity, you must have a contract or other arrangement with your business associates that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the requirements to protect the privacy and security of protected health information. These agreements ensure that business associates use, disclose, and safeguard PHI only as permitted or required by the contract and the HIPAA Rules. By definition, a business associate agreement helps to ensure that the third parties handling PHI maintain the confidentiality, integrity, and availability of that data in compliance with HIPAA regulations.
  
  

The HIPAA Privacy Rule 

The HIPAA Privacy Rule outlines a series of obligations which focus on the protection of individually identifiable health information (IIHI) and are directed towards covered entities, as defined above, including their websites. Key obligations include the following: 

• Uses and Disclosures of Protected Health Information 
  • Establish Policies and Procedures: Develop and implement on-site and website-specific policies that limit the use and disclosure of PHI strictly to those situations permitted by the Privacy Rule, such as for treatment, payment, or healthcare operations, or where the individual has authorized the disclosure.
  • Apply Safeguards: Ensure that PHI is not used or disclosed improperly by applying appropriate administrative, technical, and physical safeguards. As regards websites, this would include encryption and secure access protocols.
  • Minimum Necessary Use and Disclosure: When using or disclosing PHI, or when requesting PHI from another entity, use or request only the amount of information that is minimally necessary to achieve the purpose of the use or disclosure.
• Individual Rights: 
  • Consumer rights requests: Provide individuals with a way to submit requests on your website for the rights afforded to them by the HIPAA. This includes:  
    • Access to PHI: Provide individuals with access to their PHI in a designated record set. This includes the right to inspect or obtain a copy of the information within 30 days of the request.
    • Amendments to PHI: Allow individuals to request an amendment of their PHI if they believe it is inaccurate or incomplete. Covered entities must consider the request and, if appropriate, make the necessary amendments.
  • Notice of Privacy Practices: Develop and distribute a notice that provides a clear explanation of how PHI is used and disclosed, the individual’s rights, and the entity’s legal duties regarding the PHI. In the case of your website, clearly post and make accessible a privacy notice on the website detailing how PHI is used, disclosed, individual rights, and the entity's obligations under HIPAA.
• Minimum Necessary Requirement 
  • Define Minimum Necessary: Define what constitutes the "minimum necessary" use and disclosure of PHI based on the specific duties and roles within the organization, making sure these are also adhered to in your website’s operation.
  • Restrict Access: Restrict access to PHI to only those workforce members who need it to perform their job functions.
  • Review Procedures: Regularly review and update your on-site and website procedures to ensure compliance with the minimum necessary standard when using or disclosing PHI.
• Business Associates 
  • Business Associate Agreements (BAAs): Ensure that agreements with business associates contain assurances that they will use PHI only as permitted by the Privacy Rule and will safeguard the information from misuse. As far as your website is concerned, there also you are required to ensure that any third-party service providers who have access to PHI collected by your website are bound by BAAs that mandate compliance with the HIPAA Privacy Rule and protect the information from misuse.
  • Oversight and Compliance: Monitor business associates' compliance with the HIPAA regulations and take corrective action for any breaches or violations.
  • Documentation and Record Keeping: Maintain documentation of the business associate agreements and any incidents of use or disclosure of PHI that are inconsistent with the agreements.
• Administrative Safeguards 
  • Privacy Policies and Procedures: Develop, implement, and maintain privacy policies and procedures that comply with the HIPAA Privacy Rule.
  • Workforce Training and Management: Train all members of the workforce on the privacy policies and procedures, both on-site and website ones, as necessary and appropriate for them to carry out their functions. Implement disciplinary measures for violations of these policies.
  • Complaint Management: Provide on your website a way for individuals to make complaints about your privacy practices and address such complaints effectively.
  • Data Privacy Officer: Designate a privacy official who is responsible for the development and implementation of the privacy policies and procedures that apply to your organization both on-site and on the website.

The HIPAA Security Rule

The HIPAA Security Rule establishes a series of obligations for the protection of electronic protected health information (ePHI) collected on websites which can be grouped into several areas, such as administrative, physical, and technical safeguards, as follows: 

Administrative Safeguards

• Security Management Process: 
  • Risk Analysis and management: Perform and document a thorough risk assessment to identify all potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI handled through your website and implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
  • Sanction Policy: Apply appropriate sanctions against workforce members who fail to comply with the security policies.
  • Information System Activity Review: Regularly review web server logs, audit trails, and access records to monitor the security of the ePHI on your website.
• Assigned Security Responsibility: Designate a security official responsible for developing and implementing security policies and procedures for website operations.
• Workforce Security: 
  • Ensure that all members of the workforce have appropriate access to ePHI and prevent those who do not have access from obtaining access to ePHI.
  • Implement procedures to authorize and/or supervise employees who work with ePHI.
• Security Awareness and Training: Provide specific training for web administrators and other relevant personnel on the security policies and procedures concerning the website.
• Security Incident Procedures: Develop and implement procedures to address and respond to security incidents involving your website that result in a breach of ePHI.
• Contingency Plan: Establish (and implement as needed) policies for responding to emergencies or technical failures that affect the website and potentially compromise ePHI.
• Evaluation: Periodically evaluate your website’s security policies and procedures to determine their effectiveness in protecting ePHI.

Physical Safeguards

• Facility Access Controls: Implement policies to limit physical access to facilities while ensuring that properly authorized access is allowed.
• Workstation Use: Specify the proper functions to be performed and the manner in which those functions are to be performed on workstations that access ePHI.
• Workstation Security: Implement physical safeguards for all workstations that access ePHI to restrict access to authorized users.
• Device and Media Controls: Govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility.

Technical Safeguards

• Access Control:
  • Implement technical policies and procedures that allow only authorized persons to access ePHI on your website.
  • Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency.
• Audit Controls: Implement hardware, software, and/or procedural mechanisms to record and examine activity on your website, especially for actions involving access or changes to ePHI. 
• Integrity: Implement policies and procedures to ensure that ePHI is not improperly altered or destroyed, such as digital signatures. 
• Person or Entity Authentication: Implement procedures to verify that a person or entity seeking access to ePHI via your website is the correct one by implementing robust authentication procedures such as multi-factor authentication.
• Transmission Security: Implement technical security measures on your website, such as encryption, in order to prevent any unauthorized access during the ePHI’s transmission. 
  
  

The HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule requires covered entities and their business associates to provide notifications following a breach of unsecured protected health information (PHI) or electronic protected health information (ePHI) in the case of websites of covered entities.

Key aspects of the HIPAA Breach Notification Rule include the following:

What Constitutes a Breach?

A breach is generally defined as an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. However, there are exceptions where an incident might not be considered a breach:

• When the unauthorized acquisition, access, use, or disclosure of PHI/ePHI is unintentional and occurs at the hands of a person acting under the authority of the covered entity or business associate.
• If the PHI/ePHI is acquired, accessed, or disclosed in good faith and within the scope of authority.
• Where the covered entity or business associate has a reasonable belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain the information.

What are the Notification Requirements?

• Notification to Individuals: Covered entities must notify affected individuals without unreasonable delay and in no case later than 60 days after discovering the breach. The notification should include, to the extent possible, a description of the breach, the types of information involved, the steps individuals should take to protect themselves, what the covered entity is doing to investigate and mitigate the harm, and contact procedures for individuals to ask questions.
• Notification to the Secretary of HHS: For breaches involving fewer than 500 individuals, the covered entity must maintain a log and annually report the breaches to HHS. For breaches of 500 or more individuals, the covered entity must notify the Secretary of HHS without unreasonable delay, and in no case later than 60 days from the discovery of the breach.
• Notification to the Media: For breaches that affect 500 or more individuals in a state or jurisdiction, covered entities must provide notice to prominent media outlets serving the state or jurisdiction, within the same 60-day timeframe.
• Notification by Business Associates: If the breach occurs at or by a business associate, the business associate must notify the covered entity of the breach. The covered entity is then responsible for ensuring that individuals, HHS, and potentially the media are notified in accordance with the Breach Notification Rule.
• Notifications for Unsecured PHI: The Breach Notification Rule applies to unsecured PHI/ePHI, which refers to information that is not protected through the use of a technology or methodology specified by the Secretary of HHS that renders PHI/ePHI unusable, unreadable, or indecipherable to unauthorized individuals. Examples include encryption of ePHI and the destruction of paper records of PHI.

What are the Exemptions to the Breach Notification Rule? 

There are exemptions to the Breach Notification Rule, such as when a risk assessment determines that there is a low probability that the PHI/ePHI has been compromised. The assessment should consider factors such as the nature and extent of the PHI/ePHI involved, to whom the disclosure was made, whether the PHI/ePHI was actually acquired or viewed, and the extent to which the risk has been mitigated.

What are the consumer rights under HIPAA ? 

HIPAA provides several important rights to consumers concerning their health information, ensuring they have significant control over their personal health data. These rights are primarily articulated through the HIPAA Privacy Rule and are as follows: 

• Right to Access
• Right to Correct
• Right to an Accounting of Disclosures: Individuals have the right to receive a detailed account of certain disclosures of their PHI.
• Right to Request Restrictions: Consumers have the right to request a restriction on certain uses or disclosures of their health information, including disclosures to family members or others involved in their care or payment for their care. However, covered entities are not required to agree to these restrictions, except in the case of disclosures to a health plan for purposes of payment or healthcare operations when the item or service has been paid out of pocket in full.
• Right to Request Confidential Communications of Protected Health Information: Consumers can request, and covered entities must accommodate reasonable requests, to receive communications of health information by alternative means or at alternative locations. For example, a patient can ask to be contacted at a different mailing address or by email.
• Right to a Notice of Privacy Practices: Covered entities are required to provide individuals with a notice that explains how the entity may use and share their health information and describes the privacy rights of the individuals. Consumers have the right to receive this notice and should be prompted to review it.
• Right to File a Complaint: If consumers believe their privacy rights have been violated, they have the right to file a complaint with the healthcare provider or insurer and the U.S. Department of Health and Human Services Office for Civil Rights.

How to respond to consumer requests under HIPAA ?

When consumers exercise their rights under HIPAA, covered entities have a series of obligations about replying to these requests, which vary depending on the type of request, as follows: 

• Right to Access Health Information: Covered entities must allow individuals to inspect or obtain copies of their health information, typically within 30 days of the request. An extension of up to 30 additional days is allowed if the covered entity provides a written explanation for the delay and the date by which the records will be provided. Entities may charge a reasonable, cost-based fee for producing the copies, which may include the cost of supplies for creating the copy, labor for copying the PHI, and postage if the individual requests the copy be mailed.
• Right to Request Amendments: Covered entities must consider requests for amendments to health records. If they accept the request, they must make the appropriate amendments. If they deny the request, they must provide a written denial that explains the basis for the denial, informs the individual of the right to submit a written statement of disagreement, and provides information on how the individual can file a complaint. This process must typically be completed within 60 days of the request, with one possible 30-day extension if the entity notifies the individual in writing of the reasons for the delay.
• Right to an Accounting of Disclosures: Covered entities must provide an accounting of disclosures of the individual’s PHI that occurred in the past six years, excluding disclosures for treatment, payment, and healthcare operations. The accounting must include the date of each disclosure, the recipient of the disclosed PHI, a brief description of the PHI disclosed, and the purpose of the disclosure. This information must be provided within 60 days of the request, with one possible 30-day extension for good cause shown.
• Right to Request Restrictions: While covered entities are not required to agree to restrictions on the use or disclosure of PHI for treatment, payment, or healthcare operations, they must agree to restrictions on disclosures to a health plan when the individual has paid out of pocket in full for the healthcare item or service. If the covered entity agrees to the restriction, they must abide by it unless the information is needed to provide emergency treatment.

• Right to Request Confidential Communications: Covered entities must accommodate reasonable requests to receive communications of PHI by alternative means or at alternative locations. The individual does not need to provide a reason for the request, but must specify how or where they wish to be contacted.
• Notice of Privacy Practices: Covered entities are required to provide individuals with a notice of their privacy practices at the first service encounter and upon request thereafter. The notice must be posted in a clear and prominent location where it is reasonable to expect individuals seeking service from the covered entity to be able to read the notice.

HIPAA enforcement and penalties

The U.S. Department of Health and Human Services (HHS) enforces HIPAA compliance through its Office for Civil Rights (OCR). Penalties for non-compliance can be severe, ranging from monetary fines to criminal prosecution. The fines vary based on the nature of the violation and the level of negligence involved. HIPAA penalty tiers are structured to reflect the perceived culpability of the covered entity or business associate involved in the violation. 

HIPAA Violation Penalty Tiers

Financial penalties for HIPAA violations can be grouped in the following tiers: 

Tier 1: The covered entity or business associate was unaware (and by exercising reasonable diligence would not have known) that it violated HIPAA.

Penalty: $100 to $50,000 per violation, with an annual maximum of $25,000 for repeat violations of the same provision.

Tier 2: The violation had a reasonable cause and was not due to willful neglect.

Penalty: $1,000 to $50,000 per violation, with an annual maximum of $100,000 for repeat violations of the same provision.

Tier 3: The violation was due to willful neglect but was corrected within the required time period.

Penalty: $10,000 to $50,000 per violation, with an annual maximum of $250,000 for repeat violations of the same provision.

Tier 4: The violation was due to willful neglect and was not corrected.

Penalty: $50,000 per violation, with an annual maximum of $1.5 million for repeat violations of the same provision.

Criminal penalties for HIPAA violations are divided into three tiers: 

Tier 1: same as above, the covered entity or business associate was unaware of the violation. 

Penalty: up to 1 year imprisonment. 

Tier 2: using false pretense to obtain PHI. 

Penalty: up to 5 years imprisonment.

Tier 3: for violations committed with the malicious intent “to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm.”

Penalty: up to 10 years imprisonment. 

Data Subject Rights - GDPR vs. HIPAA

FAQs about the Health Insurance Portability and Accountability Act (HIPAA)