Since the Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996, federal and state agencies have developed and refined privacy rules aimed to regulate the transmission of protected health information. HIPAA applies to many types of entities, including academic institutions, professional associations, and non-government organizations. To comply with HIPAA, they have implemented their own policies and codes of conduct.
In addition to the ethical reasons for protecting the personal health information of individuals, the failure to do so can result in hefty fines for institutions and individuals. Data security breaches have occurred, as well as settlements with the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). Earlier this year, a specialty care center had to pay $300,000 for violating HIPAA rules. A university health center was fined $875,000 to settle a hacking breach.
A new vocabulary accompanied HIPAA, including terms like “covered entities,” which means organizations, agencies, or individuals that are responsible for the privacy and security of protected health information (PHI), or e-PHI (electronic protected health information). Covered entities include health care providers, health facilities, health plans and insurers, laboratories, and health care information clearinghouses. Business are subject to HIPAA and held liable for their own violations. Business associates include businesses or individuals that perform certain functions or services that involve the use or disclosure of protected health information on behalf of a covered entity.
As a result of the signing of the HIPAA law, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule establishes national standards for the protection of certain health information, while the Security Rule establishes a national set of security standards for protecting certain health information that is held or transferred in electronic form.
The Privacy Rule gives individuals rights over their protected health information, including rights to examine and obtain a copy of their health records, to direct a covered entity to transmit to a third party an electronic copy of their protected health information in an electronic health record, and to request corrections.
The Security Rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality, integrity, and availability of electronic health information.
The HIPAA Privacy Rule covers PHI in any medium, including paper, fax, and even conversations in person or over the phone. The HIPAA Security Rule covers ePHI.
Both Privacy and Security Rules have varying implications for different professionals — clinicians, researchers, marketing specialists, or fundraisers, to name a few.
Patient Rights Under the Privacy Rule
Within the privacy rule, patients have five key health records rights.
Access: a right to gain access to and obtain a copy of all of one’s health records. This is subject to some exceptions (such as the details of psychotherapy notes).
Amendment: a right to request amendment, or correction, of errors found in those records, or to include a statement of disagreement if the covered entity maintains that the information is correct.
Disclosure accounting: a right to receive an accounting of how one’s health information has been used. For example, covered entities must provide, upon request, a list of the persons and organizations to whom it has been disclosed.
Restriction/Confidential communications requests: a right to request restrictions on access to, and additional protections for, particularly sensitive data.
Limits on additional uses: a right to prevent certain additional types of use, such as fundraising, marketing, or research, unless specifically authorized.
In 2020, HHS proposed changes to HIPAA that may significantly enhance individuals’ rights of access to PHI.
Under the privacy rule, health care workers have specific duties and obligations. These duties can be summarized with a commonsense approach. Workers should use or disclose PHI only for legitimate, work-related purposes, consistent with their institution’s policies and procedures. Limit your uses and disclosures of PHI to the minimum necessary to achieve work purposes. Exercise reasonable restraint and caution. Most of the largest fines and sanctions against health care providers have been for deliberate or malicious misuse of PHI, followed by negligence.
Technology and digital communications have dramatically increased the efficiency and, some might argue, quality of health care. Health care providers and insurers now commonly use clinical applications such as computerized physician order entry (CPOE) systems, electronic health records (EHRs), and radiology, pharmacy, and laboratory systems. With these technologies has also come increased risk of mishandling protected health information.
The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule does not apply to PHI transmitted orally or in writing.
The Security Rule covers four major areas:
- Risk assessment
- Administrative safeguards
- Physical safeguards
- Technical safeguards
Covered entities should evaluate their own needs and implement solutions for their own environments. This can include conducting an internal security audit to identify and mitigate risks, based on these factors:
- Its size, complexity, and capabilities
- Its technical, hardware, and software infrastructure
- The costs of security measures
- The likelihood and possible impact of potential risks to e-PHI
In addition to a technical risk analysis, organizations should identity and implement administrative safeguards to protect e-PHI. This included mandatory training of personnel and periodic re-assessment of policies and procedures.
Physical safeguards include managing access to facilities, as well as securing computer workstations and digital devices.
Technical safeguards can include access control through passwords or other mechanism that allow only authorized personnel the ability to access e-PHI. Organizations should implement periodic audits of the security systems, including the transmission networks. This includes vigorous monitoring of potential breaches or hacks to computer systems and information technology (IT) networks.
In July 2022, the National Institute of Standards and Technology (NIST) released an updated draft of its HIPAA Security Rule guidance. The guidance addresses risk assessment and management as they apply to access controls, personnel training, contingency planning, and facility safeguards, among other areas.
Changes in 2022
The HHS issued guidance earlier this year that specifically addresses sexual and reproductive health. According to HHS, the guidance does three things:
- “addresses how federal law and regulations protect individuals’ PHI relating to abortion and other sexual and reproductive health care – making it clear that providers are not required to disclose private medical information to third parties; and
- addresses the extent to which private medical information is protected on personal cell phones and tablets
- provides consumer tips for protecting individuals’ privacy when using menstrual period trackers and other health information apps”
The COVID-19 pandemic led to a surge in telehealth services, and the use of video consultations between patients and their providers. In response, OCR issued the Telehealth Notification to assist the health care industry’s response to the public health emergency and to quickly expand the use of remote health care services. Basically, the guidance eased the enforcement of rules against using remote telehealth technologies even if they did not strictly comply with HIPAA rules, as long as covered entities employ “reasonable safeguards to protect the privacy of protected health information (PHI) from impermissible uses or disclosures, including when providing telehealth services.”
Reasonable safeguards include:
- Conducting the calls in a private room or space
- Using a lowered voice and avoiding the use of speakerphones
- Verifying the identity of the person either orally, in writing, or electronically
In June 2022, HHS issued guidance on the use of audio-only technologies by clarifying how covered entities can provide these services in compliance with the HIPAA Rules.
At the center of these is HIPAA, which aims to balance the needs of health care providers to access and share health information with the rights of patients to their privacy.