What is the Health Insurance Portability and Accountability Act (HIPAA)?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.
The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule.
What are the 5 titles of HIPAA?
HIPAA has five sections, or titles:
- Title I: HIPAA Health Insurance Reform. Title I protects health insurance coverage for individuals who lose or change jobs. It also prohibits group health plans from denying coverage to individuals with specific diseases and preexisting conditions and from setting lifetime coverage limits.
- Title II: HIPAA Administrative Simplification. Title II directs the U.S. Department of Health and Human Services (HHS) to establish national standards for processing electronic healthcare transactions. It also requires healthcare organizations to implement secure electronic access to health data and to remain in compliance with privacy regulations set by HHS.
- Title III: HIPAA Tax-Related Health Provisions. Title III includes tax-related provisions and guidelines for medical care.
- Title IV: Application and Enforcement of Group Health Plan Requirements. Title IV further defines health insurance reform, including provisions for individuals with preexisting conditions and those seeking continued coverage.
- Title V: Revenue Offsets. Title V includes provisions on company-owned life insurance and the treatment of those who lose their U.S. citizenship for income tax purposes.
Title II: HIPAA Administrative Simplification
HIPAA Title II is what most people mean when they refer to HIPAA compliance. Also known as the Administrative Simplification provisions, Title II includes the following HIPAA compliance requirements:
- National Provider Identifier Standard. Each healthcare entity, including individuals, employers, health plans and healthcare providers, must have a unique 10-digit National Provider Identifier number, or NPI.
- Transactions and Code Sets Standard. Healthcare organizations must follow a standardized mechanism for electronic data interchange (EDI) in order to submit and process insurance claims.
- HIPAA Privacy Rule. Officially known as the Standards for Privacy of Individually Identifiable Health Information, this rule establishes national standards to protect patient health information.
- HIPAA Security Rule. Officially known as the Security Standards for the Protection of Electronic Protected Health Information, this rule sets standards for securing electronic protected health information (ePHI).
- HIPAA Enforcement Rule. This rule establishes guidelines for investigations into HIPAA compliance violations.
What information is protected under HIPAA?
The HIPAA Privacy Rule protects all individually identifiable health information that is held or transmitted by a covered entity or a business associate (BA). This information can be held in any form, including digital, paper or oral.
PHI includes but is not limited to the following:
- a patient’s name, address, birth date, Social Security number, biometric identifiers or other personally identifiable information (PII);
- an individual’s past, present or future physical or mental health condition;
- any care provided to an individual; and
- information concerning the past, present or future payment for the care provided to the individual that identifies the patient or information for which there is a reasonable basis to believe could be used to identify the patient.
PHI does not include the following:
- employment records, including information about education, as well as other records subject to or defined in the Family Educational Rights and Privacy Act (FERPA); and
- deidentified data, meaning data that does not identify or provide information that could identify an individual — there are no restrictions to its use or disclosure.
Specific examples of PHI include a medical record, laboratory report or hospital bill because these documents contain identifying information — the patient’s name, for example — associated with health data.
One example of information that is not PHI would be blood pressure or heart rate data collected by a consumer health device, like a smartwatch, because it is not shared with a covered entity.
What are the penalties for HIPAA violations?

Privacy rule penalties vary depending on the severity of the infraction. They are split into four categories:
- Unknowingly violating HIPAA is $100 per violation, with an annual maximum of $25,000 for repeat violations.
- Reasonable cause for violating HIPAA is $1,000 per violation, with an annual maximum of $100,000 for repeat violations.
- Willful neglect of HIPAA, but the violation is corrected within a given time period, is $10,000 per violation, with an annual maximum of $250,000 for repeat violations.
- Willful neglect of HIPAA, and the violation remains uncorrected, is $50,000 per violation, with an annual maximum of $1.5 million for repeat violations.