The Health Insurance Portability and Accountability Act, also known as the Kennedy–Kassebaum Act and commonly referred to as HIPAA, was enacted on August 21, 1996. The Act directed the Secretary of Health and Human Services (HHS) to publish standards governing the electronic exchange, privacy, and security of Protected Health Information (PHI).
Today the majority of physicians and practices are gradually moving to digital systems, with a steady rise in EHR/EMR systems, patient inquiry portals, and insurer web portals. Because privacy and security concerns have grown with this shift, HIPAA and the HITECH Act now impose a number of stringent enforcement requirements.
In 2003, the Department of Health and Human Services' Office for Civil Rights (OCR) was made responsible for HIPAA enforcement. The Act has five titles, which cover PHI, prevention of healthcare fraud and abuse, administrative simplification, changes to healthcare coverage, medical savings accounts, and provisions on interest allocation rules.
- HIPAA and its main functions
HIPAA's most significant responsibilities are ensuring the integrity, confidentiality, and availability of healthcare information while still giving healthcare providers, payers, and clearinghouses the access they need to deliver effective patient care. Congress passed HIPAA to establish federal standards for the security and privacy of protected health information.
In today's environment, however, the exchange of PHI between covered and non-covered entities has escalated dramatically.
- Healthcare Providers
With the enforcement of the HITECH Act on February 17, 2009, business associates such as billing companies and subcontractors are also required to comply with HIPAA.
- 5 Rules for enforcing Administrative Simplification
There are five rules for administrative simplification:
- Privacy Rule
This rule regulates the use and disclosure of PHI by covered entities. A covered entity must disclose PHI upon request within a month. Patients should be clearly informed of how their personal data will be used or disclosed. The HITECH Act was enacted to promote and expand the adoption of health information technology, and it makes business associates accountable under these sections of HIPAA.
- Transactions and Code Sets Rule
This rule was intended mainly to standardize healthcare transactions. Every provider that bills claims electronically after July 1, 2005 must use the HIPAA standard transactions to get reimbursed. The key X12 EDI transactions used for compliance are 835, 837, 820, 270, 271, 276, 277, 278 and 997. For more information, see 42 USC § 1320d-2 and 45 CFR Part 162.
- Security Rule
This rule complements the Privacy Rule: the Security Rule focuses on electronic PHI (EPHI), whereas the Privacy Rule covers PHI in any form. It specifies three categories of safeguards: administrative, physical and technical.
Administrative Safeguards: These require covered entities and business associates to adopt a designated set of privacy policies and procedures that govern how the organization's workforce protects health information.
Physical Safeguards: These control physical access to PHI, limit its use to authorized individuals, and monitor public access to equipment that contains PHI.
Technical Safeguards: These include restricting access so that data cannot be manipulated without approval, risk analysis and management, and protection from intrusion.
- Unique Identifiers Rule
This rule mandates a standard 10-digit identifier that replaces any other identifiers assigned by federal and commercial insurance payers. Since 2007, only the National Provider Identifier (NPI) may be used by covered entities to identify healthcare providers in standard transactions. It does not replace a provider's DEA number, state license number or Tax ID. The NPI is unique and carries no additional information.
- Enforcement Rule
This rule establishes the procedures for penalizing violations of the HIPAA rules. Entities must take corrective measures when a breach occurs. HIPAA violations can be avoided and eliminated by updating your privacy policies or by taking corrective action.
- The information that the HIPAA Act protects
All protected information in categories such as patient demographics, medical history, transaction history, and even the individual's healthcare carrier, where it could reveal the identity of a patient.
Hence, use of PHI should be limited on a need-to-know basis. Software, hardware and any other access to potential healthcare data should be authorized or restricted according to whether the associates are adequately trained and licensed.
- HIPAA Violations and its Monetary penalties
The monetary penalties are always based on the level of negligence, separated into four tiers of culpability under the HITECH Act:
- The person did not know, and by exercising reasonable diligence would not have known, that they violated HIPAA;
- The violation occurred because of some reasonable cause and not by willful neglect;
- The violation was due to willful neglect that is timely corrected;
- The violation was due to willful neglect that is not timely corrected.
These fines are usually issued by state attorneys general and the OCR. They range from $100 to $1,500,000 per tier of violation per year.
- Implementation of Effective Risk Management Strategies
First things first: a risk analysis must be done by reviewing similar medical groups. Some of the common risks a practice may experience arise while storing, accessing, or transmitting PHI. So every practice needs its own customized risk management strategy in place. Here we discuss the standard strategies that can be implemented at almost every practice.
- Accessing the PHI
Clearance procedures, verified training and the handling of unauthorized access should all be addressed in an associate's sanctioned work policy. Associates must be well trained on the Privacy Rule and must have the appropriate clearance to access EPHI. Install firewall and antivirus software on all portable devices that have access to EPHI.
Enable two-factor authentication for remote access to systems. Beyond the regular username and password, require users to answer their secret question as a secondary factor before they can access these systems. Inactive devices should be subject to default timeouts or session termination.
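The following is an added example, not code from the original article, showing how the three access controls above (EPHI clearance, a second factor required for remote logins, and an inactivity timeout) can be enforced together in one policy object. The class and function names, the salt, the 15-minute idle limit and the sample users are all assumptions constructed for the demonstration; a production system would use a random per-user salt and a stronger second factor than a secret question.

```python
"""Added example: access-control policy for an EPHI system.
Enforces (1) EPHI clearance tied to training, (2) a second factor for
remote access, (3) an inactivity timeout. All names and values are
hypothetical and constructed for the demonstration."""
from dataclasses import dataclass
import hashlib
import hmac

SALT = "constructed-salt"            # constructed; real systems use a random per-user salt
INACTIVITY_LIMIT_SECONDS = 15 * 60   # assumed policy value: end the session after 15 idle minutes


def _hash(secret: str) -> str:
    # Slow, salted hash so neither the password nor the secret answer is stored in clear.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), SALT.encode(), 50_000).hex()


@dataclass
class User:
    username: str
    password_hash: str
    second_factor_hash: str     # hash of the answer to the user's secret question
    has_ephi_clearance: bool    # granted only after verified Privacy Rule training


def make_user(username: str, password: str, second_factor: str, cleared: bool) -> User:
    return User(username, _hash(password), _hash(second_factor), cleared)


@dataclass
class Session:
    username: str
    remote: bool
    last_activity: float        # seconds; supplied by the caller so the example is deterministic
    active: bool = True


class AccessPolicy:
    def __init__(self, users):
        self.users = {u.username: u for u in users}

    def authenticate(self, username, password, second_factor=None, remote=False, now=0.0):
        """Return a Session, or None if any required check fails."""
        user = self.users.get(username)
        if user is None or not user.has_ephi_clearance:
            return None                      # untrained / uncleared staff get no EPHI session
        if not hmac.compare_digest(_hash(password), user.password_hash):
            return None
        # Remote access needs the secondary factor; console access inside the practice does not.
        if remote and (second_factor is None
                       or not hmac.compare_digest(_hash(second_factor), user.second_factor_hash)):
            return None
        return Session(username, remote, now)

    def touch(self, session: Session, now: float) -> bool:
        """Record activity. Returns False and ends the session once it has been idle too long."""
        if not session.active:
            return False
        if now - session.last_activity > INACTIVITY_LIMIT_SECONDS:
            session.active = False           # terminate the session; a fresh login is required
            return False
        session.last_activity = now
        return True


if __name__ == "__main__":
    policy = AccessPolicy([make_user("dr_a", "correct horse", "blue", True),
                           make_user("temp_b", "pw", "red", False)])
    print("remote without 2nd factor:", policy.authenticate("dr_a", "correct horse", remote=True))
    s = policy.authenticate("dr_a", "correct horse", second_factor="blue", remote=True, now=0.0)
    print("remote with 2nd factor:", s is not None)
    print("still valid after 16 idle minutes:", policy.touch(s, 16 * 60))
```

Once a session has timed out, `touch` marks it inactive permanently, so a later request cannot silently revive it; the user must authenticate again, with the second factor if the access is remote.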
- Storing PHI
All associates should be trained on the policies for locating files that were deleted, whether intentionally or unintentionally. Downloading EPHI onto remote devices should be prevented when there is no operational justification.
There should be a media disposal procedure, and at a minimum a backup of the data should be taken before deleting it from devices that were subject to a breach. Backup data should always be encrypted. Identify the hardware devices that must be tracked and maintain a record of their movements. Also consider installing biometric password protection on portable devices and assigning each device to only one specific associate.
- Transmitting PHI
Measures should be taken to prohibit transmission of EPHI over open networks such as the Internet. SSL should be the minimum requirement for systems that manage EPHI in any form. Email should likewise go over SSL, with message-level standards such as S/MIME, SET, PEM or PGP implemented.
In conclusion, these new standards and technologies have clearly simplified the way data is transmitted today, and they have created tremendous opportunities for the improvements we see in today's healthcare system. However, these technologies have also created setbacks by adding complications and increasing the risk of data loss.
These issues are easily manageable when the practice partners with a HIPAA-compliant business associate who can implement these measures with less toil and trouble.