Course

HIPAA

Course Highlights


  • In this HIPAA course, we will learn about the HIPAA law of 1996 and its implications for healthcare providers.
  • You’ll also learn how to recognize the healthcare professional’s role and responsibilities in protecting PHI.
  • You’ll leave this course with a broader understanding of patients’ rights under HIPAA.

About

Contact Hours Awarded: 1

Course By: Elaine Enright, BSN, RN


Introduction   

As nurses, we have been tasked with learning about HIPAA and bringing this law into our practices. HIPAA is a federal law enacted in 1996 to allow workers to carry forward their health insurance (portability) when changing jobs, using coverage such as COBRA or another short-term health insurance product.

It also set up a Privacy Rule to protect patients’ private health information (PHI) from being shared without their knowledge or consent (1). After the HIPAA national standards were established, the U.S. Department of Health and Human Services (HHS) issued the HIPAA Security Rule to protect “a subset of information covered by HIPAA’s privacy rule” (1). In this course we will review the HIPAA law, its role, and who it protects.

Before HIPAA was enacted, a Congressional report documented the waste of healthcare dollars on “fraudulent or abusive practices by unscrupulous healthcare workers.” In other words, the medical community and insurance companies were using different transaction rules and codes to process claims, and these practices needed to change so that all healthcare agencies, physician offices, and insurance companies spoke the same language (2). HIPAA was also created to watch for fraud and abuse, which was expected to lower costs and protect consumers against rising insurance premiums (2).

Quiz Questions

Self Quiz

Ask yourself...

  1. Where and when did you first learn about HIPAA? 
  2. What was your understanding of the law? 
  3. How difficult was it to implement HIPAA in your workplace? 

Covered Entities and Privacy Rule 

As previously stated, all health-related entities fall under the HIPAA Privacy Rule, but a few other types of entity must follow the law as well. These include healthcare clearinghouses, “Business Associates” (i.e., anyone who provides a service to or acts on behalf of a covered entity), and those “who provide Medicare prescription drug discount cards” (2).

Examples, as listed by the U.S. Centers for Disease Control and Prevention (CDC), include (1):

  • Any prescription insurers, including health, dental, and vision providers 
  • Health Maintenance Organizations (HMOs) 
  • Medicare, Medicaid, and insurers who offer Medicare Alternatives 
  • Insurers who cover long-term care 
  • Health plans for employees 
  • Church-sponsored and government-sponsored health plans
  • Multi-employer health plans

“Hybrid entities,” self-insured single-employer group health plans, and employers who act on behalf of a covered entity must also comply with HIPAA (2). To that end, every provision of the HIPAA law is mandatory. However, there are some exceptions within the rule, such as email encryption: emails must be encrypted if a firewall does not protect them, and reliance on this exception must be documented in writing and supported by a risk assessment of the email system (2).

Quiz Questions

Self Quiz

Ask yourself...

  1. There are a few permitted uses and disclosures of patients’ health information; where can you find them? 
  2. How would you communicate with the patient’s family while protecting the patient’s health information? 
  3. Can you identify any other entities that are covered under HIPAA?

Security Rule

The Security Rule set by HIPAA covers a subset of the information protected by the Privacy Rule. As technology progressed, the use of email and electronic transfers of protected health information (PHI) in healthcare also rose. The Security Rule was then developed to ensure that every covered entity protects PHI when it is handled by email or other electronic methods. In this context, the PHI is called e-PHI, or electronic protected health information.

To comply with the rule, covered entities must (1):

  • Ensure that e-PHI is confidential, available, and has integrity.
  • Identify and protect against any anticipated threats to the security of the information.
  • Protect against anticipated impermissible uses or disclosures.
  • Ensure compliance by their workforce within their facilities.

Many healthcare facilities now use a single internal electronic method, such as a patient portal, to transmit information on diagnoses and test results to the patient and to let patients communicate securely with their providers.

Quiz Questions

Self Quiz

Ask yourself...

  1. Does your workplace have a firewall to protect e-PHI? 
  2. What should you do if a fellow employee talks about a patient in a busy area such as the cafeteria or hallway? 
  3. How would you handle someone who demanded information from you that HIPAA covers? 

HIPAA Enforcement and Penalties 

As previously stated, HIPAA is a federal law. The HHS Office for Civil Rights (OCR) is the agency responsible for ensuring that the Privacy Rule is followed by all covered entities. The OCR enforces the HIPAA standards and carries out compliance and complaint reviews (2, 3). If a covered entity is out of compliance, OCR will send assistance to that agency to help it comply. If an entity refuses to comply, it may be penalized monetarily; these penalties may be imposed for non-compliance with any part of the rule. Penalties depend on the type of error, the date, and whether the party involved was aware of the failure to comply or intentionally disclosed information covered by the rule (2).

The monetary penalty amounts are as follows (3):

  • Penalty amount per violation is $127 to $63,973 
  • The calendar year cap for the same required or prohibited violation is $25,000 to $1,919,173 

If the entity is out of compliance due to a misunderstanding of the rule and the issue is corrected within 30 days, the penalty may not be imposed. A penalty may also be reduced if the non-compliance was due to reasonable cause and the penalty would not “fit the crime” (3).

Criminal penalties may also be imposed if a person knowingly obtained or disclosed PHI in violation of the Privacy Rule. In this case, the criminal penalty may be up to $50,000 and 1 year of imprisonment. If the violation is committed under false pretenses, the penalty increases to $100,000 and 5 years in prison. If the non-compliant person or entity intends to sell, transfer, or use the information for commercial or personal gain, the penalty is $250,000 and up to 10 years of imprisonment. The agency responsible for criminal penalties is the Department of Justice (DOJ) (3).

Quiz Questions

Self Quiz

Ask yourself...

  1. Do you know of anyone, or a facility that was penalized for violating HIPAA?  
  2. Where in your facility can you find these violations? 
  3. Who signed the HIPAA law into effect? 

Other Implications 

Since HIPAA was enacted in 1996, patients are likely to feel more confident that their sensitive healthcare information will be protected. Electronic records are more protected than written records due to advanced technology. Healthcare organizations have been charged with implementing systems to maintain privacy and protection (2).   

The hospital organization I previously worked for has established a single online system for the whole organization, whether in the hospital, physician’s office, clinic, or ancillary divisions. It has made entering and retrieving patient information much quicker than searching a paper record. This significant change has improved staff efficiency and made reporting to insurance companies easier. Staff workflows have changed, and the system is becoming more efficient (2).

The downside to these newer methods is cost. We have seen more and more hospital organizations and physicians merge to save money, which may, in the long run, have “the potential to reduce the level of care” (2). Hospitals and physicians must meet specific quality measures set by Medicare and health plans in order to comply with HHS requirements. Although the up-front costs of compliance are vast, the hope is that they will be reduced in the long term (2).

Quiz Questions

Self Quiz

Ask yourself...

  1. How has your facility become compliant with HIPAA? 
  2. Thinking about how you practiced before HIPAA, how has your workflow changed? 
  3. Are you efficient in your patient care? 

Patient Rights  

We have covered a substantial amount of information about the HIPAA law and the Privacy and Security Rules, but what rights do patients have under HIPAA? The National Coordinator for Health Information Technology, working with HHS, has developed information for patients about their rights.

PHI is anything put in your patient’s medical record by you, the nurse, the physician/provider, or any other healthcare provider with access to the information. It also covers conversations between nurses and other healthcare providers, PHI in the health insurance company’s computer system, any billing information, and most other health information about your patients (4).

The information is protected by law: every covered entity must have safeguards in place. Covered entities and business associates must also limit uses and disclosures by developing policies and procedures that restrict who can and cannot view PHI, and they must structure and deliver education to all staff who are charged with protecting PHI (4).

Patients should be educated about their rights under the Privacy Rule, which HHS lists as follows (4):

  • Request to see their health records 
  • Request corrections to any errors in the health record 
  • Receive a document about how other entities may share and use PHI 
  • Decide whether their PHI may be shared with others, such as for marketing purposes
  • Receive a report on when or why their PHI was shared for certain purposes 
  • File a complaint with HHS, their provider, or insurance company 

In the case of a minor child or children, it is standard for the parent or legal guardian to exercise rights under HIPAA. Where the parent is “not considered the child’s representative” (3), State and other law will determine the parent’s rights to access and control PHI for their minor children (3).


Legal Disclosure of Health Information 

The following are cases in which PHI may be legally disclosed without a person’s consent (3): 

Public Health  

Public health activities authorized by law, including reporting to the U.S. Food and Drug Administration (FDA) of adverse events, product tracking, or recalls; reporting of individuals’ exposure to communicable diseases as required by the government; and reporting to the Occupational Safety and Health Administration (OSHA) concerning work-related injuries or illness.

Cases of Assault/Abuse 

Victims of domestic violence, neglect, or abuse may have their PHI requested by government authorities. 

Federal Audits/Investigations 

PHI may legally be used for audits and investigations by the government for oversight of the healthcare system.

  • PHI may be shared in judicial or administrative proceedings, through a court or executive board, or in the case of a subpoena.
  • PHI may be disclosed to law enforcement as required by law to identify or locate a fugitive, missing person, witness, or suspect; to identify a victim; in the case of a death that may be the result of a crime; or in a medical emergency that did not happen on site.

Post-Mortem 

  • PHI may be disclosed to funeral homes as needed, and to medical examiners when determining the cause of death.
  • Covered entities may use PHI to facilitate cadaveric organ or tissue donation and transplantation.

Research Purposes 

PHI may be used for research after a covered entity receives documentation that the patient’s authorization has been waived and the use of the PHI has been approved by an Institutional Review Board (IRB).

Serious Threat to Health/Safety 

“Covered entities may disclose protected health information that they believe is necessary to prevent or lessen a serious and imminent threat to a person or the public, when such disclosure is made to someone they believe can prevent or lessen the threat (including the target of the threat)” (3). 

Essential Government Functions 

Essential government functions include military, intelligence, and national security activities; Secret Service protection of the president; medically appropriate decisions for State Department employees; enrollment in specific government benefit programs; and the safety of inmates or employees in a correctional institution.

Workers’ Compensation 

“Covered entities may disclose protected health information as authorized by, and to comply with, workers’ compensation laws and other similar programs providing benefits for work-related injuries or illnesses” (3).

Quiz Questions

Self Quiz

Ask yourself...

  1. Where can you find more information on patient’s rights under HIPAA? 
  2. Does your workplace have signage for patients’ rights? 
  3. Have you ever been involved in a situation in which PHI was illegally disclosed? 

Psychotherapy Disclosures 

When the PHI consists of psychotherapy notes, it is still mandated that the patient’s information be kept private. However, there are exceptions in which psychotherapy notes may be disclosed by a covered entity (e.g., a provider or facility) without the individual’s authorization. These include (3):

  • For treatment (if the covered entity originated the notes) 
  • For its own training 
  • To defend itself in legal proceedings brought on by the individual 
  • For HHS to investigate or determine the covered entity’s compliance with the Privacy Rules 
  • To avert a serious and imminent threat to public health or safety 
  • To a health oversight agency for lawful oversight of the originator of the psychotherapy notes 
  • For the lawful activities of a coroner or medical examiner or as required by law 


Amendments to HIPAA  

Since the origination of HIPAA in 1996, significant changes and updates have been implemented. Among these, the Health Information Technology for Economic and Clinical Health (HITECH) Act established the Breach Notification Rule in 2009, followed by the Omnibus Final Rule in 2013. These updates placed a considerable burden on covered entities, requiring significant time and effort to comply (5).

Minor updates include a 2014 change that allows patients to see their test results, aligning the Privacy Rule with the Clinical Laboratory Improvement Amendments (5).

One of HHS’s goals is to decrease the burden on covered entities, so HHS sent a Request for Information (RFI) to these entities. Some of the proposed changes that are still pending are listed below (5):

  • Retraining employees on the new rules, policies, and procedures
  • Providers will have 15 days to comply when records are requested, instead of 30 days
  • Electronic health records (EHRs) will include billing records, to be provided to patients as part of their PHI
  • A proposed Part 2 rule to protect substance abuse and mental health records
  • Patients will be allowed to photograph their PHI and take notes on it
  • HIPAA fines and settlements to be shared with victims of HIPAA violations

Other changes to HIPAA were made during the recent COVID-19 pandemic, which eased the burden on covered entities testing and treating patients with COVID-19. These changes were reversed on May 11, 2023 (5). Penalties for HIPAA violations could also change in 2024.

Quiz Questions

Self Quiz

Ask yourself...

  1. Where can you find all the HIPAA changes in depth?
  2. Has your workplace made any changes or updates to the new HIPAA rulings? 
  3. What are some additional changes you might anticipate regarding handling of PHI in 2024? 

Conclusion

As we have learned in this course, HHS developed and began to enforce compliance with the HIPAA rule in 1996, with several updates since that year. HIPAA was designed to protect individuals’ private healthcare information. We learned the definitions of “covered entities” and “business associates” and their requirements to comply with the law.

Not only do these entities have rights and responsibilities, but the individual patients do as well. We also reviewed monetary and civil penalties for non-compliance and our role as healthcare professionals under HIPAA. With the inception of artificial intelligence, our roles may change again, and HIPAA will play a part.


References + Disclaimer

  1. Centers for Disease Control and Prevention. (2022, June). Health Insurance Portability and Accountability Act of 1996 (HIPAA). https://www.cdc.gov/phlp/publications/topic/hipaa.html 
  2. The HIPAA Journal. (n.d.) HIPAA explained. https://www.hipaajournal.com/hipaa-explained/ 
  3. U.S. Department of Health and Human Services. (2022, October). Summary of the HIPAA Privacy Rule. https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html  
  4. U.S. Department of Health and Human Services. (2022, January). Your rights under HIPAA. https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html 
  5. Alder, S. (2024, January). HIPAA updates and HIPAA changes in 2023-2024. https://www.hipaajournal.com/hipaa-updates-hipaa-changes/ 


Disclaimer:

Use of Course Content. The courses provided by NCC are based on industry knowledge and input from professional nurses, experts, practitioners, and other individuals and institutions. The information presented in this course is intended solely for the use of healthcare professionals taking this course, for credit, from NCC. The information is designed to assist healthcare professionals, including nurses, in addressing issues associated with healthcare. The information provided in this course is general in nature and is not designed to address any specific situation. This publication in no way absolves facilities of their responsibility for the appropriate orientation of healthcare professionals. Hospitals or other organizations using this publication as a part of their own orientation processes should review the contents of this publication to ensure accuracy and compliance before using this publication. Knowledge, procedures or insight gained from the Student in the course of taking classes provided by NCC may be used at the Student’s discretion during their course of work or otherwise in a professional capacity. The Student understands and agrees that NCC shall not be held liable for any acts, errors, advice or omissions provided by the Student based on knowledge or advice acquired by NCC. The Student is solely responsible for his/her own actions, even if information and/or education was acquired from a NCC course pertaining to that action or actions. By clicking “complete” you are agreeing to these terms of use.
