HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States legislation that provides data privacy and security provisions for safeguarding medical information. It has two main purposes: to provide continuous health insurance coverage for workers, who lose or change their job, and to reduce the administrative burdens and cost of healthcare by standardizing the electronic transmission of administrative and financial transactions. Other goals include improving access to long term care services and health insurance.
The act signed into law by President Bill Clinton on Aug. 21, 1996, contains five sections, or titles.
- HIPAA Health Insurance Reform
- HIPAA Administrative Simplification
- HIPAA Tax-Related provisions
- Application and Enforcement of Group Health Plan Requirements
- Revenue offsets
The Standards for Privacy of Individually Identifiable Health Information, commonly known as the HIPAA Privacy Rule, establishes the first national standards in the United States to protect patients’ personal or protected health information (PHI). HHS issues the rule to limit the use and disclosure of sensitive PHI. It seeks to protect the privacy of patients by requiring doctors to provide patients with an account of each entity to which the doctor discloses PHI for billing and administrative purposes, while still allowing relevant health information to flow through the proper channels. It also guarantees patients the right to receive their own PHI, upon request, from healthcare providers covered by HIPAA. In the United States, federal law requires healthcare information to be guarded. Hence, this act comes with a cost and it is huge.
To fulfill the obligation of HIPAA, healthcare systems have employed more compliance officers and deployed technology which will help to improve the system and guarding private information of the patients. At the time of implementation, the Department of Human and Health Services (HHS) estimated that HIPAA would initially cost healthcare systems approximately $113 million with subsequent maintenance costs of $14.5 million per year. However, the actual costs of HIPAA compliance are estimated at closer to $8.3 billion a year, with each physician on average spending $35,000 annually for health information technology upkeep. These costs do not account for the added stress inflicted upon healthcare clinicians and patients struggling to allow each other access to important and necessary healthcare information.
Compliance with HIPAA privacy rules does have a price: HIPAA has contributed to the unsustainable rising costs of healthcare and lack of interoperability. HIPAA has impeded communication about risks to the public, contributed to inefficient care of patients by protecting physician communication, deterred medical research through the high costs of compliance, and stolen physician time from patients. However, there are loopholes in the systems that are required to be fixed.
- Stolen laptop
- Stolen phone
- Stolen USB device
- Malware incident
- Ransomware attack
- Business associate breach
- EHR breach
- Office break-in
- Sending PHI to the wrong patient/contact
- Discussing PHI outside of the office
These HIPAA violations commonly fall into several categories:
- Use and disclosure
- Improper security safeguards
- The Minimum Necessary Rule
- Access controls
- Notice of Privacy Practices
A Use and Disclosure violation occurs when a covered entity or business associate improperly distribute PHI or ePHI to an incorrect party. To maintain compliance with the HIPAA Security Rule, HIPAA-beholden entities must have proper physical, administrative, and technical safeguards in place to keep PHI secure. In recent years, ransomware attacks have ramped up against targeted health care organizations.
Medical data is worth three times as much as financial data on the black market, meaning that health care organizations are increasingly vulnerable to cyber security attacks. HIPAA security safeguards can defend health care organizations against ransomware and prevent data breaches. The Minimum Necessary Rule states that employees of covered entities may only access, use, transmit, or otherwise handle the minimum amount of PHI necessary to complete a given task. If a large portion of a patient’s medical record is exposed to a data breach because the Minimum Necessary Rule was not followed, that can lead to a violation of the HIPAA Privacy Rule and result in violation fines.
Access controls are an aspect of HIPAA regulation that limits the number of staff members at an organization that has access to PHI. Access to PHI should be limited, based on the roles and responsibilities of the employee in question. If access controls are too broad, then PHI is exposed to unnecessary risk. If a health care organization experiences a data breach due to improper HIPAA access controls that can lead to some major fines for negligence. Covered entities must allow patients to review and agree to their organizational Notice of Privacy Practices before beginning treatment.
HIPAA regulation mandates that covered entities must have their Notice of Privacy Practices posted in plain sight for patients to review. Common HIPAA violations can result from a covered entity’s failure to properly disclose their Privacy Practices, or a breach thereof. Under the HIPAA Privacy Rule, patients have certain rights to the access, privacy, and integrity of their healthcare data and PHI. Furthermore, HIPAA has also made harder for physicians and patients to work with innovators to advance healthcare technology. This is because information cannot be shared with third parties for instance with researchers and innovators. Patients, physicians, and others in healthcare have complained about outdated healthcare technology, but the lack of easy access to healthcare data is a major barrier to this advancement.
To solve the problems, HHS tried to reassess the cost-benefit analysis. To promote interoperability of electronic health records, HHS issued Draft 2 of the Trusted Exchange Framework and Common Agreement (TEFCA) for public comment and a final version is in progress. But a better test of the value of HIPAA would be to place the decision about privacy in patients’ hands by creating an opt-in regime. If patients valued their privacy, they could choose to opt into HIPAA protections, unless there was a pressing safety or public health issue. We would then quickly find out that most folks would likely choose not to exercise the option because most people do not place a high value on medical privacy. It could be better if healthcare institutes can educate patients about the benefits of being able to share health care information freely.