HIPAA is short for Health Insurance Portability and Accountability Act. It was signed into law on August 21, 1996. But for over 25 years it’s been in operation, there have been several major additions to the initial guidelines. All in all, its main aim is to protect sensitive patient data.
Things Medical Students Should Know About HIPAA Compliance
As a medical student, you should know everything about HIPAA compliance. Once you get to the field and start your practice as a medic, you’ll have to follow the prevailing law in the letter. Otherwise, you’ll be risking heavy penalties. Here are 11 things you should know about HIPAA compliance:
1. It’s Inescapable
There’s no way around HIPAA compliance as long as you handle protected health information. In this sense, all medical students must undergo relevant training. Do note that it’s not just a one-off thing. The compliance guidelines evolve year after year.
So, you’ll still need to enrol in related courses even when you become a medical professional. It’s the only way you’ll be able to understand the latest requirements and subsequently implement the necessary protocols in handling patient data.
2. Protected Health Information (PHI)
It’s imperative to understand the kind of patient information that HIPAA terms as sensitive. Here are some of the main ones:
- Physical and mental health conditions of patients, including the past ones and those predicted to occur in the future
- Payments made by patients for healthcare services
- Demographic data
- Medical histories
- Test results
- Insurance information
Also included under PHI is all individually identifiable health information. In other words, any data that can be used to identify, contact, or locate a person. These include:
- Full names
- Geographical data like zip code
- Bank account numbers
- Phone numbers
- License numbers
- Fax numbers
- Vehicle license plate numbers
- Web (Uniform Resource Locators) URLs
- Email addresses
- Social security numbers
- Internet Protocol (IP) addresses
- Medical record numbers
- Fingerprints
- Voiceprints
- Health insurance beneficiary numbers
- Mug shots
None of these pieces of information should leak to unauthorized persons. If that happens, the individual or organization responsible will have violated the guidelines.
3. Covered Entities
HIPAA defines covered entities as those individuals or institutions that directly handle PHI in making transactions. These include:
- Doctors
- Nurses
- Pharmacists
- Clinics
- Nursing homes
- Psychologists
- Health insurance companies
- Healthcare clearinghouses
- Home health agencies
- Government programs that pay for healthcare
- Military health programs
The transactions in question include activities like coordination of benefits, eligibility checks for patients, payment of medical bills, checking healthcare status, and processing healthcare claims, among several others.
HIPAA regulations apply to all the above-listed covered entities. So, if you happen to work in any of these organizations, it’s in your best interest to comply with the guidelines.
Additionally, the rules spill over to the business associates of the covered entities. By definition, a business associate is any person or company that offers services to the covered entities and needs access to PHI.
Some of the most notable business associates include cloud storage providers, credit card companies, data storage enterprises, consultants, attorneys, claims processors, accountancy firms, collection agencies, and medical device manufacturers.
Before they access PHI, they usually must sign an agreement with the covered entities, promising not to disclose the sensitive patient data to any third party.
4. The Privacy Rule
The law requires all covered entities to have policies and procedures in place to ensure that all PHI is handled properly. Interestingly, HIPAA doesn’t provide the exact procedures on how to safeguard sensitive data. It remains the duty of the entity in question to come up with its specific policies in accordance with current industry standards.
Accordingly, the organization must ensure that every employee gets adequate training on how to implement the company-specific policies and procedures. It’s mandatory to have records of these training sessions. And more importantly, the employees must openly acknowledge that they’ve understood the content of the coaching sessions and are ready to follow the guidelines as they work.
5. The Minimum Necessary Rule
HIPAA advises covered entities to take prudent measures to limit the use of PHI to the minimum necessary to achieve any desired purpose. For instance, if a doctor sends the full copy of a patient’s medical record, yet just a part of it would suffice, he violates the minimum necessary rule. Likewise, a physician attending to a patient requires their medical history, but not their Social Security Number.
However, the minimum necessary rule doesn’t apply in the following scenarios:
- PHI disclosures mandated by law
- Healthcare practitioners requesting PHI so that they treat a patient
- PHI requests by the Department of Health and Human Services (HHS)
- Patients requesting copies of their medical records
- PHI requests backed by the patient’s authorization
6. Patient Rights
Under the HIPAA guidelines, patients have several rights in connection with their PHI. These are as follows:
- Patients can request access to their medical records by filling an authorization form.
- They can request changes to their PHI if they suspect they’re erroneous in some aspects. In this case, the covered entity should confirm the validity of the claims and make the necessary arrangements.
- They have the right to limit the disclosure of their sensitive data.
Upon admission to any healthcare institution, patients must be given the Notice of Privacy Practices, which details their rights regarding their PHI, and what the covered entities can do with the sensitive information.
7. The Security Rule
This rule states that both covered entities and their business associates must have administrative, physical, and technical safeguards to protect PHI from unauthorized access. Here’s a breakdown of the three kinds of safeguards required:
Administrative:
Every organization that handles PHI must have a set of protocols that define the handling procedures of sensitive patient data. These protocols must subsequently be taught to the employees of that specific organization.
Most importantly, the healthcare firm must carry out a risk analysis to determine all possible ways that HIPAA could be violated. From the findings, they can propose corresponding mitigation measures.
Physical:
The storage areas for hardcopy patient medical records must have secure locking systems to restrict unauthorized access. If possible, they should also be fitted with alarms that go off whenever there’s an attempt to access the data illegally.
Better still, offices with workstations that house sensitive data must be out of bounds for unauthorized persons. Each employee must know which workstation they can use and which one they shouldn’t.
And when it comes to disposing of devices, all sensitive data must be wiped off before doing away with them. You understand that dumped devices may fall on the hands of witty individuals who may try to recover any stored data left there intentionally or by mistake.
Technical:
For online transmission of PHI, the devices and software in use must have data protection measures like firewalls, encryption, and strong passwords. Additionally, each employee with access to PHI must have a unique identifier for logging in to the various platforms.
This helps in keeping track of the persons handling PHI at any given moment. In case of a breach, it becomes easy to trace the events that led to it.
8. The Penalties
HIPAA classifies violations into four distinct levels, each with its accompanying fine as follows:
Level 1:
Those violations that couldn’t be avoided, given that the entity in question couldn’t know about the impending data breach in good time. The penalties for such violations range from a minimum of USD$100 to a maximum of USD$50,000, with an annual cap of USD$1,500,000.
Level 2:
Those unintentional violations for which the entity in question should have realized before they occurred. These carry penalties between USD$1,000 and USD$50,000 per violation, with a yearly limit of USD$1,500,000.
Level 3:
Those violations arising out of willful negligence, but correction measures are taken within 30 or so days. These violations attract fines between USD$10,000 and 50,000 per violation, with a penalty cap of USD$1,500,000 during a single calendar year.
Level 4:
Finally, the worst HIPAA violations are those arising from willful negligence without any timely attempt to stop the leakage of PHI. As such, the penalties for this kind of violation start at USD$50,000.
From the foregoing, it’s clear that any violation can instantaneously cripple you financially. The fines are too heavy, especially if the entity in question isn’t well established financially. Thus, it pays to be compliant by all means possible.
For an employee who violates HIPAA regulations for individual gain or to cause malicious harm, the following jail terms are applicable:
- Knowingly gaining access to PHI: A jail term not exceeding one year
- Collecting PHI under false pretense: A jail term not exceeding five years
- Knowingly breaching HIPAA to gain monetary benefits or cause harm to the patients: A jail term not exceeding ten years
- Aggravated identity theft: Compulsory two-year jail term
Such criminal violations of the HIPAA regulations are investigated and penalized by the U.S. Department of Justice. In addition to serving time in prison, the responsible employee risks getting disqualified from practicing by professional boards. That’s quite a blow to your career. After all those years of study and work, you’re literally robbed of your chance to ever work as a medical professional.
9. The Breach Notification Rule
You now understand that the penalties are softer for any entity that attempts to rectify the situation before things disproportionately get out of hand. The moment you detect a breach of PHI, you must inform the affected individuals as well as the Department of Health and Human Services. PHI breaches are categorized according to the number of affected individuals as follows:
- Minor Breach: Affects less than 500 patients. This must be reported by the end of the year in which the breach occurred.
- Meaningful Breach: Affects more than 500 patients. It must be reported within two months from the time of detection. On top of notifying the affected persons and HHS, the mainstream media must also be notified.
In reporting a breach, you must include the following information in the report:
- Whether you’re a covered entity or business associate
- Name of the covered entity or business associate
- Type of covered entity—either health plan, healthcare provider, or healthcare clearinghouse
- Street Address
- Contact information
- Number of persons affected by the breach
- Type of the breach, such as hacking, improper disposal, or theft
- Location of the breach, for instance, desktop PC, laptop, email, electronic medical record, network server, etc.
- Type of PHI involved in the breach
- Brief description of the breach
- The safeguards in place before the breach took place
- Actions are taken in response to the breach
With such detailed information, the Office for Civil Rights is in a good position to investigate the circumstances surrounding the breach. As a covered entity, here are some of the actions you can take the moment you detect a breach:
- Adopt new encryption technologies
- Change passwords to stronger that are difficult to crack
- Improve the physical security of storage areas
- Sanction the persons involved. If possible, terminate their contracts.
- Set new risk management rules and retrain employees on the same
When you prove to the authorities that you tried your best to rectify the situation, the fines may be a bit more manageable.
10. How OCR Enforces HIPAA
The HHS Office for Civil Rights is responsible for enforcing the HIPAA rules. First and foremost, they investigate any complaints they receive from affected persons. The intrusion of privacy must have taken place after the laws were signed into place. For instance, the Privacy Rule took effect on April 14, 2003, while the Security Rule started operating on April 20, 2005. The OCR doesn’t look into any breach of PHI before these dates.
Additionally, the complaint must be against a listed covered entity. If the complaint is against entities like life insurers, employers, schools, state agencies, and municipal offices, the OCR won’t pursue it any further. Also, the complaint must be filed within 180 days after discovery. If any person makes a complaint after the provided time limit, they must show good cause for the delay.
Aside from complaints, OCR may also conduct compliance reviews on a given organization to ascertain whether they’re HIPAA-compliant. Such compliance audits are random, and so it pays to always be prepared at all times.
11. Designated HIPAA Security Official
Because of the seriousness of HIPAA compliance, it’s a requirement for all healthcare organizations to have a full-time employee tasked with developing HIPAA policies and guidelines and implementing them.
But that’s not to say that all the HIPAA-related work must be handled by one person. Depending on the organization’s size, there can be several other persons with specific responsibilities operating under the designated security official with overall responsibilities. Here are typical responsibilities of the designated security official:
- Formulating policies and procedures to detect and prevent PHI breaches.
- Correcting PHI breaches in case they occur.
- Staff training on organizational security awareness.
- Investigating unfortunate data breaches so as to come up with measures to avoid a repeat of the same mistake in the future.
- Conducting a risk assessment of the organization’s PHI in regards to third parties like Business Associates.
- Looking into disaster recovery and business continuity after catastrophic breaches.
If interested, you too can try your luck for such a position. The ideal candidate for the role must have a thorough grasp of HIPAA and strong organizational skills. Additionally, they must be good in IT and have a complete mastery of the organization’s computer systems. This way, they can adequately prevent data breaches.
12. Security Breaches Keep Increasing
The healthcare industry, like many other industries, is struggling to transition to paperless mode. Instead of keeping printed copies of patient medical records, such information can be uploaded to cloud storage platforms. This system is very convenient for all those who need access to patient information.
However, with the increased convenience comes the risk of hacking. Expert reports have it that most breaches occur through hacking. There are individuals out there sworn to disrupt the peace of hardworking individuals and organizations. Once hackers get access to PHI, they can prevent the rightful persons from using the information until they pay them some amount of money.
Others do it for the sake of defaming organizations they have a grudge with. Once the public gets to know that a certain hospital isn’t careful enough with sensitive patient data, they’ll just avoid doing business with the hospital. The result is very low patient volume, which translates to meager profits.
Therefore, it’s critical to stay alert whenever doing anything on the web. As a precaution, it pays to have a HIPAA IT solution that encrypts every message and file before sending it to the recipient.
The recipient must then decrypt the message to understand the contents. Equally important is the need to avoid messaging systems like emails with very shallow security measures. And on top of that, ensure that every platform with PHI is password-controlled.
Bottom Line
It doesn’t break the bank to be HIPAA compliant. But the violations might render you bankrupt. So, make a point of ensuring that you’re operating within the laid-out guidelines. And it all starts with training. Get the proper education from the word and update your skills as often as the compliance guidelines get updated. That way, you’ll always be on the right side of the law.
Robert Murphy is a university professor. He shares his educational insights and expertise through guest posting. Robert is married with four children. He loves playing golf and tennis during his free time.
