Are you confused as to what exactly HIPAA is and how it works? We have put together a list of things you should know about it to get you familiar with the basics.
What is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act of 1996, which specifies laws for the protection and use of Personal Health Information (PHI), essentially your medical record. HIPAA was introduced with the aim of easing the sharing of PHI between entities that have a need to know, while also maintaining an acceptable and reasonable level of privacy for the individual whose information is in question.
What does HIPAA cover?
The three pillars around which HIPAA was built are as follows:
- Integrity – the medical record must always be accurate.
- Confidentiality – the medical record should only be viewed by those who need to see it, and all uses of that data should be knowable by the individual.
- Availability – the medical record must be readily available, i.e. no reasonably avoidable downtime.
HIPAA regulates the Privacy, Security and Enforcement rules for PHI. The Privacy and Security rules describe how one must treat PHI, regardless of whether it is electronic or not. The Enforcement rules specify what happens if you fail to treat PHI carefully, i.e. the penalties.
What is HITECH?
The Health Information Technology for Economic and Clinical Health Act (HITECH) was passed in 2010. This act updated the HIPAA rules and provided federal funds for deploying electronic medical records (EMR), also referred to as electronic health records (EHR). HITECH upgraded HIPAA because medical records now came in digital form, which called for new rules on their protection and availability.
What do the rules and regulations require from us?
The primary reasons behind the rules and regulations are to:
- Protect the Availability, Integrity and Confidentiality of PHI
- Have Business Associate Agreements with any vendors that touch protected health information (PHI)
- Report any violations of PHI misuse to the OCR
The rules do not prescribe any particular technology, design or platform, only that the data must be secure. They do assume that you follow established industry practices for protecting data, such as NIST guidance, and failing to use such practices would likely be considered negligent.
What penalties are there in the case of a violation?
The penalties for violating HIPAA rules are, in the worst case, severe. They range from $100 to $50,000 per violation, up to a maximum of $1,500,000 per year, and can even carry criminal charges that could ultimately result in jail time. Penalties apply when more than 500 records of PHI (or ePHI, Electronic Personal Health Information) are released to the public in unencrypted form.
The fines and charges are broken down into two major categories: “Reasonable Cause” and “Wilful Neglect”.
- Reasonable Cause ranges from $100 to $50,000 per incident (release of 500 medical records) and does not involve criminal charges.
- Wilful Neglect ranges from $10,000 to $50,000 per incident and can result in criminal charges.
These are just a few of the core details about HIPAA to help you gain a basic understanding of the topic.