Working in a large organization with over 100+ employees? Discover how Dovetail can scale your ability to keep the customer at the center of every decision. Contact sales.
Protecting a patient’s personally identifiable information (PPI) and protected health information (PHI) is essential while transmitting, managing, and storing electronic health records.
Maintaining HIPAA compliance helps establish trust in your healthcare organization and prevents penalties. Meanwhile, patients can have peace of mind that their PPI and PHI are safe with you and your medical practice.
Computer hardware became more affordable in the early 90s, and the internet made accessing and sharing information easier. Medical facilities transitioned from paper to electronic health records (EHRs) for efficiency.
In 1996, with the onset of the electronic transmission of health information, Congress designed a law called the Health Insurance Portability and Accountability Act (HIPAA). The HIPAA Privacy Rule was published later.
Congress enacted HIPAA for other purposes, too. An initial goal of HIPAA was to make healthcare distribution more efficient by simplifying administration. Another aim was to enable more Americans to access health insurance coverage through transferable rights in certain circumstances.
This portion of the HIPAA law established measures to ensure people retained health insurance coverage between jobs. It guarantees coverage for employees with pre-existing conditions under certain circumstances, including when they
Leave a job that provided group health plan coverage and move to another job with group health plan coverage
Lose group health plan coverage, meet the definition of a HIPAA-eligible individual, and want to acquire individual health insurance coverage
Has individual health insurance coverage and now want to enroll in a new group health plan
This aspect of the HIPAA law does not:
Allow people to keep their current plan or benefits when losing a job or changing jobs
Require a new employer to offer health coverage
Guarantee the benefits will be the same if a person transfers from one plan or policy to another
The Department for Health and Human Services (DHHS) nationally standardized electronic healthcare transactions, identifiers, code sets, and operating rules for providers, health plans, and employers. These standards improved the efficiency and effectiveness of healthcare overall because they reduced paperwork and streamlined administrative processes.
Little was known about PHI’s vulnerability when accessed and shared via electronic transmission. Congress asked the DHHS to recommend standards to protect PHI privacy while healthcare providers and plans maintained or shared the information electronically.
Our team can give you a demo, help you choose the right plan and ensure you get the most out of Dovetail.
Request a demoThe types of data HIPAA protects are sensitive and non-sensitive personally identifiable information (PII) and personal health information (PHI) categories. Medical conditions are an example. These data types are protected to ensure confidentiality and safeguard against unauthorized use and disclosure.
Personally identifiable information is information that, when used alone or with other data, can generally or specifically identify an individual. Non-sensitive PII can include the following:
Zip code
Date of birth
Race
Gender
Sensitive PII can be used alone or combined with other PII for identity theft. Here are some examples:
Social security number
Full name
Driver’s license number and information
Financial information
Medical records
Protected health information is made up of three types of data under HIPAA:
Any information related to past, present, or future physical or mental health conditions
Provisions of healthcare
Payments for healthcare rendered that is electronically transmitted, maintained, or received by the following:
Healthcare provider
Health plan
Public health authority
Employer
Life insurer
School or university
Healthcare clearinghouse
Once these entities are subject to HIPAA standards, they are bound to safeguard PPI and PHI from unauthorized access.
The DHHS created a standard set of codes for different healthcare services and medications to distribute healthcare more efficiently with minimal errors. The DHHS established a national standard of coding for the following:
Diagnoses
Procedures
Services
Equipment
Supplies
Medications
HIPAA standardizes the following five code sets for simplification and efficiency:
ICD-10—International Classification of Diseases, 10th edition for diagnoses and procedures
CPT—Current Procedural Terminology for outpatient services and procedures
Healthcare Common Procedure Coding System (HCPCS) for healthcare equipment and supplies and services not covered by CPT codes
CDT—Code on Dental Procedures and Nomenclature
NDC—National Drug Codes
Adopting these HIPAA codes enables healthcare providers and health plans to communicate effectively with one another. At the same time, administrative duties become more efficient with fewer errors.
Not all healthcare providers are subject to HIPAA, although state privacy regulations may apply. Compliance only applies to entities that access and store health records electronically according to the DHHS’ standards. These institutions can be considered covered entities or business associates.
Entities subject to HIPAA standards are health plans, healthcare clearinghouses, and providers who transmit health information related to healthcare financial or administrative activities. These include a first report of injury, eligibility for a health plan, and health plan premium payments.
A person or organization can be considered a business associate if they create, receive, maintain, or transmit PHI on behalf of the covered entity but do not work for it. Business associates can include health information organizations or e-prescribing gateways requiring routine access to PHI.
Here are some of the rules set out by the HIPAA legislation:
Although the HIPAA law was created in 1996, the final Privacy Rule wasn’t published until 2002.
The Privacy Rule states permissible uses, disclosures, and the circumstances in which authorization is required, and gives patients rights over their PHI.
Published in 2003, the final Security Rule covers administrative, physical, and technical security measures that should be adopted when creating, collecting, using, maintaining, or transmitting PHI electronically.
For example, the rule requires an administrative sanction policy to be put in place for employees who don’t comply with the covered entity’s or business associate’s security policies and procedures.
Implementing policies and procedures that shield facilities and equipment from unauthorized physical access, tampering, and theft is an example of a physical security measure. Assigning a unique name or number for identification while accessing systems or incorporating an automatic logoff after a set time of inactivity are examples of technical security measures.
The Breach Notification Rule applies to all breaches that occurred in 2009 or after. In this case, a breach means the acquisition, access, use, or disclosure of PHI in a way that’s not permitted under the Privacy Rule.
Once a breach occurs through covered entities or business associates, required notification processes must be activated for the affected individuals, the media, and the Secretary of the DHHS.
The Enforcement Rule encompasses compliance and investigations, the levying of civil financial penalties for a HIPAA violation, and hearing procedures.
This rule sets the standard for filing complaints and how the Secretary of the DHHS conducts investigations or compliance reviews. If investigations or reviews are ongoing, the covered entities or business associates are responsible for cooperating and permitting access to information.
The components of an effective HIPAA compliance program include the following:
A compliance officer and committee
Written policies, procedures, and standards of conduct
Training and education
Communication
Responsiveness
Enforcement
Internal audits
Appoint a compliance officer and compliance committee made up of people who understand the HIPAA law and accompanying rules. They will help implement written policies, procedures, and standards of conduct relating to your unique situation. Make sure all employees are aware of how they can help HIPAA compliance through training and education.
Develop lines of communication between employees and entities. This will enable breaches to be reported quickly and corrective action to be taken immediately. Ensure everyone is aware of potential disciplinary actions for HIPAA violations. Conduct regular internal monitoring and audits to be sure that compliance efforts are in effect at all times.
Trust is important between a patient and their healthcare provider. When patients can trust medical professionals with their sensitive personal and healthcare information, there can be an open and honest relationship about their physical well-being. Improved trust means patients are more open about pain and other symptoms, resulting in more efficient health resolutions and improved outcomes.
HIPAA also established a national Health Care Fraud and Abuse Control (HCFAC) program, which coordinates federal, state, and local law enforcement to reduce waste and fraud. When medical professionals work toward HIPAA compliance, they are also improving their medical organization’s profitability.
The DHHS can impose fines for noncompliance. The severity of the violation determines the amounts levied.
For infractions that occurred before 2009, the civil penalty won’t be less than $100 or more than $25,000 for identical offenses.
The penalties increase incrementally for violations after 2009 depending on the degree to which the entity knew about the breach. For example, if the offense occurred because the covered entity or business associate didn’t know and couldn’t have known about the violation, the fine will be between $100 and $50,000 per violation or no more than $1,500,000 per calendar year.
However, if the offense occurred due to willful neglect (the violation was known to have occurred and the offenders did nothing to correct it for 30 days), the civil penalty will be more than $50,000 per violation but not more than $1,500,000 per calendar year.
Civil suits can also arise if the aggrieved party suffered damages because of the HIPAA violation. Your organization’s reputation may suffer, and your practice may sanction you if you are found at fault.
When the DHHS investigates a HIPAA violation, they will consider the whole healthcare practice to be at fault. They will investigate to see what single or multiple events led to the breach.
Ultimately, it’s the practice’s responsibility to ensure compliance. If an employee is at fault, the practice could decide to take disciplinary action against them. The practice should already have a sanction policy, which is required under the Security Rule.
Train and educate your employees on the importance of HIPAA compliance and how to avoid unintentional violations. You will still face consequences even if you didn’t purposely commit an offense.
Here are some tips to prevent unintentional violations:
Double-check emails and phone numbers to ensure sensitive patient information isn’t sent to the wrong party
Don’t leave patient information unsecured
Dispose of patient information properly
Don’t use unsecured methods to transmit PHI
Remember to log off or lock your computer screen when leaving a workstation containing sensitive information
Don’t allow unauthorized individuals to access PHI
Provide notice of privacy practices, including how patient data is collected, used, and protected and informing patients of their right to access their medical records
Do you want to discover previous research faster?
Do you share your research findings with others?
Do you analyze patient research?
Last updated: 23 August 2023
Last updated: 23 August 2023
Last updated: 8 August 2023
Last updated: 2 August 2023
Last updated: 8 August 2023
Last updated: 10 August 2023
Last updated: 11 September 2023
Last updated: 31 July 2023
Last updated: 16 August 2023
Last updated: 22 August 2023
Last updated: 10 August 2023
Last updated: 25 November 2023
Last updated: 25 November 2023
Last updated: 11 September 2023
Last updated: 23 August 2023
Last updated: 23 August 2023
Last updated: 22 August 2023
Last updated: 16 August 2023
Last updated: 10 August 2023
Last updated: 10 August 2023
Last updated: 8 August 2023
Last updated: 8 August 2023
Last updated: 2 August 2023
Last updated: 31 July 2023
Get started for free
or
By clicking “Continue with Google / Email” you agree to our User Terms of Service and Privacy Policy