What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) was created in 1996 to establish standards for protecting patients’ health information, known as Protected Health Information (PHI). For every entity covered by HIPAA, there are strict guidelines governing how PHI may be shared and when sharing it is appropriate practice.
The Office for Civil Rights (OCR), part of the Department of Health and Human Services, oversees HIPAA compliance. Alongside state attorneys, the OCR can issue penalties to those found to have inappropriately shared a patient’s PHI. HIPAA stipulates that, in addition to financial penalties, covered entities (CEs) must adopt a corrective action plan to bring their policies and practices up to the accepted standard.
Common HIPAA Violations
HIPAA violations often result from the following:
- a lack of organizational-level risk analysis regarding confidentiality, integrity and sharing of PHI
- a lack of associate agreements that are HIPAA-compliant
- unlawful sharing of PHI
- failure to report breaches of PHI
- failure to adequately protect PHI.
Settlements serve not only to enforce the legislation but also to remind healthcare providers and similar organisations of the importance of HIPAA compliance.
To comply with HIPAA legislation, only the minimum amount of information necessary may be shared with another party. Sharing more information than is needed is a violation.
Deliberate violations of HIPAA legislation result in the maximum possible fine being levied against the organisation.
Though some violations may be accidental, the OCR does not consider “ignorance” a just reason for HIPAA non-compliance.
Data Breaches and HIPAA Compliance
Rarely does a week go by without headlines about high-profile data breaches. Unfortunately, PHI is often a target of such cyber-attacks. Whilst organisations are expected to do everything in their capacity to reduce the risk of data breaches, the OCR recognises that an impenetrable security system is nigh-on impossible. Thus, a data breach is not in itself considered a violation of HIPAA.
Risk Analysis, Business Associates and HIPAA Compliance
Likely the most common violation, the failure to perform an organisation-wide risk analysis of PHI often results in financial settlements with the OCR. Regular risk analysis is necessary to pinpoint vulnerabilities in the organisation’s practices. Without it, potential risks go unaddressed and are more likely to lead to a violation of HIPAA.
Any party that is given access to PHI must comply with HIPAA. Violations of this sort often occur when business associate agreements have not been revised since the Omnibus Final Rule of 2013.
Encryption and HIPAA
To ensure that a patient’s personal data is adequately protected, all digital messages containing the patient’s information should be encrypted. Though encryption is not an absolute requirement under HIPAA legislation, a failure to encrypt (and thus a failure to safeguard a patient’s PHI as fully as possible) may be used as evidence against the organisation if a breach occurs.
Texting PHI can be seen as HIPAA non-compliant. If the text message’s content and recipient are deemed non-essential, then the message would be seen as a breach of HIPAA legislation. The security of the message is also considered – if the message is not well encrypted or protected, the text is a violation of HIPAA.
Notification of HIPAA Breaches
As stipulated by the HIPAA Breach Notification Rule, once a breach has been identified it must be reported within 60 days of discovery. This ensures that the issue is dealt with promptly and limits any further spread of the exposed PHI.