HIPAA News

NIST Updates Guidance on HIPAA Security Rule Compliance

The National Institute of Standards and Technology (NIST) has updated its guidance for HIPAA-regulated entities on implementing the HIPAA Security Rule to help them better protect patients’ personal and protected health information.

The Security Rule of the Health Insurance Portability and Accountability Act established national standards for protecting the electronic protected health information (ePHI) that HIPAA-regulated entities create, receive, maintain or transmit. Ensuring compliance with the HIPAA Security Rule is more important than ever due to the increasing number of cyberattacks on HIPAA-regulated entities.

NIST published the first revision of its HIPAA Security Rule guidance in 2008, 6 years before the release of the NIST Cybersecurity Framework. Over the past 14 years, NIST has released other cybersecurity guidance and has regularly updated its Security and Privacy Controls (NIST SP 800-53). One of the main reasons for updating the HIPAA Security Rule guidance was to integrate it into NIST guidance that did not exist when Revision 1 was published in 2008.

“One of our main goals is to help make the updated publication more of a resource guide,” said Jeff Marron, a NIST cybersecurity specialist. “The revision is more actionable so that healthcare organizations can improve their cybersecurity posture and comply with the Security Rule.”

NIST has mapped the elements of the HIPAA Security Rule to the NIST Cybersecurity Framework subcategories and to the controls in NIST SP 800-53, has increased the emphasis on the risk management component of the guidance, and has integrated enterprise risk management concepts. NIST has also factored in the feedback received from healthcare industry stakeholders in its pre-draft call for comments.

The latest revision is more of a refresh than an overhaul. The structure of the guidance has changed only slightly, with the content updated to place an increased emphasis on the assessment and management of risk to ePHI.

“We provide a resource that can assist you with implementing the Security Rule in your own organization, which may have particular needs,” said Marron. “Our goal is to offer guidance and resources you can use in one readable publication.”

Comments will be accepted by NIST on the updated guidance – Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide (NIST Special Publication 800-66, Revision 2) – until September 21, 2022.

The post NIST Updates Guidance on HIPAA Security Rule Compliance appeared first on HIPAA Journal.

OCR Announces 11 Further Financial Penalties for HIPAA Right of Access Failures

The Department of Health and Human Services’ Office for Civil Rights has sent a warning to healthcare providers about the importance of compliance with the HIPAA Right of Access with the announcement of a further 11 financial penalties for HIPAA-covered entities that failed to provide patients with timely access to their medical records. The latest batch of enforcement actions brings the total number of financial penalties imposed under the HIPAA Right of Access enforcement initiative up to 38.

The HIPAA Right of Access gives people the right to inspect their protected health information that is held by a HIPAA-covered entity, check the information for errors, and request that any errors are corrected. People can also request a copy of their protected health information from healthcare providers and health plans. When such a request is made, the requested information must be provided in full within 30 days of the request being received. In very limited circumstances, an extension of 30 days is allowed. Requests can be submitted by patients or their nominated representatives, and parents and legal guardians of minors are permitted to obtain a copy of their minor’s records. Any individual requesting a copy of their records can only be charged a reasonable, cost-based fee for obtaining a copy of their records. The records should be provided in the format requested by the patient, provided the HIPAA-covered entity has the technical capability to provide records in that format.

OCR launched its HIPAA Right of Access enforcement initiative in the fall of 2019 in response to reports of widespread noncompliance with this important HIPAA right. “It should not take a federal investigation before a HIPAA-covered entity provides patients, or their personal representatives, with access to their medical records,” said OCR Director Lisa J. Pino. “Health care organizations should take note that there are now 38 enforcement actions in our Right of Access Initiative and understand that OCR is serious about upholding the law and peoples’ fundamental right to timely access to their medical records.”

HIPAA Right of Access Penalties

The latest penalties were all imposed for the failure to provide timely access to an individual’s medical records, rather than for charging unreasonable fees for exercising the Right of Access. All but one of these cases was settled with OCR, with the covered entities also agreeing to a corrective action plan to address the non-compliance and prevent further violations.

One HIPAA-covered entity refused to cooperate with OCR’s requests, resulting in a civil monetary penalty. ACPM Podiatry had received a request from a former patient for a copy of his medical records. OCR was notified on April 8, 2019, that ACPM had refused to provide those records. OCR provided technical assistance to ACPM on April 18, 2019, confirming that the records must be provided under HIPAA. The investigation was closed. A second complaint was then filed with OCR a month later when the records had still not been provided.

OCR’s investigation revealed the records had been withheld because the complainant’s insurance company had not paid the bill; the complainant said the records were required in order to appeal that unfavorable decision. While there was contact between OCR and ACPM Podiatry, ACPM failed to respond to OCR’s data access requests, to OCR’s notice of proposed determination of a financial penalty, or to the Letter of Opportunity to provide evidence of mitigating factors, resulting in a civil monetary penalty being imposed.

Three of the enforcement actions stemmed from a HIPAA-covered entity failing to provide a patient’s nominated representative with a copy of the requested records when HIPAA allows the release of records to a personal representative. Two cases involved the withholding of a patient’s medical records due to outstanding medical bills. A patient’s right to obtain a copy of their medical records is not conditional on whether payment for medical services has been made in full.

A summary of each financial penalty has been provided in the table below.

| HIPAA Covered Entity | State | Penalty Type | Penalty Amount | Individuals Affected | Alleged Violation | Reason |
|---|---|---|---|---|---|---|
| ACPM Podiatry | IL | Civil Monetary Penalty | $100,000 | 1 | Untimely Access | Records not provided |
| Memorial Hermann Health System | TX | Settlement | $240,000 | 1 | Untimely Access | Records not provided in full for 564 days from the initial request |
| Southwest Surgical Associates | TX | Settlement | $65,000 | 1 | Untimely Access | Records not provided for 13 months |
| Hillcrest Nursing and Rehabilitation | MA | Settlement | $55,000 | 1 | Untimely Access | Records not provided to a personal representative for 7 months |
| MelroseWakefield Healthcare | MA | Settlement | $55,000 | 1 | Untimely Access | Failure to provide records to a patient’s nominated representative for 4 months |
| Erie County Medical Center Corporation | NY | Settlement | $50,000 | 1 | Untimely Access | Failure to provide the requested records to a patient’s nominated representative |
| Fallbrook Family Health Center | NE | Settlement | $30,000 | 1 | Untimely Access | Unspecified delay in providing requested records |
| Associated Retina Specialists | NY | Settlement | $22,500 | 1 | Untimely Access | Failure to provide patient with access to records for 5 months |
| Coastal Ear, Nose, and Throat | FL | Settlement | $20,000 | 1 | Untimely Access | Failure to provide patient with access to records for 5 months |
| Lawrence Bell, Jr. D.D.S | MD | Settlement | $5,000 | 1 | Untimely Access | Failure to provide records for more than 3 months |
| Danbury Psychiatric Consultants | MA | Settlement | $3,500 | 1 | Untimely Access | Withheld records for 6 months as the patient had an outstanding medical bill |

OCR has now imposed 122 financial penalties on HIPAA-regulated entities to resolve HIPAA violations since 2008. The latest batch of HIPAA penalties brings the total enforcement actions in 2022 involving a financial penalty up to 16, exceeding the financial penalties imposed in all of 2021 by 2.

ONC and OCR Release Updated Security Risk Assessment Tool

The Department of Health and Human Services (HHS)’ Office of the National Coordinator for Health Information Technology (ONC) and the Office for Civil Rights (OCR) have released a new version of the HHS Security Risk Assessment (SRA) Tool.

The HIPAA Security Rule requires HIPAA-regulated entities to conduct a comprehensive, organization-wide risk analysis to identify the risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). All risks identified must then be subject to risk management processes to reduce the identified risks and vulnerabilities to a low and acceptable level.

Risk analyses/assessments are vital for HIPAA compliance. They help HIPAA-covered entities determine if they are compliant with the administrative, physical, and technical safeguards of the HIPAA Security Rule and help to identify the most effective and appropriate administrative, physical, and technical safeguards to protect ePHI. Investigations and audits of HIPAA-regulated entities have shown that the risk assessment/analysis is an aspect of compliance that many healthcare organizations fail to get right, and it is one of the most commonly cited HIPAA violations in OCR enforcement actions.

In 2014, ONC and OCR jointly developed and launched the SRA Tool to help small- and medium-sized healthcare practices and business associates with this important aspect of HIPAA Security Rule compliance. The SRA tool is a downloadable tool that can be used to guide HIPAA-regulated entities through the risk assessment process. The SRA Tool is a desktop application that uses a wizard-based approach involving multiple-choice questions, threat and vulnerability assessments, and asset and vendor management, and walks users through the security risk assessment process.

The SRA tool has been updated over the years, with the latest version incorporating new features in response to user feedback and public input. Those features include the incorporation of Health Industry Cybersecurity Practices (HICP) references, file association in Windows, improved reports, bug fixes, and stability improvements.

ONC and OCR have also developed a new SRA Tool Excel Workbook, which is intended to replace the legacy paper version of the SRA Tool. The workbook contains conditional formatting and formulas to calculate and help identify risk in a similar fashion to the SRA Tool application and is a good alternative for users who do not have Microsoft Windows.

ONC and OCR explain that use of the tool does not guarantee compliance with HIPAA but can help HIPAA-regulated entities achieve compliance. The tool was developed for SMBs and may not be appropriate for larger healthcare organizations.

The SRA tool, which can be downloaded here, can be installed as an application on 64-bit versions of Microsoft Windows 7/8/10/11. The new SRA Tool Excel Workbook can be used on other systems.

OCR Issues Guidance on Audio-Only Telehealth for When the COVID Public Health Emergency Ends

Start preparing now and get your telehealth services HIPAA compliant, because when the COVID-19 Public Health Emergency (PHE) ends, the telehealth HIPAA flexibilities stop. That is the advice of the Department of Health and Human Services’ Office for Civil Rights, which released new guidance this week on HIPAA and audio-only telehealth services.

The Period of Enforcement Discretion Will End

In March 2020, the HHS’ Office for Civil Rights issued a Telehealth Notification and said it would be exercising enforcement discretion and would not be imposing sanctions and penalties for HIPAA violations with respect to the good faith provision of telehealth services. The move was intended to make it easier for healthcare organizations to offer telehealth services to patients to help prevent the spread of COVID-19.

OCR permitted healthcare organizations to use remote communication tools for telehealth, which included apps and platforms that would not normally be considered ‘HIPAA-compliant,’ and did not require HIPAA-covered entities to enter into a business associate agreement with the providers of remote communication tools. The notice of enforcement discretion stated that it lasted for the duration of the PHE. When the Secretary of the HHS declares that the COVID-19 PHE no longer exists, or upon the expiration date of the declared PHE, whichever comes sooner, the period of enforcement discretion will end. That means that the continued use of remote communication technologies could potentially violate the HIPAA Rules and could lead to financial penalties and other remedies to resolve the HIPAA violations.

In the new guidance on HIPAA and audio-only telehealth, OCR explains when, and under what circumstances, audio-only telehealth is permitted under HIPAA. OCR confirmed that telehealth services are permitted under HIPAA, but HIPAA-regulated entities should apply reasonable safeguards to protect the privacy of protected health information (PHI), such as ensuring telehealth services are provided in private settings, as far as is possible, and using lowered voices to reduce the potential for incidental disclosures of PHI. It is also necessary to verify the identity of the patient, orally or in writing.

The HIPAA Security Rule May Apply to Telehealth

The HIPAA Security Rule may apply to telehealth. When audio-only telehealth services are provided over standard telephone lines – landlines – the HIPAA Security Rule does not apply, as the information transmitted is not electronic. However, if electronic communication technologies are used, the HIPAA Security Rule does apply, which includes “Voice over Internet Protocol (VoIP) and mobile technologies that use electronic media, such as the Internet, intra-, and extranets, cellular, and Wi-Fi.”

When these technologies are used, the HIPAA Security Rule requires safeguards to be implemented to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI), and risks and vulnerabilities must be identified, assessed, and addressed as part of a covered entity’s risk analysis and risk management processes. OCR notes that, because communication technologies evolve quickly, a robust inventory and asset management process is recommended to identify such technologies and the information systems that use them, as this helps to ensure an accurate and thorough risk analysis.

Business Associate Agreements May be Required

Any vendor that is provided with access to ePHI, or comes into contact with ePHI, is required to enter into a business associate agreement (BAA) with a HIPAA-covered entity. BAAs may be required with vendors providing platforms to support telehealth. A BAA is only required when a telecommunication service provider (TSP) is acting as a business associate. The HIPAA conduit exception applies if the TSP has only transient access to the PHI it transmits. “If the TSP is not also creating, receiving, or maintaining PHI on behalf of the covered entity, and the TSP does not require access on a routine basis to the PHI it transmits in the call, no business associate relationship has been created. Therefore, a BAA is not needed,” explained OCR in the guidance.

A BAA is required when a TSP is more than a conduit and is not just providing data transmission services, and is either creating, receiving, or maintaining ePHI. In such cases, a BAA is required before the service is used. That applies to remote communication technologies, mobile apps, and Internet and cloud services.

“Audio telehealth is an important tool to reach patients in rural communities, individuals with disabilities, and others seeking the convenience of remote options. This guidance [Guidance on How the HIPAA Rules Permit Covered Health Care Providers and Health Plans to Use Remote Communication Technologies for Audio-Only Telehealth] explains how the HIPAA Rules permit health care providers and plans to offer audio telehealth while protecting the privacy and security of individuals’ health information,” said OCR Director Lisa J. Pino.

Healthcare Groups Provide Feedback on HITECH Recognized Security Practices

Earlier this year, the HHS’ Office for Civil Rights issued a request for information (RFI) on how the financial penalties for HIPAA violations should be distributed to individuals who have been harmed by those HIPAA violations, and the “recognized security practices” under the amended Health Information Technology for Economic and Clinical Health (HITECH) Act. The comment period has now closed, and OCR is considering the feedback received.

Background

It has long been OCR’s intention to distribute a proportion of the funds raised through its HIPAA enforcement actions to victims of those HIPAA violations; however, to date, OCR has not developed a methodology for doing so and requested feedback on a method for distributing the funds to ensure they are directed to victims effectively.

In January 2021, the HITECH Act was amended by Congress to encourage healthcare organizations to adopt recognized security practices. The amendment called for the Secretary of the Department of Health and Human Services to consider whether recognized security practices had been adopted by a HIPAA-regulated entity for no less than 12 months previously, when making certain determinations. Recognized security practices are those outlined by the National Institute of Standards and Technology (NIST), HIPAA Security Rule, and privacy and security frameworks.

Essentially, if recognized security practices have been adopted and have been continuously in place for at least 12 months, financial penalties could be reduced or avoided altogether, and the length and extent of audits and compliance investigations would be reduced.

Feedback from Healthcare Industry Groups

Several healthcare industry groups responded to the RFI and provided feedback, including the Healthcare Information and Management Systems Society (HIMSS), the Medical Group Management Association (MGMA), and the Connected Health Initiative (CHI).

HIMSS

HIMSS has welcomed the amendments to the HITECH Act and in its letter to the HHS stressed the importance of a unified approach to healthy cybersecurity and information privacy practices, as emphasized in the HITECH Security Practices.

HIMSS recommended “OCR implement policies that only afford enforcement discretion to situations involving use of security best practices as that discretion applies to safeguarding electronic protected health information (PHI) and not to other areas that are within the scope of HIPAA.”

HIMSS recommends OCR should foster innovation in standards by recognizing the value of adherence to widely accepted cybersecurity frameworks and standards, such as the NIST Cybersecurity Framework and the HITRUST Common Security Framework, rather than trying to define a fixed set of cybersecurity practices, which has the potential to become outdated in a rapidly changing threat landscape. OCR should also align its work with other federal agencies to improve best practices for healthcare.

HIMSS expressed concern that “a strict interpretation of security practices in place continuously over a 12-month period could have the unintended consequence of discouraging the adoption of new methods during that time frame.” HIMSS stressed the importance of encouraging organizations to update security practices regularly as new technologies or methodologies emerge and giving them the flexibility to update processes throughout the year to meet ever-changing cybersecurity best practices without fear that they may run afoul of the requirement for consistent and continuous use. “HIMSS recommends OCR distinguish between confirming that a control is in place and narrowly defining how the control is implemented.”

With respect to the financial penalties, HIMSS suggested OCR should earmark some of the fine amounts for helping to fund and distribute educational materials and other resources to HIPAA-regulated entities to ensure that all organizations have the knowledge and resources to prevent or mitigate cyberattacks.

MGMA

MGMA explained in a letter to HHS Secretary Xavier Becerra that it represents a wide range of medical groups and hundreds of thousands of physicians, and has been working diligently to improve education on cybersecurity best practices. MGMA said its members are becoming more vigilant and are voluntarily taking steps to protect themselves and their patients and welcomes the efforts of the HHS to understand and consider those measures when making certain determinations.

MGMA has made three key recommendations. The HHS should provide HIPAA-regulated entities with the flexibility to choose which recognized security practices to adopt, as there are vast differences in the technical and financial capabilities of medical groups, which range from small private practices in rural areas to large regional and national health systems, across the full spectrum of physician specialties and organizational forms. If specific recognized security systems are required, there could be unintended consequences stemming from the increased cost and administrative burden. Medical groups need to balance security with their ability to stay financially viable and avoid interruptions to patient care. MGMA has recommended that the HHS not mandate what constitutes recognized security practices any further, and that the HHS accept and not limit the broad statutory definition of the term recognized security practices.

MGMA has requested OCR provide best practices and education, including sample frameworks and checklists, that include real-world approaches for medical groups to implement acknowledged cybersecurity policies into their practices, and has also requested the HHS ensure potential requirements are consistent with other programs, such as the Office of National Coordinator for Health Information Technology (ONC) rulemaking to prohibit “information blocking.”

CHI

CHI said it supports OCR’s efforts to encourage the adoption of recognized security practices and for those practices to be considered as a mitigating factor when investigating data breaches, complaints, and reviews for potential HIPAA violations, but suggests that the 2021 HITECH Act revision should only apply to HIPAA compliance enforcement actions and audits.

Since current security standards will evolve over time, CHI recommends that OCR consider new and emerging risk management security standards in its recognized security practices, rather than specifying a set of security practices. CHI has also requested OCR provide up-to-date and clear information on the obligations of healthcare organizations under HIPAA, in light of the many changes that have occurred across the industry since the HITECH Act was passed, including changes to technology.

For instance, the HIPAA Privacy and Security Rules were introduced prior to the release of the first iPhone, and there is a lack of clarity about how HIPAA applies to mobile environments, which can deter healthcare providers from adopting patient-centered technologies and can prevent patients from fully benefiting from mobile technologies. Further guidance is needed to help healthcare providers adopt new technologies that enable care coordination and ensure compliance.

“OCR has created key guidance for mobile developers and those interested in the intersection between information technology and healthcare. OCR’s outreach focus is an educational campaign for that community, and we see vast improvement in the understanding, from connected health companies, of their roles and responsibilities under the HIPAA Privacy Rules,” explained CHI. However, similar educational campaigns are required for providers and patients.

CHI has requested the HHS make no revisions to the HIPAA Privacy Rule that require disclosures for any additional purposes besides to the individual when the individual exercises his/her right of access under the Rule, or to HHS for purposes of enforcement of the HIPAA Rules, as this could place an unnecessary burden on HIPAA-regulated entities and could lessen the protections for the privacy of individuals’ PHI.

CHI has also requested that OCR provide sample business associate agreement language for developers and providers, and that it ensure HIPAA does not prevent innovations in AI technology.

What Are THE 3 Major Things Addressed in the HIPAA Law?

Articles discussing the 3 major things addressed in the HIPAA law often tend to focus on the Administrative, Physical, and Technical Safeguards of the Security Rule. However, although the Safeguards of the Security Rule are 3 things in the HIPAA law, they are not THE 3 major things addressed in the HIPAA law.

When Congress passed the Health Insurance Portability and Accountability Act in 1996, it addressed three major things – the reform of the health insurance industry, the prevention of abuse and fraud in the health care industry, and the failure of the Clinton administration to deliver on an election campaign pledge to pass legislation that would provide universal health care for all Americans.

Had HIPAA not addressed these issues, subsequent events in HIPAA history may never have happened. For example:

  • Had the health insurance industry been allowed to continue operating as it did prior to HIPAA, tens of millions of Americans would be excluded from health plan benefits.
  • Had the level of abuse and fraud in the healthcare industry been allowed to continue, tens of billions of dollars would have been lost to unscrupulous actors.
  • Had the momentum to improve health care not been given a kickstart by HIPAA, subsequent health care initiatives may never have happened.

Consequently, although the Health Insurance Portability and Accountability Act did ultimately improve the privacy and security of health care data, increase patients' rights, and help the healthcare industry become more efficient by streamlining the flow of information, none of these 3 things would have happened without THE 3 major things addressed in the HIPAA law.

The Reform of the Health Insurance Industry

The Need to Reform

Prior to HIPAA, the health insurance industry can best be described as complex. As the industry had evolved, many jurisdictions had interpreted the provision of indirect access to healthcare services as the “unlicensed practice of medicine”. This led to multiple states enacting legislation so that businesses could offer health care benefits to employees as a tax-free perk of the job.

Different states enacted different legislation, and this affected how much was charged for health insurance, who was eligible for health insurance, and whether or not it was possible to carry health insurance across state lines. Health insurance companies didn't help matters by introducing exclusions for pre-existing conditions and limitations on portability between employments.

The differences between state laws, and the business practices of health insurance companies, made it difficult for small businesses to negotiate affordable group health care plans, and meant that many people could either not get insurance, or – if they did – were locked into a job because health benefits might not be available to them if they left and went to work for a different employer.

The Kassebaum-Kennedy Act

The Health Insurance Reform Act was introduced into Congress in 1995 by Senators Kassebaum and Kennedy. Its objective was “To provide increased access to health care benefits, to provide increased portability of health care benefits, to provide increased security of health care benefits, to increase the purchasing power of individuals and small employers, and for other purposes.”

Nothing in the Act (S.1028) suggested improved privacy and security of health care data, increased patients' rights, or streamlining the flow of information. It was only when the provisions of a companion bill (HR.3103) were integrated into it that the Kassebaum-Kennedy Act bore any resemblance to the final version of the Health Insurance Portability and Accountability Act.

However, when HIPAA was passed, the standards governing health care data, patients' rights, and the flow of information were still several years away. The Privacy Rule was not published until December 2000 (and was modified in 2002), and the Security Rule was not published until February 2003. Furthermore, it could also be argued that neither Rule was effectively enforced until the Omnibus Final Rule was published in 2013.

How HIPAA Addressed Health Insurance Reform

The first of the 3 major things addressed in the HIPAA law occurred because HIPAA introduced a federal floor of standards with which health insurance companies were required to comply. The Act limited the exclusion of coverage for pre-existing conditions and prevented the automatic termination of coverage when employees changed jobs or had a break in employment.

The Act also overruled any state laws prohibiting businesses from grouping together to negotiate better insurance rates in order to increase the purchasing power of small employers. However, there were concerns about the financial consequences of complying with HIPAA due to the cost of health care for higher-risk individuals and the reduced premiums from small businesses.

To overcome concerns that the increased costs to health insurance companies would be passed onto business and individuals in the form of increased premiums, provisions were included in HIPAA to increase the efficiency of claims processing (i.e., the Transactions and Code Sets Rule) and address abuse and fraud in the health care industry to reduce costs to health insurance providers.

Abuse and Fraud in the Health Care Industry

Tens of Billions Lost Each Year to Fraud

In March 1996, Rep. Bill Archer – the Congressman responsible for introducing HR.3103 – presented a Congressional Report to the House Ways and Means Committee. The report revealed the scale of abuse and fraud in the health care industry, claiming that “as much as 10% of all total health care costs are lost to fraudulent or abusive practices by unscrupulous health care providers”.

At the time, national health care spending was in the region of $1 trillion per year, so a 10% loss represented tens of billions of dollars, and the abuse and fraud were not only attributable to health care providers charging too much for services or for services they hadn't provided. Some health care providers performed unnecessary surgeries or accepted kickbacks from pharmaceutical companies to purchase medications at a higher cost than necessary.

The report also raised concerns that the loss to abuse and fraud in the health care industry could be far greater than estimated. It was noted that only a fraction of cases was investigated due to a lack of resources, that there was no coordination between law enforcement agencies at state and federal levels, and that the penalties for health care abuse and fraud were inadequate deterrents.

How HIPAA Addressed Abuse and Fraud

The passage of HIPAA led to the development of the Health Care Fraud and Abuse Control Program (HCFAC), jointly administered by the Department of Health and Human Services and the Department of Justice. The Program was given sufficient funding to identify, investigate, and prosecute entities who commit fraud or abuse the system, and was launched in January 1997 with the following objectives:

  1. Coordinate federal, state, and local law enforcement programs to control fraud and abuse with respect to health plans.
  2. Conduct investigations, audits, evaluations, and inspections relating to the delivery of and payment for health care.
  3. Facilitate the enforcement of the civil, criminal, and administrative statutes applicable to health care in the United States.
  4. Provide industry guidance, including advisory opinions, safe harbors, and special fraud alerts relating to fraudulent health care practices.
  5. Establish a national data bank to receive and report final adverse actions against health care providers.

Additionally, a program was set up to educate the public about abuse and fraud in the health care system in order to mitigate the risk of consumers being unwitting victims of overpayments, false charges, and unnecessary surgery; and – somewhat ahead of its time – protocols were established to protect personally identifiable information used in fraud investigations.

How Effectively was Abuse and Fraud Addressed?

Prior to HIPAA, the Department of Justice had the resources to investigate an average of 21 non-qui tam (non-whistleblower) cases per year under the False Claims Act and recovered less than $60 million per year in fines and settlements. In 2021, 97 non-qui tam cases were investigated and $3.59 billion was recovered relating to Medicare fraud alone. The total recovered in 2021 exceeded $5 billion.

While these statistics indicate there is still a high level of fraud and abuse, the Department of Justice believes increasing enforcement action acts as a deterrent to potentially unscrupulous actors who might attempt to cheat the system at the expense of the taxpayer. The Department also believes its efforts protect patients from medically unnecessary and potentially harmful actions.

What is also noticeable in the latest report is the increasing number of qui tam cases investigated each year. Due to the whistleblower protections in HIPAA, the number of investigations into employee tip-offs has increased from an average of 44 per year in the ten years prior to HIPAA to a ten-year average of 456 up to and including 2021 – a ten-fold increase in whistleblower tip-offs.

The Momentum to Improve Health Care

The Pledge of Universal Health Care

To fully appreciate the third of our 3 major things addressed in the HIPAA law, you have to go back to the election of President Clinton in 1992. Two of President Clinton's key campaign pledges were health care reform and universal health care for all Americans; and, as soon as he took office, President Clinton established a top-level task force to deliver on his pledge.

However, the proposed Health Security Act of 1993 was strongly lobbied against due to concerns about it being overly bureaucratic, restricting patients' choices, and forcing employers to provide health insurance coverage for all employees and their families. The American Medical Association also opposed the Act due to concerns that it put financial interests ahead of medical interests.

Ultimately, the Act – and a subsequent compromise Act – failed to get the support it needed to pass the Democratic-controlled Congress. The failure of the Clinton administration to deliver on its election pledge contributed to the Democratic Party losing control of Congress in the 1994 mid-terms and losing the momentum towards health care reform and universal health care for all Americans.

How HIPAA Kickstarted the Momentum

HIPAA was the next big test of the Clinton administration's health care reform plans, but this too had its opponents. Concerns were raised that the Act contained “vague provisions for federal regulation of the health insurance market – a responsibility traditionally left to the states – and that it gives the Secretary of Health and Human Services disturbingly broad powers in this area”.

The Act was also criticized for failing to provide tax equity for individuals and families outside an employer setting and for not allowing the self-employed to claim 100% tax relief on insurance premiums. Nonetheless, the provisions of HIPAA had bi-partisan support and passed the House by a large majority before being unanimously approved in the Senate.

Reporting on the signing of HIPAA, Paul Starr – a Professor of Sociology and Public Affairs at Princeton University – commented that the sentiment among advocates of health reform was “better than nothing”, but that it could serve as a stimulus to get more done in this area. As it turned out, the passage of HIPAA kickstarted the momentum that led to subsequent health care initiatives.

Subsequent Health Care Initiatives

President Clinton's re-election in 1996 gave him a mandate to pursue further health care initiatives. With the momentum back, the Clinton administration pushed through budget reforms that assured the future of the Medicare Trust Fund, enacted legislation to help young people leaving foster care keep their health benefits, and addressed the issue of tax equity for non-employer health plans.

During his second term of office, President Clinton was also the driving force behind a successful child immunization program, introduced measures to reduce the number of foodborne illnesses, and enacted the Breast and Cervical Cancer Prevention and Treatment Act – an Act that has potentially saved millions of lives through the provision of federally-sponsored screening programs.

However, the biggest health care initiative of the second Clinton presidency was the Children's Health Insurance Program (CHIP), which provided health care benefits for children of working families who do not qualify for Medicaid. In many states, the Program also provides prenatal care for pregnant women to reduce complications during pregnancy and prevent problems during delivery.

These are THE 3 Major Things Addressed in the HIPAA Law

When sources suggest the 3 major things addressed in the HIPAA law were the Safeguards of the Security Rule, it is important to remember that the Safeguards occupied less than half a line of text in the HIPAA law (see §1173(d) – Security Standards for Health Information), were not published until seven years after the passage of HIPAA, and were not effective until two years later.

However, without the reform of the health insurance industry, the prevention of abuse and fraud in the healthcare industry, and the continued momentum to improve health care, the health insurance and health care industries would look a lot different than they do today – at a likely cost to the health of tens of millions of taxpaying Americans and their families.


Bipartisan Legislation Introduced to Modernize Health Data Privacy Laws

Healthcare privacy laws in the United States are due an update to bring them into the modern age and ensure individually identifiable health information is protected no matter how it is collected and shared. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule is now more than 2 decades old. The Department of Health and Human Services (HHS) has proposed updates to the HIPAA Privacy Rule that are due to be finalized this year, but even if the proposed changes are finalized, there will still be regulatory gaps that place health data at risk.

The use of technology for healthcare and health information has grown in a way that could not be envisaged when the Privacy Rule was signed into law. Health information is now being collected by health apps and other technologies, and individuals’ sensitive health information is being shared with and sold by technology companies. The HIPAA Privacy and Security Rules introduced requirements to ensure the privacy and security of health data, but HIPAA only applies to HIPAA-covered entities – healthcare providers, health plans, and healthcare clearinghouses – and their business associates. Some of the emerging technologies now being used to record, store, and transmit health data are not covered by HIPAA and its protections and safeguards do not apply. Further, the proposed updates to the HIPAA Privacy Rule will make it easier for individuals to access their health data and direct covered entities to send that information to unregulated personal health applications.

New bipartisan legislation has now been introduced that aims to start the process of identifying and closing the current privacy gaps associated with emerging technologies to ensure health data are better protected, including health data that are not currently protected by HIPAA. The Health Data Use and Privacy Commission Act was introduced by Sens. Bill Cassidy (R-LA) and Tammy Baldwin (D-WI) and aims to set up a new commission that will be tasked with analyzing current federal and state laws covering health data privacy and make recommendations for improvements to cover the current technology landscape.

“As a doctor, the potential of new technology to improve patient care seems limitless. But Americans must be able to trust that their personal health data is protected if this technology can meet its full potential,” said Dr. Cassidy. “HIPAA must be updated for the modern day. This legislation starts this process on a pathway to make sure it is done right.”

The Comptroller General is tasked with appointing the commission members, who will be required to submit their report, conclusions, and recommendations to Congress and the President within 6 months. The commission will be required to assess current privacy laws and determine their effectiveness and limitations, any potential threats to individual health privacy and to legitimate business and policy interests, and the purposes for which the sharing of health data is appropriate and beneficial to consumers.

The commission is required to report on whether further federal legislation is necessary and, if current privacy laws need to be updated, provide suggestions on the best ways to reform, streamline, harmonize, unify, or augment current laws and regulations relating to individual health privacy. Those recommendations could involve updates to HIPAA to cover a broader range of entities or new state or federal legislation covering health data. If updates are recommended, the commission will be required to provide details of the likely costs, burdens, and potential unintended consequences, and whether there is a threat to health outcomes if privacy rules are too stringent.

“I am excited to introduce the bipartisan Health Data Use and Privacy Commission Act to help inform how we can modernize health care privacy laws and regulations to give Americans peace of mind that their personal health information is safe, while ensuring that we have the tools we need to advance high-quality care.”

The Health Data Use and Privacy Commission Act has attracted support from a dozen medical associations and technology vendors, including the Federation of American Hospitals, College of Cardiology, National Multiple Sclerosis Society, Association of Clinical Research Organizations, Epic Systems, and IBM.


HIPAA and Privacy Act Training

When a federal agency provides healthcare services, there may be circumstances in which employees need to undergo both HIPAA and Privacy Act training. In addition, as an increasing number of states enact their own privacy laws, there may also be occasions when employees of state agencies require HIPAA and Privacy Act training.

The Privacy Act of 1974 governs the collection, use, storage, and sharing of personally identifiable information maintained by federal agencies. Under the Act, U.S. citizens have the right to request a copy of any data held about them and to request that any errors are corrected; federal agencies must only collect data “relevant and necessary” to accomplish the purpose for which it is being collected; and sharing data between agencies is restricted and allowed only under certain conditions.

People acquainted with the Health Insurance Portability and Accountability Act will find these privacy provisions familiar, as they closely resemble Patients' Rights under HIPAA, the Minimum Necessary Standard, and Business Associate Agreements. Indeed, there are many similarities between HIPAA and the Privacy Act. However, despite the similarities, separate HIPAA and Privacy Act training is required by law in circumstances where both Acts apply.

The Laws Governing Privacy Act and HIPAA Privacy Training

Privacy Act training for federal contractors is governed by Part 24 of the Federal Acquisition Regulation. Subpart 24.3 states that training must be provided initially and annually for contractor employees who collect, create, use, process, store, or dispose of personally identifiable information, who have access to systems on which personally identifiable information is maintained, or who “design, develop, maintain, or operate” a system which collects, creates, uses, processes, stores, or disposes of personally identifiable information.

HIPAA privacy training is governed by the Administrative Requirements of the HIPAA Privacy Rule. 45 CFR § 164.530 states that a HIPAA Covered Entity must train all members of its workforce on the policies and procedures designed to prevent the unauthorized disclosure of Protected Health Information within a reasonable period after they start working for the Covered Entity, and whenever there is a material change to the policies and procedures that affects their functions. Refresher training is also advisable whenever a need for it is identified in a risk analysis.

The circumstances in which both Acts apply occur when a federal agency provides healthcare services to either its employees, or contractors, or civilians. Examples of agencies subject to both Acts include the Defense Department, the General Services Administration, and NASA – but while Privacy Act training is only necessary for employees with access to personally identifiable information, all employees of a Covered Entity are required to undergo HIPAA privacy training.

HIPAA Privacy and Security Training

The HIPAA Security Rule also requires Covered Entities, and Business Associates who provide a service for a Covered Entity, to implement a security awareness and training program. As the healthcare industry becomes increasingly digitalized, HIPAA privacy and security training is often provided simultaneously. This makes more sense than having separate HIPAA privacy and security training sessions for employees who access Protected Health Information via EHRs.

The content of a security awareness and training program will closely align with the content of Privacy Act training inasmuch as electronic records containing personally identifiable information are subject to physical, technical, and administrative safeguards similar to those in the HIPAA Security Rule. Indeed, the language of Privacy Act implementation guidance relating to the encryption of data, automatic log-off, and the disposal of electronic media is remarkably similar to the language of HIPAA.

State Privacy Acts and HIPAA Privacy Rule Training

Because the Privacy Act applies only to federal agencies, many states are introducing their own privacy legislation that will apply to state and local government agencies and – in some cases – private organizations. Consequently, employees of public health departments, state-run correctional facilities, and public school systems currently subject to HIPAA may also have to undergo state privacy act and HIPAA Privacy Rule training – if training is mandated in the state's legislation.
