HIPAA Rules and Regulations
The HIPAA rules and regulations are the standards and implementation specifications adopted by the Department of Health and Human Services (HHS) to streamline healthcare transactions and protect the privacy and security of individually identifiable health information. This guide explains why the HIPAA rules and regulations exist, what they consist of, and who they apply to.
In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA) with the objective of reforming the health insurance industry. Due to concerns that the cost of the reforms would be passed onto plan members and employers, and that this would negatively impact tax revenues, Congress added a second Title to HIPAA – “Preventing Health Care Fraud and Abuse; Administrative Simplification”.
The measures in Title II were intended to neutralize the cost of the reforms. The measures introduced to prevent health care fraud and abuse gave HHS’ Office of Inspector General more resources to identify fraud and abuse in the healthcare industry, increased the civil and criminal penalties for violations of the Social Security Act, and widened the criteria for exclusion from federal health programs such as Medicare and Medicaid.
The Administrative Simplification measures instructed the Secretary of Health and Human Services to standardize the administration of healthcare transactions, adopt security standards for health information maintained or transmitted electronically, and “make recommendations with respect to the privacy of certain health information.” These instructions evolved into what many consider to be the HIPAA Rules and Regulations.
The HIPAA Administrative Simplification Regulations
The HIPAA Administrative Simplification Regulations occupy Parts 160, 162, and 164 in Title 45 of the Code of Federal Regulations (Public Welfare).
- Part 164 includes General Provisions (Subpart A), the Security Rule (Subpart C), the Breach Notification Rule (Subpart D), and the Privacy Rule (Subpart E).
- Part 162 includes further General Provisions (Subpart A), the Identifier Regulations (Subparts D to F), and the Transactions and Code Sets Rules (Subparts I to S).
- Part 160 also includes General Provisions (Subpart A), the Preemption of State Law provisions (Subpart B), the Enforcement Rule (Subparts C and E), and the process for determining HIPAA Civil Penalties (Subpart D).
The above HIPAA rules and regulations are mostly administered and enforced by HHS’ Office for Civil Rights (Parts 160 and 164) and the Centers for Medicare & Medicaid Services (Part 162). Other agencies involved in administrative activities include the Internal Revenue Service (which issues Employer Identification Numbers), while the Federal Trade Commission has its own Health Breach Notification Rule for organizations not covered by the HIPAA rules and regulations.
In addition, State Attorneys General can take enforcement action against covered entities and business associates when a HIPAA violation (for example, a breach of unsecured protected health information) harms a resident of the state, or when an organization violates a more stringent state privacy or security law that is not preempted by HIPAA. Some states also have breach notification laws with shorter notification periods than HIPAA and/or consumer data protection laws that allow for a private right of action.
The HIPAA Rules and Regulations in Part 164
General Provisions
All three Parts of the HIPAA Rules and Regulations commence with the General Provisions for that Part. General Provisions typically consist of an introduction to the Part, a list of definitions for terms that are only used in the Part, and any unique arrangements that apply to the Part. For example, the General Provisions of Part 164 include a definition of hybrid entities and standards for how the healthcare component(s) of a hybrid entity should operate.
The HIPAA Security Rule
The HIPAA Security Rule contains the standards and implementation specifications considered necessary to ensure the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI). The Rule applies to all covered entities and business associates (including subcontractors) that create, receive, maintain, or transmit ePHI. These organizations are responsible for ensuring all members of their workforce comply with the Subpart, regardless of whether an individual workforce member has access to ePHI.
The HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule exists to ensure covered entities alert patients and plan members to a breach of unsecured protected health information in a timely manner (without unreasonable delay, and no later than 60 calendar days after the breach is discovered) so the victims of a breach can take steps to protect themselves against fraud and identity theft. The Rule covers topics such as the burden of proof, non-notifiable disclosures, law enforcement delays, notifications to HHS’ Office for Civil Rights, and – when required – notifications to the media.
The HIPAA Privacy Rule
The HIPAA Privacy Rule has two objectives – to protect the privacy of individually identifiable health information and to increase individuals’ rights over how their health information is used and to whom it is disclosed. Individuals also have the right to request copies of their health information, review it for errors, request amendments when errors exist, and transfer their health information to a different provider or health plan.
The HIPAA Rules and Regulations in Part 162
General Provisions
The HIPAA rules and regulations in Part 162 apply to covered entities that conduct covered transactions in-house, health care clearinghouses, and business associates that conduct covered transactions on behalf of a covered entity. It is also necessary for healthcare providers who outsource covered transactions to monitor business associate compliance with the HIPAA rules and regulations in Part 162 for the reasons given below.
HIPAA Unique Health Identifier Regulations
Unique health identifiers are used to identify employers (EINs) when a plan member is enrolled in or disenrolled from a health plan, and to identify healthcare providers (NPIs) in all HIPAA covered transactions. Healthcare providers need to ensure NPIs are used correctly in all covered transactions – regardless of whether they are conducted in-house or subcontracted – to prevent delayed eligibility checks, treatment authorizations, and payments.
HIPAA Transactions and Code Sets Rules
The HIPAA transactions and code sets rules determine whether a healthcare provider qualifies as a covered entity. If a healthcare provider electronically conducts any of the transactions for which HHS has adopted a standard (for example, claims, eligibility inquiries, or remittance advices), it qualifies as a covered entity. If it does not conduct covered transactions electronically (e.g., it only bills patients directly), it does not qualify as a covered entity and does not have to comply with the HIPAA rules and regulations.
The HIPAA Rules and Regulations in Part 160
General Provisions
The General Provisions in Subpart A of Part 160 and the section relating to the Preemption of State Law in Subpart B are very important in the context of understanding the HIPAA rules and regulations because they clarify when standards and implementation specifications apply to business associates, provide definitions of the most commonly used terms in HIPAA, and explain when a provision of state law preempts a provision of HIPAA.
The HIPAA Enforcement Rule
The Enforcement Rule was originally one Subpart of Part 160 – “Procedures for Investigations, Imposition of Penalties, and Hearings”. As the number of standards increased and the penalty structure was amended by the HITECH Act, the Enforcement Rule was split into separate Subparts, “Investigations” (Subpart C) and “Hearings” (Subpart E). The “Imposition of Penalties” now occupies Subpart D, as HIPAA civil penalties are amended annually.
HIPAA Civil Penalties
The HIPAA Civil Penalties are often a last resort for persistent offenders – HHS agencies preferring to “seek and promote voluntary compliance” with the HIPAA rules and regulations. However, although organizations might not be fined by HHS’ Office for Civil Rights, compliance with the HIPAA rules and regulations may be considered the “standard of care” in State Attorney General civil actions, private lawsuits, and class action lawsuits.
Who Do The HIPAA Rules and Regulations Apply To?
The HIPAA rules and regulations apply to health plans, health care clearinghouses, and healthcare providers who conduct covered transactions electronically – collectively “covered entities”. An individual or organization that provides a service for or on behalf of a covered entity – other than as a member of the covered entity’s workforce – is a business associate if the service involves the creation, receipt, storage, or transmission of Protected Health Information (PHI).
Business associates and subcontractors of business associates are required to comply with the Security and Breach Notification Rules, any other Administrative Simplification Regulations that apply to the service being provided, and any specific provisions included in the Business Associate Agreement between the parties. Compliance is required even when a business associate or subcontractor has “no view access” to Protected Health Information.
Workforce members are also required to comply with HIPAA. Workforce compliance is often assumed to be limited to workplace policies and procedures. However, §164.530(e)(1) requires covered entities to apply sanctions against workforce members “who fail to comply with the privacy policies and procedures of the covered entity or the requirements of this subpart [the Privacy Rule] or subpart D of this part [the Breach Notification Rule]”.
Applicability, Exceptions, and the Flexibility of Approach
When considering who the HIPAA rules and regulations apply to, it is important to be aware that covered entities, business associates, and workforce members do not have to comply with every standard and implementation specification – only those that are applicable to their operations. Which ones are applicable should be determined by conducting a HIPAA risk assessment to identify where PHI is created, received, stored, or transmitted. Note that the risk analysis itself is a required implementation specification of the Security Rule (§164.308(a)(1)(ii)(A)), so it cannot be skipped on the grounds of inapplicability.
In addition, there are also a number of HIPAA exceptions. These can apply in circumstances where – for example – a state law preempts HIPAA, a patient provides their authorization for an otherwise impermissible disclosure, or when a covered entity conducts a patient safety activity such as a fire drill. Some third party service providers may also not be required to comply with the HIPAA rules and regulations if they are exempted by the HIPAA Conduit Exception Rule.
The flexibility of approach provisions can also affect how a covered entity or business associate complies with HIPAA. The provisions in §164.306(b) allow covered entities and business associates to take into account factors such as complexity, capabilities, and costs when deciding how they will comply with the Security Rule. Any decisions made on the basis of these factors must be justified and documented in case of a subsequent compliance investigation.
Future Changes to the HIPAA Rules and Regulations
In addition to complying with the current HIPAA rules and regulations, it is necessary to be aware of future changes to the HIPAA rules and regulations. This is because, when a new or revised standard is published, there is a limited time between publication, the effective date, and the compliance date. Some organizations may find it difficult to make whatever changes are necessary and provide workforce training on the changes within the time allowed.
When large scale changes occur – such as happened in 2013 with the HIPAA Omnibus Rule – almost every covered entity and business associate is impacted by the changes. This makes it harder to seek appropriate guidance from HHS and raises the likelihood of standards being misinterpreted. Fortunately, the changes since 2013 have been limited in scale (e.g., the NICS amendment to the Privacy Rule) or regular in nature (e.g., HCPCS code updates).
However, there is a growing list of HIPAA updates and changes in the pipeline – ranging from new Part 162 standards for electronic signatures on healthcare transactions, to new Security Rule standards to comply with HHS’ Healthcare Sector Cybersecurity Strategy. Significantly, it has been hinted that a failure to comply with the new Security Standards might not only result in a civil monetary penalty, but also in expulsion from federal health programs such as Medicare.
HIPAA Compliance Needs to be Approached Holistically
Because of the wide range of applicable HIPAA rules and regulations, the wide range of covered entities and business associates they apply to, and the potential for exceptions, flexibilities, and changes, compliance with the HIPAA rules and regulations needs to be holistic, rather than piecemeal. Individuals and organizations subject to HIPAA compliance are advised to seek professional compliance advice if assistance is needed adopting a holistic approach to HIPAA compliance.
The post HIPAA Rules and Regulations appeared first on The HIPAA Journal.
PHI Exposed in Cyberattacks on Gaia Software & Pinnacle Orthopaedics & Sports Medicine Specialists
Gaia Software has disclosed details of a February 2024 cyberattack, Pinnacle Orthopaedics & Sports Medicine Specialists are investigating an April 2024 cyberattack, and OB GYN Specialists of Lima have discovered the improper disposal of patient data.
Gaia Software
Gaia Software, a provider of electronic medical record and billing management software services to Americare Renal Center, has mailed notification letters to patients whose protected health information was compromised in a February 2024 cyberattack.
Gaia Software notified the HHS’ Office for Civil Rights about the breach on April 5, 2024, and confirmed in the breach report that the protected health information of 56,676 individuals had been compromised in the incident. The investigation into the incident concluded on April 19, 2024; however, details about the attack have only recently been made public.
According to the breach notification letters that were mailed on June 28, 2024, Gaia Software detected the cyberattack on or around February 5, 2024. The breach notification letters do not state whether ransomware was involved, only that the threat actor “attempted to infiltrate Gaia’s computer network and demand a ransom payment.”
Gaia Software said it has not detected any misuse of patient data but has confirmed that patient information was exposed and was potentially stolen in the attack. The types of data involved varied from individual to individual and may have included names, addresses, dates of birth, Social Security numbers, health insurance information, and/or health information.
Gaia Software said it is implementing additional safeguards and enhanced security measures to prevent similar incidents in the future and is reviewing its information life cycle management. As a precaution against identity theft and fraud, the affected individuals have been offered complimentary single-bureau credit monitoring, credit report, and credit score services.
Pinnacle Orthopaedics & Sports Medicine Specialists
On June 21, 2024, Pinnacle Orthopaedics & Sports Medicine Specialists in Marietta, GA, announced that an unauthorized third party gained access to its computer network and potentially obtained patient data. The intrusion was detected on or around April 22, 2024, and steps were immediately taken to prevent further unauthorized access. Third-party cybersecurity experts were engaged to determine the nature and scope of the security breach.
On or around April 29, 2024, Pinnacle confirmed that the protected health information of fewer than 10 patients had been stolen. Those patients were notified but as the investigation continued it became clear that more patients had been affected. On or around June 7, 2024, Pinnacle determined that the protected health information of more than 500 patients had been exposed. Pinnacle is currently undertaking a detailed review of the exposed files and cannot confirm at this stage exactly how many patients have been affected. Those individuals will be notified when the investigation is completed.
Pinnacle said the types of information involved vary from individual to individual and may include names, dates of birth, medical/health information, treatment/diagnostic information, health insurance information, and/or billing/payment information. Pinnacle said it is implementing enhanced security measures to prevent similar incidents in the future.
OB GYN Specialists of Lima
OB GYN Specialists of Lima in Ohio have notified 1,100 patients that some of their personal and protected health information has been exposed in an improper disposal incident. The incident was detected on June 14, 2024, and attempts were made to retrieve the documents, but it was not possible to retrieve them all.
The documents related to visits to its office between June 5, 2024, and June 13, 2024, and included the demographic information that is printed when patients visit, which may have also included test results. Steps have since been taken to prevent similar incidents in the future.
The post PHI Exposed in Cyberattacks on Gaia Software & Pinnacle Orthopaedics & Sports Medicine Specialists appeared first on The HIPAA Journal.
Email Breaches Reported by SkinCure Oncology & the Wisconsin Department of Health Services
SkinCure Oncology has notified 13,434 patients about an email attack that occurred in June 2023, and the Wisconsin Department of Health Services has announced a breach of the personal information of 19,150 Medicaid recipients.
SkinCure Oncology
SkinCure Oncology in Burr Ridge, IL, has issued individual notifications to 13,434 patients whose protected health information was compromised in an email breach that occurred more than a year ago. According to the substitute breach notice, the investigation confirmed that multiple email accounts were accessed by an unauthorized third party between June 23 and June 25, 2023.
A comprehensive review was conducted to identify the files in the email accounts, and on December 6, 2023, it was confirmed that protected health information was present in emails and email attachments. SkinCure Oncology believes files in those email accounts were viewed and potentially obtained in the attack. The exposed information varied from individual to individual and may have included names, birth dates, medical record numbers, medical histories, and health insurance information. A limited number of patients had their Social Security numbers, driver’s license numbers, financial account information, and/or credit card information exposed.
The delay in issuing individual notifications was due to the time it took for SkinCure Oncology and its practice partners to locate up-to-date address information. The substitute breach notice makes no mention of complimentary credit monitoring and identity theft protection services, only that patients should be vigilant against identity theft and fraud. Further information can be obtained by calling SkinCure Oncology’s helpline – (866) 528-8844. The helpline is staffed Monday to Friday from 8:00 a.m. to 5:30 p.m. Central Time.
Wisconsin Department of Health Services
Wisconsin Department of Health Services has reported a breach of the protected health information of up to 19,150 Medicaid recipients. The breach occurred at one of its partner organizations, Disability Rights Wisconsin, which discovered an unauthorized third party had gained access to an employee email account. It is unclear from the announcement when the breach occurred and when it was discovered.
Notification letters were sent to the affected individuals on June 21, 2024, and they were advised about the data that was exposed. Complimentary credit monitoring services have been offered to the affected individuals for 12 months, and a helpline – 888-733-3814 – has been set up for individuals seeking further information. The helpline is staffed Monday to Friday, from 8:00 a.m. to 8:00 p.m. Central Time.
The post Email Breaches Reported by SkinCure Oncology & the Wisconsin Department of Health Services appeared first on The HIPAA Journal.