HIPAA Unique Identifiers Explained

The requirement to adopt HIPAA unique identifiers for individuals, employers, health plans, and healthcare providers was originally included in the text of HIPAA in order to improve the efficiency of healthcare transactions and to reduce administrative costs. However, no standards were ever adopted for individuals, and the standards for health plans were rescinded in 2019.

The requirement for the Secretary of Health and Human Services (HHS) to adopt HIPAA unique identifiers appears in §1173 of HIPAA (42 USC 1320d-2(b)). Referred to as “unique health identifiers” in the text of HIPAA, the statute instructs the Secretary to:

“Adopt standards providing for a standard unique health identifier for each individual, employer, health plan, and healthcare provider for use in the health care system. In carrying out the preceding sentence for each health plan and health care provider, the Secretary shall take into account multiple uses for identifiers and multiple locations and specialty classifications for health care providers”.

The instruction was part of a larger goal to achieve uniform national health data standards that would support the efficient electronic exchange of health information used in HIPAA-covered transactions (the “health care system” mentioned above). However, the instruction was only partly complied with due to the cost and complexity of standardizing HIPAA unique identifiers for individuals and health plans.

The Cost of Adopting Individual HIPAA Identifiers

In 1998, HHS published a white paper containing multiple options for adopting individual HIPAA unique identifiers. The white paper listed 30 criteria for evaluating the options and discussed the pros and cons of each identifier type, the practicalities of adopting specific identifiers, and the cost of implementation. Because of the cost of implementation and of converting existing systems, no standard for individual HIPAA unique identifiers was ever adopted. Since 1999, annual appropriations acts have also barred HHS from spending funds to promulgate or adopt such a standard.

The Quick Fix for Employer HIPAA Unique Identifiers

Employer identifiers are needed when an employer enrolls or disenrolls an employee in a health plan, or when a health plan needs to track premium payments or contributions from a particular employer for particular types of benefit. Because all employers are already required by 26 USC 6011(b) to have an IRS-issued Employer Identification Number (EIN), HHS published a Final Rule in May 2002 adopting the EIN as the employer HIPAA unique identifier.

The Complexity of Using Four Health Plan Identifiers

Because of the different ways in which health plans function, multiple codes of different lengths and formats were already in use by the time HHS published a Final Rule in 2012. Even then, rather than a single unique identifier for health plans, the rule provided for four. Because of the complexity of using the identifiers, and because manual processes were still required to process HIPAA transactions, the standards were never enforced, and the HIPAA identifiers for health plans were rescinded in 2019.

Healthcare Provider Identifiers Were Already in Use

Prior to the passage of HIPAA, the Health Care Financing Administration (HCFA, now known as CMS) had been working on a National Provider Identifier (NPI) for use in the Medicare and Medicaid programs. In 1998, HHS proposed that the NPI be extended to all health plans. The proposal was finalized in 2004, and the National Plan and Provider Enumeration System (NPPES) was set up to assign NPIs to healthcare providers.

Unique Identifiers Should Not be Confused with PHI Identifiers

Several sources discussing HIPAA identifiers confuse employer and provider identifiers with the PHI identifiers (the 18 identifiers listed in 45 CFR § 164.514(b)(2)) that must be removed from a designated record set before any health information remaining in the record set can be considered de-identified under the safe harbor method of de-identification. It is important to understand the difference between the two types of identifiers to avoid preventable HIPAA violations.

Employer and provider identifiers are codes that must be used in standard healthcare transactions between providers (or their business associates) and health plans. PHI identifiers are items of individually identifying information that can identify the subject of PHI. Covered entities and business associates who are uncertain about the difference between HIPAA unique identifiers and PHI identifiers are advised to seek HIPAA compliance advice.

The post HIPAA Unique Identifiers Explained appeared first on The HIPAA Journal.

Heritage Valley Health System Pays $950,000 to Settle Alleged HIPAA Security Rule Violations

The HHS Office for Civil Rights (OCR) has agreed to settle alleged HIPAA Security Rule violations with Heritage Valley Health System for $950,000. Heritage Valley is a three-hospital health system with more than 50 physician offices and many community satellite facilities in Pennsylvania, eastern Ohio, and the panhandle of West Virginia.

In 2017, Heritage Valley was affected by the global NotPetya malware attack, with the malware installed on its network via a connection with its business associate, Nuance Communications. OCR opened an investigation of Heritage Valley in October 2017, following media reports of the incident, to determine whether Heritage Valley was compliant with the requirements of the HIPAA Security Rule.

OCR’s investigation uncovered multiple Security Rule compliance failures, including the most commonly identified Security Rule issue: the failure to conduct an accurate and thorough risk analysis to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI), as required by 45 C.F.R. § 164.308(a)(1)(ii)(A).

The HIPAA Security Rule (45 C.F.R. § 164.308(a)(7)) requires covered entities to develop and implement a contingency plan for responding to an emergency that damages systems containing ePHI. Heritage Valley was found not to be compliant with this requirement. OCR also identified a failure to implement technical policies and procedures for electronic information systems that maintain ePHI so that access is permitted only to authorized persons or software programs (45 C.F.R. §§ 164.308(a)(4) and 164.312(a)(1)).

The healthcare industry is being actively targeted by ransomware groups, and large breaches reported to OCR that involved ransomware have increased by 264% since 2018. Healthcare organizations that are fully compliant with the HIPAA Security Rule reduce the likelihood that a ransomware attack succeeds and limit the harm caused if one does.

In addition to paying the financial penalty, Heritage Valley has agreed to implement a corrective action plan, compliance with which will be monitored by OCR for three years. The corrective action plan requires Heritage Valley to conduct an accurate and thorough risk analysis; implement a risk management plan to reduce the identified risks and vulnerabilities; review, develop, maintain, and revise as necessary its written policies and procedures to comply with the HIPAA Rules; and train its workforce on those policies and procedures.

“Hacking and ransomware are the most common type of cyberattacks within the health care sector. Failure to implement the HIPAA Security Rule requirements leaves health care entities vulnerable and makes them attractive targets to cyber criminals,” said OCR Director Melanie Fontes Rainer. “Safeguarding patient protected health information protects privacy and ensures continuity of care, which is our top priority. We remind and urge health care entities to protect their records systems and patients from cyberattacks.”

This is the third OCR HIPAA penalty imposed in response to a ransomware attack and the fifth HIPAA enforcement action of 2024 to result in a financial penalty.

[Chart: Total HIPAA enforcement funds paid to OCR]

When announcing the enforcement action, OCR took the opportunity to remind all HIPAA-regulated entities of their responsibilities under the HIPAA Security Rule to take action to mitigate or prevent cyber threats. These include:

  • Reviewing relationships with business associates, ensuring a business associate agreement is in place, and addressing data breach and security incident obligations.
  • Integrating risk analysis and risk management into business processes, and conducting a risk analysis whenever new technologies are implemented or business operations change.
  • Ensuring an audit trail is maintained and information system activity is regularly reviewed.
  • Encrypting ePHI to prevent unauthorized access and implementing multifactor authentication on accounts.
  • Providing regular training to the workforce specific to the organization and job responsibilities, and reinforcing the role of workforce members with respect to privacy and security.
  • Incorporating lessons learned from security incidents into the security management process.

The post Heritage Valley Health System Pays $950,000 to Settle Alleged HIPAA Security Rule Violations appeared first on The HIPAA Journal.