The Health Insurance Portability and Accountability Act (HIPAA) is divided into five titles. This HIPAA Rules Summary provides an overview of each of these sections. 

Title I of HIPAA ensures and enhances insurance access, portability, and renewability.

Under this title, HIPAA provides the following protections for working Americans and their families:

  • Increases their ability to get health coverage when starting a new job
  • Reduces the probability of losing existing health care coverage
  • Helps workers maintain continuous health coverage when changing jobs
  • Helps workers purchase health insurance coverage on their own if they lose coverage under an employer’s group health plan.

HIPAA Summary

HIPAA Title II is about preventing health care fraud and abuse; administrative simplification; and protecting the privacy and confidentiality of patient records and any other patient-identifiable information, in any medium. Administrative Simplification defines rules for transactions, privacy, and security.

Titles III, IV, and V deal with the tax and insurance-market provisions of the act rather than with privacy or security. These titles are: Tax-related Health Provisions, Application and Enforcement of Group Health Plan Requirements, and Revenue Offsets.

When it comes to HIPAA Privacy and Security, we care mostly about Title II, which includes Administrative Simplification. The Administrative Simplification subpart includes rules covering transactions and code sets, privacy, and security of PHI within health care organizations. As of February 17, 2010, both Covered Entities and Business Associates are statutorily obligated to meet the requirements of the HIPAA Security Final Rule and the HITECH Act. The goals of the original HIPAA standards are to:

  • Simplify the administration of health insurance claims and lower costs.
  • Give individuals more control over and access to their medical information.
  • Protect individually identifiable medical information from threats of loss or disclosure.

HIPAA 101: What is HIPAA? An Introduction

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was designed to improve “the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information.”

In a nutshell: the HIPAA regulations established standards and procedures for the transmission of health information. The regulations had two goals:

  • first, to improve the accessibility of health care information
  • second, to protect patients’ right to privacy in that information.

While HIPAA’s introduction may seem like a bit of a sore spot for health care providers, it’s imperative that we all work together to keep our patients and their personal information safe. Thus, we need to understand what HIPAA means and how it applies to our companies. Hopefully the following information will provide you with a basic understanding of its importance.

Rules Within the Legislation

HIPAA comprises a number of rules, a summary of which can be found above. These regulations serve to help organizations (and individuals) maintain compliance and safeguard sensitive information.

Specifically, it’s important to note these four aspects of the law and what they mean to you and your organization.

  • Privacy– The privacy rule creates a set of standards for protecting patient records and other individually identifiable health information. It applies to health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with covered transactions. It sets conditions and limits on the uses and disclosures of patient health information that may be made without the patient’s authorization. In addition, it gives patients certain rights over their records, such as the right to access them and to request corrections.
  • Security– The security rule protects the confidentiality, integrity and availability of electronic PHI (ePHI) by requiring administrative, physical and technical safeguards for ePHI that a covered entity or business associate creates, receives, maintains or transmits; it is not limited to the moment of transmission.
  • Breach Notification– The breach notification rule requires covered entities to notify affected patients (and the Department of Health and Human Services, and in larger breaches the media) when a breach of their unsecured PHI has occurred. Business associates must in turn notify the covered entity of breaches they discover so that the covered entity can meet its own notification obligations.
  • Enforcement– The enforcement rule (referred to as the “final rule” in some summaries) sets out the civil money penalties and investigation procedures applied to covered entities and business associates that fail to adhere to the rules above. Criminal penalties for knowingly misusing PHI are prosecuted separately by the Department of Justice.

Why Do These Laws & Regulations Exist?

These laws and regulations exist to protect patient information for privacy and safety reasons. Since medical records often contain patient addresses, full names, dates of birth, social security numbers, and billing information, they are prime targets for identity thieves.

There is also growing concern over attackers using stolen PHI as part of a larger cyber attack or act of cyber terrorism.

Who Does HIPAA Apply To?

HIPAA applies to covered entities (health care providers, health plans and health care clearinghouses) and to their business associates, the suppliers and vendors that “transmit, maintain, access or store” PHI on their behalf.

What Is Covered?

All health information that is individually identifiable falls under the protection of HIPAA’s privacy rules. This includes information about the care a patient receives and about how that care is paid for, both of which must remain confidential.

What Is Required Or Prohibited?

There are six categories of permitted uses and disclosures of PHI, and each is defined in considerable detail. It is therefore imperative that you study what is required and prohibited in order to maintain compliance for your organization. We briefly summarize the six categories here.

  1. To the patient– You can always disclose PHI to the individual it concerns.
  2. Treatment, payment and health care operations– You can share PHI within your organization, or with another covered entity that is treating or billing the patient, for these purposes.
  3. When the individual has an opportunity to agree or object– Informal permission, for example listing a patient in a facility directory or sharing information with family members involved in their care. If the individual is incapacitated, the disclosure may be made when professional judgment finds it to be in the individual’s best interest.
  4. Incidental uses and disclosures– Permitted only as a by-product of an otherwise permitted use, provided you have applied the minimum-necessary standard and reasonable safeguards are in place.
  5. Public interest and benefit activities– These include, but are not limited to: reporting abuse or neglect, law enforcement requests, judicial and administrative proceedings, public health activities and organ donation.
  6. Limited data sets– PHI from which the direct identifiers have been removed, disclosed under a data use agreement for research, public health or health care operations. Dates and some geographic data may remain, so a limited data set is still PHI and still needs safeguards.

Alongside the permitted uses and disclosures above, the Privacy Rule imposes administrative requirements that every covered entity must meet. These demand:

  • Written, implemented privacy policies and procedures
  • A designated privacy official and a contact for complaints
  • Workforce training and management, including sanctions for violations
  • Mitigation of any harmful effect of a known improper use or disclosure
  • Administrative, technical and physical data safeguards
  • A complaint procedure
  • Prohibitions on retaliation against individuals who exercise their rights and on requiring a waiver of those rights
  • Retention of policies, procedures and related documentation
  • An exception for fully insured group health plans that do not create or receive PHI beyond enrollment and summary information

Who Enforces HIPAA?

The Department of Health and Human Services, Office for Civil Rights (OCR), enforces these rules and regulations.

OCR investigates complaints and conducts periodic compliance audits.

Non-compliance comes with a number of hefty penalties. Civil money penalties apply to any covered entity or business associate that fails to adhere to the HIPAA rules. For violations committed after February 18, 2009, the tiers run up to $50,000 per violation, with an annual cap per violated provision that was set at $1.5 million (both figures are periodically adjusted for inflation).

As if a robust fine isn’t enough, there are also potential criminal penalties. Knowingly obtaining or disclosing PHI in violation of HIPAA can bring a fine of up to $50,000 and up to one year in prison. If the offense is committed under false pretenses, the maximum rises to $100,000 and five years; if it is committed with intent to sell, transfer or use the PHI for commercial advantage, personal gain or malicious harm, the maximum is $250,000 and ten years in prison.

HIPAA 101: What is PHI?

PHI stands for Protected Health Information.

In the context of HIPAA, PHI is individually identifiable health information that a covered entity or business associate creates, receives, maintains or transmits, in any form: electronic, paper or oral.

Identifying information includes name, address, social security number, telephone number, key demographics, payment details, or any other piece of information that may result in the identification of the patient to whom it belongs.

However, education records covered by FERPA (the Family Educational Rights and Privacy Act) and employment records that a covered entity holds in its role as an employer are not PHI.
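Item 6 of the permitted disclosures above (limited data sets) and the list of identifying fields in this section both come down to the same engineering task: strip the direct identifiers out of a record before it leaves the organization, then check that nothing identifying survives in free-text fields such as clinical notes. The following Python is an added example written for this page; it is not code from the original article or from Clearwater Compliance. It assumes an illustrative record layout with field names (`name`, `ssn`, `phone`, `address`, `payment`) drawn from the page’s own list, and the field set and regular expressions are assumptions for the demonstration, not the regulatory enumeration of identifiers. Whether a given output actually qualifies as a limited data set is a compliance determination the code cannot make.

```python
import re

# Direct identifier fields, taken from the page's own list of identifying
# information (name, address, social security number, telephone, payment
# details). Assumption: illustrative only, not the regulatory list.
DIRECT_IDENTIFIER_FIELDS = {"name", "address", "ssn", "phone", "payment"}

# Patterns that catch identifiers typed into free-text fields such as
# clinical notes. Assumed formats: US SSN 123-45-6789 and 10-digit US
# phone numbers. Over-matching (an unrelated 10-digit number) is the safe
# failure direction here; under-matching is the dangerous one.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
]


def _identifier_values(record):
    """Collect the literal values of direct-identifier fields (recursing into
    nested dicts) so the same strings can be scrubbed out of free text."""
    values = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            nested = value.values() if isinstance(value, dict) else [value]
            values.extend(str(v) for v in nested)
        elif isinstance(value, dict):
            values.extend(_identifier_values(value))
    return [v for v in values if v]


def scrub_text(text, known_values=()):
    """Replace pattern matches and any known identifier values in free text.
    Longest known values go first so a full name is redacted before a
    substring of it could be."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    for value in sorted(known_values, key=len, reverse=True):
        text = text.replace(value, "[REDACTED]")
    return text


def _strip(record, known_values):
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # drop the field entirely
        if isinstance(value, dict):
            out[key] = _strip(value, known_values)
        elif isinstance(value, str):
            out[key] = scrub_text(value, known_values)
        else:
            out[key] = value
    return out


def to_limited_data_set(record):
    """Return a new dict with direct-identifier fields removed and free text
    scrubbed. The input is not modified, so the caller still holds the
    original and must take care not to send it by mistake."""
    return _strip(record, _identifier_values(record))


def residual_identifiers(record, known_values=(), prefix=""):
    """Audit check to run on the output before transmission. Returns a list
    of (field, reason) pairs; an empty list means nothing was found."""
    findings = []
    for key, value in record.items():
        path = f"{prefix}{key}"
        if key in DIRECT_IDENTIFIER_FIELDS:
            findings.append((path, "direct identifier field still present"))
        elif isinstance(value, dict):
            findings.extend(residual_identifiers(value, known_values, path + "."))
        elif isinstance(value, str):
            for pattern, label in FREE_TEXT_PATTERNS:
                if pattern.search(value):
                    findings.append((path, f"{label} pattern in free text"))
            for known in known_values:
                if known and known in value:
                    findings.append((path, "known identifier value in free text"))
    return findings


# Constructed sample record with fictional values, for the demonstration only.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "phone": "555-123-4567",
    "address": "1 Main St",
    "payment": {"card": "card ending 4242"},
    "dob": "1980-01-02",
    "zip": "37201",
    "diagnosis": "I10",
    "notes": "Patient Jane Doe (SSN 123-45-6789) called from 555-123-4567 about a refill.",
}

if __name__ == "__main__":
    known = _identifier_values(SAMPLE_RECORD)
    print("before:", residual_identifiers(SAMPLE_RECORD, known))
    scrubbed = to_limited_data_set(SAMPLE_RECORD)
    print("after: ", scrubbed)
    print("audit: ", residual_identifiers(scrubbed, known))
```

The audit function is the part worth keeping in a real pipeline: run it on the outbound copy, and refuse to transmit if it returns anything. Note that the scrubbed record still carries a date of birth and a ZIP code, which is why a limited data set is still PHI and still needs a data use agreement and safeguards.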

Why it’s important to understand PHI

Understanding PHI and patient rights is essential to proper handling of information. Anyone working at a health care organization (or at one of its business associates) should be aware of when, where, and how this information may be “stored or transmitted”.

There are certain situations in which private information can be shared. These include disclosures to other providers and to health plans for the purposes of providing treatment, seeking payment and carrying out other necessary health care operations.

All access to PHI should be limited to the minimum necessary for the task at hand, and the proper policies and procedures should be in place to ensure that the data is kept safe.

Keep PHI secure and protected

Don’t make the mistake of thinking that PHI is only located on computers, laptops, servers and in paper files. This valuable information can also be found lurking on smartphones, in copier and printer memory and print queues, on medical devices and on USB drives.

More HIPAA Rules Resources:

Need more than a summary of the HIPAA Rules?

Deciphering HIPAA compliance can be confusing. Contact us for more information or consider learning more with one of our HIPAA educational resources.

Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.