HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996. HIPAA is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s authorization or knowledge.
Rules of HIPAA
There are three cardinal rules of HIPAA:
- The Privacy Rule
- The Security Rule
- The Breach Notification Rule
To protect sensitive patient health information, the US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of the information covered by the Privacy Rule.
What are the general rules of HIPAA?
The general rules of HIPAA require covered entities to:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information (e-PHI) they create, receive, maintain, or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
What are the main components of HIPAA?
There are five main components of HIPAA. They include:
- Focus on Health Care Access;
- Preventing Health Care Fraud;
- Tax-Related Health Provisions;
- Application of Group Health Insurance Requirements; and
- Revenue Offset for Employees.
HIPAA Privacy Rule
The Privacy Rule standards address the use and disclosure of individuals’ health information, known as “protected health information,” by the individuals and organizations subject to the Privacy Rule, which are called “covered entities.”
Furthermore, the Privacy Rule contains standards for individuals’ rights to understand and control how their health information is used.
A major objective of the Privacy Rule is to ensure that individuals’ health information is properly protected. This protection must hold even while allowing the flow of health information needed to provide and promote high-quality health care and to protect the public’s health and well-being.
The HIPAA Privacy Rule strikes a balance that permits important uses of information while protecting the privacy of people who seek care and healing.
Does HIPAA apply to everyone?
The Health Insurance Portability and Accountability Act (HIPAA) does not protect all health information. Likewise, HIPAA does not apply to every person who may see or use health information. HIPAA applies only to covered entities and their business associates. What, then, are “covered entities” and “business associates”?
Covered entities and their business associates are the individuals and organizations that are subject to the rules of HIPAA, particularly the Privacy Rule. The following types of individuals and organizations are subject to the Privacy Rule and are considered covered entities:
- Healthcare providers: Every healthcare provider, regardless of the size of the practice, who electronically transmits health information in connection with certain transactions. These transactions include claims, benefit eligibility inquiries, referral authorization requests, and other transactions for which HHS has established standards under the HIPAA Transactions Rule.
- Health plans: Entities that provide or pay the cost of medical care. These health plans include health, dental, vision, and prescription drug insurers; health maintenance organizations (HMOs); Medicare, Medicaid, Medicare+Choice, and Medicare supplement insurers; and long-term care insurers (excluding nursing home fixed-indemnity policies). Health plans also include employer-sponsored group health plans, government- and church-sponsored health plans, and multi-employer health plans. Exception: A group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity.
- Healthcare clearinghouses: Entities that process nonstandard information they receive from another entity into a standard (i.e., standard format or data content), or vice versa. In most instances, healthcare clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or healthcare provider as a business associate.
- Business associates: A person or organization (other than a member of a covered entity’s workforce) using or disclosing individually identifiable health information to perform or provide functions, activities, or services for a covered entity. These functions, activities, or services include claims processing, data analysis, utilization review, and billing.
Permitted Uses and Disclosures of Protected Health Information
Situations in which a covered entity is permitted, but not required, to use and disclose protected health information without an individual’s consent include the following:
- Disclosure to the individual: if the information is requested for access or for an accounting of disclosures, the entity MUST disclose it to the individual.
- Treatment, payment, and healthcare operations
- Opportunity to agree or object to the disclosure of PHI (Informal permission may be obtained by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, acquiesce, or object)
- Incident to an otherwise permitted use and disclosure
- Public interest and benefit activities: the Privacy Rule permits use and disclosure of protected health information, without an individual’s authorization or permission, for 12 national priority purposes:
  - When required by law
  - Public health activities
  - Victims of abuse, neglect, or domestic violence
  - Health oversight activities
  - Judicial and administrative proceedings
  - Law enforcement
  - Functions (such as identification) concerning deceased persons
  - Cadaveric organ, eye, or tissue donation
  - Research, under certain conditions
  - To prevent or lessen a serious threat to health or safety
  - Essential government functions
  - Workers’ compensation
- Limited data set for research, public health, or healthcare operations
HIPAA Security Rule
While the HIPAA Privacy Rule safeguards protected health information (PHI), the Security Rule protects a subset of the information covered by the Privacy Rule: all individually identifiable health information that a covered entity creates, receives, maintains, or transmits in electronic form. This information is called “electronic protected health information” (e-PHI). The Security Rule does not apply to PHI transmitted orally or in writing.
To comply with the HIPAA Security Rule, all covered entities must do the following:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information;
- Identify and protect against reasonably anticipated threats to the security of the information;
- Protect against reasonably anticipated impermissible uses or disclosures; and
- Ensure compliance by their workforce.
Covered entities should rely on professional ethics and best judgment when considering requests for the permissive uses and disclosures described above. The HHS Office for Civil Rights enforces the HIPAA rules, and complaints should be reported to that office. HIPAA violations may result in civil monetary or criminal penalties.
What counts as a HIPAA violation?
A HIPAA violation is a failure to comply with any aspect of the HIPAA standards. The details of violations are provided in 45 CFR Parts 160, 162, and 164. Examples include the failure to implement safeguards that ensure the confidentiality, integrity, and availability of PHI, and the failure to maintain and monitor PHI access logs.
What are the most common HIPAA violations?
The most common HIPAA violations that have resulted in financial penalties include:
- Failure to perform an organization-wide risk analysis to identify risks to the confidentiality, integrity, and availability of protected health information (PHI);
- Failure to enter into a HIPAA-compliant business associate agreement;
- Snooping on healthcare records;
- Failure to manage security risks and lack of a risk management process;
- Denying patients access to health records, or exceeding the timescale for providing access;
- Insufficient ePHI access controls;
- Failure to use encryption or an equivalent measure to safeguard ePHI on portable devices;
- Exceeding the 60-day deadline for issuing breach notifications;
- Impermissible disclosures of protected health information; and
- Improper disposal of PHI.
Is it a HIPAA Violation to Ask for Proof of Vaccine Status?
It is not a HIPAA violation for an employer to ask an employee for proof of vaccination. It would, however, be a HIPAA violation for the employee’s healthcare provider to disclose that information to the employer unless the individual had authorized the provider to do so.
If an employer is running its own vaccination program and an employee chooses to be vaccinated privately, that individual may have to authorize their healthcare provider to disclose certain information about the vaccine to the employer as proof of vaccination.
Asking about vaccine status does not violate HIPAA, but other laws could be violated. For instance, requiring employees to disclose additional health information, such as the reason they are not vaccinated, could potentially violate federal laws in some instances, although this would not be a HIPAA violation. States may also introduce laws that prohibit employers from asking employees about their vaccine status.
The Equal Employment Opportunity Commission (EEOC) recently issued advice to help employers avoid potential violations of anti-discrimination laws such as the Americans with Disabilities Act (ADA) and the Genetic Information Nondiscrimination Act (GINA), and confirmed that “there’s no indication that there’s any federal law that would be violated by the employer asking this question.”