HIPAA: The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was passed into law to provide more stringent protection in handling the data and information of patients submitted to hospitals and healthcare institutions when they fill out forms. It was largely a response to the numerous data breaches that happened when hospital databases were hacked and patient data were stolen.
To protect patients as well as health professionals, the HIPAA was enacted. It outlined specific standards and requirements which have to be met by covered entities such as hospitals and healthcare institutions. They have to meet the requirements in the HIPAA audit checklist and are subject to audits by federal health authorities from time to time.
Here are some of the ways by which HIPAA protects patients as well as health professionals:
- Protection Against Intentional Breach Of PHI Privacy
One of the most important safeguards provided by HIPAA compliance is the protection of a patient’s Personal Health Information (PHI) from any potential or intentional breach of privacy and confidentiality. A patient’s PHI contains sensitive information including billing statements, payment methods, medical history, medical examinations, etc.
Here is some of the information included in PHI:
- The patient’s full name, date of birth, complete address, biometric identifiers, Social Security number, and other information which can identify the patient.
- Any kind of care received by the patient from the hospital.
- Past medical tests, present diagnosis, and future prognosis which states the mental or physical health condition of patients.
- Information about how the patient paid for the care provided by the hospital or healthcare institution such as hospital bills.
Any information which would identify the patient and contain the patient’s health data is covered by the HIPAA rules.
PHI doesn’t cover the following:
- Data that doesn’t provide information that can identify an individual. An example of this is the heart rate or blood pressure collected by your smartwatch.
- The person’s employment and education records covered by the Family Educational Rights and Privacy Act (FERPA).
- Protection From Unintended Leak Or Loss Of PHI
Intentional breach of privacy and confidentiality isn’t the only potential source of unauthorized access to PHI. The large databases of PHI held by hospitals across the United States are a constant target of intentional hacking attempts and operations, because the data contained in PHI is a precious reservoir of information about American consumers and buyers. PHI includes data that can be used for many purposes, both legal and illegal.
For instance, as mentioned, PHI contains the personal information and contact details of Americans, down to their street addresses and Social Security details. This kind of information is usually sold to professional business and marketing companies that employ outbound calling and direct email marketing. PHI also includes credit card details and other payment information. Malicious individuals use these details for fraudulent credit card purchases.
However, intentional hacking and breach of PHI aren’t the only potential causes of leakage of this data. There are other vulnerabilities in the data management networks of hospitals and healthcare institutions that can cause an unintended leak of PHI. For instance, copies of medical test results could be left on the photocopier and picked up by somebody other than the patient.
The HIPAA protects the patients by classifying a leak of PHI as an offense whether it was intentional or unintentional. This is why HIPAA requires all covered entities including hospitals and healthcare institutions to set up safeguards in their data management systems and network. The primary focus of HIPAA rules is to protect the patients and their PHI from unauthorized access, intentional breach, or negligent leakage of their PHI without their consent.
- Protection Of Healthcare Professionals And Institutions
Aside from protecting patients, the HIPAA was also passed to protect healthcare professionals and healthcare institutions. The HIPAA requires not only covered entities but also their business associates to comply with HIPAA rules, standards, requirements, and regulations. Covered entities are usually hospitals and healthcare institutions. But it also includes healthcare professionals such as doctors and physicians who have their own independent clinics.
Without the HIPAA, healthcare professionals could entertain and accommodate all proposals for supply and business contracts from all possible third-party vendors and service providers regardless of their data security practices. Now they can turn down those who don’t comply with HIPAA.
With the enactment of HIPAA into law, healthcare professionals may now require their business associates, third-party vendors, and service providers to show proof and certification that they’ve complied with the HIPAA requirements, standards, and regulations. Otherwise, they have the prerogative to turn them down and deal only with those who have complied with HIPAA.
Aside from the compliance aspect, HIPAA is also beneficial for healthcare professionals in the sense that it enables them to gain more of the trust of their patients and clients. A HIPAA certification would inform the patients of a clinic or hospital that the health professionals in that place care about the safety, privacy, and confidentiality of their PHI.
- Protection From Heavy Fines And Lawsuits
Covered entities that violate the HIPAA rules and regulations are subject to heavy fines and penalties. For example, a clinic that didn’t set up cybersecurity measures to protect PHI might be hacked. When this happens, the doctors who own the clinic will definitely be fined and penalized. These fines could reach up to millions of dollars.
The HIPAA rules have a tiered scheme of penalties for those who violate its standards and requirements. Those who make no effort to comply with HIPAA, or who willfully neglect to protect PHI and do nothing to correct the breach, fall under tier 4. Penalties for tier 4 are the heaviest. The minimum fine for tier 4 is USD$50,000 for each violation.
By contrast, those who have complied with HIPAA and have shown reasonable care to protect PHI would only fall under tier 1 or tier 2 if a breach happens. The minimum fine for tier 1 is USD$100, while for tier 2 it is USD$1,000 for every violation. In other words, complying with HIPAA protects health professionals from heavy fines and penalties, since they can put up the defense that they made efforts to protect PHI and thus fall under tier 1 or 2 at worst.
The HIPAA was passed to protect not only the patients but the health professionals and institutions as well. By complying with HIPAA, healthcare professionals are protected from unscrupulous hackers who want to raid their databases. At the same time, they’re protected from heavy fines and penalties if they can show they’ve made every effort to protect PHI and comply with the rules.