The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules have been in effect since 2002–03. These rules have impacted the healthcare workflow in ways that the regulations' authors hadn't anticipated. HIPAA has been underinterpreted, such that it wasn't adequately implemented and/or not enforced. Conversely, in some cases, HIPAA has been overinterpreted, such that provider organizations have implemented limitations on the ways that they share data with other organizations and individuals that are simply not required by the regulations.
In early 2009, Congress passed a Stimulus Bill—a law that aims to stimulate the economy through investments in infrastructure, unemployment benefits, transportation, education, and healthcare—providing nearly $20 billion to aid in the development of a robust information technology (IT) infrastructure for healthcare and to assist providers and other entities in adopting and using health IT. Within this new law, called the American Recovery and Reinvestment Act of 2009, H.R. 1 (ARRA), there are statutory provisions relating to health IT in a section entitled, "Health Information Technology for Economic and Clinical Health" (HITECH), commonly referred to as the "HITECH Act." The HITECH Act contains many new laws relating to the use and disclosure of protected health information (PHI), including the privacy and security provisions. Here, we'll review how these new laws, and forthcoming related regulations, affect the healthcare workflow.
HIPAA, Public Law 104–191, was enacted on August 21, 1996. Sections 261 through 264 require the Secretary of Health and Human Services (HHS) to publicize standards for the electronic exchange, privacy, and security of health information. Collectively these are known as the Administrative Simplification provisions.
HIPAA required the Secretary of HHS to issue privacy and security regulations governing individually identifiable health information. The final HIPAA Privacy Rule was published August 14, 2002.1,2 The HIPAA Security Rule was published February 20, 2003.1
Implementing HIPAA privacy and security requirements has been a challenging endeavor for healthcare organizations. Many years later, the task is still complicated by myths and misinterpretations about the law and its related regulatory requirements. The source of the myths and confusion isn't always clear, but it seems to come from zealous privacy advocates, providers' legal advisors who warn of legal consequences and lawsuits, and vendors eager to sell their "HIPAA compliant" products. Today, the myths may persist because case law and precedent have been hard to come by: there simply hasn't been a lot of actual legal enforcement of the HIPAA regulations. (See Top three myths about HIPAA dispelled for a discussion of some of the most common HIPAA myths.)
As it pertains to nurses and other providers who see patients every day, the authors of HIPAA took great pains to recognize the needs of the healthcare workflow, and that providers should have some discretion to care for their patients the best way they know how. The authors also incorporated flexibility and scalability in the requirements so as to recognize the various delivery models and sizes of healthcare organizations.
At the same time, the authors of HIPAA recognized that some changes in data protection and sharing approaches and culture were needed as healthcare providers made the transition from paper records to electronic records. At the highest level, the HIPAA Privacy Rule requirements are designed to require the providers to be good stewards of the patient's data—to "protect it, think about who you are sending it to and why, and only send the information that is needed." When we talk about a culture shift, that might be best characterized by the provider thinking, "taking care of my patient means taking care of their data."
HIPAA Privacy Rule requirements
The following outline provides practical interpretation of the HIPAA Privacy Rule requirements as they affect provider organizations.1,2
- —the "need to know" principle
- —"minimum necessary disclosure"
- —business associate agreements
- —adherence by subcontractors and temporary staff.
- Covered information
- —individually identifiable health information that's maintained or transmitted in connection with certain administrative and financial transactions.
- Organizational requirements
- —document information practices
- —track disclosures of information
- —provide method for consumer inspection and copying of information
- —formally designate a privacy officer
- —train staff at least every 3 years
- —enforce consistent policies and procedures
- —implement business associate contracts.
- Consumer rights
- —"general consent"
- —disclosure restrictions
- —accounting of disclosures for non-TPO disclosures
- —inspection and duplication of medical records
- —requesting of corrections to medical records
- —receipt of notice of right to complain to entity and HHS.
HIPAA Security Rule requirements
The HIPAA Security Rule safeguard (security protection) requirements impact provider organizations in three main areas: administrative, physical, and technical.1,2
- Administrative safeguards: In general, these are the administrative functions that should be implemented to meet the security standards. These include assignment or delegation of security responsibility to an individual and security training requirements.
- Physical safeguards: For the most part, these are the mechanisms required to protect electronic systems, equipment, and the data they hold from threats, environmental hazards, and unauthorized intrusion. They include restricting access to electronic PHI (ePHI) and retaining off-site computer backups.
- Technical safeguards: Generally, these are primarily the automated processes used to protect data and control access to data. They include using authentication controls to verify that the person signing onto a computer is authorized to access that ePHI, or encrypting and decrypting data as it's being stored and/or transmitted.
Ongoing compliance pointers
Often, healthcare organizations struggle to find the best way to implement the HIPAA rules and care for their patients. Here's what you can expect your organization to be doing on an ongoing basis to comply with HIPAA.
- Privacy/General: Develop a strategic approach and obtain management commitment. Also, develop and codify organizational policies and procedures. You'll need to allocate adequate resources and budgets and negotiate or renegotiate business associate contracts. Next steps require policy and procedure implementation and employee awareness and training. Also, be sure to perform ongoing monitoring and compliance audits.
- Security-specific: Perform a security risk assessment and use results to choose, and implement, security controls. Next, conduct a compliance assessment for security controls and employee practice. Ensure ongoing compliance through continual monitoring and compliance audits.
The best rule of thumb for each nurse in a care-giving role and her supervisor is to do what seems reasonable, in the best interest of the patient, and necessary at the time. Supervisors should ensure that employees follow documented processes, audit actual employee practice, and document any deviation from current policies and procedures. Employees should be provided all of the resources and support that they need to comply—including education, training, reporting channels, and a place to go or a person to ask questions. Ultimately, awareness is your best tool for complying with privacy and security laws and regulations.
Top three myths about HIPAA dispelled
Myth #1: A healthcare provider may not discuss a patient's condition or care with a family member.
Myth dispelled: Not true.1 In fact, the HIPAA Privacy Rule at 45 CFR 164.510(b) specifically permits a healthcare provider to share information that's directly relevant to the involvement of a spouse, family members, friends, or other persons identified by a patient, in the patient's care or payment for healthcare.
— if the patient agrees or, when given the opportunity, doesn't object.
— if the provider can reasonably infer, based on professional judgment that the patient doesn't object.
This means that, for example, if the patient is incapacitated, a provider may share this information with the person when, in exercising professional judgment, they determine that doing so would be in the best interest of the patient.
Myth #2: A healthcare provider can't disclose a patient's data to another healthcare provider without a patient authorization.
Myth dispelled: Not true. A healthcare provider may disclose PHI for treatment activities of a healthcare provider without an authorization.
— The provider is required to verify the identity of the person requesting information
— If the identity of the person isn't knownto the healthcare provider, then they must ascertain the authority of such person to have access to the information.
A provider may rely on documentation, statement, or representation that meets the requirement if it's reasonable.
Myth #3: Your patients must sign the HIPAA Notice of Privacy Practices.
Myth dispelled: A provider must provide the notice and make a good faith effort to obtain a written acknowledgment of the patient's receipt of the notice. If the acknowledgment isn't obtained, the provider must document his or her efforts to obtain it.
An introduction to ARRA and the "HITECH Act"
On February 17, 2009, President Barack Obama signed into law the ARRA. The law aims to stimulate the economy through investments in infrastructure, unemployment benefits, transportation, education, and healthcare, providing nearly $20 billion to aid in the development of a robust IT infrastructure for healthcare and to assist providers and other entities in adopting and using health IT.
Within ARRA, the provisions relating to health IT are in a section entitled, "Health Information Technology for Economic and Clinical Health," which is commonly referred to as the "HITECH Act." The HITECH Act contains many new laws relating to the use and disclosure ofPHI. This Act also includes the privacy and security provisions.
New privacy and security statutory requirements in ARRA/HITECH Act
As a result of continued privacy concerns and a widespread perception that HIPAA hasn't been enforced by HHS, Congress included new privacy and security laws in the HITECH Act of ARRA.
Requirements on healthcare providers—The HITECH Act requires the following, which represent new requirements beyond or not addressed in HIPAA ("New"), or a change to what was contained in HIPAA ("Change"):
- Breach notification—This provision requires that healthcare organization must provide a notification to those individuals affected when there's a breach (unauthorized access, disclosure or use) of their health information, and that a report be made to HHS if more than 500 individuals are affected. (New)
- Defines new HIPAA business associates—This provision provides that new entities that weren't contemplated when HIPAA was written (such as PHR vendors, Regional Health Information Organizations, HIEs, and so on) are subject to the same privacy and security rules as providers and health insurers, by requiring Business Associate contracts and treating these entities as Business Associates under HIPAA. (Change)
- Limited data set/minimum necessary—This provision requires CEs to limit the use and disclosure of PHI to a limited data set, or, if needed, to the "Minimum Necessary" to accomplish the purpose of the use or disclosure. It states that the disclosing entity is responsible for the Minimum Necessary determination. (Change) and (New Requirement on HHS to provide guidance on Minimum Necessary)
- Sale/Marketing of Protected Health Information (PHI)—These provisions prohibit marketing of drugs or other healthcare items to individuals, based on information obtained from their health record, unless the patient provides authorization in advance. These provisions also provide additional restrictions on the circumstances under which an entity can receive remuneration for PHI. (Change)
- Enforcement/Penalties—This section of the bill contains several provisions that are aimed at increasing civil and criminal consequences for violating HIPAA as well as providing for increased enforcement activities. (Change)
Patient rights—The HITECH Act provided new rights to consumers/patients. While these do require action on the part of the provider organization, they're written in terms of new patient rights.
- Access—This provision provides an individual the right to be given an electronic copy of all health information about them that's held by the provider in electronic format. (New)
- Accounting of disclosures—This provision gives patients the right to request an accounting of disclosures of their health information made through an electronic health record, even for TPO. (Change)
A quick guide to navigating the privacy and security provisions of the ARRA and HITECH
- Read the statute in its original form and reference back to it as the source of truth.
- Even if you have another trusted source or reference, your best bet is to always check back with the original statutory language to verify your source's consistency with the original bill.
- The following information will help you access the relevant portions of the bill:
- — The text of the entire ARRA bill may be found at: ARRA, H.R. 1
- — The text of the HITECH Act may found at: TITLE XIII: Health Information Technology
- — Within the HITECH Act, the Privacy and Security provisions are contained in: TITLE XII: Health Information Technology, Subtitle D, Privacy.
- Don't depend entirely on abstracts and synopses of the statute.
- Abstracts and synopses published immediately after the passage of the bill may (and often do) contain discrepancies or inaccurate information due to the haste in which they were produced. Look for publications with recent dates and/or that are updated frequently.
- — Healthcare Information and Management Systems Society (HIMSS) maintains an entire section of its website dedicated to helping its members stay abreast of the statutory and regulatory requirements of ARRA: Economic Stimulus for the Healthcare Industry.
- Understand that the ARRA statutory language requires regulations to be written for implementation.
- Many of the provisions in the statute require the development of regulations to specify implementation requirements. The Statute mandates what should occur at a very high level. These mandates are then referred to the appropriate federal department for implementation. The Department of HHS is charged with the development of the regulations and other information that will specify how the requirements should be implemented and with the associated timeline.
- Understand that your organization may soon have new requirements to meet and new obligations to its patients.
- Stay apprised of the activities in your organization to comply with the new requirements. These may include:
- — Creation of new administrative processes
- — Teaching of employees on new processes and how to interact with patients.
- If you don't hear anything about these activities—Ask!
- Abstracted from the HIMSS Quick Guide to Navigating the Privacy and Security Provisions of the American Recovery and Reinvestment Act of 2009. http://www.himss.org/ASP/privacySecurityTree.asp?faid=78&tid=4.
Terms to know
Business associate: Defined in HIPAA as an entity that does business for or on behalf of a HIPAA Covered Entity
Covered entity: Defined in HIPAA as provider, clearinghouse, or health plan
Guidance: A document such as a book, pamphlet, and so on, giving information, instructions, or advice
HIE: Health Information Exchange
PHI: Personal Health Information
PHR: Personal Health Record
Regulation: After Congressional bills become laws, federal agencies are responsible for putting those laws into action, through regulations. The types of regulations include Notices from the Federal Register; Proposed Rules; and Final Rules. Documents such as public comments and supporting materials are often associated with these regulations.
(Rule and) Rulemaking: A type of regulation that establishes a rule, the means by which Congressional laws are implemented.
Rulemaking process: The process federal agencies use to formulate, amend, or repeal a regulation. This process often contains a proposed rule and a final rule, and may accept public comments during specified time periods.
TPO: Treatment, Payment, and Operations, a term used in HIPAA.
Federal Rulemaking Glossary accessed at: http://www.regulations.gov/search/Regs/home.html#glossary.