Medical providers collect a significant amount of information about a person each time a visit occurs. This information includes everything from personal identification to medical histories. That data is sensitive to most people. A person may not be hiding anything, but they don’t want people they don’t know to gain access to their medical records, for example. Doctors’ offices typically store a significant amount of this data to allow them to have a full view of a person’s health. That’s critical in providing continuing care in many situations.
At the same time, patients need to feel comfortable telling their doctor or medical provider everything about their health without feeling as if they have to shield information they are afraid will be shared with others. If a doctor or other medical provider cannot safeguard such information, it may limit a person’s willingness to share due to fear of exposure, embarrassment, harassment, or other repercussions.
HIPAA is the solution to this. This law provides very specific protections for individuals regarding their health, and it structures a way for doctors and other medical professionals to manage health information in a safe, protected, and confidential manner. In addition, this law is designed specifically to protect anyone seeking medical care.
What Is HIPAA?
When it was put in place, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was one of the most profound changes to medical privacy laws. It aims to protect the privacy and security of identifiable health information. It also established numerous individual rights related to a person’s health information. Moreover, HIPPA recognizes the importance of individuals always having access to their health information.
The HIPAA Privacy Rule creates a legal and enforceable right for individuals to see and obtain copies of their medical and other health records whenever they request to do so. Health care providers and health care plans must provide that access within the limitations of the law.
HIPAA also establishes standards for covered entities. This term applies to health care providers of most types along with health care plans. The rule requires these entities to provide access to Protected Health Information (PHI) about that individual in any designated record sets. This rule includes:
- The right to inspect PHI
- The right to obtain a copy of PHI
- The right to direct the covered entity to transmit a copy to a person or other designated entity
- The right to gain access to this information, as long as the covered entity maintains those records, or to an associate, as long as someone maintains a paper or electronic system with that information
These and other set standards aim to ensure that those who need and want access to their personal information, whether to send it to a new medical provider or just to maintain it on hand, can always receive that information.
In addition to providing access, HIPAA sets standards for safeguarding and protecting such information. For example, it limits who can access the records. It also limits how people other than the patient can use that information for decision-making. It also establishes when covered entities can communicate anything in such records with other providers without the patient’s specific authorization.
Who Must Follow HIPAA?
Many people typically have access to protected information. HIPAA aims to protect personal health information as thoroughly as possible. As noted, the law outlines the identities of those covered entities. These are people and groups that must follow these guidelines. These entities must comply with the Privacy Rule’s requirements to protect the security and privacy of that information. They must also comply with the provision of access to information as previously outlined.
Here’s a look at some details about who falls under these rules.
Health plans are insurance products providers or other types of health and wellness programs that may have access to medical information for decision-making purposes. This group includes:
- Health insurance companies
- Company health plans
- Military and veterans health care programs
- Other government programs that pay for health care
Along with those working for them or through them, these companies must maintain all HIPAA standards.
Health Care Providers
Health care providers are all the individuals and their staff who provide medical care or offer advice to a patient formally. These are some examples of people and organizations that fall under the term “health care provider”:
- Nursing homes
There is one limitation here: These individuals and providers must follow HIPAA only if they transmit any information electronically to a transaction that fits this standard.
Health Care Clearinghouses
Clearinghouses are large organizations and groups that gather data and use it for various purposes. These organizations are entities that process nonstandard health information. They typically receive this information from another covered entity. Any organization that processes data in any way must follow these standards.
Consider Business Associates
It’s also important to understand the requirements for business associates. When a covered entity engages a business associate, that individual or group may also fall under these rules. Typically, this person is working to help carry out the covered entity’s health care activities or functions. In addition, this person must have a written business associate contract or some other type of arrangement in place with the original provider.
This contract should establish what the associate engages in. It should also comply with all aspects of the Privacy Rule to protect the security and privacy of the patient. Associates are directly liable for compliance with all HIPAA provisions.
Who Is a Business Associate?
A person working for a covered entity is not considered a business associate. In some cases, a health care provider, health care clearinghouse, or health plan can be an associate of another covered entity. Some activities and functions may establish a business associate. That includes activity or service that requests the disclosure or use of protected health information. This activity may include payment or health care organization activities. Functions may include:
- Benefit management
- Utilization review
- Data analysis
- Claims processing or administration
- Processing of administration
- Practice information
- Repricing (and more)
Some examples of a business associate may include contractors, subcontractors, organizations that access PHI on behalf of covered entities to provide services for those covered entities, and others. It may also include accounting, legal, consulting, management, accreditation, and financial activities provided to the covered entity.
Law firms are considered business associates.
If an entity does not meet the definition of a covered entity under these laws, then that organization or person does not have to comply with HIPAA rules.
Common HIPAA Violations
Covered entities face fines and other consequences if they violate HIPAA. HIPAA violation fines range from $100 to more than $4 million when this does occur, making it a significant financial loss in most cases.
A HIPAA violation occurs when acquisition, access, use, or disclosure of PHI does not happen or results in a significant risk to a patient related to their privacy or security of information.
There are two forms of HIPAA violations: criminal and civil. Here’s a look at both types.
Civil HIPAA Violations: Overview and Examples
Civil HIPAA violations occur when some type of breakage in these rules occurs, but there is no malicious intent. For example, those who did not follow HIPAA rules were acting neglectfully or did not realize their actions did not meet these requirements are not guilty of malicious intent. Here are some examples and potential HIPAA violation fines associated with these kinds of rule violations:
- An individual commits a HIPPA violation. They did not know they were doing so. This violation typically incurs a fine of $100.
- An individual had reasonable cause for their actions, but it was still a violation. The person did not act with willful neglect. The typical fine in these situations is $1,000.
- An individual acted through willful neglect. However, they took some action to fix the problem or cause. This type of violation typically carries a fine of $10,000.
- A person acted with willful neglect but did not fix the underlying cause or problem. The fine is typically a minimum of $50,000.
There are various ranges for such fines. Regulators take each situation seriously. They also use all the factors and facts to determine if willful neglect occurred.
Criminal HIPAA Violations: Overview and Examples
Other situations occur when a violation is committed with some type of malicious intent. When this happens, a person or organization engages in an activity that puts another person’s PHI at risk for security or privacy. This activity leads to criminal penalties. Some examples of criminal HIPAA violations, along with their associated fines, include:
- A person obtains and discloses PHI through a recognized effort. They knew they were not allowed to gather this information. They may face a fine of $50,000 and as much as a year in jail.
- A person violates HIPAA under false pretenses. This violation can lead to a fine of $100,000 and up to five years in jail for the action.
- A person violates some type of PHI with the goal of personal gain, such as selling information or using it to harm the individual. In this case, the fine can be up to $250,000, and it may lead to up to 10 years in jail.
As noted, HIPAA regulators consider all the factors in each situation to determine if criminal activity occurred. Therefore, these fines are just examples and may not include all potential losses and consequences.
Common HIPAA Violations
HIPAA is complex, but following it is critical. Violations occur when any action occurs outside of these privacy and security rules. Here is a look at some of the most common HIPAA violations. This list does not represent a full list of potential violations.
Data Not Encrypted, Hacked, or Phished
HIPAA places the requirement to safeguard personal information on covered entities. One way to do this is through encryption, which includes cybersecurity protections. With encryption, if someone steals data, they cannot use it. All covered entities must use encrypted messaging applications as appropriate.
Other violations include preventing hacks and phishing activities. Hackers can use PHI in various ways, including selling to third-party organizations or applying ransomware tactics. To prevent hacking and phishing, organizations need to:
- Maintain proper antivirus protections
- Use encryption
- Update and change passwords on devices on a routine basis
- Limit access to databases and other devices based on employee status
Unauthorized Access to Data or Data Accessed From Unsecured Location (Personal Devices)
Unauthorized access occurs when a person gains access to data they do not have the right or need to access. This access may occur when someone is curious about something, for example. In some cases, such as in criminal activity, a person may use such information for malicious threats.
To protect against this, organizations typically need to have an authorization system that limits who can access information.
Devices With Medical Information Lost or Stolen
Covered entities must protect against lost or stolen medical devices that provide access or maintain PHI. It may be difficult to prevent the loss of some devices, yet companies need to take action to prevent it whenever possible. Should a theft occur, encryption may help minimize PHI loss.
Unauthorized Sharing of PHI
Another common violation of HIPAA occurs when someone shares confidential information with others. Again, it may seem innocent enough, yet sharing information with colleagues may lead to a violation.
Exceptions to HIPAA Privacy Rule
There are some exceptions to the HIPAA Privacy Rule. These are instances in which information sharing is allowed but based on very narrow margins.
When are uses and disclosures legally permitted or authorized? Every situation is different, but here are some examples.
Emergency situations may warrant the sharing of information to allow for medical providers to manage medical situations. In these situations, the Privacy Rule is not eliminated. Rather, it may allow for sharing to occur in a more streamlined manner to ensure the patient gets the care needed. For example, this may allow for disclosure in situations such as when:
- It’s necessary to provide treatment
- Public health authorities need this information to prevent or control disease, disability, or injury
- Individuals need this information because they may be at risk of disease
- Family or others caring for the individual need the information
- Notifying the public in situations of necessity
- There is imminent danger related to the sharing of this information
- Providing directory-level information about a person in a hospital
Public health authorities may also gain access to this information in some situations. For example, the Privacy Rule may allow for those who are public health authorities, such as the Occupational Safety and Health Administration, Centers for Disease Control and Prevention, and the Food and Drug Administration, to gain access when deemed necessary. It may also include public health departments for public health purposes.
Other exceptions exist as well. Exceptions may include:
- The data is de-identified, meaning the data is shared without personally identifiable information.
- The authorization requirement may be put aside concerning health research using only limited data sets and de-identified data.
Another key concept is the minimum necessary rule. The Privacy Rule allows for covered entities to share data without authorization from the patient to a legal representative or decedent in some situations, including:
- When the disclosure is a legal requirement
- When it is best to do so for the patient’s or public’s interest
- To another covered entity when a relationship exists between the entity and the patient
The Minimum Necessary Rule states that PHI disclosure must be limited to the minimum necessary information for specific, stated purposes. There are exceptions to this, such as when a complete medical history is necessary but not considered a routine disclosure. It may also include situations in which medical records are available for research, marketing, or fundraising.
Requesting Information With HIPAA as a Third Party
A person can authorize a third party to access their medical record. For example, if a person wishes to share information about their health with another provider, it is allowable. As a third party, it is critical to have the person’s correct information. The health care facility providing such information must follow the necessary steps to share such information. Often, they establish steps to follow for information requests like this.
All necessary documentation must be carefully filled out and submitted the first time properly for organizations requesting PHI. Then, it is best to confirm that the organization maintaining those records received the request for the release. Ensuring the organization is processing that information within a time frame for completion that applies to your situation is critical.
The proper request sent to the proper location with all the data, along with confirmation of receipt and processing, helps ensure the organization can quickly share PHI. These steps are necessary for getting medical records fast.
When Information Requests Are Denied
There are situations in which requests for access to PHI do not occur. Denials can happen for many reasons, though they are typically quite limited and often very specific. Aside from inaccurate or missing information on requests, some instances and examples of denials may include the following. (Keep in mind that this data exclusion falls under HIPAA Privacy Rules.)
- Psychotherapy notes
- Pending litigation
- Clinical trials
- Privacy Act protected records
- Information requests under the promise of confidentially when that information is not able to be kept confidential
There may be reviewable grounds for denial. For example, if providing access to that information may endanger the life or physical safety (not emotionally harm them), a denial may be warranted. If that information could cause substantial harm to a person referenced by PHI in any way, the request may be denied. When a third party is requesting information and is reasonably likely to cause harm to the individual or another person, the request may be denied.
State Laws and HIPAA
HIPAA is a federal law. It supersedes all state laws related to the same information and the sharing of access. However, states have the right and ability to expand protections under the law. In short, they cannot remove or change the specifications under HIPAA. However, they can expand or further support HIPAA.
In some situations, state laws (and some local laws) may provide a higher protection threshold for information. Organizations must understand all the rules and applications of these state and local laws upon the request for information. These laws differ from one state to the next and may change over time. HIPAA does not override state laws that are as protective as HIPAA.
Another way to look at it is like this. First, HIPAA sets a baseline of standards. This baseline establishes the minimum level of protection and the rights provided. Then, states can decide the details of PHI, specifically how covered entities store that information, how they access it, and how they can destroy it.
For any covered entities or others requesting this information, it is critical to have a strong understanding of the nuances of the laws in the state you’re working in. If you do not have this information, you may violate HIPAA or other laws and face the consequences as a result.
Differences Between HIPAA and HITECH
The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 strengthened HIPAA security and privacy. It did not change these laws in terms as to which PHI remains protected. However, the act provided financial support to covered entities to move to a better management method.
The goal of HITECH was to put in place funding to support organizations moving to electronic health records to help improve efficiency and patient care coordination between covered entities. In short, it allowed for electronic health records to be created, and it put in place some rules and laws as to how electronic health records could be shared and used. Because the initial cost of implementing this record was high, the act worked to create incentives for organizations to implement the changes.
It also created rules related to breach notifications, when a covered entity must alert a person about their information being breached. It also put a strong penalty structure in place that encourages covered entities to follow specific rules more closely as the fines are heavier.
Getting Help for HIPAA Is Essential
Find out more about our intake services, contract services, or medical records division by speaking with one of our sales associates at (800) 200-CAMG or reach out to us here.