In this part one of our HIPAA foundations blog, we defined key terms to know when reviewing the regulations. In this blog, we will summarize the legislation according to each part, providing an overview of HIPAA’s information security & privacy requirements with the goal of enabling you to meaningfully contribute to healthcare privacy-related discussions at your organization. 

HIPAA-ComplianceHIPAA Part 160

This part specifies legal proceedings and fines, including:

  • How to file complaints to the Secretary
  • How the Secretary conduct compliance investigations
  • How legal proceedings are conducted by the ALJ (the overall process isn’t any different from what you’d expect)
  • Legal appeals process
  • Collection of fines
  • Fines for & factors used to determine civil penalties (i.e., violations of HIPAA):
    • Min: $100
    • Max: $1.5 million

Violations and Fines

In 2009, HITECH updated the fines that can be imposed; however, as some data breaches can go undetected for years and to provide some historical background, we will list the fines applicable violations that occurred before 2009. 

Important Definitions Related to Violations & Fines

As used in this subpart, the following terms have the following meanings:

Reasonable cause

  • An act or omission in which a covered entity or business associate knew (or should have known) was in violation of this act, but in which the covered entity or business associate did not act with willful neglect

Reasonable diligence

  • The business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances

Willful neglect

  • Conscious, intentional failure or reckless indifference to the obligation to comply with this act

When Fines Can be Levied

  1. If a covered entity or business associate has violated HIPAA, the US Government can impose a monetary fine on the offending organization
  2. If a violation is committed by more than one covered entity or business associate:
    1. Each offending organization can be fined
    2. If a covered entity is part of an affiliated covered entity, the affiliates are jointly liable unless it’s found that a member of the affiliation was responsible for the violation
  3. A covered entity will be found in violation of HIPAA even in situations where the violation was committed by any of the following acting within the scope of the covered entity:
    1. An agent of the covered entity
    2. A workforce member
    3. Subcontractor
    4. Business associate

Factors Considered When Determining Fine Amounts

The US Government considers the following factors when determining the amount of fines:

  • The nature and extent of the violation, including:
    • The number of affected individuals
    • The time period when the violation occurred
  • The nature and extent of the harm caused by the violation, including:
    • If the violation caused physical harm
    • If the violation resulted in financial harm
    • If the violation harmed an individual’s reputation
    • If the violation hindered an individual’s ability to obtain health care
  • Any previous violations, including:
    • If the violation has happened (or appeared to have happened) before
    • If the covered entity or business associate has attempted to correct previous indications of noncompliance
    • If the covered entity or business associate has responded to technical assistance from the Secretary
    • How the covered entity or business associate has responded to prior complaints
  • The financial condition of the covered entity or business associate, including:
    • If the covered entity or business associate has had financial difficulties, affecting its ability to comply
    • If a civil money penalty would jeopardize the ability of the covered entity or business associate to continue to provide or pay for health care
    • The size of the covered entity or business associate
  • Other matters as justice may require

Fine Amounts

The amount of a fine is subject to the following limitations:

  • For violations occurring before February 18, 2009, the Secretary may impose fines of up to:
    • $100 per violation
    • No more $25,000 for identical violations during a calendar year (i.e., January 1 – Dec. 31)
  • If a requirement or prohibition in one administrative simplification provision is repeated in a more general form in another provision, a fine may be imposed for violating only one of the provisions

healthcare_data_breachHIPAA Part 162

This part contains requirements that are not related to information security & privacy.

HIPAA Part 164

The requirements of this part apply to both covered entities and business associates. 

 

 

Security Requirements

Organizations are to:

  • Ensure the confidentiality, integrity, and availability of all electronic PHI, including:
    • An organization’s size, complexity, and capabilities
    • Their technical infrastructure, hardware, and software security capabilities
    • The costs of the security measures
    • The probability and criticality of potential risks to electronic PHI
    • Protect against any unpermitted uses or disclosures that can be reasonably anticipated
    • Ensure compliance with this by the organization’s workforce
    • Flexibility on implementation is allowed depending on:
  • Implement policies & procedures:
    • Risk analysis
    • Risk management
    • Sanction policy (against noncompliant workforce members)
    • Information system activity review
    • Contingency operations
    • Facility security plans
    • Access control and validation procedures
    • Maintain documentation of security-related repairs and modifications to facilities (e.g., hardware, doors, locks, etc.)
    • Unique user identification
    • Emergency access procedures
    • Automatic logoff
    • Cryptography
    • To prevent, detect, contain, and correct security violations, including:
    • Limiting physical access to electronic information systems and the facilities they’re housed in, including:
    • Which workstations can access electronic PHI
    • Governing identity & access management for systems containing electronic PHI, limiting access to appropriate persons and software programs, including:
    • To record and examine activity in systems containing/using electronic PHI
    • As needed to comply with the rest of this Regulation

Privacy Requirements

Covered entities are allowed to use or disclose PHI as follows:

  • To the individual
  • For treatment, payment, or health care operations 
  • Incident to a use or disclosure permitted/required by this part
  • When required by the Secretary

Business associates are allowed to use or disclose PHI only as permitted in their contracts with covered entities (or as required by law). That said, associates must disclose PHI:

  • When requested by an individual
  • When required by the Secretary

Covered entities & business associates may only use or disclose PHI in specific circumstances

Covered entities and business associates cannot sell PHI, except when disclosing PHI:

  • For public health purposes
  • For research purposes (where the only money received is a reasonable cost-based fee to cover the costs to prepare & transmit the PHI)
      • For treatment and payment purposes
      • For the sale, transfer, M&A, or consolidation of all (or part) of a covered entity and for related to due diligence
      • To/by a business associate for activities it’s undertaken on behalf of a covered entity, and the only money received is given by the covered entity for the performance of the activities
      • To an individual when requested
      • Required by law
      • For any other purpose permitted by and in accordance with the applicable requirements of this subpart, so long as the only compensation received is a reasonable, cost-based fee to cover the cost to prepare & transmit the PHI

Health plans may not disclose genetic information for underwriting purposes, except for:

  • Determining eligibility for benefits under the plan, coverage, or policy
  • Computing the premium or contribution amounts under the plan, coverage, or policy
  • Applying any pre-existing condition exclusion under the plan, coverage, or policy
  • Other activities related to creating, renewing, or replacing a health insurance/benefits contract
  • Underwriting does not include determining medical appropriateness when an individual seeks a benefit under a plan, coverage, or policy

Breach Notification

In 2009, HITECH updated HIPAA’s breach notification rules. We will cover these requirements in our future articles: 

  • HITECH | Foundations
  • HIPAA & HITECH | Today’s Health Data Privacy Laws in the USA

Rights of Individuals

Under HIPAA, individuals have the following rights:

  • Right to opt-out of marketing communications
  • Right to access PHI
    • Psychotherapy notes
    • Information compiled in reasonable anticipation of or for use in a civil, criminal, or administrative action/proceeding
    • PHI maintained by a covered entity that is
      • Subject to the Clinical Laboratory Improvement Amendments of 1988, to the extent that providing access of PHI to the individual would be prohibited by law
      • Exempt from the Clinical Laboratory Improvement Amendments of 1988
    • Individuals may obtain a copy of their PHI for as long as PHI records are maintained, except for:
  • Right to an accounting of disclosures of PHI
    • Individuals may receive an accounting of disclosures of PHI made by a covered entity in the previous six years

What Your Organization Can Do

In order to comply with HIPAA, your organization should:

  1. Consult with the appropriate experts, including your organization’s legal counsel, to determine if HIPAA applies to your organization
  2. Assess if your organization is currently handling PHI
  3. Implement a process so if your organization begins handling PHI, your organization can be HIPAA compliant the first day it begins handling that information
  4. Have your personnel read our compliance articles on HIPAA & HITECH