HIPAA Law: When Did It Come Into Effect?

When did HIPAA become law?

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Bill Clinton on August 21, 1996. The act introduced measures to improve the portability and accountability of health insurance coverage, including the continuity of coverage between jobs, guaranteed coverage for employees with pre-existing conditions, and the prevention of job lock, where employees would be locked into a job to avoid losing health benefits.

HIPAA was enacted in various stages, with some measures effective immediately, others enacted within 90 days, and those relating to the privacy and security of health information taking several years. The HIPAA Privacy Rule, which defines Protected Health Information (PHI) and stipulates permissible uses and disclosures, was published in its final form in August 2002 and became effective in April 2003 for most organizations. The HIPAA Security Rule, which protects a subset of information covered by the Privacy Rule, was enacted in April 2003 and became effective in April 2005.

Characteristic                                 Value
Date of enactment                              21st August 1996
Full form                                      Health Insurance Portability and Accountability Act
Abbreviation                                   HIPAA
Purpose                                        To improve the portability and accountability of health insurance coverage
Introduced by                                  Ted Kennedy and Nancy Kassebaum
Signed by                                      President Bill Clinton
Compliance date, HIPAA Privacy Rule            14th April 2003
Compliance date, HIPAA Security Rule           21st April 2005
Compliance date, HIPAA Enforcement Rule        16th March 2006
Compliance date, Breach Notification Rule      23rd September 2009
Compliance date, Omnibus HIPAA Final Rule      23rd September 2013

The Privacy Rule

The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other identifying health information. It applies to health plans, health care clearinghouses, and healthcare providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of protected health information and sets limits and conditions on the uses and disclosures that may be made of such information without an individual's authorization. The Rule also gives individuals rights over their protected health information, including rights to examine and obtain a copy of their health records, to direct a covered entity to transmit to a third party an electronic copy of their protected health information in an electronic health record, and to request corrections.

The Rule stipulates permissible uses and disclosures of PHI, which include those necessary for treatment, payment, or health care operations, those required by law or for public health activities, and those necessary to avert a serious threat to health or safety. It also gives individuals the right to control how their health information is used and disclosed, to request copies of information maintained about them, and to request corrections when omissions or errors exist.

Covered entities under the Privacy Rule include health plans, health care clearinghouses, and healthcare providers that conduct electronic transactions listed in the Administrative Requirements. Business associates, or persons or organizations that perform certain functions or activities on behalf of a covered entity, may also be required to comply with the Privacy Rule depending on the service being provided.

The Department of Health and Human Services' Office for Civil Rights (OCR) is responsible for enforcing the Privacy Rule. Non-compliance can lead to civil and criminal penalties, including financial settlements and civil monetary penalties for the worst offenders.

The Security Rule

Covered entities and business associates must comply with three sets of safeguards:

Administrative Safeguards

These cover topics such as risk analyses, workforce clearance, security training, access management, and contingency planning.

Physical Safeguards

These cover topics such as physical access to devices maintaining ePHI, device security, data back-ups, and the secure disposal of data and devices.

Technical Safeguards

These cover topics such as password management, automatic logoff, data encryption, audit controls, and transmission security.

The Enforcement Rule

The authority to investigate complaints related to the HIPAA Privacy and Security Rules, and later the HIPAA Breach Notification Rule, was delegated to the HHS's Office for Civil Rights (OCR). Meanwhile, the authority to investigate complaints related to the Administrative Requirements (Part 162) was delegated to the HHS's Centers for Medicare and Medicaid Services (CMS).

The OCR is responsible for enforcing the Privacy and Security Rules. Enforcement of the Privacy Rule began on April 14, 2003, for most HIPAA-covered entities. Since then, the OCR's enforcement activities have resulted in systemic changes that have improved the privacy protection of health information for all individuals served by covered entities.

Covered entities were required to comply with the Security Rule by April 20, 2005, with the OCR becoming responsible for enforcing it on July 27, 2009. As a law enforcement agency, the OCR does not typically release information to the public about current or potential investigations.

The Breach Notification Rule

The HIPAA Breach Notification Rule requires covered entities and their business associates to notify patients when their unsecured protected health information (PHI) is impermissibly used or disclosed—or “breached”—in a way that compromises the privacy and security of the PHI. A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.

There are three exceptions to the definition of “breach.” The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority. The second exception applies to the inadvertent disclosure of protected health information by a person authorized to access it at a covered entity or business associate to another person authorized to access it at the same covered entity or business associate, or at an organized health care arrangement in which the covered entity participates. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule. The final exception applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.

Covered entities and business associates must only provide the required notifications if the breach involved unsecured protected health information. Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance.

Following a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate.

Covered entities must notify affected individuals following the discovery of a breach of unsecured protected health information. Covered entities must provide this individual notice in writing by first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive such notices electronically. If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute individual notice by either posting the notice on the home page of its website for at least 90 days or by providing the notice in major print or broadcast media where the affected individuals likely reside. The covered entity must include a toll-free phone number that remains active for at least 90 days where individuals can learn if their information was involved in the breach. If the covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written notice, by telephone, or other means.

These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity (or business associate, as applicable).

With respect to a breach at or by a business associate, while the covered entity is ultimately responsible for ensuring individuals are notified, the covered entity may delegate the responsibility of providing individual notices to the business associate. Covered entities and business associates should consider which entity is in the best position to provide notice to the individual, which may depend on various circumstances, such as the functions the business associate performs on behalf of the covered entity and which entity has the relationship with the individual.

Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction. Covered entities will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area. Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include the same information required for the individual notice.

In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the Secretary of breaches of unsecured protected health information. Covered entities will notify the Secretary by visiting the HHS website and filling out and electronically submitting a breach report form. If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following a breach. If, however, a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches are discovered.

If a breach of unsecured protected health information occurs at or by a business associate, the business associate must notify the covered entity following the discovery of the breach. A business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach. To the extent possible, the business associate should provide the covered entity with the identification of each individual affected by the breach as well as any other available information required to be provided by the covered entity in its notification to affected individuals.
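The notification duties described above (individual notice, substitute notice when contact details are stale, media notice above a per-jurisdiction threshold, the two Secretary reporting clocks, and the business associate's duty to the covered entity) form a small decision procedure that an incident response team usually wants written down once rather than re-derived under time pressure. The following is an added example, not code from the original page or from HHS; it encodes only the thresholds and deadlines as the summary above states them. The `Breach` and `Obligation` types, the function names, and the sample incident at the bottom are all constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds and clocks as stated in the Breach Notification Rule summary above.
NOTICE_DEADLINE_DAYS = 60         # "no later than 60 days following discovery"
SUBSTITUTE_NOTICE_THRESHOLD = 10  # stale contact info for 10 or more individuals
SUBSTITUTE_NOTICE_MIN_DAYS = 90   # web posting / toll-free number kept active
MEDIA_THRESHOLD = 500             # MORE than 500 residents of one State/jurisdiction
SECRETARY_PROMPT_THRESHOLD = 500  # 500 OR MORE individuals: report within 60 days


@dataclass
class Breach:
    """Facts a responder knows once a breach is confirmed (constructed example type)."""
    discovered: date
    affected_total: int
    affected_by_jurisdiction: dict[str, int]
    stale_contacts: int = 0            # individuals with insufficient/out-of-date contact info
    at_business_associate: bool = False
    unsecured: bool = True             # False if the PHI was rendered unreadable per HHS guidance


@dataclass(frozen=True)
class Obligation:
    recipient: str
    deadline: date
    method: str


def deadline_after_discovery(discovered: date) -> date:
    return discovered + timedelta(days=NOTICE_DEADLINE_DAYS)


def secretary_deadline(discovered: date, affected_total: int) -> date:
    """500+ individuals: 60 days from discovery; fewer: 60 days after the calendar year ends."""
    if affected_total >= SECRETARY_PROMPT_THRESHOLD:
        return deadline_after_discovery(discovered)
    year_end = date(discovered.year, 12, 31)
    return year_end + timedelta(days=NOTICE_DEADLINE_DAYS)


def media_jurisdictions(affected_by_jurisdiction: dict[str, int]) -> list[str]:
    """Jurisdictions whose prominent media outlets must be notified (strictly more than 500)."""
    return sorted(j for j, n in affected_by_jurisdiction.items() if n > MEDIA_THRESHOLD)


def substitute_notice_method(stale_contacts: int) -> str | None:
    """How to reach individuals whose contact details are missing or out of date."""
    if stale_contacts <= 0:
        return None
    if stale_contacts >= SUBSTITUTE_NOTICE_THRESHOLD:
        return (f"website home page for at least {SUBSTITUTE_NOTICE_MIN_DAYS} days or major "
                f"print/broadcast media, plus a toll-free number active {SUBSTITUTE_NOTICE_MIN_DAYS} days")
    return "alternative written notice, telephone, or other means"


def notification_plan(b: Breach) -> list[Obligation]:
    """Every notice the Rule summary requires for this breach, with its deadline."""
    if not b.unsecured:
        return []  # secured PHI: the Rule's notification duties are not triggered
    due = deadline_after_discovery(b.discovered)
    plan = [Obligation("affected individuals", due,
                       "first-class mail, or e-mail where the individual agreed")]
    sub = substitute_notice_method(b.stale_contacts)
    if sub:
        plan.append(Obligation("affected individuals (substitute notice)", due, sub))
    for j in media_jurisdictions(b.affected_by_jurisdiction):
        plan.append(Obligation(f"prominent media outlets ({j})", due, "press release"))
    plan.append(Obligation("the Secretary (HHS)",
                           secretary_deadline(b.discovered, b.affected_total),
                           "HHS breach report form (web submission)"))
    if b.at_business_associate:
        plan.append(Obligation("covered entity (from business associate)", due,
                               "notice identifying each affected individual"))
    return plan


def plan_summary(discovered_iso: str, affected_total: int, by_jurisdiction: dict[str, int],
                 stale_contacts: int = 0, at_business_associate: bool = False,
                 unsecured: bool = True) -> dict[str, str]:
    """Convenience wrapper: recipient -> ISO deadline, for ticketing or JSON output."""
    b = Breach(date.fromisoformat(discovered_iso), affected_total, by_jurisdiction,
               stale_contacts, at_business_associate, unsecured)
    return {o.recipient: o.deadline.isoformat() for o in notification_plan(b)}


if __name__ == "__main__":
    # Constructed sample incident, not a real breach report.
    sample = Breach(date(2024, 3, 1), 1200, {"CA": 700, "NV": 500},
                    stale_contacts=12, at_business_associate=True)
    for o in notification_plan(sample):
        print(f"{o.deadline}  {o.recipient}: {o.method}")
```

Two edge cases are worth noticing in the output: the media threshold is "more than 500" residents of one jurisdiction, so the constructed NV count of exactly 500 triggers no media notice, while the Secretary threshold is "500 or more" in total; and a small breach discovered late in the year still has its individual notice due within 60 days even though the Secretary report can wait until 60 days after the calendar year ends.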

The Omnibus Final Rule

The Omnibus Final Rule builds on the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, to strengthen the privacy and security protections for health information established under HIPAA.

The Omnibus Rule makes important changes to the HIPAA legislation, including:

  • Strengthening individuals' rights while continuing to accommodate competing interests, such as public health, in greater access to health information.
  • Expanding an individual's right to receive an electronic copy of their Protected Health Information (PHI).
  • Modifying the definition of a "business associate" to include all entities that create, receive, maintain, or transmit PHI on behalf of a covered entity, making clear that companies that store PHI on behalf of healthcare providers and health plans are business associates.
  • Tightening restrictions on the use of PHI for marketing purposes.
  • Simplifying HIPAA's consent requirements for research participation.

The Omnibus Rule also addresses gaps in the previous legislation, such as specifying the encryption standards that need to be applied in the event of a breach and amending the definition of "workforce" to include employees, volunteers, trainees, and other persons whose conduct is under the direct control of the covered entity or business associate.

Frequently asked questions

The Health Insurance Portability and Accountability Act (HIPAA) was enacted at various stages following its passage in 1996. Some measures were effective immediately, others were enacted within 90 days, and those relating to the privacy and security of health information took several years. The HIPAA Privacy Rule became effective in April 2003, and the HIPAA Security Rule in April 2005.

The Health Information Technology for Economic and Clinical Health Act (HITECH) was enacted in 2009 as part of the American Recovery and Reinvestment Act. HITECH incentivized the use of Electronic Health Records (EHRs) by healthcare providers and extended HIPAA Rules to business associates and third-party suppliers of covered entities. It also introduced the Breach Notification Rule, which requires covered entities to notify individuals and the Department of Health and Human Services' Office for Civil Rights of a data breach.

The HIPAA Privacy Rule defines Protected Health Information (PHI), stipulates permissible uses and disclosures, lists the circumstances in which an authorization is required, and gives individuals rights over their PHI. The Privacy Rule also contains standards for individuals' rights to understand and control how their health information is used.
