
Compliance HIPAA - US Privacy of Patient Data

HIPAA compliance and data protection

What is it about?

Find out why the Health Insurance Portability and Accountability Act (HIPAA) is relevant not only for US healthcare providers but also for companies and business partners in German-speaking countries that work with healthcare data from the USA. Discover which types of data are considered worthy of protection and which security measures are required to protect this data.

HIPAA stands for the Health Insurance Portability and Accountability Act, a US law passed in 1996 that governs the protection of private, and therefore personal, health data. HIPAA compliance is binding: healthcare providers and their business contacts must adhere to the specified rules and regulations in order to protect confidential patient data.

At first glance, HIPAA is a regulation that applies only to the US, but given the advancing digitalisation and networking of data, companies from German-speaking countries are also affected and must observe its requirements.

How is HIPAA compliance defined?

On the Internet, the decision whether personal information is shared is not always up to the individual user. People are not free to decide whether pictures or other sensitive information find their way onto the World Wide Web, since other people may upload them. Once information is out, controlling it and its use is virtually impossible. Health-related information is likewise often stored, processed and passed on electronically beyond the patient's control. HIPAA was enacted to protect this sensitive data and to exclude access by unauthorised persons. Its compliance guidelines cover data leaks, breaches, security concepts and general data protection. If the requirements of HIPAA are disregarded, heavy fines as well as criminal or civil proceedings may follow.

What data does HIPAA include?

Within the Health Insurance Portability and Accountability Act, patient data is designated as Protected Health Information (PHI), meaning that the health data obtained is defined as worthy of protection. In general, PHI covers all data that allows conclusions about health status, treatment costs or medical care. This patient data is used by healthcare and health insurance providers, billing agencies, third-party contractors and clearinghouses to identify the patient. When such data is created, stored, transmitted or received electronically by these entities, it is referred to as electronic protected health information (ePHI).

Examples of the personal data that is created, obtained, transmitted or stored in this context include:

  • Address data
  • Date of birth
  • Date of death
  • Telephone and e-mail
  • Account numbers
  • IP addresses
  • Photos
  • Findings
  • Prescriptions

Who is affected by HIPAA legislation?

HIPAA is designed to protect patient data and applies to all healthcare organisations that can access private health information. There are three main categories of entities to which the law applies.

The term Covered Entities refers to directly affected entities, such as clearinghouses and health and medical insurers. Examples include clinics, doctors, health insurers, nursing homes and caregivers, provided these groups transmit, store or process patient data.

Business Associates are business partners who are not directly involved in the care of the patient but who gain access to patient data through their cooperation with these institutions. These include tax consultants, IT service providers and lawyers, among others.

The last category is Subcontractors: companies and individuals who gain access to personal information through their business activities. Document-shredding services and hosting providers are typical examples.

What are the four basic rules of HIPAA compliance?

To ensure HIPAA compliance in accordance with the law, HIPAA is divided into four main rules. These rules comprise technical, physical and administrative measures that must be implemented by all affected subcontractors, partners and facilities. It must also be ensured that all affected persons are educated about the measures and comply with them. This educational work is particularly important, and in the German-speaking area a service provider with the expertise of HEYDATA is often contacted for data protection issues in order to ensure the protection of personal data and to comply with all requirements of the European General Data Protection Regulation.

HIPAA Privacy Rule

The HIPAA Privacy Rule gives patients a say in how outside parties access their personal health information. The affected patient can influence how the personal information is used and disclosed and is thus granted certain rights and powers.

However, the HIPAA Privacy Rule only applies to covered entities and not to the two other groups, business associates and subcontractors. The HIPAA Privacy Rule must be incorporated into the internal workflow of all healthcare entities, and all employees must receive annual training and instruction on it.

HIPAA Security Rule

The HIPAA Security Rule describes all the standards that must be met to secure electronic personal patient data against unauthorised access and to protect it from tampering. The scope of the Security Rule is divided into three core areas of safeguards for ePHI.

Security measures in the administrative area

These safeguards cover the management, internal policies and procedures that secure electronic health records. They include in particular:

  • An internal risk assessment
  • Restriction of access rights (especially for third parties)
  • Regular training
  • Strategies for limiting access to ePHI
  • Concepts for the detection of security breaches
  • Behaviour in the event of a breach
  • Crisis management
  • Regular audits and assessments

Security measures in the technical area

Security measures in the technical area refer in particular to the protection of all systems that store or transmit ePHI. Comparable technical and organisational measures (TOM) are also found in the European data protection regulation. If you as a company would like to find out more about this area, HEYDATA will be pleased to receive your enquiry. Examples of technical security measures are:

  • Access controls
  • Data backups
  • Security software
  • Audit reports
  • Tracking of suspicious activities
  • Encryption
  • Digital signatures
  • Logging off idle devices

Security measures in the physical area

Security measures in the physical area protect the devices used to store ePHI, such as computers, routers and storage systems. To protect these devices, the office or facility itself must be secured, in particular against unauthorised use and theft. The following measures serve this purpose:

  • Security personnel
  • Hardware inventory lists
  • Rules on workplace use
  • Badges and access cards
  • Locking technology

HIPAA Breach Notification Rule

If all security rules are followed but a misuse of PHI still occurs, the HIPAA Breach Notification Rule requires that all affected individuals be contacted within 60 days. If the number of affected individuals exceeds 500, the local media and the US Department of Health and Human Services (HHS) must also be notified.

HIPAA Omnibus Rule

The HIPAA rules were expanded to include two sets of requirements arising from the Genetic Information Nondiscrimination Act and the Health Information Technology for Economic and Clinical Health (HITECH) Act. The resulting Omnibus Rule states that the business partners of covered entities can also be held liable for misuse.

What are the penalties for HIPAA violations?

As with a breach of the European General Data Protection Regulation, a breach of HIPAA can be very costly. A company affected by a PHI breach can face a fine of up to $1.5 million. The severity of the breach is assessed, resulting in four levels of severity.

The lowest level applies where the institution was unaware of the breach and prevention is deemed to have been impossible at the time; in this case, fines of $100 to $50,000 are due. The fines increase with the degree of severity, and at the fourth level a maximum fine of $1.5 million is due for wilful neglect of the HIPAA rules.
