Over the past three decades, society’s transition into a digitized economy has altered how data can be logged, stored, and disseminated. Naturally, this has had sweeping impacts across practically every industry, but nowhere more so than with healthcare delivery.
In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA) to account for this digital paradigm shift and ensure the safety of healthcare consumers’ electronic health records (EHR). In the following years, it was later supplemented by additional rules as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009.
But what do HIPAA rules entail for the health and life science industries? What are the HIPAA compliance requirements?
What is HIPAA?
When the US Congress first introduced the HIPAA security rule in 1996, its initial purpose was two-fold:
- Install safeguards that would protect private health information and prevent fraud.
- Insure workers who were in between jobs.
Prior to this, most healthcare organization records were fractured between providers and kept as hard copies. Additionally, there were no security standards or federal regulations on the storage or dissemination of private health data. The HIPAA privacy rule, as it was initially envisioned, was meant to solve these issues, improving both security standards and accessibility.
What are the HIPAA titles?
As it was first introduced, HIPAA guidelines could be broken down into five key components, referred to as titles:
- Title I “Health Care Access, Portability, and Renewability” – Was created to ensure that workers who changed or were fired from their job could maintain coverage. It also prevented group health plans from denying individuals with pre-existing conditions coverage.
- Title II “Preventing Healthcare Fraud and Abuse; Administrative Simplification” – Ordered the Department of Health and Human Services to set a national standard for how electronic healthcare transactions and records were processed. It also required covered entities to provide patients easy, digital access to their healthcare records, while ensuring their security.
- Title III “Tax-related Health Provisions” – Outlined tax-related provisions and guidelines for medical care provision.
- Title IV “Application and Enforcement of Group Health Plan Requirements” – Set health insurance provisions for individuals that had preexisting conditions as well as individuals looking for continued healthcare coverage.
- Title V “Revenue offsets” – Installed provisions related to company-owned life insurance and repeals financial institutional interest allocation rules.
Who Needs to be HIPAA Compliant?
It’s important to note that HIPAA guidelines aren’t applicable across all industries or even businesses within the healthcare space. Rather, the law has been restricted to covered entities, which are defined as:
Healthcare providers – Anyone who transmits information in an electronic form in connection with a medical transaction. This includes:
- Doctors
- Surgeons
- Psychologists
- Clinics
- Dentists
- Chiropractors
- Pharmacies
- Nursing homes
Health plans – This includes:
- Health insurance companies
- HMOs
- Company health plans
- Government programs that cover healthcare
Healthcare clearinghouse – Entities that process atypical healthcare information that they may receive or send.
In 2009, further additions were made by the American Reinvestment and Recovery Act, which expanded HIPAA’s coverage to also include business associates, which are defined by Health and Human Services as: “A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.”
Examples of business associate functions include:
- Healthcare data analysis, processing, or administration
- Healthcare claims processing or administration
- Utilization review
- Quality assurance
- Benefit management
Additional HIPAA Compliance Rules and Regulation
The original HIPAA proposal was simply a starting place—it didn’t offer the robust protections it has today. While it was supposed to protect patient electronic health records, there were little to no enforcement mechanisms within the 160-page bill. To fix this glaring issue, over the next decade, three additional privacy practices were appended to the HIPAA compliance checklist:
HIPAA Privacy Rule
In 2000, Health and Human Services added the first HIPAA regulation of what would eventually be four additional HIPAA rules. This specific HIPAA requirement established the first set of national standards for safeguarding protected health information (PHI), which was defined as information that was “used, maintained, stored, or transmitted by a HIPAA-covered entity or business associate.” Common examples of PHI include:
- Account numbers
- Biometric data
- Certificate numbers
- Device identifiers
- Email addresses
- Full face photos
- Geographic data
- IP addresses
- Medical record numbers
- Social security numbers
- Telephone numbers
- VIN numbers
At its essence, the HIPAA requirement specified that PHI could only be used or disclosed in HIPAA permitted use cases or when authorized by the patient. Permitted use and disclosure cases included:
- Disclosure of the patient in question, or personal representatives (in some instances).
- Internal dissemination by covered entities or in coordination with other covered entities in order to:
- Provide care services
- Obtain payment for said services
- Uphold business operations
- According to public interest cases, such as part of a judicial proceeding or court order.
- Informal permission in cases where the interested individual is unable to consent.
After setting the data protection standards, covered entities and business associates had until April 14th of 2003 to comply, or else face significant civil or criminal penalties.
HIPAA Security Rule and the Four Standards
First proposed in 1998, but not added until 2003, the Security Rule was created to extend the Privacy Rule’s PHI requirements to electronic PHI. Per HHS, covered entities were expected to:
“Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit; identify and protect against reasonably anticipated threats to the security or integrity of the information; protect against reasonably anticipated, impermissible uses or disclosures; and ensure compliance by their workforce.”
Formally known as the “Security Standards for the Protection of Electronic Health Information” this additional rule included four HIPAA compliance standards that covered entities were required to apply:
Physical safeguards – Physical security measures and procedures to secure electronic information systems, equipment, and buildings that protect said data. Covered entities are expected to maintain a secure perimeter that limits data access to authorized individuals only. The same would apply to clinical trial data sharing.
Administrative safeguards – Administrative-related actions and policies that are meant to manage, secure, and protect health information. This included:
- Installing security management processes
- Designating a security official who’s charged with oversight
- Limiting the use and disclosure of PHI to “minimum necessary”
- Providing supervision and training of employees that handle PHI
Technical safeguards – Policies and procedures for the technology and its usage in order to protect ePHI and its access. Chief areas of focus included:
- Setting access controls
- Unique user identification
- Emergency access procedure
- Automatic logoffs
- Encryption and decryption
- Installing audit controls
- Ensuring the integrity of ePHI with controls that prevent data from being altered or destroyed
- Implementing security measures that prevent unauthorized access to ePHI as its transmitted, typically via encryption
Polices, procedures, and documentation requirements – The final requirement for covered entities is to adopt “reasonable and appropriate policies and procedures” that are in compliance with the standards above. Additionally, records must be maintained for six years after their creation date.
See related: How to Use Big Data Analytics for Clinical Trials
Enforcement rule
This rule was originally included as a subsection of the Privacy Rule but was later codified on its own. It set formal enforcement processes for covered entities and business associates that failed to comply with HIPAA requirements.
While this laid the groundwork for a basic enforcement standard, it was rarely enforced. A 20-year retrospective found that from April 2003 to 2008, more than 35,000 HIPAA privacy violations were reported without a single fine being issued against a healthcare provider.
In response to the repeated failure to enforce HIPAA, the Health Information Technology for Economic and Clinical Health (HITECH) Act was passed. This sought to:
- Remove loopholes and tighten up the language
- Ensure compliance and accountability
- Increase enforcement mechanisms
- Encourage greater EHR adoption
Furthermore, non-compliance penalties were split into four tiers:
- Unknowing violation – Penalty range of $100–$50,000 per violation with an annual maximum of $25,000 for repeat violations.
- Reasonable cause violation – Penalty range of $1,000–$50,000 per violation, with an annual maximum of $100,000 for repeat violations
- Willful neglect (but corrected within the required time period) – Penalty range of $10,000–$50,000 per violation, with an annual maximum of $250,000 for repeat violations
- Willful neglect (but not corrected within the required time period) – $50,000 per violation, with an annual maximum of $1.5 million
In addition to fines, purposeful violations could also result in imprisonment ranging from 1 to 5 to 10 years, depending on the gravity of the breach.
Breach notification rule
A subsection of HITECH, this set of requirements for the reporting of a data breach, specifically in relation to two types of cases:
- Minor breaches (impacting 500 or fewer individuals) – Everyone impacted must be notified of the breach within 60 days of the event.
- Major breaches (impacting 500 or more individuals) – Impacted parties must be notified of the breach within 60 days of the event, in addition to the HHS Secretary and the media.
Complying with HIPAA
There are dozens of ways your employees could potentially breach HIPAA compliance rules and regulations, including:
- Viewing patient files without authorization
- Posting pictures of or information about patients on social media
- Mishandling medical records
- Discussing patient information with other employees
- Lost or stolen work devices
- Sharing patient information over insecure networks or applications
- Exposing PHI on home computers
Because of this, it’s essential that you train your employees about HIPAA and HITECH, install procedures that enforce compliance requirements, and only use technologies that prioritize data security and privacy.
Within3’s insights management platform is built with more than 80 compliance features to help ensure that private data remains secure and scientific conversations remain compliant. Our privacy policy goes into more detail to explain exactly how we collect, use, and share information.
Request a demo today.
