HIPAA guidelines for healthcare professionals

Protecting a patient’s personally identifiable information (PPI) and protected health information (PHI) is essential while transmitting, managing, and storing electronic health records.

Maintaining HIPAA compliance helps establish trust in your healthcare organization and prevents penalties. Meanwhile, patients can have peace of mind that their PPI and PHI are safe with you and your medical practice.

Computer hardware became more affordable in the early 90s, and the internet made accessing and sharing information easier. Medical facilities transitioned from paper to electronic health records (EHRs) for efficiency.

In 1996, with the onset of the electronic transmission of health information, Congress designed a law called the Health Insurance Portability and Accountability Act (HIPAA). The HIPAA Privacy Rule was published later.

Congress enacted HIPAA for other purposes, too. An initial goal of HIPAA was to make healthcare distribution more efficient by simplifying administration. Another aim was to enable more Americans to access health insurance coverage through transferable rights in certain circumstances.

Health insurance portability

This portion of the HIPAA law established measures to ensure people retained health insurance coverage between jobs. It guarantees coverage for employees with pre-existing conditions under certain circumstances, including when they

• Leave a job that provided group health plan coverage and move to another job with group health plan coverage

• Lose group health plan coverage, meet the definition of a HIPAA-eligible individual, and want to acquire individual health insurance coverage

• Has individual health insurance coverage and now want to enroll in a new group health plan

This aspect of the HIPAA law does not:

• Allow people to keep their current plan or benefits when losing a job or changing jobs

• Require a new employer to offer health coverage

• Guarantee the benefits will be the same if a person transfers from one plan or policy to another

Administrative simplification

The Department for Health and Human Services (DHHS) nationally standardized electronic healthcare transactions, identifiers, code sets, and operating rules for providers, health plans, and employers. These standards improved the efficiency and effectiveness of healthcare overall because they reduced paperwork and streamlined administrative processes.

Health data protection

Little was known about PHI’s vulnerability when accessed and shared via electronic transmission. Congress asked the DHHS to recommend standards to protect PHI privacy while healthcare providers and plans maintained or shared the information electronically.

The types of data HIPAA protects are sensitive and non-sensitive personally identifiable information (PII) and personal health information (PHI) categories. Medical conditions are an example. These data types are protected to ensure confidentiality and safeguard against unauthorized use and disclosure.

What is PII?

Personally identifiable information is information that, when used alone or with other data, can generally or specifically identify an individual. Non-sensitive PII can include the following:

• Zip code

• Date of birth

• Race

• Gender

Sensitive PII can be used alone or combined with other PII for identity theft. Here are some examples:

• Social security number

• Full name

• Driver’s license number and information

• Financial information

• Medical records

What is PHI?

Protected health information is made up of three types of data under HIPAA:

• Any information related to past, present, or future physical or mental health conditions

• Provisions of healthcare

• Payments for healthcare rendered that is electronically transmitted, maintained, or received by the following:

• Healthcare provider

• Health plan

• Public health authority

• Employer

• Life insurer

• School or university

• Healthcare clearinghouse 

Once these entities are subject to HIPAA standards, they are bound to safeguard PPI and PHI from unauthorized access.

The DHHS created a standard set of codes for different healthcare services and medications to distribute healthcare more efficiently with minimal errors. The DHHS established a national standard of coding for the following:

• Diagnoses

• Procedures

• Services

• Equipment

• Supplies

• Medications

HIPAA standardizes the following five code sets for simplification and efficiency:

• ICD-10—International Classification of Diseases, 10th edition for diagnoses and procedures

• CPT—Current Procedural Terminology for outpatient services and procedures

• Healthcare Common Procedure Coding System (HCPCS) for healthcare equipment and supplies and services not covered by CPT codes

• CDT—Code on Dental Procedures and Nomenclature

• NDC—National Drug Codes

Adopting these HIPAA codes enables healthcare providers and health plans to communicate effectively with one another. At the same time, administrative duties become more efficient with fewer errors.

Not all healthcare providers are subject to HIPAA, although state privacy regulations may apply. Compliance only applies to entities that access and store health records electronically according to the DHHS’ standards. These institutions can be considered covered entities or business associates.

Covered entities

Entities subject to HIPAA standards are health plans, healthcare clearinghouses, and providers who transmit health information related to healthcare financial or administrative activities. These include a first report of injury, eligibility for a health plan, and health plan premium payments.

Business associates

A person or organization can be considered a business associate if they create, receive, maintain, or transmit PHI on behalf of the covered entity but do not work for it. Business associates can include health information organizations or e-prescribing gateways requiring routine access to PHI.

Here are some of the rules set out by the HIPAA legislation:

Privacy Rule

Although the HIPAA law was created in 1996, the final Privacy Rule wasn’t published until 2002.

The Privacy Rule states permissible uses, disclosures, and the circumstances in which authorization is required, and gives patients rights over their PHI.

Security Rule

Published in 2003, the final Security Rule covers administrative, physical, and technical security measures that should be adopted when creating, collecting, using, maintaining, or transmitting PHI electronically.

For example, the rule requires an administrative sanction policy to be put in place for employees who don’t comply with the covered entity’s or business associate’s security policies and procedures.

Implementing policies and procedures that shield facilities and equipment from unauthorized physical access, tampering, and theft is an example of a physical security measure. Assigning a unique name or number for identification while accessing systems or incorporating an automatic logoff after a set time of inactivity are examples of technical security measures.

Breach Notification Rule

The Breach Notification Rule applies to all breaches that occurred in 2009 or after. In this case, a breach means the acquisition, access, use, or disclosure of PHI in a way that’s not permitted under the Privacy Rule.

Once a breach occurs through covered entities or business associates, required notification processes must be activated for the affected individuals, the media, and the Secretary of the DHHS.

Enforcement Rule

The Enforcement Rule encompasses compliance and investigations, the levying of civil financial penalties for a HIPAA violation, and hearing procedures.

This rule sets the standard for filing complaints and how the Secretary of the DHHS conducts investigations or compliance reviews. If investigations or reviews are ongoing, the covered entities or business associates are responsible for cooperating and permitting access to information.

The components of an effective HIPAA compliance program include the following:

• A compliance officer and committee

• Written policies, procedures, and standards of conduct

• Training and education

• Communication

• Responsiveness

• Enforcement

• Internal audits

Appoint a compliance officer and compliance committee made up of people who understand the HIPAA law and accompanying rules. They will help implement written policies, procedures, and standards of conduct relating to your unique situation. Make sure all employees are aware of how they can help HIPAA compliance through training and education.

Develop lines of communication between employees and entities. This will enable breaches to be reported quickly and corrective action to be taken immediately. Ensure everyone is aware of potential disciplinary actions for HIPAA violations. Conduct regular internal monitoring and audits to be sure that compliance efforts are in effect at all times. 

Trust is important between a patient and their healthcare provider. When patients can trust medical professionals with their sensitive personal and healthcare information, there can be an open and honest relationship about their physical well-being. Improved trust means patients are more open about pain and other symptoms, resulting in more efficient health resolutions and improved outcomes.

HIPAA also established a national Health Care Fraud and Abuse Control (HCFAC) program, which coordinates federal, state, and local law enforcement to reduce waste and fraud. When medical professionals work toward HIPAA compliance, they are also improving their medical organization’s profitability.

The DHHS can impose fines for noncompliance. The severity of the violation determines the amounts levied.

For infractions that occurred before 2009, the civil penalty won’t be less than $100 or more than $25,000 for identical offenses.

The penalties increase incrementally for violations after 2009 depending on the degree to which the entity knew about the breach. For example, if the offense occurred because the covered entity or business associate didn’t know and couldn’t have known about the violation, the fine will be between $100 and $50,000 per violation or no more than $1,500,000 per calendar year.

However, if the offense occurred due to willful neglect (the violation was known to have occurred and the offenders did nothing to correct it for 30 days), the civil penalty will be more than $50,000 per violation but not more than $1,500,000 per calendar year.

Civil suits can also arise if the aggrieved party suffered damages because of the HIPAA violation. Your organization’s reputation may suffer, and your practice may sanction you if you are found at fault.

When the DHHS investigates a HIPAA violation, they will consider the whole healthcare practice to be at fault. They will investigate to see what single or multiple events led to the breach.

Ultimately, it’s the practice’s responsibility to ensure compliance. If an employee is at fault, the practice could decide to take disciplinary action against them. The practice should already have a sanction policy, which is required under the Security Rule.

Train and educate your employees on the importance of HIPAA compliance and how to avoid unintentional violations. You will still face consequences even if you didn’t purposely commit an offense.

Here are some tips to prevent unintentional violations:

• Double-check emails and phone numbers to ensure sensitive patient information isn’t sent to the wrong party

• Don’t leave patient information unsecured

• Dispose of patient information properly

• Don’t use unsecured methods to transmit PHI

• Remember to log off or lock your computer screen when leaving a workstation containing sensitive information

• Don’t allow unauthorized individuals to access PHI

• Provide notice of privacy practices, including how patient data is collected, used, and protected and informing patients of their right to access their medical records