The Health Insurance Portability and Accountability Act (HIPAA), 1996 is legislation passed by the US Congress under President Bill Clinton, aimed at protecting the privacy and storage of medical records of registered insurance patients/customers.
This act ensures the accessibility, portability and feasibility of vital health insurance information and sets the standard for the transmission of information across the US Healthcare System without any fraud. This act has been modified several times, but the core areas remain stringent. The HIPAA mainly focuses on 4 areas of health insurance information: privacy of health data, security of health data, notification of health data breaches and the right to get copies of healthcare data.
To ensure these fundamentals of healthcare data management, the HIPAA has set rules in relation with each of these fundamentals.
The HIPAA Rules and Standards:
There are several rules laid by the HIPAA, out of which 3 are the most important in relation with the management of individual healthcare data:
HIPAA Privacy Rule:
The HIPAA Privacy Rule[1] establishes national standards for insurance in the protection of individuals' medical records and other vital healthcare information. It makes it mandatory to have safeguards to protect the privacy of health data and maintain its status quo. It sets the limits on disclosing a patient's health data without his permission.
Covered Entities under the Privacy Rule:
The privacy rule covers certain entities which must abide by the rules it sets forth. The entities covered by the privacy rule are as follows:
- Healthcare Providers:
All healthcare providers, irrespective of the nature of care provided or operational size must abide by the rules of HIPAA. The transactions included in relation with these healthcare providers for insurance must fall within the privacy rules as well.
- Health Plans:
These are entities which pay the costs for individual healthcare by offering attractive healthcare plans as well as insurance. These include healthcare insurers (long term as well as short term), health maintenance organisations, Medicare Organisations etc. They are governed by the Privacy rules and must keep the anonymity of the customers at high standards.
- Healthcare clearinghouses:
These are service providers to healthcare organisations, which help in the transmission of non-standard information into standardised information. They too must comply with the rules of the HIPAA.
- Business associates:
These are individuals other than members of the above entities who have access to public healthcare data and can share it to perform activities for the entities mentioned above.
Disclosure of Information under certain circumstances:
In usual circumstances, the entity must obtain the permission of the patient who wants the insurance before disclosing information, but there are circumstances wherein the entity need not obtain the permission of the individual:
- While disclosing information to the individual who is the patient, when it is essential to share such information immediately.
- Information can be disclosed without permission from the individual for a treatment or payment process for the treatment.
- Information can also be disclosed when the individual in subject explicitly states that his permission is not required for disclosing information.
- Information can be disclosed without permission in the public interest. There are 12 national priority situations like workmen’s compensation, law enforcement, legislations, research etc, which have been covered under the HIPAA, where the information can be divulged.
- For government and private research and analysis purposes, information may be shared to a particular extent depending on the study.
HIPAA Security Rule:
The Security Rule[2] comes after the Privacy Rule and protects a subset of information falling under the Privacy Rule. This subset is part of the protected health information (PHI) and is called electronic protected health information (e-PHI), which is basically the set of information which an accepted entity maintains, transmits or receives. The Security Rule sets out 3 types of safeguards, namely:
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
Administrative Safeguards:
To ensure security at the administrative level, the following have been stated by the HIPAA:
- The first is a Security Management Process, which identifies and is responsible for managing potentially risky e-PHIs.
- A Security Personnel must be appointed, who is an official responsible for implementing the security policies of the HIPAA.
- The Security Rule further mandates that an entity must ensure that the access granted is a user-based one for the purposes of authorizing the divulgence of the e-PHIs.
- The entity in possession of the e-PHIs must ensure a quality workforce and provide adequate training so as to ensure maximum compliance with all the standard rules and procedures.
- The last process is an Evaluation process which is a periodic assessment of how well the security policies are imposed and followed in accordance with the Security Rule.
Physical Safeguards:
This safety measure has a 2-fold structure:
- The entities must ensure limited physical intervention while providing the authorized information to others.
- A covered entity must have policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information (e-PHI).
Technical Safeguards:
Technical safety is the primary focus of ensuring a secure database. To ensure this, the Security Rule lays the following:
- An access control panel which only allows the authorized persons to access the e-PHIs.
- An entity must have a record of all the e-PHIs and a transmission list which is updated to the latest status.
- The entity must ensure that the e-PHIs are not destroyed or misplaced and keep measures for the same.
- Must ensure the anonymity of e-PHIs while in transmission and guard against unauthorized access.
Apart from these rules, the HIPAA also imposes rules and regulations which the covered entity must follow, the source for storing the data, compliance schedules and enforcement planning. All these aspects must be closely followed by the entities and can thereafter proceed with the transmission of the e-PHIs.
HIPAA Breach Notification Rule:
The Breach Notification Rule[3] is an essential rule under the HIPAA which mandates that the covered entities make the individuals aware in a case of a breach of their personal information stored with them.
A breach is an impermissible use or disclosure under the Privacy Rule that compromises the security and privacy of the PHI. This disclosure is a breach unless the covered entities prove that the nature of disclosure was not of substantive value or that the disclosed information was not used or viewed by anyone else. Apart from this, there are 3 identified exceptions to the definition of breach:
- The first is in respect to the unintentional access of information done in good faith for the individual or a workman.
- The second applies in inadvertent circumstances where an authorized personnel from one entity gives access to the information to an authorized personnel from another entity.
- Lastly, if there is a belief in good faith that the disclosed information under normal circumstances would likely be available to the unauthorized individual.
Breach Notification Requirements:
When there is a breach, the entity or business associate is bound to provide a notice to the affected individual, the media (in certain cases) and the Secretary.
- Notice to the Individual:
- The notice must be in written form and delivered either by postal services or if the individual has subscribed to electronic medium, then through an email.
- If the entity does not possess the recent contact information of the affected individuals (10 or more), then they must post the information on their website for at least 90 days and also to other media channels in the locality of the affected individuals. A toll free number should be provided for the same.
- These notices must be served to the affected individuals within a period of 60 days from the breach discovery date.
- The notice must include a brief description of the nature of the breach, the amount of information breached, the necessary precautions the individual must take, and the steps the entity is taking to secure the information and find the breacher.
- Notice to the Media:
When there is a breach affecting more than 500 individuals in a particular state or jurisdiction, the entities are bound to provide a press release alongside individual notices to prominent media channels. This is also to be provided within 60 days from the discovery of breach.
- Notice to the Secretary:
In addition to the notice provided to the affected individuals and the media (in certain cases), the entities must notify the Secretary of the breach of privileged information. This notification will be done by filling a form on the website of the Health and Human Services. In case of breach affecting more than 500 individuals, the Secretary must be notified within 60 days and in other cases, an annual reporting is enough.
Conclusion:
Even though the Federal Government has been strict in the implementation of the HIPAA, privileged information is leaked quite often. The digital age has proved to be sensitive for the HIPAA, as all types of software exist which make it easy to steal and reveal the privileged data. Apart from the covered entities, digital providers like Apple and Fitbit have produced smart bands which calculate and store essential health information of individuals. These companies are not covered under the HIPAA and become easy targets for acquiring vital health data. The ambit and scope of the HIPAA must be increased for a better implementation and delivery mechanism.
References:
[1] Public Health Professionals Gateway, available at: https://www.cdc.gov/phlp/publications/topic/hipaa.html# (last visited December 25, 2020).
[2] Health Information Privacy, available at: https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html#:~:text=The%20Security%20Rule%20protects%20a,%E2%80%9D%20(e%2DPHI). (last visited December 27, 2020).
[3] Health Information Privacy, available at: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html (last visited December 28, 2020).
BY NAGANATHAN RAMASWAMY IYER | SASTRA UNIVERSITY