Questions About HIPAA That You Were Too Shy to Ask

As a data professional or developer, you will likely have questions about how HIPAA impacts you and your day-to-day responsibilities. Rebecca Edwards answers common questions about HIPAA that you were too shy to ask.

The Health Insurance Portability and Accountability Act (HIPAA) has been around since 1996. It is designed to protect patients’ confidentiality. Title II (Administrative Simplification), which contains the Privacy Rule, the Enforcement Rule and the Security Rule, centres on data management, privacy and protection. Being in breach of HIPAA can be expensive and, in the worst cases, can even earn you some jail time.

  1. Why HIPAA?
  2. Does HIPAA apply to organisations outside the United States?
  3. What is ‘protected health information’?
  4. What constitutes a breach under HIPAA?
  5. What happens if there is a breach?
  6. Why is data protection suddenly becoming important?
  7. What rights does HIPAA give to the individual?
  8. Does HIPAA affect the way we do development work?
  9. What are the risks I should consider?
  10. Is HIPAA JUST about health data? What about non-medical PII data?

1. Why HIPAA?

The Health Insurance Portability and Accountability Act was originally signed into law to “improve the portability and accountability of health insurance coverage” for employees between jobs. The Privacy and Security Rules were signed in shortly after to protect “any information held by a covered entity which concerns health status, the provision of healthcare, or payment that can be linked to an individual”. Other aims of HIPAA were to tackle waste, fraud, and abuse of health insurance and healthcare provision.

2. Does HIPAA apply to organisations outside the United States?

In short, no. HIPAA applies to healthcare organisations within the US, and the data those organisations hold is subject to its requirements. Even if the people concerned are not US citizens, if they are in a US healthcare system they are also protected. Considering the reverse, US citizens outside the US who are part of a non-US healthcare organisation are not covered by HIPAA.

3. What is ‘protected health information’?

Protected Health Information (or PHI) is any “individually identifiable health information” held or transmitted by a covered entity or business associate. This can be in any form: electronic, paper or even oral. It is information that relates to an individual’s past, present or future physical or mental health or condition, the provision of healthcare to the individual, or payments relating to the healthcare of the individual.

HIPAA lists a number of common “identifiers” to make things a bit simpler:

  • Names
  • Geographic info (this goes into some detail, so for further information on this particular identifier check out this article).
  • Dates
  • Telephone numbers
  • Fax numbers
  • Vehicle identifiers and serial numbers
  • Device identifiers
  • Emails
  • URLs
  • Social security numbers
  • IP addresses
  • Medical record numbers
  • Biometric identifiers (including fingerprints/voice prints)
  • Health Plan beneficiary numbers
  • Full face photographs
  • Account numbers
  • Any other unique identifying number, characteristic, code
  • Certificate/license numbers

4. What constitutes a breach under HIPAA?

A breach under HIPAA means the acquisition, access, use, or disclosure of PHI in a manner not complying with HIPAA, which compromises the security or privacy of the PHI. This is an extremely broad definition that might make you feel as though even smelling data could land you in trouble. Some examples of HIPAA breaches include: failing to give patients access to their PHI; unprotected storage of PHI (which can lead to laptops or USB sticks containing unsecured PHI* being stolen); not logging off a computer or system that holds PHI; violating the “minimum necessary requirement”; and sending PHI in an email over the internet.

*Unsecured PHI means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorised persons through the use of technology or methodology.

To narrow the scope a bit, HIPAA has specified what’s NOT a breach by listing the three exceptions:

  1. If an unintentional breach (acquisition, access, or use only) of PHI was made in good faith and within scope of authority and does not result in further use or disclosure.
  2. Any inadvertent disclosure by a person who is authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, where the information received as a result of such disclosure is not further used or disclosed.
  3. A disclosure of PHI where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

The only other exemption from a breach is where it can be demonstrated, based on a risk assessment, that there is a low probability that the PHI has been compromised. That assessment has four factors: the likelihood of re-identification and the types of identifiers involved, the unauthorized person to whom the disclosure was made, whether the PHI was actually acquired or viewed, and the extent to which the risk to the PHI has been mitigated.

5. What happens if there is a breach/violation?

First thing: stop the breach as soon as possible. Ensure whatever caused the breach is fixed immediately.

Following a breach, covered entities and business associates must provide notification of the breach to HHS (the U.S. Department of Health & Human Services), to the individuals affected and, in some cases, to the media. Notifications must be made without unreasonable delay and no later than 60 days following the discovery of the violation.

The penalties for a breach under HIPAA vary depending on the circumstances of the leak and the volume of violations. Unknowingly violating HIPAA costs $100 per violation, but in the extreme cases, where covered entities and individuals violate HIPAA under false pretences, the fine is $100,000 (up to $1.5 MILLION for repeat violations) and up to 10 years in prison.

Fines are issued by the Office for Civil Rights (OCR).

6. Why is data protection suddenly becoming important?

Due to a number of high-profile scandals, the public are becoming more and more aware of their rights to protection of their privacy and data. The eventual consequences of those data breaches to the public can in some cases be catastrophic, for example fraud. As such, support for more stringent legislation has dramatically increased, which is why we have HIPAA and others like SOX, GDPR, SHIELD and CaCPA. The age of technology has made it all too easy to share and discover information, so data can not only be found but also lost and circulated faster than ever before.

7. What rights does HIPAA give to the individual?

Ultimately HIPAA is designed so that individuals have easy access to their health information and more control over decisions regarding their healthcare. Individuals have a legal and enforceable right to see, and on request receive copies of, the information in their medical and other health records maintained by their healthcare providers and health plans.

Patients are also able to designate a personal representative (who might already have authority to make health care decisions for the individual) who also then has the right to access PHI.

8. Does HIPAA affect the way we do development work?

The Privacy Rule addresses how patient information can be used and disclosed. In the Minimum Necessary Requirement, it states that covered entities are required to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information. For development, we can assume this means that it is no longer appropriate to be working with real data. Data retention is similarly a key part of HIPAA: individuals have the right to access their information at any time. Whilst no HIPAA medical records retention period is outlined, there is a requirement for other HIPAA-related documents (such as, but not limited to, logs recording access to and updating of PHI, authorizations for the disclosure of PHI, and IT security system reviews) to be kept for a minimum of six years from when the document was created or when it was last in effect. This is outlined in CFR §164.316(b)(1).
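The identifier list in question 3 and the point above about not developing against real data are easier to act on with a concrete check. The following is an added example, not code from the original article: it scans a constructed patient record for the identifier categories that can be matched mechanically (SSN, email, phone/fax, IP, URL, date, record/account numbers), treats a few assumed field names (`name`, `address`, `device_id` and so on) as identifiers regardless of format, and produces a masked copy suitable for a development environment. The regexes, field names and the "keep only the year" rule for dates are simplifying assumptions for illustration, not HIPAA's own text.

```python
import re
# Regex patterns for the identifier categories from question 3 that can be spotted
# mechanically (constructed here; names, biometrics and photos need other controls).
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone_or_fax": re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
    "mrn_or_account": re.compile(r"\b(?:MRN|ACCT)-?\d{5,}\b", re.IGNORECASE),
}
# Field names whose values are identifiers whatever their format (assumed schema).
IDENTIFYING_FIELDS = {"name", "address", "device_id", "vin", "plan_id", "license"}

def find_identifiers(record):
    """Return {field: [categories]} for every field that holds a listed identifier."""
    hits = {}
    for field, value in record.items():
        cats = ["named_identifier"] if field in IDENTIFYING_FIELDS else []
        cats += [c for c, p in IDENTIFIER_PATTERNS.items() if p.search(str(value))]
        if cats:
            hits[field] = cats
    return hits

def deidentify(record):
    """Copy for development use: identifiers masked, clinical content kept as-is."""
    out = {}
    for field, value in record.items():
        if field in IDENTIFYING_FIELDS:
            out[field] = "[REDACTED]"
            continue
        text = str(value)
        # Dates: keep only the year (a simplifying assumption for this example).
        text = IDENTIFIER_PATTERNS["date"].sub(lambda m: m.group()[:4], text)
        for cat, pat in IDENTIFIER_PATTERNS.items():
            if cat != "date":
                text = pat.sub(f"[{cat.upper()}]", text)
        out[field] = text
    return out

# Constructed sample record; not real patient data.
SAMPLE = {
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "email": "jane@example.org",
    "visit_date": "2019-03-14",
    "diagnosis": "Type 2 diabetes",
    "notes": "Follow-up call to 555-867-5309 from 10.0.0.12",
}
```

Running `find_identifiers` on the output of `deidentify` is a useful gate before a dataset is copied into a development environment: only the fields that are masked by name should remain flagged.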

9. What are the risks I should consider?

Where is the data being stored, received, maintained or transmitted? Who has access to it? Is that access controlled? These questions might seem obvious, but data is the biggest risk to your compliance. Organisations need to be very clear about where, why, and how PHI is stored, who has access, and what exactly happens to this data. It’s important to keep an audit trail of all activity around the records so that you can prove your compliance. It is also worth identifying and addressing potential threats to your PHI: become proactive rather than reactive about those vulnerabilities. Consider your network security, training members of staff, and reducing the internal access points to PHI.

10. Is HIPAA JUST about health data? What about non-medical PII data?

PHI is any “individually identifiable health information” held or transmitted by a covered entity or business associate. You can refer to the answer to question 3 for more details about what PHI is. The identifiers listed in question 3 include data that is not specifically health related (for example names, emails, telephone numbers, etc.); however, when combined with health information about that person, such data becomes PHI. Therefore, non-medical PII data still needs to be protected under HIPAA.

Please note: HIPAA is a complex piece of legislation. Your organisation is responsible for understanding the full requirements. This article summarises some of the details, but further research is always recommended when ensuring full compliance.