Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act, or HIPAA, applies to your business if you handle any U.S. health data. To help you understand if you must comply with the Act, here's an overview of HIPAA, how it works, and how to comply with the Act's provisions.
- 1. Introduction to HIPAA
- 1.1. Title II Privacy Rule
- 2. Who Must Comply With HIPAA
- 3. HIPAA Requirements
- 3.1. Understand Patient Rights
- 3.2. Inform Users of Their Rights
- 3.3. Protect Health Information
- 4. How to Comply With HIPAA
- 4.1.1. Introductory Clause
- 4.1.2. Individual Rights
- 4.1.3. Use of Patient Data
- 4.1.4. Patient Data Disclosure
- 4.1.5. Special Situations
- 4.1.6. Contact Details
- 4.1.7. Patient and User Complaints
- 4.2. HIPAA Compliance Program
- 4.2.1. Disclosure Mitigation
- 4.2.2. Data Security
- 4.2.3. Employee Training
- 4.2.4. Risk Assessments
- 5. Penalties for Failing to Comply With HIPAA
- 6. Conclusion
Introduction to HIPAA
First enacted in 1996, HIPAA helps to regulate how businesses can share and process healthcare information. More broadly, the Act aims to reform healthcare.
The purposes of the Act are as follows:
- Improve the privacy and security of patient health information
- Provide clear, enforceable standards for protecting health data
- Improve health insurance portability, which makes it easier for people to switch providers
- Reduce the risks of healthcare and health insurance abuse and fraud, e.g. fraudulent claims
In other words, the Act:
- Gives people more control over their private healthcare information
- Sets enforceable standards for businesses to follow if they process or collect health data
- Helps businesses understand how they can better protect health data and ensure patient confidentiality
HIPAA contains five titles:
- Title I: This title protects someone's health insurance coverage if they change or lose their jobs
- Title II: Also known as the "Privacy Rule," Title II is concerned with protecting privacy in electronic healthcare transactions
- Title III: Title III covers tax issues
- Title IV: This title covers some definitions for health insurance reform purposes
- Title V: Finally, Title V concerns life insurance
For our purposes, Title II is most important. However, you should be aware that each title could potentially apply to your business.
Title II Privacy Rule
HIPAA Title II establishes standardized national rules for protecting certain categories of health information. Title II covers "protected health information," or PHI.
PHI means "individually identifiable health information," which is any health data you can use to identify a person, such as:
- Diagnosed mental or physical health conditions
- Health care treatment details, e.g. treatment plans
- Health plans, e.g. insurance and payment details
- Name, date of birth, address or similar personal information
The Privacy Rule doesn't cover de-identified health data, which is data you can't reasonably use to identify a certain person. For example, this could include anonymized healthcare statistics or results from a study.
When in doubt, though, assume HIPAA applies and treat the data as identifiable health information.
Who Must Comply With HIPAA
Under Section 1172, the following businesses must comply with HIPAA:
- Health plan providers
- Health care providers
- Health care clearinghouses (companies that process nonstandard health data into a standard format, e.g. an electronic format)
You should also comply with HIPAA if you provide services to the above businesses and need access to health information to provide those services, for example lawyers and companies that destroy medical records.
Now we're clear on who must comply with HIPAA, here's a summary of what's required of businesses obliged to comply with Title II.
Understand Patient Rights
Under HIPAA, individuals have the right to:
- Know how their health information is shared, and for what purposes
- Correct any errors in their health data
- Ask for (and receive) a copy of health records
- Give permission before a business can use health data for marketing or commercial reasons
- Complain if a business fails to protect their data
As a business owner, you must understand these rights so you can help people exercise them.
Inform Users of Their Rights
Protect Health Information
You must ensure there are sufficient security measures in place to protect any health data you collect, process, share, or destroy.
You should also:
- Limit who can view or access health data
- Perform regular risk assessments
- Provide security and HIPAA training to any employees with health data access
How to Comply With HIPAA
Luckily, HIPAA compliance is more straightforward than it may seem at first glance. To comply with the HIPAA requirements outlined above, you must do two things:
- Design and implement a HIPAA compliance program
Let's consider each of these requirements individually.
Introductory Clause
Explain what the document is, i.e. a Policy disclosing how you process, use, and share health data, and what rights people have over this information.
Here's an example from Fit to Smile. It's short but it explains exactly what the document is and why patients should read it. It's also in bold lettering so it stands out, which is good practice when you're drafting an introductory clause like this:
Individual Rights
South End Eye sets out patient rights using bullet points, which makes the clause very readable and easier to understand:
And Fit to Smile sets out longer, more detailed explanations in clearly separated paragraphs for readability:
Use of Patient Data
Explain how you use the health data you collect.
Patient Data Disclosure
You should describe who you share patient data with, and when patients can restrict data sharing.
Dentistry of Colorado, for example, specifies that it might use patient data in health marketing, but it won't do so without express permission:
South End Eye clearly sets out different uses for patient health data. The explanations clearly identify who else might receive health data, and why:
Patients have the right to know who you share data with and why, so make sure you cover as many disclosure situations as possible in your Policy.
Dentistry of Colorado has a detailed clause explaining when it might share data in the public benefit or if required by law:
It doesn't matter where you place the details, so long as they're included.
Patient and User Complaints
Here's an example of a comprehensive clause from Dentistry of Colorado:
South End Eye has a more succinct clause but it's still obvious that people have the right to complain, and there are clear guidelines for doing so:
HIPAA Compliance Program
To design and implement a HIPAA compliance program or plan, you must consider the following points.
Disclosure Mitigation
Under the "minimum necessary" principle, you should only disclose the minimum amount of data necessary to achieve the intended purpose.
- Develop a policy to limit the sharing and use of health data.
- Limit staff access to health data. Employees should only be able to access what's necessary to perform their duties.
- If patients give consent to using their data for marketing purposes, keep clear records of all written consent forms.
Data Security
You must ensure all health data is secure. The challenges you face vary depending on the nature of your business, e.g. a health app provider faces different challenges than, say, a family physician with a local office.
However, always consider the following:
- Appoint a member of staff to oversee HIPAA compliance
- Introduce sufficient cybersecurity safeguards, e.g. firewalls, private networks, and security software
- Protect offices and data storage locations with, e.g., CCTV and secure locks
- Develop a strategy for spotting, remedying, and reporting HIPAA violations
Employee Training
Train all personnel with access to health data and ensure they understand HIPAA. Enforce good security practices such as:
- Encrypting data
- Changing passwords frequently
- Using multi-factor authentication, e.g. fingerprint ID on mobile devices that contain business data
- Spotting phishing scams or malicious links
- Using secure networks to access data
Risk Assessments
Decide how you'll perform risk assessments and how often you'll audit your infrastructure. How you do this will vary depending on, for example, how much data you process and how sensitive the data is.
Make sure you record all risk assessments and address any problems you identify.
You may require external help from a managed services provider to ensure your systems and processes are HIPAA-compliant.
Remember: To achieve HIPAA compliance, you must prioritize patient rights and take all reasonable steps to secure their health data. So, however you design your compliance program, don't forget these overarching goals.
Penalties for Failing to Comply With HIPAA
If you fail to comply with HIPAA, the Office for Civil Rights (OCR) can compel you to:
- Pay a fine
- Implement a "Corrective Action Plan"
It's not strictly one or the other. You could, for example, be asked to pay a fine and also implement a strategy for ensuring the breach doesn't happen again.
If you're ordered to pay a fine, the amount depends on the severity of the offense and your degree of culpability.
- Accidental violation: Minimum penalty of $120 per violation
- Negligent act corrected within 30 days: Minimum $12,045 fine per violation
- Negligent act and failure to correct: $60,226 minimum penalty per violation
Within those parameters, the amounts payable can vary significantly.
To be clear, HIPAA violations can also constitute a criminal offense. Criminal charges may apply if you're a "covered entity" such as:
- A provider supplying health plans
- Any health care provider who submits or transmits claims in electronic formats
- A Medicare prescription drug card sponsor, i.e. you provide drug coverage to those who submit successful Medicare claims
However, even if you're not subject to criminal penalties, be aware that civil HIPAA violations can still be costly.
Conclusion
HIPAA ensures that all businesses that handle healthcare information understand their responsibilities. The Act also empowers individuals to take control of their healthcare data and decide how it's shared.
You must normally comply with the Act if you handle electronic healthcare information of any kind. Failing to comply with HIPAA attracts, in some cases, steep financial penalties, so you must understand how the Act applies to your business.
To comply with HIPAA, you must do the following:
- Understand how the Title II Privacy Rule affects you
- Set out a HIPAA compliance program for your business
- Safeguard any health data in your care, e.g. by using appropriate cybersecurity measures
Under HIPAA, people have the right to:
- Access their healthcare data
- Amend any data which is factually incorrect
- Ask for copies of their healthcare data
- Know who their data is shared with
- Reject the sale of their healthcare information for any commercial purpose
As a business owner processing healthcare data, you should ensure your users and/or patients understand these rights. If you're concerned about HIPAA compliance, always seek legal counsel before capturing, processing, or sharing any healthcare information.