What exactly are the many ongoing effects of the federal Health Insurance Portability and Accountability Act (HIPAA) on health information technology (HIT)? We break it all down here.
What is HIPAA
To address the emerging role of health care technology, Congress passed HIPAA in 1996. The U.S. Department of Health & Human Services (HHS) codified the following primary HIPAA rules between 2000 and 2013 to implement and refine the law’s requirements:
- Privacy Rule
- Security Rule
- Final Omnibus Rule (includes Enforcement Rule)
The tie that binds these rules is the protection of personal health information (PHI) by health care plans, clearinghouses and providers (collectively referred to as “covered entities”) and their business associates (BAs). The full range of providers and plans, including those contracted for government, commercial and employer-sponsored services, are included.
HIPAA rules have defined and transformed HIT governance as we know it – preempting state law in many cases where requirements contradict. It is critical for IT firm sales and leadership to make ongoing HIPAA compliance a core strategy to protect sensitive data and avoid potential financial and criminal penalties. The following sections summarize each rule, how they address emerging technologies or don’t and the potential changes coming in 2021.
HIPAA’s 3 core rules
HIPAA compliance is not a once-and-done activity. The HIPAA rule summary below highlights the extended regulatory implementation that has occurred since 2000. Related and proposed governance is covered in the “second wave” section that concludes this article.
HIPAA Privacy Rule
Introduced in 2000 and first finalized in 2002, the HIPAA Privacy Rule provided the nation’s first federal standards for PHI protection, use, disclosure and patient access rights. Ensuring the flow of health data to promote quality care is an important companion piece. Adherence to the rule was required by April 2003 for large health plans and April 2004 for small plans. For providers, HIPAA privacy compliance includes claims, benefit eligibility, referral authorizations and other transactions.
Central to the Privacy Rule is the “minimum necessary” use principle for PHI based on roles and functions with reasonable reliance that standards can be met. Other Privacy Rule PHI use components include:
• Use and disclosure of protected health information for a covered entity’s “own” treatment, payment and health care operations activities
• Opportunities to agree or object to use/disclosure
• Disclosures and notices required to protect personal rights and meeting a variety of governance, health and protective needs
HIPAA Security Rule
Whereas the Privacy Rule addresses PHI, the HIPAA Security Rule specifically covers electronic PHI (ePHI): how it is protected, held and transferred. It supports the Privacy Rule’s confidentiality provisions and was implemented in 2003, with compliance required by April 2005 for large health plans and April 2006 for small plans. The Security Rule includes four specific requirements for covered entities to protect against “reasonably anticipated” threats and prohibited ePHI use/disclosure:
• Confidentiality, integrity and availability
• Anticipated threats
• Impermissible uses or disclosures
• Workforce compliance
The Security Rule includes specific definitions for confidentiality, integrity and availability: 1) provide for allowable data accessibility/usability; 2) protect against unauthorized electronic data availability/disclosure; and 3) help ensure proper data maintenance and authorized alteration/disclosure.
As part of the Security Rule, HHS requires covered entities to perform ongoing risk assessments and identify and document mitigation measures for uninterrupted ePHI protection. BAs contracting with these entities have a similar obligation, and HHS grants flexibility in its rule application. Organizations can apply an addressability standard to items not specifically required based on their size, complexity, infrastructure and risk environment — measured against capabilities and implementation costs. When weighing these factors, entities should consider the full range of HHS-required safeguards (personnel, processes and workplace/physical assets) and the controls needed for ePHI protection.
Final Omnibus Rule
Implied by its title, the Final Omnibus Rule combines and finalizes multiple HIPAA provisions summarized in the table below. Issued in January 2013 after a decade of rule making, Omnibus followed passage of the HITECH Act (Health Information Technology for Economic and Clinical Health), which expanded and incentivized electronic health record (EHR) adoption and introduced “meaningful use” into our national HIT vocabulary. The Omnibus rule confirms prior proposed HIPAA compliance, investigation, violation and civil financial penalty provisions and incorporates HIPAA Breach and Enforcement rules.
Final Omnibus and Enforcement rules summary
• Makes contractors directly liable for select HIPAA Privacy and Security Rule requirements
• Further limits PHI use and disclosure for marketing or fundraising
• Requires individual authorization for PHI data sale
• Expands individual right to electronic health information
• Restricts health plan access to health information where patients pays out of pocket
• Enables research/release of child immunization information to schools
• Requires update and redistribution of privacy practices to individuals
• Grants families access to health information of deceased relatives
• Implements final HITECH Act rules, including enforcing non-compliance due to willful neglect of HIPAA rules
• Established more objective breach notification standards for unsecured PHIT
• Restricts the use or disclosure of genetic information for underwriting by most health plans
HIPAA governance for data and IT
HHS created a Privacy and Security Rule Toolkit that addresses PHI/ePHI use, disclosure, safeguards and other frameworks. Most relevant for IT leaders are the Business Associate Agreement (BAA) guidelines for data collection, use and disclosure, safeguards and accountability, which should:
• Limit PHI access to minimum necessary standards
• Include agreed-upon “reasonable” safeguards
• Define variable needs, including authorizations, data aggregation and standardization and business rules liability
• Address mitigation, including enforcement and penalties for breaches and HIPAA violations
While HIPAA is monolithic and unable to truly keep pace with privacy and security for emerging technologies, HHS does provide some sub-regulatory and partner organization guidance for modern technologies.
HIPAA and the cloud
The government’s cloud computing guidance applies to the covered entities and BAs that use cloud services as well as cloud service providers (CSPs) themselves. While most public clouds are designed for HIPAA compliance, IT managed service providers (MSPs) are responsible for their part. Both CSPs and IT firms can be subject to HIPAA even if they do not hold an encryption key, and cloud data storage outside the U.S. is permitted under HIPAA. More cloud guidelines are located here.
Leading IT channel partner Accenture identifies HIPAA cloud security as a top consideration for CIOs in its 2019 report “The Healthcare Cloud Security Paradox.”
“You need public cloud providers with robust policy enforcement and compliance monitoring built for the specific needs and nuances of healthcare/HIPAA,” say Accenture’s David Wood, managing director and health cloud practice lead, and Kimberly Wolf, senior manager of payer technology advisory.
HIPAA and apps
HHS app guidance includes use-case scenarios and direction on data access, rights and APIs. If your IT firm is a BA for app development with a covered entity — meaning you create, receive, maintain or transmit PHI on the entity’s behalf — you are required to be compliant with certain HIPAA rules but not all. To determine if you are a BA, HHS suggests these questions:
• Who are your clients? How are you funded?
• Were you hired by or are you paid for your service or product by a covered entity? Or another business contracted to a covered entity?
• Does a covered entity (or a BA acting on its behalf) direct you to create, receive, maintain or disclose information related to a patient or health plan member?
For example, if data that a consumer enters into your app automatically becomes part of their provider’s EHR, you are a BA under HIPAA. You are not likely subject to HIPAA if your app involves direct work with or on behalf of consumers (e.g., apps consumers directly download and populate with self-obtained data (e.g., blood pressure measured at home) and/or data from their EHR). There could also be scenarios where you as a BA may hold the same data from two sources, a covered entity and a consumer, with the former subject to HIPAA but not the latter.
Beyond HIPAA, you may still be subject to other laws and regulations. The Federal Trade Commission’s (FTC’s) Mobile Health Apps Interactive Tool can help you determine.
HIPAA and artificial intelligence (AI)
AI pushes the individual data privacy. HIPAA’s premise is that data is either identifiable or not identifiable.
Studies have found, however, that AI can re-identify de-identified data. And when AI is on an open network that allows for re-identification, who is liable?
HIPAA enforcement for data and IT
HIPAA enforcement is serious, and financial penalties can be significant. One of the largest to date — $5.5 million levied against Advocate Health in 2016 — involved a patient data breach from a stolen, unencrypted laptop. HIPAA civil enforcement pertains largely to the Privacy and Security rules and is managed by the HHS Office of Civil Rights (OCR). Enforcement begins with OCR intake to vet and investigate whether a violation has occurred and if so, the required remediation. Criminal violations are referred to the U.S. Department of Justice. The OCR has received over 250,000 HIPAA complaints since 2003, most of which involve improper PHI/ePHI use, disclosure and safeguards and lack of patient access to personal information. While only a fraction of HIPAA complaints proceed to full investigation and corrective action, even the hint of impropriety can hurt an organization.
This can include IT firms acting as HIPAA BAs. There are 226 active HIPAA breach cases that have been reported within the past two years involving BAs. In one OCR investigation, a pharmacy chain and its legal partner did not not have an executed BAA in place to share information. Most covered entities you work with will have standardized BAAs and HHS provides one as well. A service-level agreement (SLA) can then be used to address issues such as:
• System availability and reliability
• Data backup and recovery
• Data return
• Security
• Use, retention and disclosure limitation
Also included should be access, firewall and encryption plus specific controls for data monitoring, reporting and breach notification. Any BAA for any purpose should reflect HIPAA’s minimum necessary standard for data sharing.
HIPAA compliance extends far beyond a properly executed BAA, and you may want to turn to a company that specializes in building HIPAA compliance programs for IT. SAP, SAI Global and Archer are the top-rated firms on Gartner Peer Reviews. Getting there can be a challenge but solutions are available. And they must continue to reflect the latest sets of information privacy and security modifications.
The “second wave”
HIPAA “has mostly been locked in amber since 2009,” said Roy Wyman, partner and privacy and security industry group chair with Nashville, Tennessee-based law firm Nelson Mullins.
A number of updates have been proposed since the 2013 Final Omnibus Rule. Only the Privacy Rule, however, has been updated and was limited to patient access to test reports.
But a “second wave” of privacy and security rules is coming, Wyman said. In some cases, it’s already arrived through global game changers such as the European Union’s General Data Protection Regulations and strong state efforts such as the California Consumer Privacy Act (CCPA). Nationwide, U.S. changes are suggested by two Senate bills and proposed changes to the HIPAA Privacy Rule, released in December with the comment period now extended to May 2021.
The proposed Privacy Rule’s primary goal is to improve care coordination and case management and remove unintentional barriers present in current regulations. The most relevant proposal for IT leaders is the allowable transfer of ePHI to third parties, health apps and among covered entities at patient request.
Wyman is only slightly optimistic, noting that it may take a more radical third wave “to carry us forward into a new understanding of privacy and the role of government.” One that accommodates AI, cloud, edge computing and the other rapidly emerging and advancing technologies that are the core offerings by so many IT firms.
Related articles
• eWEEK: HIPAA
• IT Business Edge: Governance, risk & compliance (GRC) framework
• Datamation: What is cloud compliance | Checklist & services