The sheer density of the Health Insurance Portability and Accessibility Act or as it’s more commonly known, HIPAA is daunting for many who are simply trying to find information about what the laws are all about. The HIPAA website has plenty of information about various topics, but unfortunately it isn’t exactly light reading. In order to help you, we at QBench have compiled a number of common questions and answers so that you have a better idea of what these laws are about and what it means for a lab to be compliant.
What is HIPAA? Passed in 1996, this is a set of laws which were meant to aid in portability (though this means ‘ability to change jobs without fear of losing all health insurance’ rather than simply ‘mobility’), medicaid integrity, protection from fraud, and simplification for management for these steps. It is considered a landmark healthcare decision in the United States and is still a fundamental part of any healthcare setting.
Why was HIPAA passed? It was designed to help with healthcare affordability and to help people changing jobs not be denied insurance due to pre-existing conditions. It also helps to establish a level of privacy with healthcare information.
What is the privacy rule, and who must follow it? The privacy rule, which creates a national standard for health organizations, is one of the backbones of these guidelines. Generally, these rules apply to people who handle protected health information or PHI. This is any information that identifies a person with their health information that is held by a covered entity. Covered entities are considered health plans (like insurance), providers like doctors or nurses, and any business providing a healthcare service, including testing service providers and billing companies for these services.
Do these rules apply to anyone else? These rules can also apply to transactions with contracts approved by the Department of Health and Human Services, DHHS. These partners are known as business associates. A business associate is any outside company who handles PHI under contract with a covered entity. These contracts outline what is expected of these companies in order to comply with HIPAA. This includes Laboratory Information Management Systems (LIMS) such as QBench LIMS.
What is the security rule? The security rule is a set of laws that dictate how to keep this private information secure. In general, it details three different methods by which PHI is intended to be kept secure: physical, technological, and administrative safeguards. This means that companies have physical ways that PHI is safe (like locks or security cameras), technological (encrypted data), and administrative guards (such as implementing training for employees about HIPAA policy). These three rules go hand-in-hand to make sure that PHI remains exactly that, protected.
Is there anyone who doesn’t have to follow these rules? Life insurers, workers compensation carriers, many schools and districts, many state agencies like child protective services, law enforcement offices and many municipal offices. (2) This means that these agencies can get PHI on patients when requested through legal channels.
Is there a set of rules for companies to follow? Yes, there are a set of guidelines that companies follow to keep patient or client PHI private. These rules can be classified as required or addressable. Required means that these rules must be followed very strictly, while addressable means that these rules can be approached from different ways to fulfill the same requirement. A later article will go through the security rule standards to help a facility become HIPAA compliant.
How many guidelines do I have to follow to be compliant? There are 19 that must be followed immediately for even small labs and 42 in total. The rules that must be followed for compliance will be discussed in a later article.
How can our company make PHI compliant with HIPAA? In our future articles we shall go through this more in-depth. There are a number of ways this can be done: one of the most common ways that PHI can become compliant is by de-identifying it, but often times there has to be some form of identification in a laboratory. This makes de-identification impossible but, there are many ways to maintain compliance, and as mentioned, this was gone over in depth in our previous articles.
What do I do if these rules are broken? This is where the enforcement rule comes in. This is where guidelines are set up for breaking these rules and lists the sorts of fines or punishment that could occur as a result of not following them.
What happens when HIPAA laws are violated? Fines (from $100 to upwards of $50,000), as well as a violation of trust and a loss of reputation that can be near-impossible to recover from. Not only this, but individuals can face up to a year in jail time if personally responsible. (1)
My company isn’t a hospital/healthcare provider/healthcare billing company, do I still have to follow HIPAA law? The basic definition of a covered entity (aka companies that must remain HIPAA compliant) is that they provide a healthcare service (be it diagnosis, treatment, consul, or testing) for a fee. This means that even if a company doesn’t seem like a healthcare company, that isn’t necessarily the case.
Is there a single piece of software to download that’s HIPAA compliant? The simple answer is no. There is no single piece of software that is universally endorsed by the Department of Health and Human Services, DHHS, however, there are hundreds of programs available that are compliant. This means that each lab can find or develop software that’s the right fit for their company.
My company is very mobile, and we can’t be tied down to a single computer console. If we use a cloud service provider (CSP), can it still be HIPAA compliant? There are many reasons why a company might be interested in a CSP, including low costs and high mobility. The short answer is yes, you can use a CSP when logging data for your HIPAA compliant labs. This will require your lab to enter a business associate agreement, BAA, (assuming your lab still uses identifiable PHI) with that cloud service provider, but it is possible. CSPs have rules they must follow in order to be HIPAA compliant, which shall also be discussed in a later article.
Can data gathered on patients be used in a case study written by our company? Yes, but there are a many stipulations to this. For one, it requires either individual authorization to use their health information, or a waiver from the privacy board with the name of the person who approved it, date the waiver was approved, and the assurance that PHI will not be used, that it shall remained protected with protocol in case to keep it from being made public, and that a plan has been implemented to destroy identifiers as early as is possible. It could also be approved if a patient allows the use of their data, but only as long as 16 identifiers (turning it into a limited data set, rather than a de-identified set) are removed from the research.
What do I do if I find out a breach occurs? Do I get fined? If a breach occurs, your company has 60 days to inform patients who have PHI with you that a breach has occurred. If more than 500 patients are involved, then congress must be notified as well on the DHHS website. Additionally, there are cases when a company can be fined if a breach occurred if it happened due to negligence on the part of that CE or business associate, BA. After a breach is found, there should be steps taken to help the situation: for example, if a device was stolen that contained credentials for logging into a site with electronic health records or EHR, then there should be immediate steps to make previous credentials no longer valid and thus prevent anyone who has stolen this laptop from viewing patient health records.
What is something I should take away from this article? Hopefully, this article has communicated the importance of patient privacy and your role in keeping PHI protected. By no means is this a simple task, but it is a vital one in the modern healthcare industry. Thankfully, it is possible. In a later article, we’ll discuss the finer points of how you can also become compliant and what it takes to keep your health information secure.
This article should have hopefully cleared up some of the common questions and answers that companies have when first approaching HIPAA. In our later articles, we’ll discuss how individual small labs can become compliant, as well as how a data cloud can be compliant by HIPAA standards. We hope to see you then!
BAA- business associate agreement. This is a contract that a CE makes when entering a contract with a business associate. Business associates are HIPAA-compliant businesses that involve PHI covered by a CE.
CE- covered entity. This is considered to be health plans (like insurance), providers such as doctors or nurses, and billing departments for these services that handle protected health information. This includes verbal, written and electronic PHI. Essentially, these entities are anyone who has given health care service and gives this information with regards to payment.
CSP- cloud service provider, a company that provides a cloud service for storing
De-identification- the process of removing identifying information from PHI or verification of de-identifying by an expert. there are 18 articles of identification: patient name, geographic area, identifying dates like birthday or time of test, phone and fax numbers, email addresses, SSNs, medical record numbers, health plan beneficiary numbers, certificate/license numbers, account numbers, vehicle identification numbers and device numbers, IP addresses, web URLs, biometric IDs like fingerprints or voice prints, full-face images, and anything unique to a patient. The other way a patient can be de-identified is by formal determination by a qualified statician.
DHHS- Department of Health and Human Services. The department that is in charge of HIPAA regulations and the following thereof.
EHR- electronic health records, health records of patients that have been stored on a computer rather than in physical form.
HIPAA- Health Insurance Portability and Accessibility Act, passed in 1996, which establishes data guidelines.
Hybrid entity- a facility that has both the properties of a covered entity and a non-covered entity. An example would be a university.
Limited Data Set- Unlike de-identification, which removes all 18 articles of identification, this one only removes 16. It is one of the methods to allow PHI to be used in research.
PHI- protected health information. This is any identifying information about a given patient as is handled by a covered entity.
Pre-existing condition- any medical condition that a patient has previously gotten treatment, diagnosis, care, or counsel for.
Privacy rule- a national standard for privacy with regards to protected health information. It addresses how this information may be used and disclosed.
Security rule- a law to help standardized the security by which PHI is kept confidential, private and unaltered.
Citations- (1)- Frank-Stromberg, M. Feb 2004 “They’re Real and They’re Here: The New Federally Regulated Privacy Rules under HIPAA” Urologic Nursing, Vol 24, Iss 1 Retrieved from https://www.cbuna.org/sites/default/files/download/members/unjarticles/2004/04feb/14.pdf
(2)- HIPAA rules, retrieved from https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html