HIPAA is Required in Healthcare
HIPAA is not sexy, and it’s often called “a necessary evil” But if you are in the business of healthcare, it’s actually required. And you don’t want to be caught in a scary situation, like being attacked by ransomware, or some other unforeseeable breach, without the protection of a properly implemented and maintained HIPAA Compliance Program.
The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) believes a comprehensive Health Insurance Portability and Accountability Act (HIPAA) program provides a baseline for protecting patient privacy and improves the efficiency and effectiveness of the health care system. While HIPAA has made many twists and turns to adapt to advancing technologies, it is vital to know the history and how this became a mandated program for health care providers.
History of HIPAA
HIPAA began in 1996 and included the Administrative Simplification provisions that required HHS to utilize national stands for electronic health care transactions and code sets, unique health identifies, and security. With technology advancing quickly, the vulnerability of the privacy of health information would likely deteriorate. With this information, Congress incorporated a mandate to adoption Federal privacy protections for individually identifiable health information.
The final Privacy Rule was established in December 2000, which was later modified in August of 2002. This rule sets standards for protecting the individually identifiable health information by four types of covered entities. The three types of covered entities affected were health care providers and their business associates, health plans, and health care clearinghouses who conduct transactions electronically. Compliance with the Privacy Rule became required as of April 14, 2003.
HHS published a final Security Rule in February 2003. This rule was established for protecting the confidentiality, integrity, and availability of electronic protected health information. Compliance with the Security Rule was required as of April 20, 2005, for health care providers.
With the advancement in technology, necessary standards were needed to address the increased risk of potential breaches of protected health information. Therefore, in 2013 the final Omnibus HIPAA Rule was established. The Omnibus Rule encompassed many provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act. Omnibus was created as part of the American Recovery and Reinvestment Act of 2009, and the goal was to strengthen the privacy and security protections for health information, which was initially established with HIPAA in 1996.
The Health and Human Services’ Office for Civil Rights is responsible for the enforcement of the HIPAA Privacy and Security Rules. Since the requirement to establish a HIPAA program and standards in 2003, the OCR enforcement activities have obtained significant results in improving the privacy practices of covered entities thru corrective actions. These corrective actions have resulted in systemic change that has improved the privacy protection of health information for individuals. It should be noted that the OCR was tasked with enforcing the Security Rule on July 27, 2009.
In some cases, the OCR investigates corrective action is taken to require the covered entity or the business associate to make changes regarding HIPAA privacy and security policies and procedures. It further instructs for additional training and safeguards. The closure of the corrective action includes the OCR entering into a settlement agreement with a covered entity or business associate. In some cases, OCR settles for a percentage of any applicable civil money penalties OCR could impose and requires entities to correct the underlying root cause for the noncompliance.
During investigations, the OCR is responsible for determining if a violation has occurred. There is a large percentage of violations resolved by covered entities and their business associates after the intake and interview. For those not resolved during the investigative process, these advance to corrective actions leading up to Civil Monetary Penalties. Between April 14, 2003 and December 31, 2019, a study of the results of the UCR investigations revealed:
- Average of 6% of the cases no violation was noted
- Average of 66% of the cases being resolved as part of the intake and interview process
- Average of 31% of the cases referred for corrective action with potential Civil Monetary Penalties
Having a HIPAA compliance program is just good business. Reducing exposure to risk and liability is one of the main reasons to implement and maintain a proper HIPAA compliance program. If a practice implements and follows an active HIPAA compliance program, it demonstrates that the practice has made reasonable efforts to protect individually identifiable health information.
I just think your materials are fabulous. There is a lot of clarity in the printed materials and webinars. Kathy has a way to cut to the heart of the matter by making it clear by simplification.