The Health Insurance Portability And Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) is a broad-ranging law that, in part, imposes responsibilities on a variety of entities concerning Protected Health Information (PHI). Though beyond the scope of this discussion, there are aspects of the Act that regulate continuity of healthcare plans and benefits (Title I), here our focus is on what is known as the “Privacy Rule” which regulates PHI (Title II).
Protected Health Information (PHI)
Under HIPAA, PHI, the kind of information regulated, consists of individually identifiable information that relates to a person’s past, present, or future:
- Medical condition, including those psychological in nature
- Provision of medical care
- Payments for medical care
The Privacy Rule
When protecting PHI under the HIPAA framework, the Privacy Rule outlines the standards and obligations imposed on covered entities. Specifically, the Rule lays the framework for the usage and disclosure of PHI. The Privacy Rule also affords individuals various rights, including obtaining and correcting the PHI that a covered entity holds. Further, the Security Rule expands on the measures covered entities and business associates must undertake to protect ePHI (Electronic Protected Health Information). The fundamental standard for securing ePHI is one of “appropriate and reasonableness.” Based on this standard, covered entities have varying responsibilities relating to security based on their specific risk profile. In addition, ensuring best practices regarding privacy and security of health information can also be the basis for a competitive differentiator.
“Covered entity” is the term used in the Act to refer to those organizations that are subject to the Privacy Rule.
Covered entities include health plans, health care clearinghouses, and health care providers. Examples of health care providers that are covered entities include doctors, hospitals, clinics, and nursing homes. Also, health insurance companies are deemed to be covered entities.
HIPAA addresses the common scenario where a covered entity conducts business with a third party. When the third party creates, receives, maintains, or transmits PHI on behalf of the covered entity, they are referred to as a “business associate.” Classification as a business associate under the Act creates obligations for both the covered entity and the business associate. Covered entities are required to execute business associate agreements (BAA) to contractually ensure that the business associate follows the requirements outlined under HIPAA. Importantly, BAAs should include terms that detail the permissible uses and disclosures of PHI and the security measures to be implemented to ensure adequate safeguarding of PHI. In some instances, as per a fact sheet from the US Department of Health and Human Services (“HHS”), business associates can be subjected to direct liability. An example of a BAA used by Google can be viewed via this link.
There is much nuance about who is deemed a business associate; for example, an internet service provider transmitting PHI is not considered a business associate.
Breach Notification Requirements
Like other data and privacy-centered laws, HIPAA imposes various notification requirements on entities that experience a breach of their duty to protect the PHI they hold. In the event of a breach, there is a requirement for notification of affected individuals and HHS. HHS maintains a list of breaches reported to the Secretary, which can be viewed here.
The nature of system compromise can sometimes create a gray area as to whether there was a breach that reached the requisite threshold for triggering notification obligations. In the most basic sense, an impermissible use or disclosure of PHI that compromises the security or privacy of PHI constitutes a breach. At the same time, there may be a system intrusion that does not reach the threshold for the notification requirements to come into effect. The distinction between a technical breach not requiring notification and one that does is significant as the ramifications for having to provide notice often incurs high cost and substantial resource allocation.
The Office for Civil Rights (OCR) at HHS enforces the Privacy, Security, and Breach Notification Rules under HIPAA. Enforcement measures range and include both civil as well as criminal penalties. The most common enforcement actions we see revolve around the lack of proper safeguards for PHI that result in some impermissible use or disclosure. By enacting appropriate policies and procedures to protect PHI and ensuring that employees and business associates comply goes a long way toward avoiding an enforcement action.