By Chris Cronin, ISO 27001 Auditor, Partner
HIPAA is a confusing regulation. Since its enactment on August 21, 1996, it has covered topics as diverse as insurance coverage of unemployed people, efficiency of health care administration, data security, and more recently the improvement of healthcare outcomes. HIPAA has had the complicated history of regulatory revisions, clarifications, and guidance documents from various agencies, and it is still largely misunderstood.
In commemoration of HIPAA’s 20-year anniversary, we’ve attempted to provide a novel, yet informative and practical break-down of the regulation including the changes it has undergone throughout the years.
To make the regulation more understandable, HALOCK is presenting a chronology of HIPAA’s regulatory and statutory landmarks to provide readers with a simple breakdown of HIPAA, HITECH, the Omnibus Rule and their related privacy rules. We chose this format to help our readers understand how the regulation has changed over time, and how early ideas informed later evolutions of the regulation. We also provide a glossary of legal terms to ensure that readers share a baseline of legal terms.
For those who wish to read the entirety of HIPAA and HITECH and their current requirements, skip to the end of this post and follow the links under the final Omnibus Rule (2013).
Code of Federal Regulations (CFR): The document(s) that declare the rules that federal agencies use to oversee and enforce regulations. If a statute one day requires that the Securities and Exchange Commission oversee robot accountants, it would write the rules for robot accountant behavior and the penalties against malfunctioning robot accountants in the CFR title that is reserved for its agency.
Common Law: Processes for reaching judgments in cases, usually by lawyers and judges at trial who interpret the facts of a case in light of other influential cases that have preceded it.
Executive Order: A directive from the president of the United States. An executive order can require executive agencies to change the way they prioritize, oversee, or execute regulations or statutes that are in their scope of authority.
Regulations: Rules that are written by executive-branch agencies, such as the Internal Revenue Service, Securities and Exchange Commission, Department of Health and Human Services, Food and Drug Administration, Department of Commerce, Federal Trade Commission, etc. Regulations are usually put in place to reduce potential large-scale harm to the public that may be caused by negligent or conflicted parties. Federal agencies may actively audit persons or organizations to determine whether they are following regulations, even if there is no evidence that they are violating a rule. They may also levy fines or other punishments if their rules are not being followed. Regulations are also known as “administrative law.”
Statute: A law passed by a legislature. Violations are most often thought of as criminal matters that can lead to a summons, fines, a trial and penalties against a person. We generally don’t get punished for violating a statute unless we are caught violating it. This is in stark contrast to regulations which are actively overseen by executive agencies.
What: Executive Order 12866
Summary: After a presidential election in which his critics expressed concern that his administration would hurt business, President Bill Clinton ordered his Office of Management and Budget (OMB) to develop a method for overseeing compliance with regulations without being overly burdensome to the government or to the public. The Office of Information and Regulatory Affairs, under the OMB, began issuing “12866 reviews” of regulations to ensure that they included a cost/benefit analysis as part of the assurance that regulations would be achievable.
Bottom Line: Regulations, including HIPAA, require that organizations conduct risk assessments to be sure that safeguards balance public interest with their burden of providing the safeguards.
What: Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Summary: HIPAA was introduced to accomplish many things, including helping employees keep their insurance plans as they moved from one employer to another and protecting patient health information in the process. Additionally, HIPAA’s “Administrative Simplification Rules” are meant to bring efficiencies to healthcare payers and providers to reduce the administrative costs in healthcare.
The statute called for the Secretary of HHS to design regulations to help meet these objectives. While the statute does not look much like the resulting regulation, it does call for measures to secure patient health information and for analyzing the costs of those measures, an important set-up for the cost/benefit evaluations that were to come.
Bottom Line: Congress required that the HHS create and enforce regulations that, among other things, required that health care providers and health insurance plans secure health information.
What: Compliance Date for HIPAA’s Privacy Rule
Summary: HHS had been working on the Privacy Rule for many years, issuing the first version of the rule in 2000. HHS then gathered public comment on that early version and modified the rule accordingly in 2002. The Privacy Rule included concepts such as minimum use and disclosure of ePHI, posting privacy notices, ensuring privacy during payment processing and other administrative handling, and it described options for de-identifying ePHI so medical information could be shared without disclosing patient identities. The Privacy Rule was not specifically called for in the original legislation. However, as HHS developed the initial HIPAA regulations, it realized that there was no way to regulate the modernization and sharing of medical information without ensuring that the many individuals and parties that handle this sensitive information also knew to keep the information private.
Bottom Line: Do not use or disclose health data about individuals unless for patient care or payment. Tell patients what and how you use their information.
What: Compliance Date for HIPAA’s Security Rule
Summary: The 1996 statute explicitly required that regulations should include methods for securing patient information, and that the costs of safeguards must be considered. Over a period of several years, the HIPAA Security Rule was developed with a set of “specifications” that did not tell covered entities how to protect ePHI, but generally described the objectives for those security controls. Covered entities were to conduct risk assessments to understand the likelihood and impact of foreseeable threats, and to put safeguards in place to reduce those risks. The Security Rule used the term “reasonable and appropriate” to describe the required safeguards. The term aligned with the 1996 statute, Executive Order 12866, and common law understandings of due care to imply that the burden of safeguards must not be greater than the actual risk to patients. The Security Rule also required policies and documents that must be in place at covered entities. These included “business associate agreements,” which require third parties who may access ePHI to assure the covered entity that their security controls over that ePHI are also appropriate.
Bottom Line: Put security controls in place to reduce the risk of compromising ePHI. The controls may not interfere with the mission, objectives, or responsibilities of the covered entity.
What: Compliance Date for HIPAA’s Enforcement Rule
Summary: The Privacy Rule’s compliance date was in 2003, which is when HHS started tracking its enforcement activities. But enforcement was still not a formalized, well-documented, and agreed-upon process. HHS authorized its member organizations, the Centers for Medicare & Medicaid Services (CMS) and the Office for Civil Rights (OCR), to audit covered entities for compliance with the Privacy Rule and Security Rule. Even without a formalized Final Rule for enforcement, HHS relied on previous authority and processes to oversee compliance with the regulation, and its audits were relatively few in those early years.
After several years of interim rules and gathering comments from interested parties and experts, the Final Rule was issued in 2005, providing for financial and other penalties against covered entities that allowed ePHI to become unprotected. The Final Rule also provided an escalating model for fines based on the culpability of a covered entity that allowed a breach of information. Lower penalties were levied against organizations that did not respond to a breach but could not reasonably have known that there was a breach. Higher penalties were levied against organizations that were careless in allowing a breach and did not respond appropriately to it. The Federal Trade Commission (FTC) also took action against organizations that made assurances of HIPAA Security Rule controls but did not enforce those controls.
Bottom Line: The Enforcement Rule described its processes for HHS’ enforcement of the HIPAA rules, conforming to the model of “due care,” levying higher penalties against organizations that showed lower care for individual privacy protections.
What: HITECH Act (part of the American Recovery and Reinvestment Act)
Summary: With the Obama administration came the American Recovery and Reinvestment Act (ARRA). This first major piece of legislation was coordinated by the White House to help stimulate the economy during a serious recession. A significant amount of the ARRA came from draft legislation that had been sitting in queue at congressional committees, sometimes for years. Some of those bills were aimed at increasing coordination between organizations that share health information for payment or provision of care, at increasing reliance on Electronic Health Records (EHR) that share patient data among organizations, at encouraging care providers to use metrics to demonstrate improved patient outcomes, and at increasing responsibilities for protecting ePHI. These were all included as provisions in the ARRA. The following are the major components of HITECH:
Meaningful Use – The requirement that hospitals and physician groups use metrics to demonstrate improved health outcomes. The more of these data-based improvements a care provider could demonstrate, the better the reimbursements it would receive from CMS.
Breach Notification Rule – Covered entities and business associates must respond to breaches of ePHI by disclosing the breach to the affected individuals and to HHS. The Breach Notification Rule has many caveats that include the timing of the response, the number of records involved in the breach, the parties who gained access to the information, potential limits of liability, and other considerations.
Security Rule – Business associates would be responsible for complying with HIPAA to the same degree as covered entities, including the requirements for breach notification. Covered entities and business associates were also required to pay more attention to guidance from HHS on safeguards and risk management.
Privacy Rule – Greater specificity and tighter limitations were imposed on covered entities and business associates to limit their use and sharing of PHI. It also required them to be more accountable to individuals who ask for limitations on the sharing and storage of their PHI, and to disclose to individuals the PHI that the organization holds. More detailed guidance was also provided for de-identifying PHI.
Bottom Line: HITECH passed on direct compliance requirements to business associates, and provided increased specificity to the public about how privacy and security were to be handled by covered entities and business associates.
What: HIPAA Omnibus Final Rule
Summary: In response to HITECH, HHS created a new, single rule to finalize its implementation of both HIPAA and the HITECH Act. The Omnibus rulemaking updated the CFR sections where the HIPAA and HITECH regulations are recorded to amend the following items.
- Business associates were made directly liable for compliance with portions of the HIPAA Privacy and Security Rules, and could be audited by OCR.
- PHI could no longer be sold unless with explicit permission by patients. Other increased limitations on sharing PHI were added.
- Individual rights for receiving electronic copies of their PHI were expanded.
- Scrutiny for enforcement was increased, including an update to the tiered approach for estimating penalties against organizations that violated HIPAA and HITECH.
- More concrete criteria were added to determine whether “harm” occurred as a result of a breach of PHI.
Bottom Line: With the HIPAA Omnibus Final Rule, HHS now provides a single, definitive document to describe obligations for complying with HIPAA and HITECH. An “unofficial” version of HIPAA can be located at HHS.gov. While this is not the actual CFR, it is authored by HHS for ease of reference to the regulation.
HIPAA is not a simple regulation that can be described concisely. In fact, the regulation is one of the most far-reaching in its effect on the daily lives of Americans, so it would be difficult to describe briefly. But there is a little gift to business from the federal government buried in its logic … at least in the logic of the Security Rule. If you have clear, consistent guidelines for assessing risk and balancing the potential harm to others against the burden of safeguards to yourself, HIPAA becomes much simpler for most of us, at least in terms of its practicality. Learn more about the HIPAA Security Rule by downloading HALOCK’s “Best Guide to the HIPAA Security Rule Ever.” Have more questions? Please feel free to contact us.