What is HIPAA?

First enacted in 1996, the Health Insurance Portability and Accountability Act or HIPAA is a federal law that sets privacy standards to protect your health plans, medical records, and other private health information (PHI). As technology has changed and information has become more accessible, there have been many revisions to HIPAA, including Privacy and Security Rules to prevent PHI theft and tampering. Regulation and protection of your protected health information, health plans, and medical transactions are key to ensuring patients get the healthcare they need and deserve.

There are several reasons why the Health Insurance Portability and Accountability Act is important, but it all comes down to privacy and confidentiality of protected health information. Since more of our health information is being stored online, HIPAA privacy rules provides a framework that safeguards who has access to that data, while also restricting who it can be shared with. Any organization dealing with PHI must have security measures in place to be compliant.

Having a basic understanding of HIPAA Privacy Rules can be relevant to many careers—including information technology, data security, nursing, health information management, and more—as it forms the basis for how many organizations hold, transfer, and maintain sensitive information.

HIPAA is divided into five sections, also known as titles, that address the requirements and basic protections patients and organizations are afforded under the law. 

Title I: HIPAA Health Insurance Reform

Title I contains requirements that help people keep their health insurance when they lose or change jobs so they don't have a lapse in coverage.

Title II: HIPAA Administrative Simplification

This title includes the Privacy Rule, which sets standards for the use and disclosure of an individual’s PHI, such as health status, treatment, and payment for healthcare. This applies to all forms of PHI, including paper copies and electronic data. It also sets strict penalties for violations against the HIPAA requirements. 

Title III: HIPAA Tax Related Health Provisions

Title III provides for certain deductions for medical insurance and makes other changes to health insurance law.

Title IV: Application and Enforcement of Group Health Plan Requirements

Title IV applies to health insurance companies and addresses issues such as how they have to treat pre-existing conditions. 

Title V: Revenue Offsets

This title covers HIPAA provisions related to company-owned life insurance and treatment of individuals who lose U.S. citizenship for income tax purposes, and repeals the financial institution rule to interest allocation rules.

Nearly all healthcare providers, health plans, and healthcare clearinghouses are considered to be “HIPAA Covered Entities” (CEs). Normally, these are organizations that come into contact with PHI on a regular basis.

Examples of CEs include doctors, nurses, psychiatrists, nurses clinics, pharmacies, and certain healthcare providers—but only if they transmit PHI electronically.

HIPAA Compliance requires adherence to a set of security measures regulated by HHS and enforced by the Office for Civil Rights (OCR). Companies that handle PHI must have these security measures in place and follow them to ensure HIPAA compliance.

There are two primary groups responsible for complying with HIPAA: Covered Entities and Business Associates. Most CEs have direct contact with patients, while Business Associates don’t have direct contact with patients but do have access to their PHI. Some examples of Business Associates include collections agencies, IT consultants, billing companies, and web hosts.

HIPAA outlines the following compliance categories, also known as rules, for CEs and Business Associates:   

The Privacy Rule: establishes national standards for the protection of certain health information and makes sure any individually identifiable information is safe. 

The Security Rule: mandates the security of electronic medical records (EMR). Unlike the Privacy Rule, the Security Rule addresses the technical aspects of protecting EHI. 

Transactions and Code Sets Standards: requires organizations to follow a standard mechanism of electronic data interchange (EDI) when processing or submitting insurance claims.

Unique Identifiers Rule: requires every healthcare entity to have a unique identifier code for communications and transactions. 

When it comes to the rules above, IT professionals, such as health information managers or security specialists, can play a significant role in performing HIPAA compliance functions to ensure their organizations are in adherence to the rules. 

Any breach in an organization’s compliance program that compromises PHI is considered a HIPAA violation. Some examples include: 

• Sending PHI to the wrong patient
  
• A cyberattack or hack, including malware incidents or ransomware attacks 
• Stolen smartphones, laptops, or USB devices
• An office break-in where medical records are stolen 
• A breach of electronic health records 

HIPAA violations can be extremely expensive, ranging from $100 to $50,000 per violation, with a maximum penalty of $1.5 million per year. They can also carry criminal charges that result in jail time. 

While the HHS regulates compliance, the Office for Civil Rights (OCR) enforces compliance. However, different entities can assist OCR in the enforcement of HIPAA, including the Centers for Medicare and Medicaid Services (CMS), the U.S. Food and Drug Administration (FDA), and the Federal Communications Commission (FCC).

The OCR investigates all data breaches reported by Covered Entities and Business Associates if they impact more than 500 individuals. Based on their investigation, they decide if the Covered Entity or the Business Associate of a covered entity was in compliance with the HIPAA security and privacy rule. If the organization is in violation, the OCR can then decide whether to take corrective action and/or a resolution agreement.   

Organizations can help lower their risk of HIPAA violations by having the right professionals in place to ensure healthcare data is secure and accessible. Cybersecurity analysts, ethical hackers, health information managers—all of these jobs play an important role in an organization’s security and enforcing HIPAA rules and regulations.

If you’re interested in exploring any of these career paths, WGU’s online degree programs in information technology management and health information management programs are a great place to start.