For health care data providers and other such services, complying with the specific laws governing the type of data your business relies on is of the utmost importance. These laws, complex though they may be, are in place for a reason – and often, these regulations are as much to protect you as they are to protect the consumers.
Enter HIPAA. HIPAA is perhaps one of the most dense sets of compliance and regulations standards that health care data providers could imagine, which makes it all the more important to understand, as it forms the cornerstone of medical data protection in the United States. While the regulatory and compliance topics are indeed complex, adhering to them can be very simple, and in many cases, so easy to implement that not doing so is as damning as willfully choosing to break them.
But first, before we can dive into what all of these regulations actually mean, we have to dig a bit deeper into what HIPAA is, where it came from, and why it’s necessary. In this, the first piece of our multipart series called “The Ultimate Primer for HIPAA Compliance”, we’re going to discuss the history of HIPAA, and the reasons it came into being. We’ll discuss its application in modern data management, and the punitive measures that it packs to guarantee enforcement.
The History of HIPAA
Though HIPAA governs all aspects of medical data management from paper to digital, the actual cause for its creation was heavily rooted in the new computerized systems of the 1990’s. Faced with the looming threat of an untrained workforce working with medical records no longer stored in bulky folders behind locked doors, but instead of small devices capable of fitting into the palm of your hand, legislators saw a need for medical data reform.
As part of this need, it was also recognized that standards as to the management of health care data were extremely lax. As identity theft became more and more of a problem, the same fears relating to medical data applied to identity data, making providers worried over adopting the new, easy to use and extremely portable data formats that were coming into vogue.
With such a sea change, something had to be done. The United States Congress quickly began drafting a new piece of legislation that would be called the Health Insurance Portability and Accountability Act. The Act would set standards regarding not only the security of health information, but the portability of this data and the establishment of methodologies to ensure compliance.
President Bill Clinton signed the bill into law in 1996, creating a complex series of regulations concerning such diverse topics as “when to generate patient data” to “how employees keep medical insurance after losing employment”. While the legislation was signed in 1996, the actual punitive aspects had a rather slow rollout to allow for training and education to reach a proper stage.
Further revisions came in the following years. In 1999, HIPAA’s Privacy Rule was instituted, and the Transaction and Code Sets Final Rule in 2000 followed. That same year, the Security Rule and the establishment of the Provider Identifiers Rule was put into place. Finally, in 2006, HIPAA was fully completed with the implementation of the Enforcement Rule, governing punitive measurements for non-compliance.
The HIPAA Titles
HIPAA is roughly spread over five basic core features, known as “Titles”. These Titles dictate specific functions, laws, and regulations concerning HIPAA-covered data and entities.
Title I is the Title that protects healthcare for workers who lose their employment benefits. In most states, this is referred to as COBRA, and with its establishment, a prohibition on group health plans denying individuals for pre-existing conditions and specific diseases or disorders was also put into place. Lifetime coverage limits were also removed at this time, allowing for a greater range of services and benefits.
Title II followed, and set in motion the establishment of the U.S. Department of Health and Human Services’ national standards rules. These rules would govern the processing of electronic health information, and would require secure access rules and patient rights to free access.
Title III was primarily focused on tax provisions, establishing a wide range of tax laws governing the health system. More important, this Title also focused on guidelines for medical care. This was the “reform” aspect of this legislation, joined in part by Title IV, which included individual provisions for pre-existing conditions and continuing coverage.
Finally, Title V was established to govern company-owned and mandated medical coverage, life insurance, and how they must function. This Title also oversaw how US citizens who relinquish their rights for tax purposes are treated within the system, and how they go about their tax situation.
HIPAA Violations - Punitive Measures
HIPAA is serious business – one of the many reasons it’s so well known and, honestly feared, is that that it has a bevvy of punitive measures to ensure compliance. While these measures aren’t nearly as bad as many people seem to think they are, they are still bad news – and in cases of major HIPAA violations, are bad enough to stop a business in its tracks.
When there’s a violation of HIPAA law, the first thing that happens is that a patient or a patient advocate lodges a complaint. This complaint is pushed to the Office for Civil Rights, who has been granted authority under HIPAA to not only process that complaint, but to investigate it to the full extent of the law.
The OCR will first investigate based upon written complaints filed by the affected parties. If they find merit to investigate, they will conduct an official investigation to ascertain whether or not the Privacy Rule was violated. If the law has been violated, fines are extremely hefty.
If an individual of a group didn’t know they violated HIPAA, the law is rather forgiving. The first fine levied may be as low as $100, or as high as $50,000. If that sounds extreme, consider this – after being told of the violation, if the same violation is committed in the same calendar year, the fine increases to $1.5 Million USD. If there is a reasonable cause and not willful neglect, but the party at hand knew it was a violation, the initial fine is somewhat increased, but still reasonable, ranging from $1,000 to $50,000.
Willful neglect is extreme. $10,000 to $50,000 is the first time fine if the fault is corrected. If not, the fine is $50,000. All of these fines increase to $1.5 Million USD for repeat offenses.
A Simple Matter of Economics
The simple fact here is that not complying with HIPAA is as expensive as complying. Compliance can often be done for basically no cost with free government training resources, and even if an investment is required, a few thousand to train your staff in data handling versus paying a $1.5 Million USD fine is an obvious economic choice.
We hope this has served as an effective beginning to our HIPAA guide. In our next part, we will dive into exactly what HIPAA standards are, and how they govern data destruction specifically. As you read through this series, please reference back to this first piece and keep in mind that failing to choose the proper tools and failing to adhere to the law can not only harm your patients – it can dramatically harm your bottom line.