HIPAA stands for the Health Insurance Portability and Accountability Act. If you’re not familiar with HIPAA, or you haven’t spent a lot of time in the healthcare industry, you may not realize that spelling “HIPAA” wrong is a running joke. Most people, especially in IT, will have some story about a consultant or vendor delivering a report or sending emails with HIPAA spelled wrong. Just remember it’s not like “hippo” - there’s only one “P”.
What’s interesting about the acronym “HIPAA” is that the “P” in HIPAA does not stand for “privacy” and the “I” does not stand for “information”. It’s interesting because the general perception of HIPAA, which is accurate, is that its main purpose is to “protect” health “information”. The reason for this perception is that protecting health information is essential to avoiding financial penalties for breaches and non-compliance with HIPAA.
While much of HIPAA, especially as it is enforced by compliance officers at large healthcare organizations to avoid financial risk, is about securing data and not releasing it unless authorized, HIPAA also sets rules around how data is exchanged between systems and how authorizations are done to allow for access to individual medical records.
The one other essential acronym with HIPAA is PHI. PHI stands for Protected Health Information. PHI is often referred to as “personal health information”, which is an accurate description of PHI. PHI is simple - it’s the combination of a personal identifier (name, DOB, SSN, IP address, email, etc) with some health-related data (condition, medication, lab, encounter, health payment, etc).
The spirit of HIPAA is simple -
- to secure and protect personal health information and
- to enforce standards for electronic transactions in healthcare.
Organization of this tutorial
We adopted this tutorial at Visible Health because we wanted something that we could distribute to all new hires to give them a crash course on HIPAA. While it’s true there are plenty of HIPAA training options, both free and paid, most are not created for employees of modern health technology vendors. As a technology company talks to customers and prospects, it inevitably gets asked the same questions about HIPAA time and time again.
Each section below has multiple subsections, and we provide links to additional resources at the end. There are exercises sprinkled throughout, which are meant to force you to actively engage and to break up the passive nature of the training.
Why all the fuss about HIPAA
Well, for three key reasons:
1. It is the right thing to do
2. The cloud
With an increasing move to this amorphous entity called the cloud, with its associated technical complexities, security and privacy guidelines / standards need to be put into place.
3. There are heavy penalties for violating it.
If the Office of Civil Rights finds an organization to be in violation, the following actions may take place:
- Voluntary compliance;
- Corrective action; and/or
- Resolution agreement.
There are monetary penalties associated with HIPAA violations, and the penalty amounts were raised considerably last year as part of the HIPAA Omnibus Rule included in the HITECH Act. The current financial penalties are listed below. Before these new rules, the fine associated with each HIPAA violation was capped at $25,000. This cap is now $1.5 million per violation.
| Violation Category - Section 1176(a)(1) | Each Violation | All such violations of an identical provision in a calendar year |
|---|---|---|
| A. Did not know | $100-$50,000 | $1,500,000 |
| B. Reasonable Cause | $1,000-$50,000 | $1,500,000 |
| C.i. Willful Neglect - Corrected | $10,000-$50,000 | $1,500,000 |
| C.ii. Willful Neglect - Not Corrected | $50,000 | $1,500,000 |
In certain extreme HIPAA cases, individuals can be exposed to criminal risk as well. When criminal action is involved with HIPAA, the OCR hands the case off to the Department of Justice. Individuals are at risk of criminal enforcement and penalties if they “knowingly” obtain, disclose, or use PHI “in violation” of HIPAA rules. You can read a very detailed legal opinion on what constitutes criminal vs. civil liability in the case of HIPAA. There is a lengthy discussion of the terms “knowingly” and “in violation” in that document, which is why we put them in quotes.