The Role of HIPAA Regulations in Emerging Telehealth Sector

August 17, 2021

#LIVE2.0 #Review

Health Insurance Portability and Accountability Act commonly known as HIPAA Regulations is federal law that focuses on safeguarding the privacy and protecting sensitive patient health information.

Passed in 1996, the United States Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule whereas the HIPAA Security Rule protects a subset of information covered by the Privacy Rule.

Purpose of HIPAA?

HIPAA regulations have two main purposes, first to provide regular health insurance coverage for people who fall under the cyclical unemployment which in result reduces the cost of healthcare and the second aims to counter acts of abuse, fraud and waste in health insurance and healthcare delivery. Both these purposes serve the bigger goal of improving access to long-term care services and health insurance.

Stakeholders Associated with HIPAA Regulations

Healthcare service providers: Any healthcare service provider, regardless of specialization or field of healthcare that leverages communications technology to share patient health information and other transactions including claims, benefit eligibility inquiries, referral authorization requests, etc.

Healthcare plans: Organizations or corporations that provide healthcare insurance or cover the cost of medical care for individuals who qualify. The healthcare plans include general healthcare, dental, vision care, etc. These may include public and private sector entities such as Medicare, Medicaid, etc.

Business Associates: An individual or entity using or disclosing a patient’s health information to perform or provide services which include claims processing, data analysis, utilization review, and billing.

These regulations were put into practice to establish the legal groundwork for the protected health information (PHI). The Department of Health and Human Services (HHS) is the responsible entity that regulates compliance, whereas the Office for Civil Rights (OCR) enforces the compliance and is also responsible for investigating HIPAA violations.

What is Protected Health Information?

Protected Health Information can be defined as anything or any piece of information that contains your Personally Identifiable Information (PII) and your health information.

It is the combination of an individual’s identifying information i.e. name, address, contact details as well as health information such as medical records or insurance information.

Similarly ePHI which falls under the HIPAA Security Rule stands for (electronic protected health information), and is applicable when health information is shared, stored, or accessed electronically.

Why are HIPAA Regulations Important?

Though HIPAA is important for various reasons, its key objective is to ensure the privacy and confidentiality of any and every individual’s sensitive information.

It also provides patients with access to their respective healthcare data while also ensuring its security and safety. Through these regulations the aim is to reduce fraudulent activity while simultaneously improving data systems.

For organizations and healthcare service providers, HIPAA serves as a framework that safeguards access to health information, by specifying who can view, share or who is restricted from accessing or sharing such sensitive information.

The organization dealing with PHI or subcontractors and any other related business associates must have physical security measures intact to be fully compliant.

These regulations are aimed at protecting individuals and providing them with direct access to their personal medical records along with highlighting different rules and measures for any individual or organization that creates, stores, transmits or uses health information.

Organizations and healthcare entities through these regulations will be accountable and will be required to manage health information in complete compliance with the regulations of the HIPAA law.

Efficient processing of health care claims, and reducing excessive paperwork will contribute towards improved business and systems and has the potential to save billions of dollars of taxpayers money, and will contribute towards improved service to providers, insurers, and the public in general.

Measures To Be Taken In Accordance With HIPAA

Administrative requirements: Rules to ensure that the incorporated patient data is correct and accessible to authorized parties and requires formal privacy procedures in a written document.

Assigned a designated executive to monitor and oversee data security and HIPAA compliance.
List of employees that have access to patient data.
Familiarize and train employees regarding the respective organization’s privacy policy
Formal contracts to be signed for outside parties to comply with HIPAA security rules when accessing protected patient data
Maintaining a backup data repository and an emergency mitigation plan in case of natural or man-made disasters that could result in information loss.
Create technical support staff that identifies and addresses complex IT system problems and fixes them.

Physical security requirements: Rules to help organizations prevent physical theft and loss of devices containing patient information.

Placing the computers away from the access of general public, with limited access and secure desks
Restricting access to secure areas, confidential documents by adding a sign in prerequisite for limited or designated authorities
Exercising caution when upgrading or discarding any hardware and software to prevent any loss of information

Technical security requirements: Measures that protect networks and devices from data breach:

Assigned a designated executive to monitor and oversee data security and HIPAA compliance.
List of employees that have access to patient data.
Familiarize and train employees regarding the respective organization’s privacy policy
Formal contracts to be signed for outside parties to comply with HIPAA security rules when accessing protected patient data
Maintaining a backup data repository and an emergency mitigation plan in case of natural or man-made disasters that could result in information loss.
Create technical support staff that identifies and addresses complex IT system problems and fixes them.

HIPAA Privacy Rule Penalties

Under the HIPAA Privacy Rule any healthcare data breach, or failing to provide patients access to their PHI, could result in a fine from OCR. Though the penalties vary based upon the severity of the infraction, the four main categories are:

Violating HIPAA unknowingly amounts to $100 per violation, and an annual maximum amount to $25,000 for repeat violations.

In case a reasonable cause is found for violating HIPAA the fine charged would be $1,000 per violation, and an annual maximum of $100,000 for repeat violations.

If the violation is corrected within a specific period due to willful neglect of HIPAA, the fine charged can amount to $10,000 per violation, and an annual maximum of $250,000 for repeat violations.

Willful neglect of HIPAA and failing to correct the violation can be fined up to $50,000 per violation, with an annual maximum of $1.5 million for repeat violations.

Though there isn’t any no official HIPAA compliance certification, several training companies as well as learning and development training courses offer certification credentials that indicate if an individual has a proper understanding of the rules and regulations specified in the act.

Corporations and companies however can opt for HIPAA compliance training programs where OCR as a direct stakeholder offers guidance through educational programs on complying with privacy and security rules.

Healthcare providers and organizations have the liberty to create and design their own training programs, which focus on the organization’s current HIPAA privacy and security policies, mobile device management (MDM) processes and other applicable guidelines.