Why Was HIPAA Created? A Brief History of the HIPAA Law

HIPAA law is used in every pharmacy, medical office, health insurance company, and more. But did you know that the original goal of HIPAA was not to protect electronic patient information at all?

How did HIPAA evolve into the laws that govern our protected health information? Why was HIPAA created, if not to hold providers accountable for patient privacy?

Read on to discover the fascinating history of how our legal system has used HIPAA to adapt to the changing face of digital information.

Why Was HIPAA Created?

Though we know that the HIPAA of today deals with governing health privacy regulations, privacy was not the original intent of the HIPAA law.

President Clinton signed the Health Insurance Portability and Accountability Act into law on August 21, 1996. Its stated purpose was to “improve the portability and accountability of health insurance coverage” for workers who changed or lost their jobs. Other titles of the act targeted waste, fraud, and abuse in health insurance and health care delivery.

HIPAA also created tax-advantaged medical savings accounts, limited the exclusion of pre-existing conditions from group health coverage, and set out to simplify health insurance administration.

The law’s Administrative Simplification provisions (Title II) directed HHS to standardize electronic health care transactions, which pushed the industry toward converting patient records to digital form. Congress gave itself three years to pass privacy legislation for those records and instructed HHS to issue privacy regulations if it did not. Congress never acted, so the move to electronic records arrived together with a mandate to protect them.

The Evolution of Medical Privacy Laws

After HIPAA became law, the Department of Health and Human Services (HHS) issued the first Privacy and Security Rules. The Privacy Rule, whose compliance date for most covered entities was April 14, 2003, defined protected health information (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual.”

The Privacy Rule governs the use and disclosure of PHI on a national scale. Although a young law, HIPAA permanently changed the rights of patients and the way providers share information about them.

The rule permits covered entities to use and disclose PHI for treatment, payment, and health care operations without asking, but requires the patient’s written authorization before PHI is shared for marketing, most research, or fundraising beyond the narrow uses the rule allows. Patients also gained the right to see and correct their records, to receive an accounting of certain disclosures, and to request restrictions on disclosures, including keeping care they pay for themselves from being reported to their health insurer.

Digital Security in HIPAA

In April 2005, compliance with the Security Rule became mandatory for most covered entities (small health plans were given another year). The Security Rule deals specifically with electronic PHI (ePHI), requiring safeguards to protect digital health records.

The Security Rule groups its requirements into three categories of safeguards: administrative, physical, and technical.

Administrative safeguards are the policies and procedures that run the security program: a documented risk analysis and risk management process, assignment of a security official, workforce training and sanctions, incident response procedures, a contingency plan, and periodic evaluation. Physical safeguards control physical access to facilities, workstations, and devices and media that store ePHI, including how hardware is reused and disposed of. Technical safeguards are the technology and its configuration: access controls such as unique user identification and automatic logoff, audit logging of activity in systems containing ePHI, integrity controls, person or entity authentication, and transmission security for ePHI sent over electronic networks.

The Enforcement Rule

Covered entities were given long lead times to reach compliance. Even so, uneven adoption of HIPAA policies led HHS to issue the Enforcement Rule, effective March 2006.

Enforcement is the tool that allows HHS, through its Office for Civil Rights (OCR), to investigate complaints and conduct compliance reviews. Under the Enforcement Rule, civil money penalties can be levied against entities that fail to implement the safeguards the law requires.

Penalties are tiered by the entity’s level of culpability. A violation that did not stem from willful neglect and is corrected within 30 days of the entity learning of it can avoid a civil penalty altogether; violations due to willful neglect that are not corrected within 30 days fall into the highest tier. Criminal cases, for knowingly obtaining or disclosing PHI in violation of the law, are referred to the Department of Justice. HIPAA itself gives individuals no private right of action: a harmed patient can file a complaint with OCR, and may in some states sue under state privacy or negligence law, but cannot sue under HIPAA directly.

Additional Provisions

HIPAA’s reach expanded again in 2009 with the Health Information Technology for Economic and Clinical Health Act, or HITECH, enacted as part of the American Recovery and Reinvestment Act. HITECH funded and promoted the adoption and meaningful use of electronic health records (EHRs), and made business associates directly subject to the Security Rule.

HITECH also led to the Breach Notification Rule. Covered entities and their business associates must notify affected individuals, and HHS, when unsecured PHI is breached. A breach affecting 500 or more individuals must be reported to HHS within 60 days of discovery, and to prominent media outlets when it affects more than 500 residents of a state; smaller breaches are logged and reported to HHS annually. PHI that was encrypted in line with HHS guidance is considered secured, so its loss does not trigger notification.

In 2013, HHS issued the Final Omnibus Rule to fill gaps between HITECH and the existing HIPAA rules. The Omnibus Rule amended several aspects of HIPAA and modernized its language to cover technological advances and gray areas.

Among its impacts, the Omnibus Rule made business associates and their subcontractors directly liable for compliance, tightened the definition of a reportable breach (an impermissible use or disclosure is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised), and restricted the sale of PHI and its use in marketing. In practice it drove covered entities to revisit encryption of ePHI at rest and in transit, secure disposal of electronic media, mobile device policies, breach notification procedures, and record retention.

The Omnibus Rule also put HITECH’s tiered penalty structure into effect, with a cap at the time of $1.5 million per year for all violations of a single provision.

HIPAA Compliance Auditing

The Office for Civil Rights began a pilot audit program in 2011 to measure how well covered entities were actually complying with the rules. The results, reported in 2012, made it clear that HIPAA violations were still widespread, with the Security Rule accounting for most findings and many entities unable to produce a current risk analysis.

As a result, OCR created guidance and programs to help providers reach full compliance and later launched a second phase of audits that included business associates. With the penalties put in place by the Omnibus Rule, covered entities risk civil money penalties, corrective action plans under OCR supervision, and lawsuits by state attorneys general, who were authorized by HITECH to enforce HIPAA. Individuals who knowingly obtain or disclose PHI in violation of the law can face criminal prosecution.

Thanks to the Omnibus Rule, organizations that had spent years out of compliance are now taking action. New software, encryption tools, and secure communications standards are making it easier for covered entities to follow compliance procedures and protect PHI.

The Omnibus Rule also creates a financial incentive to invest in compliance: the cost of security technology is far lower than the cost of a penalty and the breach response that comes with it. Meanwhile, OCR continues to refine its audit procedures to ensure entities remain compliant.

Protecting Patient Health Information

Why was HIPAA created?

For more than twenty years, the law has protected the privacy and well-being of individuals whose health information is held by covered entities. It protects the health of Americans while keeping their statutory right to health privacy in step with the information age. Our privacy needs are always changing to match the advances of digital technology.

Without HIPAA, PHI could be used without patient consent in research, sales, and more. HIPAA may serve as a model for how we handle personal data on platforms such as social media in the future. As our digital reach expands, so too must the laws that govern our rights as citizens.

Do you want to know more about how HIPAA compliance impacts you or your workplace? Visit the HIPAA Compliance Security Blog for more information today.
