April 29, 2024 At Abyde, it’s clear that we eat, live, and breathe HIPAA. Let’s take a trip down memory lane as we start this new week. HIPAA has become a staple in championing patient’s rights, but how did we get here? Gather your compass and maps because it’s time to set sail on a compliance cruise because we’re exploring the beginnings of HIPAA. Blast to the Past: The Beginnings of HIPAA We’re going back in our time machine to the 90s. The digital revolution was starting in a time of grunge and oversized flannels. From trading cassettes for shiny CDs to the sweet, sweet sound of screeching dialup, the 90s were defined by innovation. As we were (slowly) getting connected online, so were Covered Entities (CE). As the internet became more common, so did ePHI, or electronic Protected Health Information. Health information went digital, so it was time for some federal rules. Enter HIPAA! HIPAA, or the Health Insurance Portability & Accountability Act, was signed into law on August 21, 1996, by Bill Clinton. HIPAA, or the Kennedy Kassebaum Act, provides the privacy and rights of patients’ data. But hold onto your hats! This was only the beginning of HIPAA legislation. The Privacy Rule: Keeping it Quiet Coming into effect in April of ’03, the Privacy Rule established the standards to protect the privacy of PHI, limiting how PHI is shared. This rule boils down to sharing the bare minimum information. In this, the Minimum Necessary standard is put in place. The Privacy Rule requires that only essential and necessary information is shared regarding taking care of a patient. There are some times when this standard doesn’t apply, including: The Privacy Rule also establishes the Right to Access, giving patients power over their medical records. This lets patients get their medical records fast! The Right of Access, under the Privacy Rule, usually requires patients to receive their medical records within 30 days. Some states are even quicker! The Security Rule: Keeping it Secure Not too long after, the HIPAA Security Rule came into play in April 2005. The Security Rule establishes how the ePHI needs to be protected. This rule sets the standards for all the safeguards to keep patients’ information safe. The categories of safeguards are: The Breach Notification Rule: Keeping it Transparent Fast forward a few years, and HIPAA throws another punch for patient privacy – the Breach Notification Rule! This one landed in September 2009; however, the government was still figuring out the rollout of HIPAA enforcement between the Security and the Breach Notification rules. Monetary penalty enforcement officially began in 2006, but a significant piece still needed to be added to protecting patient data. With all this data protection, patients needed to know if something went wrong, right? That’s where the Breach Notification Rule kicks in. The Breach Notification Rule defines what a small (>500) and significant (<500) breach is and how patients need to be notified when their information is compromised. Patients deserve to understand the scope of what’s going on with their data! The notification should explain the breach, what information was potentially exposed, and how individuals can protect themselves. For the OCR, it all depends on how many people were affected. So, even though a BA might not be working with a patient, the business still has to keep their PHI under lockdown! Omnibus Rule: Keeping it Clear Fast forward to 2013. The final HIPAA Omnibus Rule was created to clarify further and strengthen HIPAA regulations. Some of the new updates included: What’s next? Over the last 30 years, the HHS has updated best practices under HIPAA, ensuring patient data is appropriately secure as innovations arise. Some of the latest guidance released includes marketing tracking tips and significant changes to 42 CFR Part 2. Want to make sure you’re up to date on the latest of all things HIPAA? See the latest on our blog and social media!