The Brief History of HIPAA: How We Got Here and Why it Matters

April 29, 2024

At Abyde, it’s clear that we eat, live, and breathe HIPAA. Let’s take a trip down memory lane as we start this new week. 

HIPAA has become a staple in championing patient’s rights, but how did we get here? 

Gather your compass and maps because it’s time to set sail on a compliance cruise because we’re exploring the beginnings of HIPAA. 

Blast to the Past: The Beginnings of HIPAA 

We’re going back in our time machine to the 90s. The digital revolution was starting in a time of grunge and oversized flannels. From trading cassettes for shiny CDs to the sweet, sweet sound of screeching dialup, the 90s were defined by innovation. As we were (slowly) getting connected online, so were Covered Entities (CE). As the internet became more common, so did ePHI, or electronic Protected Health Information.

Health information went digital, so it was time for some federal rules. Enter HIPAA! 

HIPAA, or the Health Insurance Portability & Accountability Act, was signed into law on August 21, 1996, by Bill Clinton. 

HIPAA, or the Kennedy Kassebaum Act, provides the privacy and rights of patients’ data. But hold onto your hats! This was only the beginning of HIPAA legislation. 

The Privacy Rule: Keeping it Quiet

Coming into effect in April of ’03, the Privacy Rule established the standards to protect the privacy of PHI, limiting how PHI is shared. This rule boils down to sharing the bare minimum information.  

In this, the Minimum Necessary standard is put in place. The Privacy Rule requires that only essential and necessary information is shared regarding taking care of a patient.

There are some times when this standard doesn’t apply, including: 

  • Medical payments
  • Treatment
  • Written Authorization

The Privacy Rule also establishes the Right to Access, giving patients power over their medical records. 

This lets patients get their medical records fast!  The Right of Access, under the Privacy Rule, usually requires patients to receive their medical records within 30 days. Some states are even quicker! 

The Security Rule: Keeping it Secure

Not too long after, the HIPAA Security Rule came into play in April 2005. The Security Rule establishes how the ePHI needs to be protected. This rule sets the standards for all the safeguards to keep patients’ information safe. The categories of safeguards are: 

The Breach Notification Rule: Keeping it Transparent

Fast forward a few years, and HIPAA throws another punch for patient privacy – the Breach Notification Rule!

 This one landed in September 2009; however,  the government was still figuring out the rollout of HIPAA enforcement between the Security and the Breach Notification rules. 

Monetary penalty enforcement officially began in 2006, but a significant piece still needed to be added to protecting patient data. 

With all this data protection, patients needed to know if something went wrong, right? 

That’s where the Breach Notification Rule kicks in. The Breach Notification Rule defines what a small (>500) and significant (<500) breach is and how patients need to be notified when their information is compromised.

Patients deserve to understand the scope of what’s going on with their data! The notification should explain the breach, what information was potentially exposed, and how individuals can protect themselves.

For the OCR, it all depends on how many people were affected. 

  • Breaches impacting less than 500 people must be reported to the OCR within 60 days of the end of the year. 
  • Breaches impacting more than 500 must be reported within 60 days of the event. 
  • States also might have reporting requirements for state-level departments.

So, even though a BA might not be working with a patient, the business still has to keep their PHI under lockdown! 

Omnibus Rule: Keeping it Clear

Fast forward to 2013. The final HIPAA Omnibus Rule was created to clarify further and strengthen HIPAA regulations. Some of the new updates included: 

What’s next? 

Over the last 30 years, the HHS has updated best practices under HIPAA, ensuring patient data is appropriately secure as innovations arise. 

Some of the latest guidance released includes marketing tracking tips and significant changes to 42 CFR Part 2

Want to make sure you’re up to date on the latest of all things HIPAA? See the latest on our blog and social media

 

 

RECENT POSTS

Related posts

Ransomware HIPAA Fines
Fines, HIPAA

The Price of Neglect: Ransomware Fines Hit Healthcare Practices

November 7, 2024 No comments yet

November 7, 2024 Healthcare practices felt quite a scare on Halloween, with over half a million dollars in fines levied on medical practices. These practices were fined for not taking the necessary precautions against ransomware breaches. The two practices impacted on this day of significant fines include Plastic Surgery Associates of South Dakota in Sioux Falls (PSASD), a multi-location organization, and the Bryan County Ambulance Authority (BCAA), an Oklahoma emergency medical services provider. PSASD was fined $500,000, and BCAA was fined $90,000. These significant fines are just the precipice of the future of healthcare breaches, with ransomware breaches increasing 264% since 2018. What Happened? Major ransomware attacks unfortunately impacted both of these healthcare providers. For PSASD, a breach was discovered that infected nine workstations and two servers in July 2017. This breach impacted over ten thousand patients, putting their data at risk. The malicious actors utilized trial and error to hack into the organization’s system. The data was unable to be restored. The investigation revealed significant gaps in their compliance program, including a missing Security Risk Analysis, inadequate policies and procedures for data handling and breach reporting, and insufficient training. This $500,000 penalty also includes two years of monitoring by the Office For Civil Rights (OCR). For the BCAA, its ransomware attack began in November 2021, but wasn’t reported until May of the following year. After a breach, depending on the severity, you must notify the OCR within 60 days. Since this breach impacted over 14,000 patients or over 500 people, it is considered a large breach. Similar requirements, such as a Security Risk Analysis, adequate policies, a risk management plan, and other safeguards, were missing as found in this investigation. It’s $90,000 fine includes a Corrective Action Plan as well. Protecting Your Practice from Ransomware Ransomware attacks will continue to affect our healthcare system. Although complete immunity is impossible, there are many precautions you can take to protect your practice. Implementing the right technical safeguards, such as firewalls, antivirus software, and a qualified IT team is crucial. Additionally, you can streamline your HIPAA compliance by using intelligent software solutions that help identify your compliance needs unique to your practice. In the event of an attack, these solutions can also guide you on how to respond effectively. To learn more about these smart solutions, meet with a compliance expert today.

Patient Record Access HIPAA Fine
Abyde News, Fines, HIPAA

Expensive Oversight: The Importance of Timely Patient Record Access

October 24, 2024 No comments yet

October 24, 2024 There has been a flurry of HIPAA fines in the past few weeks, with over half a million dollars levied in the last month.  Just one example is Gums Dental Care, LLC, a small dental practice in Maryland that was fined for a Right of Access violation. Right of Access violations, which involve failing to provide medical records in a timely manner, are a common HIPAA mistake. Another violation for this was issued in August.   What Happened?  A patient requested her medical records from Gums Dental on April 8, 2019. After not receiving them, she issued a complaint to the OCR in May 2019. The OCR contacted Gums Dental Care for technical assistance and believed the case was over.  This was just the beginning. This case spanned years, with a second complaint filed in August 2019 and the OCR sending several data requests through letters and calls to Gums Dental.  On October 1, 2020, the OCR sent Gums Dental a proposed resolution agreement and corrective action plan. At the end of the month, Dr. Gums wanted to present her case in front of a judge, believing the patient would commit Medicaid fraud with her records. She also said that the complainant didn’t pay a $25 administrative fee to release the medical records through mail. First, patients should always have access to their medical records, regardless of their reasons. Second, the fee would be waived if the patient requested it digitally, not through mail.   In December 2020, the OCR issued a Letter of Opportunity to Gums Dental. At the beginning of the next year, Dr. Gums once again justified her refusal to provide the records since she believed her patient would commit a crime with them. She also believed her website wasn’t secure enough to send them digitally. However, Gums Dental didn’t attempt to send the records at all.  By the time the Notice of Proposed Determination was sent in March 2022, roughly three years after the first medical record request, Gums Dental faced a Civil Monetary Penalty fine as high as $7,676,692. However, the OCR ultimately levied a $70,000 fine, recognizing the smaller size of the dental practice.    How to Protect Your Practice Common HIPAA fines often involve Right of Access violations. At the federal level, practices are required to provide patients with their medical records within 30 days, and some states have an even shorter timeline. Navigating these unique regulations can be challenging, so having an intelligent solution is crucial. Smart software can streamline compliance for your practice by generating policies and procedures tailored to your needs. These solutions also include access to a team of compliance experts who can help answer your questions and ensure that you are interacting with patients in a HIPAA-compliant manner.  To learn more about software solutions, with a compliance expert here.   

HIPAA Guide for Dermatologists
Abyde News, Best Practices, HIPAA

The Dermatologist’s Ultimate Guide to HIPAA Compliance

October 22, 2024 No comments yet

October 22, 2024 Did you know that a dermatology center was fined over $300,000 for violating HIPAA?  HIPAA compliance is not always top of mind when managing your dermatology practice. Administrative tasks can easily take a back seat with a focus on diagnosing and treating skin conditions. Nevertheless, it’s crucial to prioritize HIPAA compliance.  Discover what steps you need to take to ensure the safety of your dermatology practice.   What’s Protected Health Information?  Protected Health Information (PHI) is sensitive data that can personally identify a patient. Examples of PHI include a social security number, birth date, medical records, and even images of skin ailments for dermatologists.  These images can contain personally identifiable information, such as tattoos and unique birthmarks.  When working with patients, it’s crucial to ensure all images and other forms of PHI are encrypted and protected behind essential safeguards to secure patient information.   Social Media 101s When sharing images of your patient’s treatment, such as before-and-after images of acne treatment, it’s important to do so compliantly. While you might think you’re sharing a feel-good story, patient images are considered Protected Health Information (PHI), and sharing them without consent could violate their privacy.  You need the patient’s signed media consent form to share these images and patient reviews on social media compliantly. This form ensures that the patient understands and agrees to use their image and treatment details being shared with the public.    Improper Disposal The largest dermatology HIPAA fines, totaling over $300,000, were imposed due to improper disposal. Some states have even stricter laws regarding discarding old patient files, which must be retained for at least six years on a federal level. These files also need to be encrypted throughout the creation to disposal process.  When getting rid of sensitive information, ensure it is shredded and properly disposed of. Partner with a disposal company specializing in medical paperwork and waste and have a Business Associate Agreement in place.   How Software Solutions Can Help Dermatology helps patients feel comfortable in their own skin, both literally and figuratively. Implementing the appropriate safeguards to protect patients’ data is just as important. By utilizing smart software, you can see where your dermatology practice stands and what you need to do to be compliant. To learn how you can protect your dermatology practice, schedule a consultation with an expert.   

Are you prepared for OSHA's Workplace Violence Prevention requirements? Learn what you need to do to be compliant.

DOWNLOAD CHECKLIST
X