At Abyde, it’s clear that we eat, live, and breathe HIPAA. Let’s take a trip down memory lane as we start this new week.
HIPAA has become a staple in championing patient’s rights, but how did we get here?
Gather your compass and maps because it’s time to set sail on a compliance cruise because we’re exploring the beginnings of HIPAA.
Blast to the Past: The Beginnings of HIPAA
We’re going back in our time machine to the 90s. The digital revolution was starting in a time of grunge and oversized flannels. From trading cassettes for shiny CDs to the sweet, sweet sound of screeching dialup, the 90s were defined by innovation. As we were (slowly) getting connected online, so were Covered Entities (CE). As the internet became more common, so did ePHI, or electronic Protected Health Information.
Health information went digital, so it was time for some federal rules. Enter HIPAA!
HIPAA, or the Health Insurance Portability & Accountability Act, was signed into law on August 21, 1996, by Bill Clinton.
HIPAA, or the Kennedy Kassebaum Act, provides the privacy and rights of patients’ data. But hold onto your hats! This was only the beginning of HIPAA legislation.
The Privacy Rule: Keeping it Quiet
Coming into effect in April of ’03, the Privacy Rule established the standards to protect the privacy of PHI, limiting how PHI is shared. This rule boils down to sharing the bare minimum information.
In this, the Minimum Necessary standard is put in place. The Privacy Rule requires that only essential and necessary information is shared regarding taking care of a patient.
There are some times when this standard doesn’t apply, including:
- Medical payments
- Treatment
- Written Authorization
The Privacy Rule also establishes the Right to Access, giving patients power over their medical records.
This lets patients get their medical records fast! The Right of Access, under the Privacy Rule, usually requires patients to receive their medical records within 30 days. Some states are even quicker!
The Security Rule: Keeping it Secure
Not too long after, the HIPAA Security Rule came into play in April 2005. The Security Rule establishes how the ePHI needs to be protected. This rule sets the standards for all the safeguards to keep patients’ information safe. The categories of safeguards are:
- Administrative Safeguards: The first line of defense. This includes measures like the Security Risk Analysis and thorough training.
- Physical Safeguards: Alarms, locks, and access logs keep ePHI safe, creating safety barriers.
- Technical Safeguards: Encryption, multi-factor authentication, and antivirus software are all standard practices that keep digital information under wraps.
The Breach Notification Rule: Keeping it Transparent
Fast forward a few years, and HIPAA throws another punch for patient privacy – the Breach Notification Rule!
This one landed in September 2009; however, the government was still figuring out the rollout of HIPAA enforcement between the Security and the Breach Notification rules.
Monetary penalty enforcement officially began in 2006, but a significant piece still needed to be added to protecting patient data.
With all this data protection, patients needed to know if something went wrong, right?
That’s where the Breach Notification Rule kicks in. The Breach Notification Rule defines what a small (>500) and significant (<500) breach is and how patients need to be notified when their information is compromised.
Patients deserve to understand the scope of what’s going on with their data! The notification should explain the breach, what information was potentially exposed, and how individuals can protect themselves.
For the OCR, it all depends on how many people were affected.
- Breaches impacting less than 500 people must be reported to the OCR within 60 days of the end of the year.
- Breaches impacting more than 500 must be reported within 60 days of the event.
- States also might have reporting requirements for state-level departments.
So, even though a BA might not be working with a patient, the business still has to keep their PHI under lockdown!
Omnibus Rule: Keeping it Clear
Fast forward to 2013. The final HIPAA Omnibus Rule was created to clarify further and strengthen HIPAA regulations. Some of the new updates included:
- Business Associates (BAs) Definition: Not so fast, Business Associates! This Final Rule established a clear rule on who BAs were and made them directly accountable for mishandling PHI.
- Business Associate Agreements (BAAs): BAAs are written and personalized contracts between CEs and BAs, ensuring each party is on the same page regarding protecting PHI and establishing liability.
- Increased Patient Rights: Now, patients can request documents electronically.
- Enforcement Penalties: The costs of violations got even higher, with maximum fines going into the millions.
What’s next?
Over the last 30 years, the HHS has updated best practices under HIPAA, ensuring patient data is appropriately secure as innovations arise.
Some of the latest guidance released includes marketing tracking tips and significant changes to 42 CFR Part 2.
Want to make sure you’re up to date on the latest of all things HIPAA? See the latest on our blog and social media!