5 common questions about HIPAA, answered

2018 saw the federal Office for Civil Rights issue a record-breaking $28 million in fines for HIPAA violations and, judging by how many hospitals, insurance providers, government health departments, nonprofits and more are already under investigation by the HHS, 2019 could be well on its way to topping that record.

Despite the prevalence of news and updates about HIPAA and its many violations, however, questions may still arise about the law's rules and regulations, who it concerns and how violations can be prevented, all of which is necessary knowledge for healthcare providers hoping to avoid legal trouble and hefty fines.

Here are answers to five of the most common questions about HIPAA.

What is HIPAA and who must abide by it?
The Health Insurance Portability and Accountability Act was enacted in 1996 to protect individuals' private health information (PHI) from fraud and theft, among several other health insurance-related policies. Examples of protected information are medical records, conversations between clinicians about an individual's treatment plan and patient billing information.

Entities required to comply with all HIPAA regulations include health insurance companies, government programs like Medicare and Medicaid, most healthcare providers, billing companies, claims processing firms and any company that stores or destroys medical records.

Parties outside the traditional realm of healthcare must comply with HIPAA, too. New software allowing healthcare organizations to transmit patient information using Amazon's voice assistant Alexa is HIPAA-compliant, as is the Uber Health medical transportation service.

What constitutes a HIPAA violation?
HIPAA requires all covered entities to establish safeguards to protect patients' medical information, procedures to limit who can view and access information and training programs to educate employees about protecting the covered information.

Additionally, under HIPAA, patients have the right to ask for a copy of their health records, issue corrections to the records, request reports of how their records have been or will be used and shared and permit or deny the sharing of PHI for marketing and other purposes.

Potential violations of these rules and regulations are investigated by the HHS' Office for Civil Rights if a complaint is filed or an OCR review finds an entity is not in compliance with HIPAA. Noncompliance is determined to be a civil violation if an unintentional breach is found and the entity does not satisfactorily resolve the matter; a criminal violation, meanwhile, occurs when an entity is found to have knowingly disobeyed HIPAA.

What are the most common causes of HIPAA violations?
No matter how many electronic safeguards a covered entity enacts to comply with HIPAA, numerous violations can still occur due to human error. Citations are commonly issued when, for example, devices containing PHI are lost or stolen, patients' photos are shared on social media, unauthorized employees access records out of curiosity or medical records are mishandled.

Read more about 10 of the most common HIPAA-violating forms of human error — and how they can be prevented — here.

What is the most costly HIPAA violation in history?
The largest individual HIPAA settlement was reached in October 2018, when OCR fined health insurer Anthem $16 million. The violation came about, according to OCR Director Roger Severino, because "Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people's private information."

Between December 2014 and January 2015, cyberattackers breached Anthem's system to steal names, Social Security numbers, medical identification numbers, addresses, dates of birth, email addresses and employment information of almost 79 million individuals, in what OCR has called "the largest health data breach in U.S. history."

How could HIPAA change in 2019?
In December 2018, OCR issued a request for input from stakeholders about ways to modify HIPAA to promote value-based healthcare. At the time, the office expressed its desire to update the law to better allow information sharing that will improve care coordination — especially in the case of patients with substance abuse and mental health issues — and patients' ability to access their own PHI.

The public comment period ended on Feb. 11, just days after the American Medical Association issued a letter imploring OCR not to make any concrete rule changes that could potentially endanger patients' privacy. Though OCR has not yet offered any further information about potential HIPAA updates related to this request for input, on April 26, the HHS announced its decision to implement a tiered system of annual fine caps determined by level of culpability, based on a reinterpretation of the existing Health Information Technology for Economic and Clinical Health (HITECH) Act that amended HIPAA in 2009.
