Health Insurance Portability and Accountability Act (HIPAA)

PURPOSE

The Health Insurance Portability and Accountability Act (HIPAA) was enacted to make health insurance more available for individuals who change jobs, combat abuses in the health care system, and simplify the administration of health insurance. The act also aims to protect privacy by creating requirements for how personal medical information may be used and disclosed, increasing the security and confidentiality of stored health information, and establishing uniform standards for transmitting health information electronically.

HISTORY

HIPAA was passed in 1996, and rules enforcing HIPAA’s provisions were released thereafter. The first regulations came out in 2000, instituting the Privacy Rule (concerning appropriate uses and disclosures of health information). The Privacy Rule was amended in 2002. The second set of regulations came into force in 2003, establishing the Security Rule, which introduced measures for maintaining the confidentiality of electronic health information. HIPAA was amended in 2009 by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which extended the requirement to implement security standards to business associates and established new provisions for notification of security breaches. In 2013, modified HIPAA rules were released—largely in response to the Genetic
Information Nondiscrimination Act of 2008 (GINA) and the HITECH Act.

APPLICABILITY TO BYU–HAWAII

The requirements of HIPAA apply to all “covered entities” and their business associates. A covered entity is defined as (1) a health plan, (2) a health care clearinghouse, or (3) a health care provider that transmits health information electronically to carry out financial or administrative activities related to health care. A business associate is a person who is not part of the covered entity’s workforce who provides services to a covered entity and deals with a covered entity’s protected health information. In hybrid entities (organizations where the entire entity would not be subject to HIPAA if it were separated into parts), only the parts of the entity that would be considered covered entities or business associates by themselves are subject to HIPAA requirements.

HIPAA applies to Brigham Young University because its Health Services is a provider of medical or health services, and transmits health information electronically to carry out financial or administrative activities related to health care. The BYU–Hawaii Student Medical Benefit is also covered by HIPAA. For BYU–Hawaii to be considered a hybrid entity, the university must designate Health Services and any other components of the university that fall under HIPAA as the health care component of the university, and keep a written record of this designation. Only those designated components need to comply with HIPAA rules, but they are also prohibited from sharing protected health information with components of
the university that are not part of the health care component.

REQUIREMENTS

Title I of HIPAA imposes requirements regarding health insurance coverage and access. Title II, known as the administrative simplification provisions, imposes requirements related to the privacy and security of protected health information.

Preexisting Conditions

Under HIPAA, a group health plan may not exclude someone from health insurance coverage due to a preexisting condition if the person seeking coverage received no diagnosis or treatment for that condition in the six months before enrolling in a new health plan. This limitation on preexisting condition exclusions has been amended and enhanced by the Affordable Care Act, which prohibits any exclusion from coverage due to preexisting conditions for both individual and group health plans.

Transmission of Electronic Health Information

HIPAA establishes uniform standards for transmitting health care information electronically.
When conducting certain transactions, covered entities must use data code sets, which are codes for encoding data elements like medical diagnoses and procedures. Covered entities and business associates are required to use the standard code sets to send and receive information in the following transactions:

• Health claims, attachments to health claims, and the status of health claims;
  
• Enrolling in or withdrawing from a health plan;
  
• Transactions regarding eligibility for a health plan;
  
• Advice on health care payment and remittance;
  
• Payments for health plan premiums and any other electronic funds transfers;
  
• The first report of an injury; and
  
• Referral certifications and authorizations.

Covered entities have the option of either sending the data according to the standards or using the services of a health care clearinghouse to encode and send the data in the standard code sets.

Health Information Security

HIPAA requires covered entities and business associates to implement certain security measures to maintain the safety of electronic protected health information (PHI) and protect it against security threats and unauthorized disclosures. Covered entities must also include a requirement to comply with the security rules in any business associate agreements. Those subject to HIPAA must also ensure their employees comply with the security rules.

PHI is any health information created or received by a covered entity that identifies (or reasonably could identify) an individual; PHI may include the following information:

• Demographic information (such as name, address, birthdate, and social security number),
• Information regarding an individual’s past, present, or future physical or mental health
  
• condition,
  
• Information about health care provided to the individual, and
  
• Information about health care payments.

Importantly, PHI does not include education records covered by FERPA, employment records, or student medical records used only in connection with treatment. Additionally, PHI is only protected for fifty years after an individual’s death.

Some of the security measures outlined in HIPAA are “addressable” rather than “required,” meaning

implementation is optional based on an entity’s size, needs, and capabilities (see Appendix A). However, if an entity chooses not to implement an addressable standard, it must document why implementation was not reasonable and appropriate and must subsequently implement an equivalent alternative measure, if appropriate.

Personnel Designations and Training

Covered entities and business associates must designate a privacy official and a security official, who are responsible for developing and implementing policies and procedures related to the security and privacy of PHI. Additionally, HIPAA requires an entity to train all members of its workforce on its policies and procedures regarding PHI within a reasonable time after hiring and within a reasonable time after implementing material changes to its policies and procedures.

Recordkeeping

Entities subject to HIPAA must keep records showing their compliance and make those records available for review by the U.S. Department of Health and Human Services (HHS) if requested. Both covered entities and their business associates must document the policies and procedures they use in order to comply with HIPAA requirements and must retain written records of those policies and procedures as well as compliance activities for at least six years from each document’s creation.

Permitted Disclosures of PHI

A covered entity may use or disclose PHI for treatment or payment purposes, or for other uses with proper authorization from a patient. A business associate may use or disclose PHI only as outlined in its business associate agreement or as required by law. Both covered entities and business associates are required to disclose information to individuals or to HHS when requested. Any disclosures of PHI must be limited to the minimum amount of data and to the minimum number of people necessary.

To be valid, a patient authorization to disclose PHI must include at least the following elements:

• A description of the information to be disclosed;
  
• The name(s) of the people authorizing the disclosure and to whom the information may be
  
• disclosed;
  
• The purpose of the disclosure;
  
• An expiration date/event on the authorized disclosure;
  
• The signature of the individual or their representative and date;
  
• Notice that the individual may revoke the authorization in writing;
  
• Notice that the information disclosed may potentially be re-disclosed by the recipient, and
  
• A statement describing if the covered entity may condition treatment, payment, enrollment, or benefit eligibility on whether the individual signs the authorization and the consequences of not signing.

Written authorization is generally required when PHI is disclosed in the form of psychotherapy notes or marketing communications sent by the covered entity and when PHI is sold.

In contrast, written authorization is not required for disclosures of PHI made for the following purposes:

• Disclosures required by law;
• Public health activities;
• Reports of child abuse, neglect, or domestic violence;
• Health oversight activities;
• Judicial and administrative proceedings;
• Law enforcement;
• Information needed about a deceased person;
• Organ or tissue donation;
• Research (if waiver of consent is approved by institutional review board or other appropriate body);
• Aversion of a serious threat to health or safety;
• Specialized government functions; or
• Workers compensation.
  

Under the exception for public health activities, student immunization records can be disclosed directly from covered entities to schools in a state where proof of immunization is required for enrollment, so long as agreement for the disclosure—which can be oral—is obtained and documented.

Additionally, covered entities may disclose PHI without the patient’s consent in some emergency situations when the patient cannot consent and disclosure is in the patient’s best interest. When the individual becomes able to object, the health care provider must inform the individual of the disclosure and give him or her an opportunity to object.46 Other disclosures of PHI without the individual’s consent may be made to family members or close friends who are involved in paying for treatment. A covered entity may disclose PHI to its business associates. However, the covered entity must have arrangements with the business associate to protect PHI. An appropriate arrangement could be a contract or other agreement. A covered entity may use some limited parts of an individual’s PHI to contact the individual for fundraising purposes. Each fundraising communication must include an opportunity to easily opt out of receiving further fundraising communications.

Prohibited Disclosures of PHI

Regardless of whether it receives authorization, a covered entity or business associate may not disclose genetic information to a health plan for underwriting purposes. Genetic information is defined as an individual’s genetic tests, the individual’s family members’ genetic tests, the manifestation of a disease in the individual or his or her family, as well as requests for genetic services or participation in research which includes genetic services.

Accountability to Patients for PHI

If requested, a covered entity must provide individuals with a written accounting of any PHI disclosures made to third parties within the past six years that were not authorized by the individual or necessary to carry out treatment, payment, and health care operations. The written accounting must include the date of disclosure, name of recipient, description of information disclosed, and the purpose. If the entity maintains electronic records, it only has to provide the last three years of disclosures upon request by the patient, but these disclosures must include information about disclosures during normal treatment and payment operations.

Covered entities must make appropriate amendments to PHI and other records if an individual requests amendment. However, if the information was not created by the covered entity, is not part of the record set, is not normally available to the patient for inspection, or is determined to already be accurate and complete, the covered entity may deny the individual’s request. If a request to amend the record is refused, the individual must be allowed to add a statement of disagreement to their record. Additionally, covered entities must grant individuals’ requests to place restrictions on the disclosure of PHI to a health plan if the disclosure is to carry out payment or health care operations and if the PHI pertains to a service or item for which the individual has paid the entity in full.

When individuals request access to their PHI, the covered entity must provide it to them in the form and format the individual requests, if readily producible, or in a readable hard copy.

However, if an electronic form is requested which cannot be readily produced, the alternative form must also be electronic. Individuals may request that their PHI be electronically transmitted to another person through a signed writing

All requests for access to PHI must be acted on within thirty days of receiving the request.65 If it is not possible to respond to a request within thirty days, a one-time extension of up to thirty days is possible as long as the covered entity gives a timely and written explanation of the delay and a date when the request will be fulfilled.

Notice of Privacy Practices

A covered entity must provide individuals with a written notice of privacy practices (NPP) that describes how it uses and discloses PHI. The notice is required to contain the following header: “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.” Additionally, the notice must contain the following information:

• Sufficiently detailed description and at least one example of the situations in which the covered
• entity can disclose PHI for treatment, payment, and health care operations;
• Sufficiently detailed description of when the covered entity can disclose PHI without authorization;
• Description of disclosures requiring authorization (psychotherapy notes, marketing, sale of PHI);
• Statement that other uses and disclosures will be made only with written authorization;
• Statement that the individual may revoke an authorization;
• Statement of individual’s right to request restrictions on uses and disclosures of PHI, including a
• Statement that the covered entity is not required to agree to the restriction unless the PHI relates to health care the individual paid for completely out of pocket;
• Statement of individual’s right to receive confidential communications of PHI, inspect and copy PHI, amend PHI, receive an accounting of disclosures of PHI, and receive a paper copy of the notice;
• Statement that the covered entity is required by law to maintain the privacy of PHI, provide individuals with notice of its legal duties and privacy practices, and notify individuals following a breach of PHI;
• Statement that the covered entity is required to abide by the terms of the notice currently in effect;
• Statement that individuals may complain, without the risk of retaliation, if they believe their rights have been violated and a description of how to file a complaint;
• Contact information of a person to contact for more information; and
• Effective date of the notice.

A covered entity that engages in fundraising, discloses PHI to a health plan sponsor, or uses PHI for underwriting purposes must inform individuals about and describe those activities in the privacy notice. For covered entities that contact individuals for fundraising purposes, the notice must state that individuals may opt out of receiving fundraising communications. Health plans also must include in the notice a statement that genetic information about an individual cannot be used during the underwriting process.

The NPP must be provided to any person upon request and, if a covered entity has a website, be prominently posted on the website. Health plans are required to provide their NPP to new enrollees and notify covered individuals how to obtain the NPP at least every three years.

Health care providers that have a direct treatment relationship with patients need to post the NPP in a prominent place at the site where health care is delivered. A summary of the NPP can be posted instead if it is accompanied by the full NPP in a place where it can be taken by individuals without having to ask for a copy from a receptionist or other employee. Health care providers are also required to provide a copy of the NPP to new patients. In all cases except for emergency treatment, the health care provider must make a good faith attempt to obtain written acknowledgment from the patient that he or she received the NPP. If this acknowledgment is not obtained, the covered entity must document the efforts made to obtain it and the reason it was not obtained.

When an NPP is materially revised, a health plan must prominently post the change on its website and distribute information in the next annual mailing. Likewise, a health care provider must promptly post a revised NPP at its physical service site and have the notice available for patients.

Breach Notification

A breach is defined as the acquisition, access, use, or disclosure of PHI in a way that violates the Privacy Rule, and which compromises the security or privacy of the PHI. The acquisition, access, use, or disclosure of PHI is presumed to be a breach unless a covered entity or business associate demonstrates—using a four-factored risk assessment—that it is improbable that PHI has been compromised. Breaches must be reported to individuals affected without unreasonable delay and within sixty calendar days of the breach’s discovery.84 Breach notifications must include the following information:

• A description of what happened;
• The date of the breach;
• The date the breach was discovered;
• A description of the type of information that was compromised
• What the individual should do to protect himself or herself,
• What the covered entity is doing to investigate, mitigate harm, and prevent future breaches, and,
• Contact information for individuals to ask questions about the breach.

If the breach involves more than 500 people, it must also be reported to HHS contemporaneously with the notification to individuals and to prominent media outlets in the state within sixty days. Breaches involving less than 500 people must be recorded in a log, and HHS must be notified of these breaches annually within sixty days after the end of each calendar year in which they were discovered. Covered entities and business associates must be able to demonstrate that all required notifications were made.

Breach notifications may be delayed if a law enforcement official states that the breach would interfere with a criminal investigation or damage national security. If this is expressed orally, the delay may be a maximum of thirty days. Notifications may be delayed longer than thirty days if a law enforcement official makes a written statement that includes the length of the required delay.

Enforcement

HIPAA has a tiered system of monetary penalties for violations, and the penalties increase depending on the nature and extent of the violation and the harm caused. The least serious level of violation is “did not know,” if the covered entity did not know about the violation, and would not have learned of it through reasonable diligence. The next level is “reasonable cause,” for actions or omissions the covered entity knew, or would have known with reasonable diligence, were a violation of the rules. The third level is “willful neglect,” which is an intentional failure to follow or reckless indifference to the rules.

In all cases except willful neglect, the penalty will be waived if the violation is corrected within thirty days of when the person legally responsible for the violation found out about the failure to comply. For violations due to willful neglect, the minimum penalty will be reduced if the problem is corrected within thirty days. In determining the amount of a penalty, the Secretary of HHS will consider many factors.

COMPLIANCE CALENDAR

Health plans are required to notify covered individuals how to obtain the NPP at least every three years. In the case of a breach of PHI, a covered entity must notify individuals, HHS, and the media according to the deadlines set forth in the section above entitled “Breach Notification.”