
Health Insurance Portability and Accountability Act (HIPAA) of 1996
What is HIPAA?

The main goal of the Health Insurance Portability and Accountability Act is to allow individuals to carry their health insurance from one job to another in order to avoid lapses in coverage (portability).
It also limits the ability of the health plan of a new
employer to exclude coverage on preexisting conditions
when an individual moves from one health plan to
another.
Health Insurance Portability and Accountability Act of 1996
Within the HIPAA law are several rules designed to standardize the electronic exchange of health information and to protect its privacy and security.

These rules fall under a section of the Act known as the Administrative Simplification Subtitle. These rules are:
– Privacy Rule
– Security Rule
– Transactions and Code Sets Standards
– Employer Identifier Standard
– National Provider Identifier Standard
In health care, when we speak of HIPAA, we are
most often referring to the component known as
the Privacy Rule.
Standards for Privacy of Individually Identifiable Health Information
or the
PRIVACY RULE
Privacy Rule
Compliance required as of April 14, 2003
Defines national standards for protecting patients’ health
information.
Addresses use and disclosure of patient’s individual
health information, called protected health information
(PHI).
Provides for protection of patient health information while
allowing for communication of that information necessary
to provide proper patient care.
Privacy Rule
Sets limits and conditions on how patient information may be used
and disclosed
Gives patients rights over their health information, including rights to
examine and obtain a copy of their health records, and to request
corrections
Creates civil and criminal penalties for violations of patients’ privacy
Applies to these persons/groups, known as covered entities:
– Health plans
– Healthcare clearinghouses
– Healthcare providers who conduct certain healthcare transactions (such as claims) electronically
Privacy Rule
Covered entities must:
– establish policies and procedures to safeguard patients’ health
information
– reasonably limit uses and disclosures of health information to the
minimum needed to accomplish the intended purpose
– have contracts in place with their contractors and others (called
business associates) ensuring that they also use and disclose patient
health information properly and safeguard it appropriately.
– have procedures in place to limit who can view and access patient
health information
– implement training programs for employees about how to protect patient
health information.
Privacy Rule
Business Associates
– Individuals or organizations who perform functions for a covered
entity involving protected health information (PHI) but are not a
part of the covered entity’s workforce.
– Examples include:
• Medical transcription companies
• Billing/coding companies
• Release of information companies
• Attorneys, accountants, consultants, reviewers/auditors,
vendors, etc. who perform services for a covered entity and
have access to PHI
Privacy Rule
The Privacy Rule also establishes certain patient rights. Patients
may:
– review and get a copy of their health records
– request corrections to be added to their health information
– receive a notice outlining how health information may be used
and shared
– decide whether or not to give permission before their health
information can be used or shared for certain purposes, such as
for marketing
– get a report on when and why their health information was
shared for certain purposes
– file a complaint if they feel that their information is not being
protected, or if their rights are being denied
Privacy Rule
Protected Health Information
The Privacy Rule protects all “individually identifiable health information,” or protected health information (PHI), in any form (oral, paper, or electronic). This is information, including demographic data, that relates to:
– the individual’s past, present or future physical or mental health or condition
– the health care provided to the individual
– the past, present, or future payment for the provision of health care to the individual
and that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual.
Privacy Rule
De-identified Information
Sharing of de-identified information is allowed under the Privacy Rule. Under the Safe Harbor method, these 18 identifiers of the individual (and of the individual’s relatives, employers, and household members) must be removed in order for information to be considered properly de-identified:
– Names
– All geographic subdivisions smaller than a state (street address, city, county, ZIP code)
– All elements of dates, except year, directly related to the individual (DOB, admission/discharge date, date of death); all ages older than 89 years and dates indicative of that age (such ages may be aggregated into a single category of “90 or older”)
– Telephone numbers
– Fax numbers
– E-mail addresses
– Social Security numbers
– Medical record numbers
– Health plan beneficiary numbers
– Account numbers
– Certificate/license numbers
– Vehicle identifiers and serial numbers, including license plate numbers
– Device identifiers/serial numbers
– Web URLs
– IP addresses
– Biometric identifiers, such as finger and voice prints
– Full-face photos and comparable images
– Any other unique identifying number, characteristic, or code
The Rule also permits de-identification by expert determination, where a qualified expert documents that the risk of re-identification is very small.
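The pattern-based part of the Safe Harbor list can be automated. What follows is an added example, not from the original slides: a Python pass that redacts the identifiers that have a recognisable shape (e-mail, URL, IP address, SSN, phone/fax, medical record number), keeps only the year of any date, and collapses ages over 89 into “90+”. The sample narrative, the redaction tag names and the “MRN nnnnnnn” format are constructed assumptions for the example.

```python
"""Safe Harbor pattern pass over free text.

Added example, not from the slides: applies the de-identification rules
above to clinical narrative text. Direct identifiers with a recognisable
shape (e-mail, URL, IP address, SSN, phone/fax, MRN-style numbers) are
replaced with a tag, dates are reduced to the year, and any age over 89
is collapsed to "90+". Names, addresses, biometrics and free-form
identifiers have no fixed shape and are NOT handled here, so this is a
first filter, not a complete de-identification. All sample text is
constructed for the example.
"""
from __future__ import annotations

import re

MONTHS = ("January|February|March|April|May|June|July|August|"
          "September|October|November|December")

# Dates: keep only the year (Safe Harbor allows the year to remain).
DATE_PATTERNS = [
    re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b"),                 # 03/14/2019
    re.compile(rf"\b(?:{MONTHS})\s+\d{{1,2}},\s+(\d{{4}})\b"),   # March 20, 2019
]

# Ages: anything over 89 becomes the single category "90+".
AGE_PATTERNS = [
    re.compile(r"\b(\d{1,3})[- ](?:year|yr)s?[- ]old\b", re.IGNORECASE),  # 92-year-old
    re.compile(r"\b(?:age|aged)\s+(\d{1,3})\b", re.IGNORECASE),           # aged 93
]

# Direct identifiers with a fixed shape. Order matters: URL before IP so an
# address inside a URL is not counted twice, SSN before PHONE.
ID_PATTERNS = [
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("URL",   re.compile(r'\bhttps?://[^\s<>"]+')),
    ("IP",    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("SSN",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\(?\b\d{3}\)?[-.\s]\d{3}[-.]\d{4}\b")),
    ("MRN",   re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.IGNORECASE)),  # assumed MRN format
]


def deidentify(text: str) -> tuple[str, dict[str, int]]:
    """Return (redacted text, count of each identifier class removed)."""
    counts: dict[str, int] = {}

    def tally(kind: str, n: int = 1) -> None:
        counts[kind] = counts.get(kind, 0) + n

    def year_only(m: re.Match) -> str:
        tally("DATE")
        return m.group(1)

    def cap_age(m: re.Match) -> str:
        if int(m.group(1)) <= 89:
            return m.group(0)          # ages up to 89 may stay as they are
        tally("AGE")
        return m.group(0).replace(m.group(1), "90+", 1)

    for pat in DATE_PATTERNS:
        text = pat.sub(year_only, text)
    for pat in AGE_PATTERNS:
        text = pat.sub(cap_age, text)
    for kind, pat in ID_PATTERNS:
        text, n = pat.subn(f"[{kind}]", text)
        if n:
            tally(kind, n)
    return text, counts


# Constructed sample narrative (fictional patient, reserved example domains and IP).
SAMPLE = (
    "Patient John Smith, MRN 0012345, a 92-year-old male, was admitted on "
    "03/14/2019 and discharged March 20, 2019. Contact: j.smith@example.com, "
    "(555) 123-4567, SSN 123-45-6789. Portal login from 203.0.113.7 via "
    "https://portal.example.org/visit/88 on 3/21/2019."
)

if __name__ == "__main__":
    redacted, removed = deidentify(SAMPLE)
    print(redacted)
    print(removed)
```

Names, street addresses, device serials and anything else without a fixed shape pass straight through, as the untouched patient name in the output shows; a pattern pass is a first filter before a human reviewer or an expert-determination process, not proof of de-identification.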
Security Standards for the Protection of Electronic Protected Health Information
or the
SECURITY RULE
Security Rule
Compliance required as of April 20, 2005
Applies to the security of electronic protected health
information (ePHI).
Addresses security of patient health data in the
administrative, physical, and technical areas
Addresses standards for ensuring that healthcare
systems are only accessible by those with a need to
know.
Security Rule
Covered entities must:
– Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit
– Identify and protect against reasonably anticipated threats to the security or integrity of the information
– Protect against reasonably anticipated impermissible uses or disclosures
– Ensure compliance by their workforce
Security Rule
Covered entities must establish administrative, physical, and technical safeguards to protect ePHI.
Examples of administrative safeguards
– Analyze potential risks to ePHI (risk analysis) and implement security measures to reduce those risks to a reasonable and appropriate level.
– Designate a security official who will implement security policies and procedures.
– Establish policies and procedures that limit access to ePHI to workforce members who need it for their role.
– Authorize and train the workforce in security policies.
– Periodically assess security policies and procedures.
Security Rule
Examples of physical safeguards
– Limitation of physical access to facilities to authorized personnel
– Establish policies regarding proper use of and access to
workstations and electronic media
Examples of technical safeguards
– Access controls: technical policies and procedures allowing only authorized persons to access ePHI (for example, unique user IDs, automatic logoff, emergency access procedures).
– Audit controls: hardware, software, and/or procedures to record and examine access and activity in systems that contain ePHI.
– Integrity controls: measures to ensure that ePHI is not improperly altered or destroyed.
– Transmission security: technical security measures (such as encryption) to guard against unauthorized access to ePHI that is being transmitted over an electronic network.
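The audit-controls bullet above is the safeguard that makes a need-to-know review possible after the fact. Below is an added example, not from the slides: a small Python review of a constructed ePHI access log that flags the snooping pattern in Case Study #2 later on this page (opening a coworker’s record), self-lookups, emergency overrides that still need a documented justification, and any access with no care-team or work-queue assignment behind it. The log schema, the rule names and the reference tables are assumptions for the example; a real EHR has its own export format.

```python
"""Need-to-know review of an ePHI access log.

Added example, not from the slides. The log format, field names and the
reference tables (care-team assignments, which patients are also
workforce members) are assumptions for the example; a real EHR exports
its own schema. All data below is constructed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed audit log, one JSON object per line (assumed schema).
ACCESS_LOG = """\
{"ts": "2024-05-01T08:02:11Z", "user": "nurse_amy", "patient": "P1001", "action": "view_chart", "reason": "treatment"}
{"ts": "2024-05-01T08:15:40Z", "user": "clerk_bob", "patient": "P1002", "action": "view_demographics", "reason": "billing"}
{"ts": "2024-05-01T12:31:05Z", "user": "clerk_bob", "patient": "P1003", "action": "view_chart", "reason": ""}
{"ts": "2024-05-01T13:04:59Z", "user": "nurse_amy", "patient": "P1004", "action": "view_chart", "reason": "break_glass"}
{"ts": "2024-05-01T14:20:00Z", "user": "nurse_amy", "patient": "P1005", "action": "view_chart", "reason": "treatment"}
"""

# Documented relationships: care-team assignments and work queues (constructed).
ASSIGNMENTS = {"nurse_amy": {"P1001"}, "clerk_bob": {"P1002"}}
# Patients who are also workforce members: patient id -> their user name (constructed).
WORKFORCE_PATIENTS = {"P1003": "clerk_carol", "P1005": "nurse_amy"}


@dataclass
class Finding:
    ts: str
    user: str
    patient: str
    rule: str
    detail: str


def review_access_log(log_text: str, assignments: dict[str, set[str]],
                      workforce_patients: dict[str, str]) -> list[Finding]:
    """Return one Finding per rule that each access event trips."""
    own_record = {u: p for p, u in workforce_patients.items()}  # user -> own patient id
    findings: list[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts, user, patient = ev["ts"], ev["user"], ev["patient"]

        def flag(rule: str, detail: str) -> None:
            findings.append(Finding(ts, user, patient, rule, detail))

        # Rule 1: a workforce member opening their own record bypasses the
        # normal patient-access process and is always reviewed.
        if own_record.get(user) == patient:
            flag("SELF_ACCESS", "user opened their own record")

        # Rule 2: a coworker's record gets extra scrutiny (Case Study #2).
        owner = workforce_patients.get(patient)
        if owner is not None and owner != user:
            flag("WORKFORCE_RECORD", f"record belongs to workforce member {owner}")

        # Rule 3: an emergency override is permitted but must be justified
        # afterwards; any other access needs a documented relationship.
        if ev.get("reason") == "break_glass":
            flag("BREAK_GLASS", "emergency override; justification required")
        elif patient not in assignments.get(user, set()):
            flag("NO_RELATIONSHIP", "no care-team or work-queue assignment for this record")
    return findings


def findings_by_user(findings: list[Finding]) -> dict[str, int]:
    """Count findings per user, a simple prioritisation for the security official."""
    out: dict[str, int] = {}
    for f in findings:
        out[f.user] = out.get(f.user, 0) + 1
    return out


if __name__ == "__main__":
    for f in review_access_log(ACCESS_LOG, ASSIGNMENTS, WORKFORCE_PATIENTS):
        print(f"{f.ts} {f.user:10} {f.patient} {f.rule:16} {f.detail}")
```

The two accesses with a matching assignment produce nothing; the coworker lookup trips two rules at once, which is the signal a reviewer would follow up first. Break-glass events are reported rather than blocked because the Security Rule expects an emergency access procedure to exist; the review makes sure each use was justified.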
Privacy and Security Rules – What’s the Difference?
There is a close relationship between the goals of the Privacy Rule and the Security Rule. Privacy cannot be fully enforced without proper security measures.
The security standards outlined in the Security Rule define the
administrative, physical, and technical safeguards that
covered entities must implement in order to protect
confidentiality of ePHI as well as prevent unauthorized access
or alteration of that information.
The Privacy Rule addresses how PHI may be used and
disclosed, as well as outlining patients’ rights with regard to
access and disclosure of their health information.
Who Monitors Compliance?
The Office for Civil Rights (OCR), a division of the
Department of Health and Human Services (HHS), is
responsible for monitoring compliance of the Privacy
Rule and the Security Rule, investigating complaints of
violations, and imposing fines.
All other rules under the Administrative Simplification
Subtitle are monitored and enforced by the Centers for
Medicare and Medicaid Services (CMS).
Health Information Technology for Economic and Clinical Health Act
or the
HITECH ACT
HITECH ACT
Effective as of February 17, 2010
The American Recovery and Reinvestment Act of 2009 (ARRA) was signed into law February 17, 2009. Within this economic stimulus package was funding to provide health information technology incentives and to develop the infrastructure to move toward adoption of an electronic health record (EHR). This portion of the bill is called the Health Information Technology for Economic and Clinical Health Act, or HITECH Act.
HITECH ACT
With the adoption of the HITECH Act comes an increase in the transfer of electronic protected health information (ePHI). The Act helps to establish a set of standards for exchange of health information, reduce costs, reduce errors, and strengthen the already-established Privacy and Security Rules (for example, through breach notification requirements and increased penalties).
HITECH Act
IMPACT OF HITECH ON HIPAA
Under the HITECH Act, business associates are now REQUIRED to adhere to the same standards and procedures outlined in the Privacy Rule and Security Rule, just as covered entities are.
A business associate agreement (BAA) must be made with the covered entity ensuring that they will comply.
Independent contractors, vendors, etc., who work for a business associate of a covered entity and have access to PHI and ePHI are also considered business associates and must sign a business associate agreement as well. This is a change from the original Privacy Rule, and extends liability and culpability for violations to business partners as well as the covered entities.
Civil Penalties for Noncompliance (Before HITECH)
$100 per violation
Maximum of $25,000 per year, per identical violation
Penalties Under the HITECH Act
Civil penalties are now placed into 4 categories (tiers).
– A violation where the person did not know (and by
exercising reasonable diligence would not have
known)
– violation due to reasonable cause and not to willful
neglect
– violation due to willful neglect (corrected within 30
days)
– violation was due to willful neglect (not corrected)
Penalties Under the HITECH Act
For the lowest tier – “if the covered entity did not know and with the exercise of reasonable diligence would not have known of the violation” – there is now a penalty imposed, whereas previously there was not.
Civil Penalties (After HITECH)
With this new legislation, there is now a 4-tiered structure for civil penalties:

Violation category                                          Minimum penalty   Maximum penalty   Annual limit (for each
                                                            per violation     per violation     year of the violation) **
Individual did not know (and by exercising reasonable
diligence would not have known) of the HIPAA violation      $100              $50,000           $25,000
Due to reasonable cause and not due to willful neglect      $1,000            $50,000           $100,000
Due to willful neglect but violation is corrected
within 30 days                                              $10,000           $50,000           $250,000
Due to willful neglect and not corrected within 30 days     $50,000           $50,000           $1,500,000

** Annual limits effective April 30, 2019 (HHS Notice of Enforcement Discretion). Previous interpretation of the Enforcement Rule set the maximum annual limit at $1.5 million for ALL tiers. The amounts shown are the base figures; HHS adjusts them annually for inflation.
Types of Criminal Penalties
WRONGFUL DISCLOSURES
– “Knowingly obtain or disclose” PHI
– Fine of not more than $50,000 per offense
– Prison term not more than one year

FALSE PRETENSES
– Fine of not more than $100,000
– Prison not more than five years

INTENT TO SELL, TRANSFER, OR USE
– Fine of not more than $250,000
– Prison term not more than ten years

Criminal violations are prosecuted by the Department of Justice.
WHO MUST COMPLY
Under the HITECH Act, it is no longer just the covered entities that must comply but also any business associates. These are any persons, subcontractors, vendors, or organizations who perform functions for the covered entities where protected health information (PHI) is accessed.
Covered entities AND business associates are liable for any civil or criminal violations.
BUSINESS ASSOCIATE AGREEMENT
Covered entities must obtain a business associate agreement with any business associate (an outside contractor with access to PHI).
The agreement must contain language establishing the guidelines for accessing PHI; prohibiting unauthorized access, use, and disclosure; and requiring the business associate to establish policies and procedures to safeguard PHI as well.
WORKPLACE
SECURITY
MEASURES
Workplace Security
– Shred any documents containing PHI (census forms, etc.)
– Do not print reports
– Keep antivirus software up to date
– For shared computers, each user must have an individual user name and password for computer access
– For individual computers, no one else is to be allowed to use your computer
– Do not send PHI via e-mail unless it is encrypted
– Password protect your computer
– Lock your computer when you leave it
– Screens showing PHI should not be visible to others
E-mail and Fax
The Privacy and Security Rules do not expressly prohibit the use of e-mail and faxes to send PHI. The HITECH Act, on the other hand, does outline safeguards that should be employed when using these methods.
E-mail and Fax
Fax
– Fax machines should not be located in public areas
– Notify recipient that fax is on its way, and then confirm receipt
– A cover sheet must be used including a privacy statement indicating that
the information contained in the fax is confidential, intended for the
recipient only, and the sender to be notified if the fax is received by the
wrong person.

E-mail
– If patient information must be shared over e-mail, then it should be
encrypted.
– A privacy statement must be included for all e-mails containing PHI,
similar to the fax cover sheet.
A secure workstation is essential, no matter if
you work in an office or work at home.
TRANSACTIONS AND CODE SETS STANDARD
Transactions and Code Sets
A transaction is an electronic exchange of information between parties, for example when a physician’s office submits a claim to an insurance company.
Under HIPAA, if a covered entity conducts one of these transactions electronically, it must use the adopted transaction standards and code sets.
Code sets exist for diagnoses, procedures, and drugs; separate standards exist for employer and provider identifiers.
Transactions and Code Sets
Examples of code sets
– The HCPCS (Ancillary Services/Procedures)
– CPT-4 (Physicians Procedures)
– CDT (Dental Terminology)
– ICD-10 (Diagnosis and Hospital Inpatient Procedures, previously ICD-9)
– NDC (National Drug Codes)
The above are the adopted code sets for procedures, diagnoses, and drugs.
EMPLOYER IDENTIFIER STANDARD
Employer Identifier Standard
The Employer Identification Number (EIN) is a standard national identifier for employers and is issued by the IRS.
The EIN is a 9-digit number with the first 2 digits separated by a hyphen: 12-3456789.
Under the HIPAA rule, all employers must have an EIN for identification on standard transactions.
Effective date for use of the EIN was July 30, 2002.
Employer Identifier Standard
Employers need to use the EIN when enrolling/removing employees from the group health plan.
Health plans use the EIN to identify the employer on insurance claims.
NATIONAL PROVIDER IDENTIFIER STANDARD
National Provider Identifier Standard
The National Provider Identifier (NPI) is a unique 10-digit number used to identify covered health care providers (covered entities under HIPAA).
The NPI is used by covered providers, health plans, and healthcare clearinghouses in electronic administrative and financial transactions.
Numbers are unique and do not carry any information that would additionally identify the provider, such as state, specialty, etc.
National Provider Identifier Standard
The NPI has replaced the unique provider identification number (UPIN) formerly used by Medicare.
NPIs issued beginning October 2006.
Compliance date for use of only the NPI was May 23, 2007.
Healthcare providers must apply for an NPI and may obtain an individual and/or group NPI. Residents, interns, and even medical students are eligible to obtain an NPI.
CASE STUDIES
CASE STUDY #1
You work in the admissions office in a hospital. You notice that a friend of yours has been admitted, so you stop by your friend’s room to “check in on her.”
CASE STUDY #1 (cont’d)
This is a breach of the patient’s privacy and an abuse of your access to information at the hospital. If your friend had informed you of her admission and invited you to visit, that would not be a breach; however, this is not the case in this situation.
CASE STUDY #2
You work in your hospital’s medical records department. You have heard rumors about a coworker’s health. You look at your coworker’s medical record to see what is going on.
CASE STUDY #2 (cont’d)
Of course, this is a breach. You are not accessing this information on a need-to-know basis within the scope of your job; you are simply satisfying your curiosity. This is not authorized access to the patient’s health information, and it is exactly the kind of access that audit logs are reviewed for.
CASE STUDY #3
You are a transcriptionist, and you find yourself transcribing a report about someone you know. You learn that this person has a substance abuse problem and they are seeking treatment for this.
CASE STUDY #3 (cont’d)
Simply transcribing the report is NOT A BREACH. You are a transcriptionist, and you are acting within the scope of your job in transcribing this report.
If you were to divulge any of this information to anyone, including the patient, then this would be a breach.
CASE STUDY #4
You have a home-based position as a healthcare documentation specialist, and you have access to hospital records systems and patient data on your computer. When you are not working, you let your kids do their homework on your computer.
CASE STUDY #4 (cont’d)
This is a breach. As your work computer is used to access and/or store PHI, it must only be used by you and never anyone else. It must be password protected, be locked when you leave your desk, and must not use file sharing.
Additional Resources
Privacy Rule (Final Rule) – Office for Civil Rights
– http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/prdecember2000all8parts.pdf
Security Rule (Final Rule) – Office for Civil Rights
– http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf
HITECH Act Enforcement Interim Final Rule – Office for Civil Rights
– http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/enfifr.pdf
Summary of the Privacy Rule – Office for Civil Rights
– http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf
Additional Resources
Nicholls, Kathy. Stedman’s Guide to the HIPAA Privacy & Security Rules. Baltimore, Maryland: Lippincott Williams & Wilkins, 2011.
US Department of Justice – HIPAA
– http://www.justice.gov/olc/hipaa_final.htm
Office of the Federal Register – Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties
– https://www.federalregister.gov/documents/2019/04/30/2019-08530/notification-of-enforcement-discretion-regarding-hipaa-civil-money-penalties
