The answer is HIPAA. HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. The confusing acronym can sometimes be misspelled HIPPA, even by healthcare professionals.
In the U.S., HIPAA gives patients more control over their health information and sets boundaries about using and releasing their records. Aside from this, it sets out appropriate safeguards to ensure that healthcare providers and others protect personal health information.
Read on if you’ve been asking yourself, “What is HIPAA (or HIPPA)?”
What does HIPAA stand for? Or is it HIPPA?
That confusing acronym, HIPAA, stands for the Health Insurance Portability and Accountability Act of 1996, which is United States legislation that sets data privacy and security provisions for safeguarding medical information, such as medical records and other identifiable health information.
Does HIPAA apply to me?
HIPAA applies to covered entities, which are:
- A healthcare provider, such as doctors, clinics or pharmacies
- A health plan, such as health insurance companies, HMOs and company health plans
- A healthcare clearinghouse, which processes nonstandard health information it receives from another entity into a standard
Business associates, such as partners, are third parties that a covered entity can designate to perform certain functions or activities on its behalf that involve the use of PHI (protected health information). Some examples include:
- A third-party administrator that assists a health insurer with claims processing
- An attorney whose services involve access to PHI
- An email encryption provider like Paubox
HIPAA’s five sections (titles)
- Title I protects health insurance coverage for individuals who lose or change jobs and also prevents group health plans from denying or limiting certain coverages.
- Title II gives the U.S. Department of Health and Human Services the power to establish national standards for the health care industry when processing electronic transactions. It also requires health care organizations to secure electronic access to health data to remain in compliance.
- Title III includes tax-related provisions and guidelines for medical care.
- Title IV further defines health insurance reform, including provisions for individuals with pre-existing conditions and those seeking continued coverage.
- Title V includes provisions on company-owned life insurance and treatment of those who lose their U.S. citizenship for income tax purposes.
Most of the news coverage about HIPAA violations is in reference to HIPAA Title II, in particular the sections that contain the requirements for HIPAA compliance and securing patient health data.
However, an undervalued piece of HIPAA Title II is the set of additional provisions covering HIPAA transactions that were added in 2010 by the Affordable Care Act (ACA).
Known as HIPAA Administrative Simplification, these provisions were meant to simplify the business side of healthcare. This is key to interoperability and to making sure organizations of all sizes within the health care system can work from the same standards.
Six rules of HIPAA you need to know
- Privacy Rule (2003): covers the protection of PHI as well as compliance standards
- Security Rule (2005): sets required security standards to protect ePHI (electronic PHI)
- Enforcement Rule (2006): provides a general guide for compliance, investigation and penalties for violations
- HITECH Act (2009): promotes the adoption and meaningful use of technology in healthcare
- Breach Notification Rule (2009): sets the procedures for reporting breaches
- Final Omnibus Rule (2013): incorporates HITECH further by improving privacy protections
Do I need a BAA for HIPAA compliance?
Whenever a business associate handles PHI on your behalf, it’s important to have a business associate agreement (BAA) signed to ensure the third party is taking the correct steps to meet the requirements of HIPAA compliance.
HITECH Act and the Omnibus Rule
In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law to promote the adoption and meaningful use of technology in health care.
The related incentives, requirements, and regulations have been extremely impactful, and health care is still trying to keep pace. Built within the HITECH Act are stipulations that technologies do not violate HIPAA rules.
The HIPAA Omnibus Rule was put in place by HHS in 2013 to modify HIPAA in accordance with guidelines set by the HITECH Act concerning the responsibilities of business associates of covered entities. It also increased penalties for HIPAA compliance violations to a maximum of $1.5 million per incident.
How do I avoid HIPAA violations?
HIPAA violations can prove quite costly for health care organizations.
At its simplest, a HIPAA violation is when a covered entity does not maintain appropriate safeguards to prevent the intentional or unintentional use or disclosure of PHI, according to the guidelines in the HIPAA Privacy Rule.
Costs can include covered entities and any affected business associates notifying patients following a data breach. In addition to the notification costs, there are any fines levied by the Office for Civil Rights (OCR) after HIPAA violations are reviewed.
The HIPAA violation fines themselves can reach $1.5 million and include jail time if there are criminal charges related to the violations.
Avoiding violations requires planning. Covered entities and business associates can mitigate risks by making sure staff go through HIPAA compliance training programs. Consultants can also come on board to make sure the correct processes are in place to avoid and deal with any breaches.
How software can help you stay HIPAA compliant
Although there’s no official seal of approval or certification program for HIPAA compliance, there are a lot of companies that offer credentials that show an organization has taken the right steps to meet the requirements of HIPAA.
HITRUST for HIPAA is the compliance gold standard for the healthcare industry. In fact, more than 85 percent of U.S. health insurers, 80 percent of U.S. hospitals, and hundreds of other covered entities and business associates leverage the HITRUST Approach in their HIPAA compliance initiatives.
As technology continues to become a part of healthcare, there are always going to be new potential places for a breach to occur. But by keeping in mind HIPAA rules, all organizations can be sure they are doing their best to protect PHI.
What does HIPAA stand for? Or is it HIPPA?
The correct acronym is HIPAA. To avoid the hassle of HIPAA email compliance, join the Paubox community and get peace of mind by securing your outbound email, so you can send simple emails to patients and covered entities with no guesswork or frustration.