There is a lot of information to know about HIPAA and how to stay compliant. Here's what information needs to be protected, and how to make sure you're protecting it.
All personal healthcare data is legally protected under rules that were put in place to respect patient privacy when it comes to their medical records. This wasn’t always the case: HIPAA wasn’t enacted until 1996, when it was signed into law by President Bill Clinton. It was put in place to protect the privacy and confidentiality of a patient’s health data. It also was meant to help employees stay insured even when they were between jobs.
But even though violating HIPAA comes with some serious consequences, complaints of mishandled information keep rising. The number of HIPAA complaints filed each year has increased every year since 2016, reaching 28,261 complaints in 2019. We’re going to cover what HIPAA stands for, who needs to follow it, what the consequences are for breaking it, and common terms.
What does HIPAA stand for?
The phrase “Health Insurance Portability and Accountability Act” is quite a mouthful, so it’s shortened to simply “HIPAA.” As we mentioned, HIPAA is the legislation in place to ensure that health data is kept private and secure. The law was the first of its kind to set national standards for how protected health information could be handled and transmitted electronically. It’s extremely important that any company that needs to be HIPAA compliant acts accordingly.
Who needs to be HIPAA compliant?
Essentially any company that handles protected health information is bound by HIPAA, so if you think your business needs to be HIPAA compliant, it probably does. According to the Department of Health and Human Services, those who need to be HIPAA compliant are:
- Health plans: These include health maintenance organizations, company health insurance plans, and government healthcare like Medicare and Medicaid.
- Health care clearinghouses: These are organizations that collect and process information like billing services and management systems.
- Health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Secretary under HIPAA, such as electronic billing and fund transfers. These include nursing homes, pharmacies, laboratories, chiropractors, and more.
- Business Associates: These business associates are considered any vendor or subcontractor that handles protected health info in service of the covered entities listed above.
By that definition the list is very long: it includes everyone from dentists, psychologists, family doctors, and specialists to pharmacies, and even the businesses that support those entities.
What information must you protect to be HIPAA compliant?
The Privacy Rule under HIPAA covers all “individually identifiable health information” that can be held or transmitted, according to DHHS. That health information can be about a current or former health condition. The rule also covers the care given to the patient or payments they’ve made. All of this applies to identifiable health information; if the information is de-identified, then the HIPAA restrictions don’t apply.
Below is a list of the 18 identifiers that make health information protected under HIPAA, according to HIPAA Journal:
- Names
- Dates (except year)
- Telephone numbers
- Geographic data
- Fax numbers
- Social Security numbers
- Email addresses
- Medical record numbers
- Account numbers
- Health plan beneficiary numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers including license plates
- Web URLs
- Device identifiers and serial numbers
- Internet protocol addresses
- Full face photos and comparable images
- Biometric identifiers
- Any unique identifying number or code
Common HIPAA compliance strategies for various communication channels
In general, one of the safest ways to ensure HIPAA compliance is to not share any PHI on unsecured channels. This can be done by simply keeping personal information out of any correspondence and pointing patients to a secure portal instead.
“The Privacy Rule requires that covered health care providers apply reasonable safeguards when making these communications to protect the information from inappropriate use or disclosure. These safeguards may vary depending on the mode of communication used,” according to DHHS. The Privacy Rule applies to all protected health information. The Security Rule is the rule that protects ePHI, or electronic protected health information. “The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information,” according to DHHS.
Below we’ll cover some strategies medical professionals or covered entities might employ to help safeguard their patients’ information.
Most email servers and providers aren’t HIPAA compliant. A covered entity or business associate can’t definitively verify who’s on the receiving end of their email communication. But doctors and patients still need to be able to have conversations via email for a variety of reasons.
Any of the 18 identifiers above, like the patient’s name or the exact date of a test, combined with health information such as the test type, is considered PHI. Sharing that information in an email can be risky. A safer strategy is to share no identifying information and instead point your patients to a secure portal.
Let’s look at the example of a doctor sharing information about test results that are ready.
This would involve sending an email letting a patient know that they have new test results available in their secure portal. If the doctor included what the test was for, like saying “Your diabetes test results are in,” that information would be considered PHI. Instead, doctors can choose to share test results in a secure portal that they know is safeguarded. The benefit of a portal is also that medical professionals can be sure their patients have specifically signed up for and consented to using the portal.
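As an added example (not part of the original article or of Textline’s product), here is a pre-send check in Python that applies the identifier list above and the email strategy just described to outgoing notifications: the regular expressions, the MRN format, and the condition-term list are assumptions to be tuned per practice, and the sample messages are constructed.

```python
import re

# Added example (not from the article): a pre-send check for unsecured channels
# (email or SMS). It flags the kinds of HIPAA identifiers listed in the article
# and, because the recipient address already identifies the patient, also a
# practice-maintained list of condition/test names. All patterns and the term
# list are assumptions; MRN and account formats are organisation-specific.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?<!\d)(?:\+?1[ .-])?\(?\d{3}\)?[ .-]\d{3}[ .-]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # Any date more specific than a bare year: 03/14/2021, 2021-03-14, Mar 14
    "date": re.compile(
        r"\b(?:\d{1,2}/\d{1,2}(?:/\d{2,4})?|\d{4}-\d{2}-\d{2}"
        r"|(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\.? \d{1,2})\b",
        re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.I),
    # Assumed local convention: "MRN" followed by 6-10 digits
    "mrn": re.compile(r"\bMRN[:# ]*\d{6,10}\b", re.I),
    # Assumed practice-specific list: a condition or test type tied to a known
    # recipient is PHI even when none of the 18 identifiers appears in the body.
    "health_term": re.compile(r"\b(?:diabetes|hiv|pregnan\w*|biopsy|chemotherapy)\b", re.I),
}

def find_phi(text):
    """Return {category: [matches]} for every pattern that fires on text."""
    return {name: pat.findall(text) for name, pat in PHI_PATTERNS.items()
            if pat.search(text)}

def safe_for_unsecured_channel(text):
    """True only when nothing fires; such a message can serve as a portal pointer."""
    return not find_phi(text)

# Constructed sample notifications
PORTAL_NOTICE = "You have new test results available in your secure patient portal. Log in to view them."
CONTENT_NOTICE = "Your diabetes test results are in."
DETAILED_NOTICE = ("Hi, your appointment on 03/14/2021 is confirmed. "
                   "Call 555-123-4567 with questions. MRN 00123456")

if __name__ == "__main__":
    for msg in (PORTAL_NOTICE, CONTENT_NOTICE, DETAILED_NOTICE):
        print("OK  " if safe_for_unsecured_channel(msg) else "HOLD", find_phi(msg))
```

A hit means the message should be held and replaced with a generic portal pointer, not that the check proves a clean message is compliant.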
In-App chat communication
Chat platforms for communication between health professionals and their patients are a secure option. They usually require a username and password, and are set up in part by the medical provider, so they’re pretty secure.
Some platforms specialize in HIPAA compliant chat options and are safeguarded as such. Those safeguards include password-protected platforms that offer a way to keep track of doctor-patient communication. They also feature automated log-out after a certain amount of time.
Chat can be a good option for some practices because it requires both the doctor and the patient to log in. This provides an extra layer of security, since each party confirms their identity before getting access to messages and the communication channel. One drawback, though, is that patients might need to log in to their email to see that they should log in to the app to check their messages. This multi-step communication can be a blocker for patients.
When texting protected information, entities should never use a personal cell phone or device. Doing so would be a violation of HIPAA. Personal devices can and have been stolen and lost with protected health information on them, resulting in HIPAA complaints. Ideally, instead, they’d be using a service, like Textline, that offers the security of HIPAA compliant texting and has safety measures built-in. This makes texting one of the most user-friendly ways to communicate with patients. It’s quick, happens in real-time, and doesn’t require any extra steps like a login.
When texting patients it’s necessary to get their consent and confirm that their phone number is correct before going ahead and sharing any ePHI via texting. An example of this is Textline’s standard consent messaging. Either for the first message, or when requesting consent, the following message will be sent: “[Org Name] complies with HIPAA and wants to exchange text messages with you. Text messaging may not be fully secure. To consent, reply YES.” You’ll need this consent before you can message with your customers.
Other security measures like standard encryption, automatic sign-out, and direct patient communication are all part of Textline’s HIPAA compliance offering.
Standard mail doesn’t offer any high-tech protection necessary for HIPAA compliance like passwords or encryption. But it’s technically allowed for sending PHI because only the intended recipient of the sealed mail is legally allowed to open that piece of mail. Insurance agencies or doctor offices might send bills via the mail, something you’ve probably been on the receiving end of yourself.
But a doctor likely wouldn’t mail any test results via standard mail due to the privacy risk it would pose. While opening mail that is addressed to someone else is illegal, mailing PHI is still a risk. This is why doctors might ask a patient to come in, share results via a protected portal, or call them to share test results.
If a patient has provided their phone number, this is considered giving consent for HIPAA-related calls. They can, however, revoke that consent at any time should they wish. Phone calls have plenty of benefits too: they allow for an immediate conversation that can be more in-depth. But they require that the participants take notes if they want a record of the conversation, and they can be very time consuming.
A call to a patient where PHI is mentioned might be in reference to a variety of health information like test results, appointment reminders, pre-op guidelines, and post-discharge follow-ups. But reasonable safeguards still need to be in place. Covered entities need to be sure they’re securing any protected health information.
The safeguards used may vary from doctor to doctor or billing agency to health plan. But there are a few ways these entities might verify identities over the phone. To confirm the identity of the patient over the phone, the medical professional could ask the patient for their name and two pieces of identifying information. This is why sometimes a doctor’s office might ask for your date of birth and address before getting into any personal details.
When an office is calling a patient, the person calling should always check to see who they’ve reached, and clearly explain who they are and why they’re calling before getting into any details.
What happens if you break HIPAA?
Violating HIPAA is a serious offense and, depending on the violation, potentially punishable with jail time. The most common types of entities alleged to violate HIPAA are general hospitals, private practices and physicians, and outpatient facilities. There are hundreds of different ways that HIPAA can be breached, but data breaches are some of the most common. Below we’ll cover some of the most common ways data breaches occur.
When HIPAA is violated in a data breach, the organization that committed the violation has to notify all of the people impacted by the violation by mail in a timely fashion; this is called the Breach Notification Rule. There is a 60-day requirement after the breach was discovered.
That notification needs to include a description of the breach, the types of information that were released, and what the patients should do to protect themselves. The party responsible for the breach also needs to detail the steps being taken to investigate the breach and prevent further breaches in the future. In the event that the breach affects more than 500 residents, the media also needs to be notified, according to the American Medical Association.
Civil penalties are distinct from criminal penalties, and each violation is tiered by severity. Civil violations can come with a penalty fee of $100 all the way up to $1.5 million. But if the violation isn’t a result of willful neglect and is corrected within 30 days, then the civil penalties don’t apply.
Other violations include something as basic as improperly disposing of protected health information or a failure to conduct a risk analysis. Some other types of HIPAA violations include:
- Keeping unsecured records
- Lack of proper employee training
- Unauthorized release of information
- Failure to provide PHI on request
- Failure to implement safeguards
- Patient record theft
Anyone can file a health information privacy or security complaint with the Office for Civil Rights (OCR). There’s an online portal where these complaints can be filed, or complaints can be filed in writing and mailed to the DHHS. The more details the better, and the OCR does not investigate complaints that are filed with no name or contact information attached.
Disclaimer: The information in this article is the opinion of the Textline editorial team and is not intended as legal advice.
HIPAA terms to know
Here are some of the terms to know around HIPAA:
HIPAA - Health Insurance Portability and Accountability Act, is the law that helps protect your health information and ensures that health care providers and clearinghouses keep your information secure and private.
Privacy Rule - The privacy rule covers when and how private medical information can be shared.
Security Rule - The security rule requires safeguards around electronic protected health info.
PHI - Protected Health Information is any medical record or data that could identify a person and is used when providing health care.
ePHI - Electronic Protected Health Information is a subset of PHI: any PHI that is stored, maintained, or transmitted electronically.
Covered Entity - This is who HIPAA was originally designed for, and it includes health plans, billing or health information systems, doctors’ offices, dentists, home nursing care, etc.
Business Associates - Any vendor or subcontractor that handles protected health info in service of the covered entity.
Breach Notification Rule - The rule that states how and why organizations that break HIPAA have to notify those who were affected.
BAA - Business Associate Agreement is the agreement between an outside party and a covered entity.