The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

 The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Before 1996, there was not a set of rules and regulations regarding patient privacy in the healthcare setting. The U.S. Department of Health and Human Services (HHS) used the “Privacy Rule” to define and bring into action the “rules” of the Health Insurance Portability and Accountability Acct of 1996 (HIPPA). The privacy rule addresses the use and disclosure of a patient’s health information or “protected health information.” A major goal of the privacy rule, it to ensure patients health information is properly protected while allowing the sharing of the patient health information with providers to provide high-quality patient care and protect the public’s health and well-being. HIPPA was originally created to promote the portability of health insurance but gained additional responsibilities as the key regulator of patient privacy and rights (Hersh & Hoyt, 2018).

Defining HIPPA

HIPPA is made up of the Privacy Rule, Security Rule, and Enforcement Rule. These rules apply to health plans, healthcare clearinghouses, and any health care provider who transfers patients’ health records electronically. The Privacy Rule protects all “individually identifiable health information” used or transferred by any of the organizations the rule applies to. It protects not only electronic information, but also oral and written information. This information is called “protected health information” or PHI (HHS Office of the Secretary, Office for Civil Rights, 2013).

PHI is information including demographics that relate to the individual’s physical or mental health or condition, provisions of healthcare to the individual, and payments for healthcare. The Security rule’s purpose is to enforce the Privacy Rule specifically to protect electronic health information. Not only does HIPPA protect PHI from misuse, but also enables personal health information to be accessed, used or disclosed via interoperability whenever it is needed.

The Department of Health and Human Services and Office for Civil Right (OCR) is responsible for enforcing HIPPA. Violators of the Privacy Rule are subject to civil money penalties and criminal prosecution (HHS Office of the Secretary, Office for Civil Rights, 2013). This enforcement of HIPPA is known as the Enforcement Rule. The OCR began enforcing HIPPA in 2003 and includes the investigation and resolution of patient privacy complaints and investigation breaches in PHI (Hersh & Hoyt, 2018).

History of HIPPA

The Health Insurance Portability and Accountability Act of 1996 (HIPPA) was enacted on August 21, 1996. When HIPPA was enacted, sections 261 and 264 of the law required the secretary of HHS to publicize standards for the electronic exchange, privacy, and security of health information. These are known as the Administrative Implication provisions (HHS Office of the Secretary, Office for Civil Rights, 2013). HIPPA required the secretary to issue privacy regulations regarding health information if Congress did not issue these privacy regulations within three years of passing HIPPA. Congress failed to do this task, therefore, on November 3, 1999, HHS released privacy regulations for public comment and received over 52,000 public comments on the issue. After this, the final regulation, the Privacy Rule, was published December 28, 2000.

These were not the last changes for HIPPA. In March 2002, the department released modifications to the Privacy Rule for public comment and received over 11,000 comments. With these comments, the final changes were published on August 12, 2002.  In February of 2003, HHS published a final Security Rule which sets national standards for protecting the confidentiality, integrity, and availability, of electronically protected health information. Compliance with this rule was mandatory by April 20, 2005.

Once electronic health records (EHRs) started to take off, HHS wanted to be confident that patient privacy was still protected. Therefore, in 2009, HSS implemented the Health Information Technology for Economic and Clinical Health (HITECH) act as a part of the American Recovery and Reinvestment Act of 2009. HITECH implemented new requirements for breach notification and stiffer penalties for non-compliance with HIPPA, as well as adding new patient’s rights to HIPPA (Hersh & Hoyt, 2018). This change is referred to as the Breach Notification Rule and is the final rule added to HIPPA (HHS Office of the Secretary, Office for Civil Rights, 2017).

The formation of the Health Insurance Portability and Accountability Act of 1996 was the first step towards healthcare portability. It also set a standard for protecting patient’s privacy with the threat of legal action if the rules were broken. Exchanging health information and interoperability were made possible by the implementation of HIPPA. I believe that the development of HIPPA set a true standard for healthcare, and the healthcare advances we have today would not have been possible without HIPPA.

Current State of HIPPA

Currently, the federal Privacy, Security, and Enforcement Rules implemented by HIPPA continue to serve as the nation’s foundation for protecting and transferring patients protected health information. Other businesses continue to use the HIPPA electronic transaction and code set standards to exchange health information for administrative purposes like insurance claims. When HIPPA first came out over 20 years ago, the P stood for portability of health insurance coverage, but now as interoperability and electronic health sharing have gone more mainstream, the P can also signify the secure portability of health information across the health ecosystem (Marchesini & Noonan, 2018). With HIPPA and the addition of the Security Rule and HITECH, health information exchanging across electronic health systems and health information exchanges is thriving. HIPPA supports the sharing of health information among health care providers, health plans, and those operating on their behalf for treatment, payment, and healthcare operations while protecting patients’ personal health information. Therefore, HIPPA directly encourages interoperability between health care providers (Marchesini & Noonan, 2018). If HIPPA was not established years ago, we could not have the healthcare system we have today in America.

HIPPA is the foundation of the present state of healthcare and essential for interoperability via Health Information Exchanges, information retrieval, and patient portals. With the use of social media and the internet, HIPPA enforcement is more crucial now than it ever has been. Patient’s privacy can be breached so easily and it takes vigilance by healthcare providers, organizations, and insurance companies to prevent the sharing of personal health information.

Future State of HIPPA

With the changing technology, the future will hold greater portability for health information using HIPPA, which is the foundation for health information exchange. The use of health information technology through HIPPA will allow providers, patients, and insurance companies the ability to more rapidly access, exchange, and use health information electronically. We will continue to see more health care providers allowing patients better access to health information via patient portals. The 21st Century Cures Act directs HHS to address information blocking and promote the trusted exchange of information which can further increase portability and interoperability among providers and patients (Marchesini & Noonan, 2018).

In light of the current opioid epidemic in America, OCR is considering making HIPPA changes that will help fight this crisis. Some of the rules in HIPPA with healthcare sharing without patient’s permission can hinder patients and families form receiving the help they need. This is still under debate as to whether this would be the right way to move forward or if further guidance from OCR would be a better solution (HIPPA Journal, 2019)

With the continued integration of electronic health care systems and interoperability in the years to come, HIPPA will continue to remain the backbone of interoperability and patient privacy. With more individuals and healthcare providers having access to protected patient information, new rules and standards might need to be developed via HSS and OCR to maintain patient’s privacy in the years to come. My hope is that America can use HIPPA to better the overall health of the nation and use this tool to fight problems such as the opioid epidemic.

In conclusion, the past, current, and future state of HIPPA has and will continue to impact healthcare and health information systems. The passing of this law in 1996 was vital for not only protecting patient’s health information but also for healthcare portability. The addition of HITECH when electronic health records became more prominent was another important step to maintaining patients’ privacy with the everchanging technology around us. The stricter enforcement of HIPPA rules that came along with HITECH is crucial due to the emerging social media presence in today’s world. Protecting our patients’ privacy will always be our number one concern as healthcare providers and we must maintain vigilance to assure ourselves and other healthcare providers around us abide by the laws of HIPPA and HITECH. It is our responsibility and obligation to report such breaches to protect our patients’ personal health information for today and the years to come.

References

• Hersh, W. R., & Hoyt, R. E. (2018). Health informatics: Practical guide seventh edition. Informatics Education
• HIPPA Journal. (2019, March 4). New HIPAA Regulations in 2019. Retrieved from https://www.hipaajournal.com/new-hipaa-regulations/
• HHS Office of the Secretary, Office for Civil Rights. (2013, July 26). Summary of the HIPAA Privacy Rule. Retrieved from https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
• HHS Office of the Secretary, Office for Civil Rights. (2017, June 16). HIPAA for Professionals. Retrieved from https://www.hhs.gov/hipaa/for-professionals/index.html
• Marchesini, K., & Noonan, T. (2018, August 30). HIPAA & Health Information Portability: A Foundation for Interoperability. Retrieved from https://www.healthit.gov/buzz-blog/privacy-and-security-of-ehrs/hipaa-health-information-portability-a-foundation-for-interoperability