HIPAA & The Privacy Law
September 04, 2020 | 9 minutes read
HIPAA Protects Patient Privacy
The U.S. Department of Health and Human Services (HHS) moved to bring standards to the handling of private health information (PHI) to protect individuals from the misuse of their personal data. In 1996 Congress moved to adopt the Health Insurance Portability and Accountability Act (HIPAA) as a Federal privacy policy. The results were protections for individually identifiable health information for patients across the country. HHS developed the national standards and procedures to handle electronic health care transactions, code sets, unique health identifiers, and ensure patient data security.
Over the last 30 years, patient records shifted from paper to electronic formats and digital records. The digitization of individual medical histories also meant there was an increase for more individuals to gain access and use personal health data to treat their patients. It also meant more opportunity to have bad actors misuse and disclose sensitive and personal health data of individuals.
Health care providers, understanding their relationships with their patients, and the amount of trust it requires, have always kept to a long-standing tradition to protect patient privacy. Before developing the HIPAA regulations, previous legal protections and regulations to protect patients at the federal, tribal, state, and local levels were deficient and ineffective.
Privacy concerns for patient data were addressed with the development of the HIPAA regulations. HHS developed the privacy standard to give basic protections to patients while still balancing public health and safety needs. The passing of the HIPAA regulations also required employers to offer health insurance coverage (COBRA) to employees who are voluntarily leaving their jobs or even fired.
The legislation developed national standards for electronic health care transactions. These regulations help to ensure patient privacy while also improving their access to quality medical care. Medical records can be shared instantly in an emergency or other health situation, versus waiting days or even until the doctors can converse about their health needs. This instantaneous exchange system allows doctors immediate access to their patient’s records in emergency rooms, thus facilitating better health care.
The Privacy Law – What is it?
As part of HIPAA, Congress added additional regulations in 2000 and updated them in 2003. HHS developed rules that protect the privacy and security of specific health information. Two Rules were enacted that are known as The Privacy Rule and The Security Rule. The Privacy Rule is more formally known as Standards for Privacy of Individually Identifiable Health Information. The Privacy Rule set national standards for the protection of specific health data. The Security Rule is a set of federal rules for protecting detailed health data stored or transferred in electronic form. Both regulations work together to protect patients. The Security Rule puts into operation the protections that are contained in the Privacy Rule by defining the challenges that must be overcome by standardizing technical and non-technical safeguards for the patient’s health data. Another part of HHS, the Office for Civil Rights or OCR, holds the responsibility for enforcing both the Privacy and Security Rules through voluntary compliance and severe civil and criminal penalties for those who violate patient security.
Risk Management
For any time of personal data, companies and health providers alike face risk management procedures. Risk management involves steps to protect the data they store from being breached or hacked. The Administrative Safeguards are requirements in the Security Rule that demand covered entities or health providers to enact risk analysis procedures as part of their security management. HIPAA addresses risk analysis and risk management by encouraging and promoting specific security measures that are considered reasonable and appropriate. For health providers, risk analysis impacts the implementation of safeguards. Risk analysis procedures include the following activities but are not explicitly limited to them.
- Health providers must take time to evaluate the potential and impact of potential risks.
- Providers should be prepared to enact appropriate security measures that address all the potential risks identified in the risk analysis.
- Security measures should be documented and include the rationale for any measures adopted.
- Providers should not only implement security measures but provide and maintain continuous appropriate security protections for their data.
- Risk analysis is an ongoing process and should be done regularly.
- Covered entities should regularly review access and security incidents.
- Providers should periodically have an evaluation of the effectiveness of their implemented security measures. These reviews should also include regular assessments of new and current potential risks to patient data.
Who Does the Law Impact?
HIPAA regulations were enacted to be a multi-tiered approach to improving the health insurance and data system. The laws impact nearly everyone, with different rules depending on if you are on the providing or receiving end of the healthcare system.
- HIPAA assists those individuals who have group insurance plans through their employers or unions.
- The regulations also help those who are self-insured by employers.
- The rules impact healthcare workers. The change includes all health system workers from the cleaning staff, administration, and physicians regarding how patients are approached and how their personal data is handled.
- HIPAA affects insurance companies, healthcare providers, clinics, therapists, and patients.
- ALL healthcare employees and organizations that use, store, maintain, or transmit patient data must maintain compliance with HIPAA regulations.
Congress enacted HIPAA to ensure patient privacy, reduce fraud, and improve the healthcare data system. New regulations or controls are added to the rules for them to continue to remain effective from time to time. By following the rules, the government has estimated that it could save healthcare providers billions of dollars annually.
For providers, knowing about how to prevent security risks that could result in significant penalties for lack of compliance – HIPAA regulations give them the incentive to learn more about maintaining their data. HHS’s additional education and resources help providers learn to keep their data secure and save money. Through the available resources and the help of privacy professionals, providers, and other organizations can put their focus on their profit margin, as they no longer have to fear being audited continually.
Protecting Data – The Rules
The Privacy Rule was created to protect certain information that providers use and disclose to other parties for the patient’s health care. The data is required to be kept safe from disclosure or breaches is called Protected Health Information or PHI. This identifiable health information that is transmitted, stored, or shared through electronic media or other networks.
PHI is data that relates to:
- hThe past, present, or future physical or mental health, health status, or conditions of an individual patient.
- Provisions for the treatment of health care of an individual; or
- information regarding payments for providing health care to an individual.
The data that is stored in the systems are redacted, and de-identified data sets. These are statistical data stripped of individual identifiers. De-identified data does not require privacy protections, and the Privacy Rule does not cover these data sets.
De-identifying data is processed by an adequately qualified statistician or privacy professional that uses analytics to lower the risk to data sets by substantially limiting the data. The elimination of data and making sure specific details are missing, removed, or encrypted reduces the ability for bad actors or breaches that would allow recombination of data points to determine a person’s identity. These combinations are generally done through the ‘safe-harbor method’ in which the business or its cleared employee de-identifies data by removing 18 identifiers. The business or covered practitioner would no longer have the actual original data. It protects the health care provider as well as the patient. In some instances, clinical research and other activities may find that working with de-identified data has limited value.
What are the 18 data points that are removed for de-identifying data through the safe-harbor method? All HIPAA 18 identifiers must be removed before the data is stored. As listed by the HHS, these data points are:
- Name
- Address (all geographic subdivisions smaller than a state, including street address, city county, and zip code)
- All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89)
- Telephone numbers
- Fax number
- Email address
- Social Security Number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate or license number
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web URL
- Internet Protocol (IP) Address
- Finger or voice print
- Photographic image – Photographic images are not limited to photos of the face.
- Any other characteristic that could uniquely identify the individual
Automated Redaction Saves
How do companies get ahead of the curve? Removing, redacting, or de-identification of data can take hours if done manually by humans. These rules could put the cost of data protection out of reach of most small health care providers or physicians. Using an intelligent redaction system such as CaseGuard can help companies meet all their goals for privacy protection and many other beneficial uses to grow your consumer base.
Automated redactions software is used to locate and redact sensitive information automatically. CaseGuard, an automated redaction software, works on all digital media, including documents, databases, images, audio, and video files. It works by using artificial intelligence and machine learning to create a smooth process of removing restricted identifiers in electronic data. It is designed to fit or integrate with most of today’s business software, hardware, and data management systems. It can be automated to redact personally identifiable information at the time the data file is being created, or it can be used to remove data from previous records, recordings, or images.
Automating the redaction process using artificial intelligence makes the entire redaction process far more manageable, efficient, and accurate. Accuracy is essential as human error, leaving out a single frame in video content can reveal an individual’s identity. It can be far more critical than merely a breach of someone’s identity when concealing data from law enforcement agencies. For example, one lost frame can cost an officer or other informant their lives. For all companies, having the assurance of total accuracy and complete process of the redaction of sensitive data protects their data assets and the company’s well-earned reputation.
The cost savings for companies comes with a reduced workload that requires personnel hours. What once took several hours to do a complete redaction now can be done in minutes. More benefits to the company’s bottom line come with all the additional features included in CaseGuard’s redaction software. Elements that contain translations, transcription and captioning of video data make the redactions system so much more than a data privacy system. Imagine how much further your company’s message will go if your social media posts and video content can be translated into 32 different languages or captioned at the push of a button. Growth. Data protection. Security. Leadership. Companies that choose CaseGuard to protect their data lead the market in their industries. Leadership matters. The benefits provided by CaseGuard’s intelligent redaction software are features that have made CaseGuard the number one leader in privacy and redactions systems.