The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was enacted to protect the privacy of patients’ medical and healthcare records while streamlining the exchange of health information between different entities. HIPAA is a set of rules that governs businesses in the healthcare sector that handle patient information. It is essential to securing the privacy, confidentiality, availability, and integrity of PHI (protected health information).
Companies dealing with PHI must comply with HIPAA in order to keep a person’s health information intact and prevent it from being disclosed, without compromising the quality of medical practice.
What is PHI?
HIPAA applies to PHI, so it is important to know what PHI consists of. The HIPAA rulebook specifies 18 data types that together make up PHI. In other words, if any of these attributes are found in a dataset, or in any information a company deals with, HIPAA requirements apply to protect the patient’s medical or health information.
- Dates (except year)
- Telephone numbers
- Addresses (geographic data)
- FAX numbers
- SSN (Social Security Numbers)
- E-mail addresses
- Medical record numbers
- Account numbers
- Health plan beneficiary numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers (including license plates)
- Web URLs
- Device identification and serial numbers
- IP addresses
- Full face photos or comparable photos
- Biometric identifiers (fingerprints, retina scans)
- Any unique identification number or code
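The list above is in effect a data-classification rule, and the practical question for an engineer is how to tell whether a record still carries any of these identifiers before it is exported, logged, or shared. The following Python example is added here and is not code from the original article; it scans a constructed record (no real patient data) for the identifier types listed above, using regular expressions for the types that have a recognisable form (SSN, telephone/fax, e-mail, URL, IP address, full dates) and field names for the types that do not (medical record, account, health plan, license, vehicle, device, biometric, photo). The column names, the sample record, and the regex patterns are assumptions for the example; map them to your own schema. Because the list permits the year of a date, redaction reduces full dates to the year rather than removing them. The final catch-all item, "any unique identification number or code", cannot be recognised syntactically and still needs human review.

```python
import re
from collections import defaultdict

# Constructed record for this example; no real patient data. The diagnosis code is
# a clinical value, not one of the identifiers listed above, so it must survive.
SAMPLE_RECORD = {
    "medical_record_number": "MRN-00042",
    "diagnosis_code": "E11.9",
    "note": (
        "Patient called from (555) 123-4567 on 03/14/2021 about results; "
        "contact j.doe@example.org, SSN 123-45-6789, portal login from 10.0.0.5, "
        "see https://portal.example.org/visit/42 (followed up 2021-03-20)."
    ),
}

# Identifiers that have no universal syntax are recognised by field name.
# These column names are assumptions for the example; map your own schema here.
IDENTIFIER_FIELDS = {
    "medical_record_number": "medical record number",
    "account_number": "account number",
    "health_plan_beneficiary_number": "health plan beneficiary number",
    "license_number": "certificate/license number",
    "vehicle_id": "vehicle identifier",
    "device_serial": "device serial number",
    "biometric_template": "biometric identifier",
    "face_photo": "full face photo",
}

# Identifiers with a recognisable form are found in free text by regex.
# Order matters for redaction: SSN before phone, URL before IP address.
PATTERNS = {
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "telephone_or_fax": re.compile(
        r"(?<!\d)(?:\+?1[-. ])?\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}(?!\d)"
    ),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "url": re.compile(r"\bhttps?://[^\s,;]+", re.IGNORECASE),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Full dates (ISO or US form); the year alone is allowed, so redaction keeps it.
    "date": re.compile(
        r"\b(?P<y1>\d{4})-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/(?P<y2>\d{4})\b"
    ),
}


def scan_text(text):
    """Return {identifier_type: [matched strings]} for one free-text value."""
    found = {}
    for name, pattern in PATTERNS.items():
        hits = [m.group(0) for m in pattern.finditer(text)]
        if hits:
            found[name] = hits
    return found


def scan_record(record):
    """Flag identifier-bearing fields by name and identifier patterns inside values."""
    findings = defaultdict(list)
    for field, value in record.items():
        if value in (None, ""):
            continue
        if field in IDENTIFIER_FIELDS:
            findings[IDENTIFIER_FIELDS[field]].append(str(value))
        if isinstance(value, str):
            for name, hits in scan_text(value).items():
                findings[name].extend(hits)
    return dict(findings)


def redact_text(text):
    """Replace each pattern hit with a type tag; full dates are reduced to the year."""
    for name, pattern in PATTERNS.items():
        if name == "date":
            text = pattern.sub(lambda m: m.group("y1") or m.group("y2"), text)
        else:
            text = pattern.sub(f"[{name.upper()}]", text)
    return text


def deidentify_record(record):
    """Drop identifier fields and redact free text; returns a new dict."""
    cleaned = {}
    for field, value in record.items():
        if field in IDENTIFIER_FIELDS:
            continue
        cleaned[field] = redact_text(value) if isinstance(value, str) else value
    return cleaned


def is_deidentified(record):
    """True when no listed identifier is detectable; 'any unique code' still needs review."""
    return scan_record(record) == {}


if __name__ == "__main__":
    print(scan_record(SAMPLE_RECORD))
    clean = deidentify_record(SAMPLE_RECORD)
    print(clean)
    print(is_deidentified(clean))
```

The regex patterns are heuristics: they catch the common written forms but will miss free-form record numbers, unusual phone formats, or identifiers embedded in images, so a negative scan result is a gate for review, not proof that a record is free of PHI.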
The five main HIPAA rules
There are five main HIPAA rules that companies and organizations in healthcare or medical services need to follow. In countries such as the US, HIPAA compliance is mandatory to secure patients’ data. Hence, if you are building a web or mobile application for healthcare, it is essential to work with HIPAA compliance companies that can help you build solutions that abide by these rules.
Here are the five main components set as rules:
#1 HIPAA privacy rule
The HIPAA privacy rule sets the federal standards for securing an individual’s PHI. These standards apply to both patients and their medical professionals. The following factors are included in these privacy standards:
- The patient’s right to access PHI
- The medical professional’s right to access a patient’s PHI
- The medical professional’s right to deny access to a patient’s PHI
- MRS (Minimum Required Standards) for any company’s HIPAA compliance and release forms
The HIPAA privacy rule ensures that access to a patient’s PHI and other medical records can be limited according to specific cases and conditions of disclosure. Access cannot be granted without the patient’s consent. This set of rules also enables patients to obtain a copy of such data and to request an amendment if required.
#2 HIPAA security rule
The HIPAA security rule sets the federal standards for managing patients’ ePHI, and it also covers sending ePHI to other entities and healthcare setups. These rules are specifically crafted to protect the physical, administrative, and technical aspects of ePHI. The rule is further classified into three safeguards, or security levels:
- Administrative safeguard: deals with the assignment of the HIPAA security compliance team.
- Technical safeguard: deals with authentication methods and the encryption of data to control access to it.
- Physical safeguard: deals with the protection of equipment, data, and electronic systems in any facility or healthcare setup. Risk management protocols for software, hardware, and the exchange of data are covered.
#3 HIPAA transaction rule
Diseases and symptoms are assigned unique numbers under the ICD (International Classification of Diseases), following strict norms and numbering. The HIPAA transaction rule applies to code sets such as ICD-9, ICD-10, CPT-3, CPT-4, HCPCS, and NDC codes. HIPAA ensures that the codes are used correctly for the safety, security, and accuracy of medical records such as protected health information.
#4 HIPAA identifiers’ rule
For different entities, HIPAA uses three primary identifiers for financial and administrative operations. Here are these three identifiers:
- NPI (National Provider Identification): a 10-digit number that covers all healthcare providers in HIPAA financial and admin transactions.
- NHI (National Health Plan Identifier): this identifier is used to trace health plans and covered payers under CMS (Center for Medicare and Medicaid Services).
- SUEI (Standard Unique Employer Identification): this identifies other HIPAA transactions, and is quite similar to federal EIN (Employer Identification Number).
#5 HIPAA enforcement rule
Any breach or negligence observed in the storage and sharing of patient data attracts the HIPAA enforcement rule, which determines the penalties for businesses and companies dealing with patients’ medical or health data of any kind. This rule applies to various violations:
- Negligence in applying the HIPAA privacy and security rules
- Apathy in establishing mandatory breach regulations
- Loose rules in marketing and sales
- Mistakes in account disclosure
- Applying business associate compliance to share PHI and ePHI
Violation of the five HIPAA rules
The Health Insurance Portability and Accountability Act (HIPAA) establishes standards for electronic transactions and code sets, enforcement rules, and national identifiers. Violating HIPAA can have serious consequences for healthcare providers, corporate hospitals, organizations, and even individual practitioners. Depending on the type and severity of the violation of the five HIPAA rules, the consequences can range from civil fines to criminal charges and imprisonment.
Some of the possible consequences of violating HIPAA are:
- Civil monetary penalties: a violation of the five HIPAA rules can lead the Office for Civil Rights (OCR) to impose fines ranging from $100 to $50,000 per violation.
- Criminal penalties: the Department of Justice (DOJ) can prosecute violations of the five HIPAA rules for disclosing PHI without permission. Penalties range from one year to 10 years in prison, and from $50,000 to $250,000 in fines.
- State penalties: some states have enacted their own laws. For example, California law allows individuals to sue for HIPAA violations, with fines of up to $250,000.
- Lawsuits: individuals who are victims of a HIPAA violation can file a lawsuit against the violator for invasion of privacy, seeking compensation for economic and non-economic damages.
- Reputation damage: a HIPAA violation also damages reputation and credibility. Negative publicity and the loss of business, licenses, contracts, or accreditation can cost thousands of dollars.
How to protect yourself from HIPAA violations
While application solutions for the healthcare industry are lucrative and have a promising future, staying clear of legal consequences is important. As you know by now, a HIPAA violation can put your company in trouble. Hence, your healthcare app development must be executed carefully and follow the HIPAA rulebook and the other compliance requirements for healthcare and medical facilities.