This article is the fifth in our series on compliance and certification. Together these pieces highlight data processing laws and optional independent standards that businesses use as credibility indicators and as guides to implement best practices.
This installment focuses on compliance with the Health Insurance Portability and Accountability Act of 1996:
- What is HIPAA?
- HIPAA Title Information
- Role of Each State’s Government
- How the OCR Enforces HIPAA
What is HIPAA?
HIPAA stands for the federal Health Insurance Portability and Accountability Act of 1996. This law performs the following four functions, as described by the California Department of Health Care Services (DHCS):
- Enables US citizens to maintain their health insurance if their job ends or they switch companies.
- Creates harsher penalties for healthcare fraud and abuse.
- Defines uniform expectations for medical data passed through billing applications and other systems.
- Establishes guidelines for the safeguarding of consumer protected health information (PHI) through its privacy, security, and breach notification rules (Title II).
HIPAA Title Information
The California agency also describes the various titles contained within the healthcare law, which are as follows:
Title I – Continuation coverage
Title I allows members of the workforce, their spouses, and their children to have continued access to health insurance if they switch jobs or become jobless.
Title II – Standards for data management
This part of HIPAA directs the US Department of Health and Human Services (HHS) to develop nationwide standards for electronic medical payments, along with uniform identifier codes for practitioners, insurance companies, and employers.
Security and privacy of patient information is also a major point of focus for Title II, by far the most important part of the act for healthcare providers and the technology business associates who serve them. DHCS explains how valuable this section of the regulations is on an institutional level: “Adopting these standards will improve the efficiency and effectiveness of the nation’s healthcare system by encouraging the widespread use of electronic data interchange in healthcare.”
HHS, through its Office for Civil Rights (OCR), creates and publishes guidelines on adopting HIPAA-compliant practices. All firms that are either covered entities (healthcare companies) or business associates (service providers to healthcare companies) must meet any requirements established by the OCR within 24 months of their release.
Title III – Tax adjustments
This section of the law allows taxpayers to deduct specified amounts for health insurance and makes a few other pro-consumer changes to the regulation of health insurers.
Title IV – Changes to group health plans
These provisions stipulate the rights of employees with pre-existing conditions to participate in workplace health plans. Also, like Title I, it changes the rules regarding continuation coverage.
Title V – Revenue offsets
This section of the law describes new rules for employer-owned life insurance and income tax rules for employees who have their American citizenship revoked. It also repeals the code provision on interest allocation for financial institutions.
How the OCR Enforces HIPAA
Much as police patrol the roadways, the Office for Civil Rights patrols healthcare systems to enforce the privacy, security, and breach notification rules of HIPAA.
One method the agency uses to enforce the law is to respond when patients or other parties submit complaints related to poor PHI protection. Additionally, “OCR may also conduct compliance reviews to determine if covered entities are in compliance,” explains the HHS website, “and OCR performs education and outreach to foster compliance with requirements of the Privacy and Security Rules.”
The OCR is not able to respond to every type of complaint, as described in the agency’s criteria.
If the agency does decide to investigate a submission, it contacts the complaining party and the organization in question. Each of the two parties is asked to send the OCR whatever details and documents it can to support its side of the incident. Since the HIPAA final omnibus rule took effect in September 2013, any business handling health data must cooperate with these investigations.
In some cases, complaints suggest criminal wrongdoing (as outlined in 42 U.S.C. 1320d-6), in which case they are forwarded to the Department of Justice.
The OCR reviews the materials and statements presented by each side, and often determines that patient privacy and security were properly protected. However, if the OCR believes the business may have been noncompliant, it will proceed with one or more of the following:
- Commitment by the business to comply voluntarily;
- Step-by-step tasks required to regain compliance;
- A contract to resolve any problems.
The OCR notes that “most Privacy and Security Rule investigations are concluded to the satisfaction of OCR through these types of resolutions.” In other words, despite the various high-profile financial settlements with healthcare systems that have made the news, most investigations are resolved without the need for a civil money penalty (CMP).
If the OCR issues a financial penalty, the company can ask for an appeal in which the case is reviewed by a Health and Human Services judge. All money is paid directly to the US Treasury, not the complainant.
HIPAA compliance certification is just one way that we have proven our expertise through objective, third-party standards. Request a quote today from one of the only hosting services with such a wide range of certifications, including SSAE 16, ISO 9001:2008, ISO 27001:2013, ITIL, HIPAA, FISMA, and Sarbanes-Oxley.
By Kent Roberts