The Health Insurance Portability and Accountability Act (HIPAA) was enacted to make health insurance coverage portable and more widely available. Lawmakers quickly realized that, in doing so, the privacy and confidentiality of patient health information would be put at risk, and the privacy and security provisions that resulted became an integral and indispensable part of HIPAA. Although health care organizations had to commit additional funds, resources, and effort to comply with HIPAA, it also opened up business opportunities. Along with security and privacy responsibilities, HIPAA has created a "peachy leeway" for innovative new startups. As an entrepreneur, you just have to spot the opportunity and go for it!
Introduction
HIPAA: A "Double-Edged Sword"
HIPAA was implemented to give people greater security and privacy for their health information; however, it is a "double-edged sword". On one side, a leading health insurer such as Anthem Inc. had to pay a $1.7 million penalty for a security breach involving health care data. On the other, HIPAA has served as a business "ladder" for many successful new health care technology startups, such as Aptible, Flatiron, Misfit, and CardLogix.
Genesis of HIPAA
Have you ever asked why an Act like HIPAA came into existence? The answer revolves around the fact that, until the 1990s, there was no convenient system for storing health records or protecting health information. To rectify the situation, Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996. The Act is made up of five titles.
The HIPAA Act had three main purposes:
-
To provide healthcare coverage to the maximum population
-
To reduce fraud and abuse cases in the health insurance
-
To digitize health records and promote their confidentiality and security
Figure 1- Important Components of HIPAA
Although HIPAA had been implemented, gaps remained in the Privacy Rule. To strengthen HIPAA, Congress passed the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009. The HITECH Act was aimed at strengthening electronic health documentation and the Privacy Rule. However, implementing HITECH required several amendments to the HIPAA rules. To make those modifications, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued the Final Omnibus Rule in 2013.
The Omnibus Rule, officially entitled "Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act," was intended to expand patients' privacy rights over their health records.
The Final Omnibus Rule combines four sets of revisions:
-
Revision of HIPAA Privacy, Security, and Enforcement Rules
-
Revision of the Privacy Rule proposed in 2010
-
Revision of the Breach Notification Rule under the HITECH Act
-
Revision of the Privacy Rule required to implement the Genetic Information Nondiscrimination Act (GINA)
The Omnibus Rule brought about several vital changes: it redefined the relationship between covered entities and their business associates, making business associates directly liable for compliance; it revised definitions (for example, the definition of "electronic media" now refers to "electronic storage material" rather than "electronic storage media"); and it raised the maximum civil penalty to $1.5 million per year for violations of an identical provision. In short, the Omnibus Rule put the HITECH Act's amendments to HIPAA into effect; it is the "puzzle piece" that connects the HIPAA and HITECH Acts.
HIPAA compliance
HIPAA imposes strict privacy and security requirements on companies that handle protected health information (PHI). A company dealing with PHI must safeguard it by knowing where PHI is stored, who can access it, and how it moves across the network, and by auditing that access and the security controls around it. A company that complies with all of the privacy and security requirements can be called HIPAA-compliant; even a small deviation or a single breach can put it out of compliance.
Penalty for Noncompliance
Noncompliance with HIPAA can have significant consequences, both financial and reputational. The Office for Civil Rights (OCR) imposes civil money penalties, while criminal violations are referred to the Department of Justice for prosecution; which applies depends on the extent of the noncompliance. Civil penalties for HIPAA noncompliance are tiered by the level of culpability (whether the entity knew, or should have known, of the violation and whether it corrected it) and by the extent of the breach.
Table 1: Civil penalties
Table 2: Criminal penalties