What Is HIPAA?

Employees who aren’t trained in HIPAA can pose an expensive risk to your organization. In June of 2023, Yakima Valley Memorial Hospital paid $240,000 to settle a breach that affected 419 patients. Curious security guards at the hospital violated HIPAA by accessing private patient information. As a result, the hospital had to overhaul its HIPAA training programs and work harder to ensure employees know their limits.

Less paper means less hassle and more efficiency, especially when dealing with large data files like medical records. But, as the Yakima case shows, computerization always brings the potential for security issues. Prior to HIPAA, there was no federal rule to govern or protect the privacy of digital health information, leaving patients vulnerable to frequent privacy breaches.


What Is HIPAA? 

The Health Insurance Portability and Accountability Act of 1996, or HIPAA, is a federal law that requires organizations that handle “protected health information” (PHI) to keep it from being disclosed to unauthorized persons. Unless a state law is more stringent than the federal law, HIPAA overrides state law regarding health data privacy.


What Is Considered Protected Health Information (PHI) Under HIPAA? 

PHI is generally any information found in medical records that can be used to identify an individual. HIPAA considers the following items protected health information:

  • Names
  • Geographical subdivisions smaller than a state (address, city, county, zip code, etc.) 
  • Dates directly related to an individual (birth date, date of death, admission/discharge date, etc.) 
  • Phone numbers
  • Fax numbers
  • Emails
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers 
  • Device identifiers and serial numbers
  • URLs
  • IP addresses
  • Biometric identifiers (fingerprints, etc.) 
  • Identifiable images/photographs 
  • Any other unique identifying numbers, characteristics, or code

According to The HIPAA Journal, employers most frequently run into HIPAA compliance issues due to:

  • Impermissible uses and disclosures of PHI
  • Lack of safeguards for (non-electronic) PHI
  • Failures to provide patient access to PHI
  • Lack of administrative safeguards for electronic PHI, and
  • Violations of the minimum necessary standard

To maintain HIPAA compliance, employers must adhere to three major HIPAA rules: Privacy, Security, and Breach Notification.


What Is the HIPAA Privacy Rule? 

The HIPAA Privacy Rule requires safeguards to protect the privacy of PHI in any medium and applies to health plans, health care clearinghouses, and health care providers. The rule also sets limits on disclosures that can be made without patient consent and gives individuals rights to examine and obtain their health records at any time. Its goal is to balance the confidentiality, integrity, and availability of private health information. 


What Is the HIPAA Security Rule?

The HIPAA Security Rule covers a subset of the information protected by the Privacy Rule: electronic protected health information, or e-PHI. The Security Rule also describes the steps an organization has to take to protect patient data and to train employees to maintain security. Organizations are expected to detect and protect against anticipated PHI breaches and to require workforce HIPAA compliance training.


What Is the HIPAA Breach Notification Rule? 

The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to notify the Secretary of Health and Human Services following a breach of unsecured protected health information.

According to the Department of Health and Human Services, if the breach affects 500 or more individuals, the covered entity must send the notification no later than 60 calendar days from the date of discovery.

If the breach affects fewer than 500 individuals, the covered entity must notify the Secretary by submitting a breach notification within 60 days of the end of the calendar year in which the breach was discovered (that is, by March 1st).


Does My Organization Need HIPAA Compliance Training? 

HIPAA training requirements apply to all employers that are HIPAA covered entities or business associates. Healthcare providers, health plans, and healthcare clearinghouses that transmit PHI are considered covered entities.

A business associate is anyone who creates, receives, maintains, or transmits PHI for a function regulated by HIPAA or on behalf of a covered entity. This definition of “business associate” was expanded by the HIPAA Omnibus Rule.

Any person who works in healthcare or has access to PHI must be trained in HIPAA compliance, regardless of their role. So while those curious security guards at Yakima did not deal with PHI regularly, they still needed HIPAA compliance training.

If you are a covered entity, each new member of your workforce must receive HIPAA privacy training within a reasonable period of time after they join your organization, and again whenever policies or procedures change. Some states require that training be completed within 30 or 90 days of employment, and refresher training is recommended at least annually.

Both covered entities and business associates who have access to protected health information, or PHI, must receive security awareness training.

According to The HIPAA Journal, HIPAA security awareness training should include:

  • Periodic security updates
  • Procedures for guarding against, detecting, and reporting malware
  • Procedures for monitoring login attempts and reporting discrepancies
  • Procedures for creating, changing, and safeguarding passwords

This implies that security awareness training should be ongoing. HR pros should keep a close watch on the Department of Health and Human Services for new rules and guidelines that may require additional HIPAA training.


HIPAA Standards for Health Coverage

HIPAA also sets standards and regulations on health insurance coverage. HIPAA prohibits employers from offering group benefits that discriminate against individuals based on health factors such as:

  • Health status
  • Medical condition (including both physical and mental illnesses)
  • Claims experience
  • Receipt of health care
  • Medical history
  • Genetic information
  • Evidence of insurability, or
  • Disability

HIPAA also regulates discrimination in regard to cafeteria plans (Section 125 plans), which give employees the opportunity to set aside part of their compensation as pre-tax contributions toward health insurance and other benefits.

Under HIPAA, group benefits cannot discriminate in favor of highly compensated employees in terms of eligibility, contributions, and/or benefits. Because this is a tax-related law, the Internal Revenue Service (IRS) enforces these regulations.

Penalties for HIPAA violations can range from $100 to $1.5 million depending on the type and frequency of the violation, which makes compliance training essential to the success of your organization.


Additional Resources

You can stay informed, educated, and up to date with important HR topics using BerniePortal’s comprehensive resources:

  • BernieU—free online HR courses, approved for SHRM and HRCI recertification credit
  • BerniePortal Blog—a one-stop shop for HR industry news
  • HR Glossary—featuring the most common HR terms, acronyms, and compliance
  • Resource Library—essential guides covering a comprehensive list of HR topics
  • HR Party of One—our popular YouTube series and podcast, covering emerging HR trends and enduring HR topics
  • Community—the HR Party of One Community forum, a place devoted to HR professionals to ask questions, learn more, and help others
