HIPAA Glossary of terms

Posted on July 31, 2014 by April Sage

It's a jungle out there in healthcare, and we want to make sure you have the info you need to cut through some of the jargon. Here's a comprehensive glossary of basic HIPAA terms to define the key phrases you need to understand HIPAA compliance today.

Business Associates
Anyone who has access to patient information, whether directly, indirectly, physically or virtually. Additionally, any organization that provides support for treatment, payment or operations is considered a business associate, e.g. an IT company or a billing and claims processing company. Other examples include a document destruction company, a telephone service provider, an accountant or a lawyer. Business associates also have the responsibility to achieve and maintain HIPAA compliance in terms of all of the internal, administrative and technical safeguards. A business associate is not part of the covered entity’s workforce, but instead performs some type of service on its behalf.

Business Associate Agreement
The standard agreement document that clearly defines the roles and responsibilities of a business associate and the covered entity. The other key piece of the Business Associate Agreement is the assurance that the business associate will take proper steps to implement the appropriate administrative, physical and technical safeguards.

Covered Entities (CE)
Anyone who provides treatment, payment and operations in healthcare. This could include a doctor’s office, dental office, clinic, psychologist, nursing home, pharmacy, hospital or home healthcare agency. It also includes health plans, health insurance companies, HMOs, company health plans and government programs that pay for health care. Healthcare clearinghouses are also considered covered entities.


Electronic Data Interchange (EDI)
The communication or exchange of business documents between companies via computer.

Electronic Health Records (EHR)
Electronic health records are any electronic record of patient health information generated within a clinical institution or environment, such as a hospital or doctor’s office. This may include medical history, laboratory results, immunizations, demographics, etc.

Electronic Protected Health Information (EPHI)
All individually identifiable health information that is created, maintained or transmitted electronically.

Healthcare Clearinghouse
An organization that standardizes health information. One example is a billing company that processes data from its initial format into a standardized billing format.

Health Information
Patient information collected by a health plan, health care provider, public health authority, employer, healthcare clearinghouse or other organization that falls under the definition of a covered entity.

Healthcare Insurance Portability and Accountability Act (HIPAA)
Developed in 1996, the acronym HIPAA stands for Healthcare Insurance Portability and Accountability Act. Initially created to help the public with insurance portability, the act eventually added administrative simplification provisions covering electronic medical record technology and other components. In addition, it established a series of privacy protections for healthcare data.

Health Information Technology for Economic and Clinical Health (HITECH)
In 2009, the American Recovery and Reinvestment Act (ARRA) included an act called HITECH, short for the Health Information Technology for Economic and Clinical Health Act. The act included incentives for physicians in private practices, as well as institutional practices, to implement and adopt electronic medical records.

In addition to incentives, the act included a series of fines to help enforce HIPAA rules. HITECH also mandated that business associates of covered entities, as well as the covered entities themselves, were responsible for the same level of HIPAA compliance.

HIPAA Audit
A HIPAA audit is based on a set of regulations, standards and implementation specifications. The audit is an analysis that helps pinpoint the organization’s current state and what steps need to be taken to make the organization compliant.

An evaluation is part of the audit: a company must perform an evaluation and undergo periodic evaluations at least once a year. As technology changes and different components are added to an organization’s infrastructure, they should be re-evaluated.

While covered entities need to undergo HIPAA audits, third-party business associates also need to comply. This includes any company that provides services for a covered entity, for example, an application hosted in a cloud and provided to a covered entity.

HIPAA Violations
If a company fails to comply with HIPAA rules, it is subject to both civil and criminal penalties.

Civil Penalties
Established by the American Recovery and Reinvestment Act of 2009 (ARRA), the tiered civil penalty structure below sets the consequences of HIPAA breaches according to their cause. The Secretary of the Department of Health and Human Services ultimately determines fines and penalties according to the extent of the violation on a case-by-case basis.

Due Diligence
An organization is in violation, but it had taken every possible step it could have foreseen to prevent the violation.
Minimum fine: $100 per incident with annual maximum of $25,000 for repeat violations
Maximum fine: $50,000 per violation with annual maximum of $1.5 million for repeat violations

Reasonable Cause
Steps have been taken, but something was not addressed. For example, a company went into a HIPAA audit and provided a gap analysis, but something had not yet been addressed. The violation is due to reasonable cause and not willful neglect.
Minimum fine: $1,000 per incident with annual maximum of $100,000 for repeat violations
Maximum fine: $50,000 per incident with annual maximum of $1.5 million for repeat violations

Willful Neglect
There are two types of willful neglect. The first is when a company clearly ignores the HIPAA law but corrects its mistake within the given amount of time.
Minimum fine: $10,000 per incident with annual maximum of $1.5 million for repeat violations
Maximum fine: $50,000 per violation with annual maximum of $1.5 million for repeat violations

The second type of willful neglect is when a company ignores the HIPAA law and does not correct its mistake.
Minimum fine: $50,000 per incident with annual maximum of $1.5 million for repeat violations
Maximum fine: $50,000 per incident with annual maximum of $1.5 million for repeat violations

Criminal Penalties
The U.S. Department of Justice established who can be held liable for HIPAA violations due to criminal activity. This includes covered entities and any specified individual working under a covered entity. Anyone who knowingly misuses health information can be fined up to $50,000 and imprisoned for up to a year. More serious offenses call for higher fines and longer prison time.

Individually Identifiable Health Information
A subset of health information, this includes demographic information about an individual’s health that identifies, or can be used to identify, the individual, such as name, address and date of birth.

OCR HIPAA Audit Protocol
Up through early 2012, there was no federal standard for third-party auditors to conduct a HIPAA audit. With the publication of the new Office for Civil Rights audit protocol, auditors have more consistent direction on how the OCR will conduct HIPAA audits in the future. The new protocol covers requirements found in the HIPAA Security Rule, Privacy Rule and Breach Notification Rule.

Privacy Rule
The part of the HIPAA rule that addresses the saving, accessing and sharing of medical and personal information of an individual, including a patient’s own right to access.

Protected Health Information (PHI)
This includes any individually identifiable health information collected from an individual by a healthcare provider, employer or plan that includes name, social security number, phone number, medical history, current medical condition, test results and more.

Security Rule
The part of the HIPAA rule that outlines national security standards intended to protect health data created, received, maintained or transmitted electronically.

Resources:

HIPAA Enforcement Rule