Congress passed HIPAA to provide consumers with greater access to health care insurance, to protect the privacy of health care data, and to promote more standardization and efficiency in the health care industry. Portability in HIPAA includes patient protections for coverage under group health plans that limit exclusions for preexisting conditions; prohibit discrimination against employees and dependents based on their health status; and allow a special opportunity to enroll in a new plan to individuals in certain circumstances.
Federal HIPAA Rules and Regulations
The Final Rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law. Included in HIPAA are the Administrative Simplification provisions, which required HHS to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security. At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of federal privacy protections for individually identifiable health information. Review the unofficial version of the Combined Regulation Text (as of March 2013), which presents all the HIPAA regulatory standards in one document. Key provisions are as follows:
Privacy Rule:
HHS published a final Privacy Rule in December 2000, which was later modified in August 2002. This Rule set national standards for the protection of individually identifiable health information by three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct the standard health care transactions electronically. The Privacy Rule governs disclosure of patient protected health information (PHI), while protecting patient rights. The Privacy Rule covers the process of protecting PHI while allowing for the secure transfer of PHI in the coordination of a patient’s care. PHI is any information that can be used to identify a patient, which can be electronic, paper, or verbal, and includes (1) common identifiers, such as name, address, birth date, social security number, etc., (2) a patient’s physical or mental health condition, whether past, present, or future, (3) the health care provided to the patient, and (4) payment information for a patient’s health care, whether past, present, or future.
Under the Privacy Rule, covered entities are required to (i) notify patients about their privacy rights and how their information will be used, (ii) adopt privacy procedures and train employees on such procedures, (iii) assign a security officer to ensure proper adoption and compliance with the privacy procedures, and (iv) secure patient records containing PHI so they do not become available to those who do not have a need to see them. The Privacy Rule also provides that patients are allowed access to examine and get a copy of their medical records and to request corrections to their medical records.
In order to facilitate patient care, covered entities may share information with doctors, hospitals, and ambulances for treatment, payment, and health care operations, even without a signed consent from the patient. If a provider believes she is acting in the patient’s best interest, the provider may share information about a patient, so long as proper safeguards against breach are taken. Unless a patient objects, the Privacy Rule allows PHI to be given to family, friends, or anyone else the patient identifies as being involved in their care. Compliance with the Privacy Rule was required as of April 14, 2003 (April 14, 2004, for small health plans). The Office for Civil Rights enforces the HIPAA Security Rule.
Breach Notification:
The Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. The regulations outline the requirements for notifying patients and the Department of Health and Human Services in the event of a breach. In some instances, depending on the size and scale of the breach, there may also be a requirement to notify the media. A breach is generally defined as an unpermitted use or disclosure under the Privacy Rule that compromises the security or privacy of PHI. Whether an unpermitted use or disclosure compromises PHI, and therefore counts as a breach, is determined by a risk assessment that evaluates (1) the nature and extent of the PHI involved, (2) the unauthorized individual who used or gained access to the PHI, (3) whether the unauthorized individual actually acquired or viewed the PHI, and (4) the extent to which the covered entity or business associate reduced the risk of PHI exposure.
If a breach affects the PHI of more than 500 patients, the covered entity must notify the Department of Health and Human Services without unreasonable delay, but no later than 60 days after discovery of the breach. For smaller breaches affecting 500 or fewer patients, the Department of Health and Human Services must be notified on an annual basis.
Security Rule:
HHS published a final Security Rule in February 2003. This Rule sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information. The Security Rule regulations involve the adoption of the administrative, technical, and physical safeguards required to prevent unauthorized access to PHI. The Security Rule covers the requirements for how covered entities must protect PHI, including a patient’s electronic PHI, or ePHI. Under the Security Rule, a covered entity must (1) develop reasonable and appropriate security policies, (2) ensure the confidentiality, integrity, and availability of all ePHI, both while it is stored and while it is transmitted, (3) identify and protect against any reasonably anticipated security threats to ePHI, (4) prevent unauthorized uses or disclosures, (5) analyze security risks that may be present in the physical and cyber environments and create appropriate safeguards against such risks, (6) continually review and modify security measures to ensure continuous protection of ePHI, and (7) train all employees on appropriate handling of PHI for HIPAA compliance.
HITECH Act:
The HITECH Act substantially broadens the scope and impact of the HIPAA security and privacy rules and addresses the privacy and security concerns associated with the electronic transmission of health information. The Act established breach notification standards that require that patients and the US Department of Health & Human Services (HHS) be notified of leaks and breaches of "unsecured" electronic protected health information (ePHI). Under the stimulus bill, several HIPAA security provisions apply to business associates in the same manner as they apply to covered entities. Further, the HIPAA Privacy and Security Audit Program requires HHS to provide for periodic audits to ensure that covered entities and business associates are complying with the HIPAA Privacy and Security Rules and the Breach Notification standards. When a covered entity is developing its HIPAA compliance safety measures, it should take into consideration its size, complexity, and capabilities; its technical, hardware, and software infrastructure; and the costs of its security measures, all while balancing the likelihood and possible impact of risks to ePHI. Review the TMA article on the federal government's enforcement of data security and privacy standards. For additional information on electronic health/medical records, see our EHR web page. The Office for Civil Rights enforces the HIPAA Security Rule.
Enforcement Rule:
The Enforcement Rule provides standards for the enforcement of all the Administrative Simplification Rules and contains provisions relating to compliance and investigations, the imposition of civil money penalties for violations of the HIPAA Administrative Simplification Rules, and procedures for hearings.
Electronic Transactions and Code Sets:
The Electronic Transactions and Code Sets requirements involve the transfer of health care information and the adoption of standard formats for processing claims and payments. Transactions are activities involving the transfer of health care information for specific purposes. Under HIPAA, if a health plan or health care provider engages in one of the identified transactions, it must comply with the standard for that transaction, which includes using a standard code set to identify diagnoses and procedures. The Standards for Electronic Transactions and Code Sets, published August 17, 2000, and since modified, adopted standards for several transactions, including claims and encounter information, payment and remittance advice, and claims status. Any health care provider that conducts a standard transaction also must comply with the Privacy Rule.
HIPAA Part 2 - Confidentiality of Substance Use Disorder Patient Records:
On November 28, 2022, OCR, in coordination with the Substance Abuse and Mental Health Services Administration (SAMHSA), issued a Notice of Proposed Rulemaking to revise the Confidentiality of Substance Use Disorder Patient Records regulations. The regulations at 42 CFR part 2 (“Part 2”) protect the confidentiality of substance use disorder (SUD) treatment records. Part 2 was modified in Feb. 2024 to align certain aspects of Part 2 with the HIPAA Rules and HITECH, and it protects “records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance abuse education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.” Confidentiality protections help address concerns that discrimination and fear of prosecution deter people from entering treatment for SUD.
HIPAA Final Privacy Rule to Support Reproductive Health Care Privacy:
On April 22, 2024, OCR issued a Final Rule, entitled HIPAA Privacy Rule to Support Reproductive Health Care Privacy. The Final Rule strengthens the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule by prohibiting the disclosure of protected health information related to lawful reproductive health care in certain circumstances. The revised HIPAA privacy rules strengthen protections for reproductive health information, imposing limits on its use and disclosure in legal contexts. In essence, the HHS guidance emphasizes strict adherence to legal requirements for disclosing PHI and restricts disclosures beyond what is legally mandated, particularly concerning sensitive reproductive health information. While the new HHS privacy rule enhances the protection of reproductive health care information, it does not conflict with or negate the existing regulations prohibiting information blocking, which facilitate the sharing of medical information among physicians and patients to ensure proper treatment and care coordination. Health care providers should update their practices to comply with these regulations, which include:
• Revising privacy notices to reflect the new requirements.
• Ensuring that reproductive health information is not disclosed to law enforcement without a court order.
General Rule: The Privacy Rule allows but does not mandate the disclosure of Protected Health Information (PHI) to law enforcement if required by a legal mandate enforceable in court.
- Without Court Order: PHI cannot be disclosed to law enforcement if requested without a court order or legal mandate. Such unauthorized disclosures would be considered a breach of PHI.
- With Court Order: PHI may be disclosed if a court order mandates it, but the disclosure is limited to what the order specifically requires.
- Abortion-Related Disclosures: Providers in states with abortion bans cannot disclose information about a patient’s intention to travel out of state for an abortion to law enforcement, as this would violate the Privacy Rule.
Entities receiving requests for reproductive health PHI should obtain a signed attestation confirming that the use is not for prohibited purposes, such as health oversight, legal proceedings, law enforcement, or disclosures to coroners and medical examiners. The HHS Office for Civil Rights provides a model attestation form for this purpose, which is optional and can be signed electronically.
Texas Laws
HB 300 (2011) and its 2013 amendment amended the Texas Health and Safety Code Section 181 with privacy requirements that are more stringent than the federal privacy requirements of HIPAA. The law imposes requirements regarding training, electronic health records access, sales of protected health information, notice and authorization for electronic disclosures, enforcement and disciplinary actions, and audits of covered entities. This law was effective on Sept. 1, 2012. In the legislative session of 2013, the law was further amended to change some of the requirements and timetables for training.
HB 4390 (2019) amended the Texas Business and Commerce Code Section 521.053, effective Jan. 1, 2020, making it more restrictive than federal HIPAA law. HB 4390 amends the code by defining a deadline by which businesses must provide notice to affected individuals, requiring that notice be provided without unreasonable delay, but no later than 60 days after discovering that a breach has occurred. Businesses are also required to provide notice to the Texas attorney general within 30 days after a breach is discovered if the breach involves the sensitive personal information (SPI) of 250 or more Texas residents (see SB 768 below).
SB 768 (2023) amended the Business & Commerce Code Section 521.053, effective Sept. 1, 2023, by changing the timeframe to report a breach to the Texas attorney general to 30 days from the date the breach was discovered if at least 250 state residents were involved. The notification must be submitted electronically via the attorney general’s online breach report. The breach will be placed on a publicly available list by the attorney general. Failure to comply could result in a fine of up to $50,000 for each violation, among other consequences.
Resources