HIPAA (Health Insurance Portability and Accountability Act of 1996) is a big law which covers a whole host of things in the realm of healthcare in the U.S. Although the phase-in of its many parts is almost complete, the changes are still rippling across the country. Why a topic for this blog? I recently worked at a healthcare company and got to learn a whole lot about it and its impact on privacy, security and IT.
Why Should I Care?
If you are alive in the U.S., HIPAA affects you. Most people have very little idea of what it is and what those effects (both public and behind the scenes) are, so I thought I would share what I learned.
HIPAA has a number of sections, divided into two Titles: (I) Health Care Access, Portability, and Renewability, and (II) Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform. Title II is further broken up into a number of rules: (1) Privacy, (2) Transactions, (3) Security, (4) NPI and (5) Enforcement.
Generally Title I and the Privacy rule (II,1) are what the general public sees. Everywhere you go you need to give permission for people to look at and access your healthcare information; and finally you can take your healthcare coverage with you when you switch jobs (provided you follow the rules) and not be denied coverage. At my local pharmacy, for example, you can't stand in line directly behind someone picking up a prescription (so you can't see what they are getting).
The key term for this type of private healthcare information is "PHI", which means Protected Healthcare Information, and it is relatively well defined. This type of data is anything relating to your health care and any information which might tie you to your healthcare (even such details as phone numbers or your geographical information, and certainly things like your SS number). Access to this type of information is restricted to (1) those you give explicit permission to, or (2) those who have implicit access, namely entities like insurance companies and clearinghouses (more on those later). Even with either kind of permission, there are many rules on where and how it may be accessed, how much access is enough, and what must be done to protect it.
If it sounds onerous, you are right; it's supposed to be. It's your personal information, of a nature you really don't want anyone to casually have access to. Before HIPAA, all of your medical and personal information could be accessed by anyone anywhere in any fashion without any real consequence. The wild, wild west of the 1850's had more law than this.
The law however goes way beyond simple portability and privacy: the other major part of this was to standardize how medical information was transmitted and shared electronically. Before HIPAA everyone was free to describe health care information in any way they felt like; filing a claim with an insurance company was an exercise in futility, as everyone had different forms and different codes, and even then you were lucky if they didn't change without any notice. Electronic (EDI) claims were basically a joke unless the doctor or hospital limited coverage to very few plans.
HIPAA provides (1) a standardized set of transactions for different uses and (2) a defined (and continuously updated) set of codes to define virtually anything in a consistent way (like a diagnosis or test or explanation). The upshot of all this is that a healthcare Provider can now file and interact with a Payer (either directly or, more generally, via a Clearing House) electronically and mostly be assured of success in the transaction.
One further addition that only recently became required (for the most part) is NPI, the National Provider Identifier, which uniquely identifies all entities using electronic communications. Think of it as an IP address for healthcare. Note that the NPI identifies the entity; there may still be additional identifiers such as a DEA number for a drug prescriber.
You might think, I don't care really, I just go to the doctor and get well, and get irritated by all those blasted forms I have to fill out giving permission. That's where the other parts of HIPAA affect you, even though you don't see them. It's called the Security rule (and its brother, the Enforcement rule).
An electronic healthcare claim (I was working on the validation engine at a clearinghouse) is a wealth of personal information, highly suitable for (1) identity theft, (2) blackmail, (3) job loss, (4) fraud and (5) mischief. Being a standardized, coded chunk of information (generally in the X12 EDI format) in plain text, it can be ripe for criminal usage. Protecting it during processing, storage and transmission is crucial; otherwise there is nothing keeping it from becoming your worst nightmare. The Security rule covers a number of safeguards which must be followed to (hopefully) ensure that these nuggets of gold don't become someone's idea of a profit center. The rule covers (1) Administrative, (2) Physical and (3) Technical safeguards, basically having procedures to protect the data from various forms of theft or attack.
Remember that there is both explicit and implicit access to this data. Generally you give explicit permission to healthcare Providers (like your doctor or dentist), but Covered Entities (as they are officially known under HIPAA) such as clearinghouses and insurance companies are granted implicit permission. Imagine if everyone who touched a healthcare claim had to obtain a consent form; the whole electronic system would collapse. So the law allows these folks to handle your PHI, with the big requirement that they must follow all of the Security rule or face the Enforcement rule.
Insurance companies and HMOs are entities everyone knows (and generally dislikes as well). Clearing houses are not something most people even know about. Since HIPAA made electronic claims and other transactions available, most of this traffic is handled by thousands of these entities (from huge companies to one-person shops) who act as the intermediaries between the Providers and the Payers. Think of them as routers. Often a claim will move from a provider through multiple clearing houses before finally winding up at a Payer; then responses (such as rejections or notices of payment) flow the opposite way. The whole system is like a HipaaNet!
So what keeps your information safe? It's the Enforcement rule, and it is both really scary and really wimpy at the same time.
Generally each HIPAA violation can get an individual violating the basic rules a fine of $100 up to $25,000, which doesn't sound all that bad. However, the real teeth are in knowingly violating the more serious rules, which is considered a criminal felony and can result in a year in jail and $50,000 fines for each violation. The documents I have read discussing how this applies seem to show that the government, if it cannot determine a precise number of violations, will use statistical calculations to come up with a number (e.g. you knowingly allowed someone to steal an unknown amount of PHI from claims in your database with no audit trail, you processed 1M claims last year, we'll pick some percentage and that's the violation count). Violations in a Covered Entity are supposed to carry the higher penalties, since they have the highest need to protect the information, and the penalties would fall to the corporate officers if no individuals can be found to blame.
For any healthcare provider, payer or clearinghouse, the penalties are pretty scary, and in the worst (and not unlikely) case a business-ender if convicted. So far it seems that the Provider community, which is generally liable for the lesser fines, has gone out of its way to be careful. So far very few prosecutions have actually happened, and that's the sad part, as there are no actual requirements for specific audits, and the government office responsible for enforcing HIPAA (CMS, the horribly named Centers for Medicare and Medicaid Services) will only investigate if a formal complaint is received. Violations of the privacy portion are handled by yet another agency (the Office for Civil Rights).
Thus your HIPAA healthcare privacy and security are tightly controlled yet loosely enforced. Are you at risk? Probably, at least until some major violators are prosecuted and publicly whipped. Like so many things in security (and even personal things like backing up your hard drive), nothing much happens until something really bad happens. Ask TJX about security and bad publicity.
HIPAA is a massive but generally well written law which was badly needed; it has made healthcare privacy, portability and transactability possible and public. How effective it is remains to be seen.
In a following post, I want to cover what a health care claim technically looks like.