Abstract
The enactment of “The Health Insurance Portability and Accountability Act” (HIPAA) Act was aimed at making health care affordable to all and ensuring health insurance coverage to everyone. It didn’t take too much time for the lawmakers to realize that, in doing so, the privacy and confidentiality of health information would be jeopardized. As a result, an important amendment made health information security, an integral and indispensible part of HIPAA. Although, the health care organizations had to put in additional funds, resources, and efforts to comply with HIPAA, it opened vistas of business opportunities. These prospects demand the health entrepreneurs to explore it further and think ‘out-of-the-box’ to make the maximum out of it.
The enactment of “The health Insurance Portability and Accountability Act” aka HIPPA Act was aimed to extend the healthcare security to the common people. Howbeit the HIPAA Act increased the responsibilities of the healthcare providers. As you know “Every coin has two sides,” so does HIPAA. With all the rules and regulations HIPAA provided new horizon for the rising of many new business scope in the healthcare and healthcare technology sector. The crux of this article is centralized to equip the healthcare entrepreneurs with understanding about the key specks of HIPAA and also to give an insight of new “Out of the box” business scope booming in the healthcare industry. This piece of scoop may help the healthcare technology startups to flourish and “Corner the market”.
Keywords: HIPAA Act; HITECH Act; Final Omnibus Rule; EHRs; Smart Cards; Cloud Technology
At a glance
1. HIPAA- A “Double- Edged Sword”
2. Genesis of HIPAA
3. HIPAA compliance
4. Penalty for Noncompliance
5. HIPAA – Who all need to comply?
6. HIPAA Risk Analysis Process
7. HIPAA- The Healthcare Technology Leeway/ The Opportunities Galore
8. HIPAA- The growing healthcare market
9. When in Healthcare Business, Act with HIPAA!
Introduction
HIPAA- A “Double- Edged Sword”
HIPAA was implemented to provide increased healthcare security and privacy for the people, however, it is a “double-edged sword”. For example, a leading health insurance company like Anthem Inc. had to pay a penalty of $1.7 million for a computer security breach in healthcare data. On the contrary, it also played the role of business “ladder” for many successful new healthcare technology startups like Aptible, Flatiron, Misfit, and CardLogix. Along with the security and privacy responsibilities, HIPAA has also created a “Peachy Leeway” for the new innovative business startups. Being an entrepreneur you just have to spot the scope and go for it!
Genesis of HIPAA
Have you ever asked this question, why on earth an Act like HIPAA came into existence? Well, the answer revolves around the fact that till the 1990’s there was deficiency of a convenient system for storage of health records and protection of the health information. To rectify the situation, in the year 1996, Congress passed an act named as “The Health Insurance Portability and Accountability Act” (HIPAA). The Act was an amalgam of five set of titles or rules.
The HIPAA act mainly dealt with three main purposes:
- To provide healthcare coverage to the maximum population
- To reduce fraud and abuse cases in the health insurance
- To digitalize health records and promote its confidentiality and security
Figure 1- Important Components of HIPAA
Although, HIPAA Act was implemented, but there were some existing gaps in the Health Information Privacy Rule. So, in the need to strengthen the HIPAA Act, the Congress passed the Health Information Technology for Economic and Clinical Health Act (HITECH) in the year 2009. The enactment of HITECH Act was aimed at strengthening of the electronic healthcare documentation system and Health Information Privacy rule. However, implementation of the HITECH Act required several amendments under the HIPAA Act. So, in order to modify certain terms and rules of the HIPAA Act, the Department of Health and Human Services (HHS) and the Office for Civil Rights) issued the Final Omnibus Rule, in 2013.
The Omnibus Rule officially entitled as “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act,” was anticipated to augment the privacy rights of patient’s health records.
Amalgamation of the four revised rules led to the birth of the “The Final Omnibus Rule”:
- Revision of HIPAA Privacy, Security, and Enforcement Rules
- Revision of Privacy Rule, contemplated in 2010
- Revision of Breach Notification Rule under the HITECH Act
- Revision of Privacy rule required for implementation of Genetic Information Nondiscrimination Act (GINA)
The Omnibus Rule brought about certain vital changes in terms of interaction between covered entities and their business associates, and redefinition of terms like electronic storage material to electronic media and maximizing the non compliance penalty to $1.5 million. The origin of Omnibus Rule leads to the enactment of HIPAA amending to the HITECH rule. The Final Omnibus Rule worked as connecting “Puzzle piece” for the HIPAA and HITECH Act.
HIPAA compliance
The HIPAA Act implies certain strict norms of privacy and protection for the companies handling protected health information. The companies dealing with Personal Health Information (PHI) must safeguard it by auditing the status, storage location, network security and visibility. So, if a company complies with all the privacy and security norms, the company can be referred as HIPAA-compliant; a little deviation or breach may lead to noncompliance.
Penalty for Noncompliance
Non-compliance to HIPAA may have significant consequences, in terms of finance as well as reputation. The Office for Civil Rights (OCR) can impose both civil and criminal charges depending upon the extent of noncompliance. The civil penalties for HIPAA noncompliance vary depending upon the intention and level of breach.
Table 1: Civil penalties
HIPAA Violation | Penalty |
The violation is committed unintentionally. | An amount of $100-$50,000 per violation, with the annual maximal amount up to $1.5 million. |
The violation is committed with plausible cause rather than willful neglect. | An amount of $1,000-$50,000 per violation, with the annual maximal amount up to $1.5 million. |
The violation is caused owing to willful neglect but rectified within the mandatory time period. | An amount of $10,000-$50,000 per violation, with the annual maximal amount up to $1.5 million. |
The violation is caused owing to willful neglect but not rectified. | An amount of $50,000 or even more per violation, with the annual maximal amount up to $1.5 million. |
Table 2: Criminal penalties
HIPAA Violation | Penalty |
The covering entities or person knowingly obtained or revealed unique traceable health information. | Fine up to $50,000, as well as maximum imprisonment of one year |
The violation is committed with the intention of false pretenses. | Fine up to a $100,000 , with maximum five years imprisonment |
The violation is committed for personal profit and malicious motive | Fine up to a $250,000, and maximum imprisonment of ten years |
HIPAA – Who all need to comply?
The HIPAA Security rule imposes compliance requirements to healthcare organizations involved in providing, gathering, organizing or transferring of protected electronic health information. The organization includes:
- People providing medical and healthcare services, transmit or transcript electronic health information
- The entities involved in health management system or handling health information for billing or re-pricing
- People providing health insurance or dealing with health plans, Medicare and Medicaid plans
- Prescription Drug Card sponsors
Figure 3: Array of entities compliant to HIPAA
HIPAA compliance: The IT affair
The healthcare organizations require a breach risk management program to avoid monetary and legal penalties caused by non compliance. For any breach risk management, the IT department plays a vital role by ensuring the security status of the systems containing electronic Protected Health Information (ePHI). The IT takes care of the health information security and networking of systems. A well-established IT system is indispensible to HIPAA compliance.
Some other important IT protocols to be followed for HIPAA compliance:
- The ePHI should be encrypted properly to assure the privacy and integrity of the medical records.
- The security of the network used for data transfer should be regularly checked.
- Proper auditing of the visibility of critical data is essential.
- Cautious handling of removable devices containing confidential medical records.
Nowadays, the use of Control Objectives for Information and related Technology (COBIT) as a reference scheme amongst the IT industries is gaining popularity. COBIT defines the control guidelines and security standards for critically important data.
One cannot become a successful health entrepreneur, without becoming aware of HIPAA compliance and the importance of IT in compliance. It is the responsibility of the healthcare organizations to implement standard protocols and invest capital for external audits. In present day situation, another option becoming popular with healthcare organization is the collaboration with HIPAA compliant data centers. These centers have their standards of physical, technical, and administrative setup according to the Healthcare Security Service (HSS).
Essentials of a HIPAA compliant data center
Physical standards– It involves authorization-based limited access of data, and strict rules for usage of electronic devices for transfer and disposal of PHI.
Technical standards– These standards involve unique IDs, automatic log off system and standard encryption and decryption process. Hardware and software activity tracking for finding the origin of any security breach is a must.
Technical codes standards– These data centers should have emergency recovery and backup programs for proper data retrieval.
Network security standards– The data centers should have high network security standards including Firewall for interception and forbidding of unauthorized access to mails and clouds.
All the above-mentioned points about the HIPAA compliant Data center can be helpful for removing the non compliance risks but it is important for the healthcare organization to audit risk analysis regularly and try to eliminate the potential noncompliance risks.
HIPAA Risk Analysis Process
Although HIPAA might appear as an additional responsibility for the healthcare technology industry due to the additional rules and regulations implied by it, but it is known that “Every cloud has a silver lining”. The same applies for HIPAA where along with the responsibility of compliance, new scope for innovation and business comes into picture.
HIPAA- The Healthcare Technology Leeway/ The Opportunities Galore
“Necessity is the mother of all invention”, but in the business world, it says “With every problem comes scope for new business”. The scope of new technology and devices has increased tremendously, with the implementation of the Final Omnibus Rule.
1. Electronic Health Records (EHR)
The EHRs are becoming more and more a standard in health care organizations. These are the electronic forms that help to capture patient-related health data. The integral process of an EHR requires encipherment of the sensitive health records to chaperon it from unauthorized access. Apart from ciphering of at least 128 bit, the usage of other data security setups like firewall and log management systems also may be helpful to restrict the unauthorized access. Auditing of the systems for risk analysis can also be implemented. After the implementation of the HITECH Act, the protocols for the EHR developers have been upgraded, and the focus is more on the development of new stark encryption technologies.
2. Smart Cards
Smart Cards are amongst the unique and whiz innovations of the modern world. They are considered as the utmost trusted tools for safekeeping of the sensitive health records. Nowadays, with the rising urgency for heightened data security the smart cards are becoming “in vogue”. The smart cards are rated according to their level of intricacy and data immunity provided by it. The smart cards are helpful for providing absolutely controlled authorized data accession and authenticated access to the network.
The HIPAA Act has unlocked a vast scope for the new IT companies to provide efficient smart cards for the healthcare organizations for secure data storage.
3. Healthcare Analytics
With time, the healthcare sector in not limited to the healthcare providers, but it has extended to many innovative businesses. The healthcare analytics is one such new field which can provide an improved assistance to the healthcare provider for handling the diverse patients more efficiently.
Accompanying the implementation of “Affordable Care Act” in 2010, the predicament of the healthcare providers has increased. So, to reduce the burden of the healthcare providers, the healthcare predictive analytics can play a vital role. They can help the hospitals to recognize the group patients requiring medical follow up to reduce the amount of readmissions.
The new HITECH Act includes provisions for the healthcare provider to acquire compound authorization of patients to use the patient health data for future studies. The analytics experts can use the same data for preparing models but only after removing all the personal identifiable data. But reassurance of the HIPAA compliance should be checked strictly when usage of PHI is concerned.
4. Cloud Technology
The storage of the Protected Health Information by the cloud technology is gaining popularity amongst the healthcare organization. However, for the organization involved in Cloud servicing, HIPAA compliance is a serious headache and all the service providers should be aware of all aspects of HIPAA compliance. The healthcare organizations should check for certain points about the Cloud Service providers which include standard encryption system, risk analysis audits, and high level data accession security.
5. e-Health
The advancement of healthcare technology is acting as a boon for both the healthcare industry and the patients. The increasing availability of smartphones and notepads has started a unique trend in the healthcare, termed as e-Health or Mobile Health or Telemedicine.
The online medical consultancies are helping in transit of the healthcare services to the patients residing in outlying areas. The e-Health is also playing a key role in making the healthcare facilities more convenient for the patients and also providing assistance to the healthcare providers to amplify their scope of pursuit. But the main query is how to avoid noncompliance. Well, the most appropriate solution to this is – Finding the right guy.
According to the Final HIPAA Omnibus Rule both the business associates and healthcare providers are responsible for the secure transfer and recording of the data. Being the e-Health partner, there are certain protocols needed to be followed for a proper business odyssey:
- Acquisition of clean chit for HIPAA compliance
- Signing Business Associate Agreement (BAA) with the healthcare associate
- Guaranteeing high level of data cipher system and security measures
e-Health can be very useful for the healthcare providers, but a little attention to HIPAA compliance will work wonders for the business.
6. Mobile Apps
If an entrepreneur is starting a company related to healthcare-based mobile apps or softwares, they should be aware of all the rules and regulation regarding PHI and HIPAA compliance. However, the HIPAA rules are not applicable to all healthcare apps rather to the apps which gather, compile and transmit PHI with covered entities. But there are certain contemplating specks about risks factors associated with healthcare mobile apps developer should keep in mind.
- All the gadgets like notepad, tablets and smartphones can be misplaced or lost which will generate a risk of data copout.
- The security of data saved in these devices is a big question as it is easily accessible to any person coming in contact with the device.
- The user might knowingly or unknowingly post data in the social media which will cause HIPAA noncompliance.
It is true that all the above mentioned risk factors are out of the application developer’s control, but they should be given attention to for HIPAA compliance.
7. Wearable Technology and other Innovative Devices
The key rule for any business is “Demand and Supply”. With the increasing demand for brisk healthcare delivery, the innovative healthcare technology devices are helping in the speedy delivery of the health information. The devices like wearable devices, stretchable devices and microchips are contributing to the supply of personalized health data like blood pressure, heart rate, pulse rate and body temperature.
But all the device manufacturers should enquire about the applicability of HIPAA compliance as storage and transmission of personal health data are involved and take appropriate measures accordingly to avoid penalty.
8. Medical Devices
The medical devices are the backbone for the healthcare industry and as the scope in healthcare is “Souping Up”, the new upgraded medical devices are introduced. But, one of the major problems faced by medical device manufacturers is the confusion regarding the applicability of HIPAA. The HIPAA compliance is mainly applicable only to companies manufacturing medical devices involved in storing PHI like unique identifying points and health data.
Any company involved in procuring health information and transmission of the data to healthcare entities should be HIPAA compliant. On contrary to this, the medical device companies involved in manufacturing devices for sale only does not require HIPAA compliance. So the most crucial step for any medical device developers to decide – Whether HIPAA compliance is applicable or not?
HIPAA- The growing healthcare market
The US healthcare market has crossed a record breaking value of $6.5 trillion in year 2014. And with the all new innovative business startups the healthcare technology sector is skyrocketing. According to market forecast by the year 2020, the market size for the healthcare technology sector will grow to a booming record of $228.7 billion.
Table 3: Comparative Market Value and Annual Growth Rate of different Healthcare Technology domains in 2015
New Healthcare Technology Domains | Market Value (in 2015) | Compound Annual Growth Rate (CAGR) in % | Notable Game Changing Startups |
Medical Devices | $137 billion | 35 | MedWand, AdhereTech, Butterfly Network |
Mobile Health Technology | $38 billion | 33.4 | League, iCouch.me, Doximity |
Wearable Technology | $20 billion | 21.30 | LumoBack, Spire, Scanadu, Misfit Wearables, SkinVision |
Healthcare Analytics | $11.8 billion | 12.2 | BridgeCrest Medical, Care at Hand |
Smart Card Technology | $10 billion | 8.3 | CardLogix, CompetechSmartCard Solutions |
Mobile Application Technology | $7.8 billion | 13.4 | Pager, MotherKnows, drchrono iPad Patient Care Platform |
Cloud Computing Technology | $5 billion | 20.5 | Aptible, CareCloud, Flatiron |
EHR Technology | $3.73 billion | 20.7 | Augmedix, PracticeFusion |
Source: MarketsandMarkets, Forbes, IDTechEx
Figure: Healthcare Technology Market Forecast up to 2020 (in billions)
Source: MarketsandMarkets, Statista
When in Healthcare Business, Act with HIPAA!
No business in healthcare, can survive without HIPAA. It has opened new avenues for health entrepreneurs who want to explore and experiment. This Act with its opportunities takes the healthcare revolution to another level. When these opportunities materialize at the ground level, the healthcare delivery will become more accessible and affordable, and undoubtedly, effective. With the IT and healthcare working hand-in-hand, the future of healthcare industry seems to be bright, and all sunshine!
References
- Solove, Daniel J. “HIPAA Turns 10: Analyzing the Past, Present and Future Impact.” Journal of AHIMA 84, no.4 (April 2013): 22-28.
- J. Konieczka. “Case Study: Mobile Healthcare Solution Yields Better Outcomes.” Caring: Annual Telehealth Issue, pp. 21-22. Oct. 2013.
- C. Brady and S. Force. “Case Study: Lee Memorial Health System: The Role of the Telehealth in an Integrated Health Delivery System.” Caring, pp. 29. Oct 2013.
- Hodge JG Jr, Gostin LO, Jacobson PD. Legal issues concerning electronic health information: Privacy, quality, and liability. Journal of the American Medical Association.1999; 282(15):1466–1471.
- http://www.hhs.gov Accessed on 5th December 2015.
- http://www.marketsandmarkets.com Accessed on 5th December 2015.
- http://www.hipaajournal.com/hipaa-history/ Accessed on 5th December 2015.
- http://www.cisbydeloitte.com/cis-compliance-blog/pharma-compliance/hipaa-101-a-brief-history-lesson/ Accessed on 5th December 2015.
- http://library.ahima.org/xpedio/groups/public/documents/ahima Accessed on 5th December 2015.
- http://www.dhcs.ca.gov/formsandpubs/laws/hipaa/Pages/1.00WhatisHIPAA.aspx Accessed on 5th December 2015.
- http://www.statista.com/statistics/387867/value-of-worldwide-digital-health-market-forecast-by-segment Accessed on 5th December 2015.