In the medical industry, especially in research and practice, privacy, confidentiality, and ethics are deeply ingrained concepts. Their primary function is to provide benefits to both the individual and society alike. For instance, in medical research, the privacy of participants is not just an ethical obligation but also a measure to protect their interests (Guraya et al., 2014). On the other hand, collecting personally identifiable information for health research, especially population health, also benefits society. This paper is a discussion of the Health Insurance Portability and Accountability Act (HIPAA) and the role it has played in America’s health care industry.
History of HIPAA
HIPAA was signed into law in 1996 as an attempt to reform the country’s health care system on a national scale. It was introduced with two objectives. First, HIPAA was originally intended to help Americans keep their health insurance between different jobs (Edemekong et al., 2020). The first objective is the Health Insurance Portability part. The second objective, also known as the accountability section, was introduced to ensure the privacy, security, and confidentiality of patient information, also known as personally identifiable health care information (Edemekong et al., 2020). This objective was achieved by standardizing the storage, viewing, and transmission of patient data, which includes medically relevant information as well as financial data (Gaia et al., 2020). Over the last 24 years, however, HIPAA has been slowly amended.
For instance, two years after HIPAA’s introduction, the Department of Health and Human Services (HHS) proposed an amendment known as the Security Rule. The purpose of the Security Rule was to increase the protection of confidential patient information when it is shared between stakeholders, such as hospitals and other companies (Vanderpool, 2012). However, the Security Rule only came fully into effect after five years, to give organizations time to adapt, implement it, and become compliant.
Another important HIPAA amendment was the Privacy Rule. According to Brown & Tijerina (2014), the Privacy Rule was proposed in 1999, and its purpose was to increase the safety standards around protected health information (PHI). The Privacy Rule defines protected health information as any information in an individual’s medical record that could be used to identify them and that is held by a covered entity (Edemekong et al., 2020). The other purpose of the Privacy Rule was to make it easier for patients to access their health information. After its finalization, the Privacy Rule led to the handing over of the responsibility for enforcing HIPAA to the Office for Civil Rights (OCR), an agency under HHS.
Unfortunately, the introduction of the Privacy and Security Rules was not enough to ensure compliance. As a result, some covered entities had not yet implemented the recommended safeguards that evidenced compliance. In 2005, the HIPAA Enforcement Rule was introduced, enabling HHS to investigate covered entities that were not compliant and fine them for breaches of PHI and ePHI (electronic protected health information), provided that the investigations proved that the violations were avoidable under the provided safeguards (Evans, 2014). The Enforcement Rule also gave OCR the power to impose financial penalties on covered entities that were non-compliant (Evans, 2014). For instance, if a patient’s information was shared without their consent and this resulted in serious harm, the patient could file a civil legal action against the responsible entity.
The Importance of HIPAA
The biggest beneficiaries of HIPAA are patients, because the law has ensured that all covered entities, including but not limited to health care providers, clearinghouses, insurance companies, and other third parties, implement the required safeguards to protect patient information. It is ethically negligent to expose patient medical data as well as protected health information, whether intentionally or unintentionally. Without HIPAA, these organizations would not be legally required to protect it (Glenn & Monteith, 2014). Additionally, if they failed to implement the safeguards, there would be no penalties. Besides, there are financial costs to safeguarding patient information, a cost that most health care organizations would forgo as it could impact profit margins. These costs include the implementation and maintenance of the information systems recommended by HIPAA, and they come out of the covered entity’s pockets. On the other hand, even if health care organizations and their stakeholders treated patient privacy as an ethical obligation without HIPAA, the safeguards they implemented would be diverse. The outcome would create more problems for the patient, as institutional differences and procedures would impact the sharing and transmission of patient information when needed. Therefore, the standardization of the safeguards enforced by HIPAA adds another layer of protection while ensuring quality health care delivery.
On the other hand, HIPAA has given patients greater control than they previously had and made them active participants in making decisions about their health care needs by giving them the freedom to decide who gets access to their health data. It is part of the HIPAA doctrine that health care data is privileged information. Therefore, there are restrictions on who can view the information as well as on which individuals and entities are given sharing privileges. The creation, disclosure, transmission, and storage of protected health information is done in a secure, standard, and systematic manner.
Besides, health care organizations are not infallible and are bound to make mistakes in the creation, storage, and updating of health care data. Therefore, by giving patients free access to their health data, HIPAA lets them act as watchdogs, check for errors, and make sure they are corrected. Additionally, if a patient wants to switch treatment from one organization to another, or if they are seeking a second opinion on a diagnosis, HIPAA makes the sharing of information easier, which is to the benefit of the patient.
Possible Safety Concerns by not Following HIPAA Regulations
HIPAA regulations are a packaged intervention and have the characteristic of ignoring the human element within the system. HIPAA regulations work at the organizational level and determine what covered entities should do to be compliant. Though the regulations effectively protect patient privacy, it is essential to understand that the human element of the health care system is the biggest safety concern. According to Cannon & Caldwell (2016), violations occur when employees disclose patient information while chatting, gossiping, texting, and emailing, among other activities, with friends and co-workers. Violations also occur when an authorized device belonging to someone who has access to PHI is lost or stolen. Ozair et al. (2015) documented cases where health care professionals violated HIPAA regulations by illegally downloading patient information and then losing the devices, potentially risking patient safety and privacy should the information end up in the wrong hands.
The human element, however, does not answer why patients should be concerned about covered entities not following HIPAA regulations. A good concern, therefore, is the financial motive. According to Ozair et al. (2015), Laurie Napper was a health care worker at a hospital who used her access to protected health information for over 1.5 years and sold it to undisclosed third parties. These third parties are the safety concern. Consider a third party that is politically motivated and targets a candidate in an election. By buying the health data (say the candidate was a former drug addict), they can use the privileged information in a smear campaign. Additionally, the demand and market for health data are continuously growing on the dark web. According to Gehl (2018), medical records sell for as much as $1000 USD on the dark web. Health care workers are not the only stakeholders with an incentive to disclose patient information and violate HIPAA. According to HIPAA Journal (n.d.), in 2016 the OCR received a complaint from a patient against Elite Dental Associates, who had violated HIPAA regulations after the patient reviewed the practice on Yelp. Further investigation revealed that the practice had publicly revealed the patient’s last name, health conditions, treatment plan, insurance details, and the cost of the visit. Additionally, OCR discovered similar violations in responses to other patients’ reviews on Yelp. Therefore, patients should be concerned, on personal, business, and financial grounds, about individuals and covered entities that are not compliant with HIPAA regulations.
Potential Ramifications for Non-compliance Including Innocent and Malicious Violations
A HIPAA violation can be innocent or malicious. Besides, all HIPAA disclosure provisions operate on the principle of least privilege. Therefore, an innocent violation might be an overshare where too much PHI is revealed when the least privilege could have served the purpose. Financial penalties, which serve as deterrents, can be issued for innocent, also known as unintentional, violations.
On the other hand, malicious violations include the deliberate delaying of breach notification letters beyond the allowed sixty days after the discovery of the breach. The cases of Laurie Napper and Elite Dental Associates are examples of malicious violations of HIPAA provisions. Inarguably, penalties for deliberate violations are much higher than those for unintentional violations.
Therefore, to penalize HIPAA violations, the OCR uses the following penalty structure. Tier 1 covers violations that the covered entity was unaware of and could not realistically have avoided (Ahlstrom et al., 2019). These are penalized with a minimum fine of $100 - $50,000 per violation. Tier 2 violations occur when the covered entity should have been aware and could not have avoided the violation, even with a reasonable amount of care (Chang, 2013). These are given a minimum fine of $1,000 - $50,000 per violation. Tier 3 violations occur due to willful neglect of HIPAA rules (Ahlstrom et al., 2019). These suffer a minimum fine of $10,000 - $50,000 per violation. Finally, Tier 4 violations occur when, even after willful neglect, the covered entity failed to make corrections (Chang, 2013). These are given a minimum fine of $50,000 per violation.
Conclusion
In conclusion, this paper has comprehensively discussed the different aspects of the Health Insurance Portability and Accountability Act (HIPAA), with a special focus on its importance and potential ramifications. As is notable in OCR’s penalty structure, HIPAA violations are serious offenses. The primary function of these penalties, especially financial penalties, is to deter the covered entity from future violations. Additionally, the tiered penalty structure has the side effect of ensuring accountability within organizations at all levels of the health care industry. Therefore, as an entrant or professional in the medical industry, familiarity with HIPAA is not enough. Instead, HIPAA regulations should be internalized to the point that the OCR would be obsolete, as this is the ethical way to practice health care.
References
Ahlstrom, J., Tait, C., & Zoline, K. (2019). Healthcare cyber security and HIPAA assurance with business associates. Cyber Security: A Peer-Reviewed Journal, 3(2), 145-158.
Brown, B., & Tijerina, D. (2014). 2013 HIPAA/HITECH Amendments: How the changes impact the eDiscovery process. Health Law., 27, 21.
Cannon, A. A., & Caldwell, H. (2016). HIPAA violations among nursing students: Teachable moment or terminal mistake, a case study. J Nurs Educ Pract, 6(12), 41-48.
Chang, J. L. (2013). The dark cloud of convenience: How the HIPAA omnibus rules fail to protect electronic personal health information. Loy. LA Ent. L. Rev., 34, 119.
Edemekong, P., Annamaraju, P., & Haydel, M. (2020). Health Insurance Portability and Accountability Act (HIPAA). StatPearls.
Gaia, J., Wang, X., Yoo, C. W., & Sanders, G. L. (2020). Good news and bad news about incentives to violate the Health Insurance Portability and Accountability Act (HIPAA): Scenario-based questionnaire study. JMIR Medical Informatics, 8(7), e15880.
Gehl, R. W. (2018). Weaving the dark web: Legitimacy on Freenet, Tor, and I2P. MIT Press.
Glenn, T., & Monteith, S. (2014). Privacy in the digital world: Medical and health data outside of HIPAA protections. Current Psychiatry Reports, 16(11), 494.
Guraya, S. Y., London, N. J. M., & Guraya, S. S. (2014). Ethics in medical research. Journal of Microscopy and Ultrastructure, 2(3), 121-126.
HIPAA Journal. (n.d.). HIPAA violation cases. Retrieved 13 August 2020, from https://www.hipaajournal.com/hipaa-violation-cases/.
Ozair, F. F., Jamshed, N., Sharma, A., & Aggarwal, P. (2015). Ethical issues in electronic health records: A general overview. Perspectives in Clinical Research, 6(2), 73.
Vanderpool, D. (2012). HIPAA: Should I be worried? Innovations in Clinical Neuroscience, 9(11-12), 51.