The Health Insurance Portability and Accountability Act, or HIPAA, was passed in 1996 by the U.S. Congress to protect everyone’s personal health and data. Nationwide compliance is maintained and managed by the U.S. Department of Health and Human Services. According to that department, from April 2003 through February 2020, 229,983 HIPAA complaints were received, and 3,087 remain open as of this publication.
Although HIPAA is specific to the healthcare industry, it’s not the only data privacy regulation healthcare companies must adhere to.
These laws ensure companies across all industries take measures to protect personally identifiable information (PII). It becomes vital in a more connected world, where patients use wearables, telemedicine, and other remote health technology. Properly securing ETL database platforms is key to maintaining HIPAA compliance.
In this article, we’ll discuss what HIPAA is, why it’s important, and how to maintain data security in a modern connected world.
Table of Contents
What is HIPAA?
When it was initially drafted and proposed into law, HIPAA had four main goals to focus on:
- Help American citizens continue or transfer health insurance after an employment change.
- Regulate fraud and abuse of the health care system.
- Create best practices for electronic health care data, including procedures for collection, storage, and transfer.
- Enact industry-wide patient confidentiality protection standards.
The standards of privacy set by HIPAA addresses how an individual’s health information can be accessed and disclosed. Organizations like healthcare providers, insurance companies, and anyone else dealing with patient data must comply with the privacy rules laid out. It creates a balance between protecting and using information.
HIPAA has five titles that regulate this data.
Title I: Health Insurance Reform Provisions
The Consolidated Omnibus Budget Reconciliation Act (known as COBRA) predates HIPAA, being enacted back in 1985. This law requires employers to provide continued health insurance for employees and dependents who are no longer eligible.
HIPAA Title I reinforces the availability of COBRA plans for the recently unemployed and others who drop from eligibility. In addition, a government-regulated health insurance marketplace is available for independent contractors, self-employed, and others to obtain insurance.
Title II: Simplification of Administrative Processes
The DHHS standardizes electronic health care across health plans, healthcare providers, and employers. It sets exact minimum requirements and specifications for data privacy to create a secure environment for electronic data exchanges.
HIPAA Title II empowers the DHHS to write, publish, and implement these standards. Everyone is responsible for adhering to the published regulations.
Title III: Health-Related Tax Requirements
Medical insurance can be expensive, especially for the elderly and other high-risk categories of people. The average cost is estimated at $15,375 per person in 2020, which represents a 5% increase from the previous year. Tax relief is the only way it can be made affordable for everyone.
HIPAA Title III provides important tax provisions for medical insurance, while also making related laws more consumer-centric. Health insurance laws stemming from this are an important part of the country’s infrastructure.
Title IV: Group Health Plan Rules
Group health insurance covers a group of people versus an individual. This is how large organizations, like corporations, are able to afford expensive health plans for their employees. Group plans essentially provide a wholesale discount on insurance when purchased in bulk.
HIPAA Title IV outlines specifications that must be met to qualify for a group health plan. This includes people with pre-existing conditions and those with continuing medical coverage.
Title V: Offset of Revenue
Both life insurance and health insurance providers play a careful game of balancing premiums received with claims paid. During something like a global pandemic, these rules are going to be even more important.
HIPAA Title V focuses on company-owned life insurance, patients who lose U.S. citizenship, and other unusual circumstances. Traditional rules for financial institutions related to interest allocation were repealed by this title.
With stakes this high, companies need a technology-based solution that provides enhanced data protection.
Why Is HIPAA Important
HIPAA provides important safeguards for patient privacy. It was, however, written before the age of big data. It envisioned a time when hospitals and universities were the main collectors of health information. It did not predict a time when de-identifying patient data might become difficult. In the current framework, there may be private organizations that must comply with HIPAA but have an interest in retaining as much of the raw data as possible.
ETL and HIPAA Security Importance
HIPAA mandates the protection of personally identifiable information (PII) when that information is combined with the health information of an individual. Health information includes payment information for health care, provision of health services, among other information types. PII includes name, phone number, photos, license plate number, or indeed anything that may be used to identify a person.
Not following the HIPAA rules -- either through an inadvertent or deliberate action -- has huge repercussions. These are classified as civil violations or criminal violations, as follows:
These penalties range from $100 to $1.5 million, based on the covered entity's knowledge and the number of repeated violations. Here are the upper and lower range penalties:
- Lowest: an entity that unknowingly violates HIPAA is subject to a penalty of $100 to $50,000 per violation.
- Highest: an entity guilty of willful neglect, combined with a failure to correct the violation within the requested time period, is subject to a penalty of $50,000 per violation up to an annual maximum of $1.5 million.
These penalties increase in severity according to the method and intent behind the disclosure of the PII:
- Individuals such as the employees, directors or officers of the covered entity face a fine of up to $50,000 and one year's imprisonment for knowingly obtaining or disclosing PII;
- If false pretenses were involved, the fine increases to $100,000 and prison time goes up to a 5-year maximum;
- If the intent is to sell, transfer or use PII for commercial or personal gain, the fine is as much as $250,000 with a 10-year maximum prison term.
Clearly, HIPAA is a law with a great deal of muscle. It is something all covered entities who have PII must take seriously.
Robust Security Offers the Best Defense Against HIPAA Violations
For organizations that hold large amounts of data, it can be time-consuming to find and mask PII using a manual process. It can also introduce errors into the data encryption process, leading to an unintended breach or disclosure of health data.
An automated ETL process improves accuracy and efficiency. Organizations can find PII in a data lake, data warehouse, or indeed at any stage of the ETL process and encrypt that information accordingly. The process is scalable to ensure compliance across multiple ETL jobs.
Xplenty for HIPAA Compliance
When even an unknowing data breach comes with penalties under HIPAA, it is essential to have the most robust security safeguards possible. Xplenty goes above and beyond to achieve these:
- Field-level encryption means PII and personal health information are protected at the source before they are added to a data lake, warehouse, or another internal system;
- Xplenty is cloud-based. That means not even Xplenty's team members have access to client data.
Xplenty's processes comply with HIPAA business associate standards. We become a party to business associate agreements, as per the HIPAA guidelines. This provides further reassurance to our client partners that our platform not only makes their work easier and more efficient, but it also safeguards the important data with which they have been entrusted. This is on top of Xplenty's superior security protocols, including SSL/TLS encryption, physical security of infrastructure, network and system security.
Want to learn more about how Xplenty can help your organization comply with HIPAA? Contact us to schedule a demo and experience the Xplenty platform for yourself.