Over the past years, one of the most pivotal changes seen in the healthcare industry has been a growing interest in the security of health information.
Before introducing the Health Insurance Portability and Accountability Act (HIPAA) in 1996, most health records were in paper form; protecting privacy and security of health information was a challenging issue.
Countless medical staff must have access to a patient’s health information for various purposes such as health insurance, billing, and research. But because so many individuals shared medical records, there was a real risk that patients’ privacy would be violated.
Due to the staggering concerns regarding the privacy and security of health data, HIPAA was signed into law by then-president Bill Clinton on August 21, 1996. The original intent of HIPAA was to streamline administrative processes to reduce costs and improve the privacy and security of patient health information.
HIPAA specifically tasked the Department of Health and Human Services (HHS) to create industry-wide privacy and security standards to regulate covered entities, health plans, and healthcare clearinghouses. As HHS created HIPAA standards, it became clear that an organization devoted to the protection of citizens’ privacy was needed.
The need for discretion to protect sensitive health data created the Office for Civil Rights.
Since the 1970s, the United States Congress has passed several privacy statutes that protected certain documents, such as school records, phone records, driver’s license information, and even cable TV receipts. There was even a federal law regulating the privacy of video rental records, but none to regulate the privacy of health records.
Congress eventually recognized the need to protect the public’s most sensitive records, their health information. But because of the overwhelming number of individuals and organizations that collect, use, and disclose health information, Congress tapped the HHS to propose regulations to protect health data privacy.
HHS responded by establishing the Office for Civil Rights (OCR), which enforces certain regulations issued under HIPAA to protect the privacy and security of protected health information (PHI).
HHS’ OCR implements federal civil rights laws, conscience and religious freedom laws, HIPAA Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule.
OCR protects health information privacy by:
- Providing information to health and social services workers about civil rights laws on health information confidentiality and protection
- Educating communities about civil and health information privacy rights
- Investigating complaints on health information privacy violations and taking action to correct issues
Initially proposed in 1999, OCR’s enforcement of the Privacy Rule was finalized and began on April 14, 2003. The Privacy Rule defines and governs the use and disclosure of PHI. All covered entities must comply with HIPAA processes in using, receiving, storing, and sharing PHI. The rule also sought to give patients better access to their health data.
In April 2005, HIPAA covered entities were required to comply with the Security Rule, which establishes the security standards for patient information stored or transmitted electronically. OCR became responsible for enforcing the Security Rule in July 2009.
OCR reports HIPAA complaints and compliance reviews.
Since implementing the Privacy Rule in 2003, OCR has received over 275,871 HIPAA complaints and has initiated over 1,103 compliance reviews as of September 2021, per HHS. So far, OCR has resolved 269,886 cases and has settled or imposed civil monetary penalties totaling $131,060,482.
Most of OCR’s investigations into HIPAA complaints find non-compliance by the covered entity or its business associate and require changes to their privacy practices.
OCR has also intervened early and provided technical assistance to HIPAA-covered entities, business associates, and individuals so that they can exercise their rights under the Privacy Rule without the need for an investigation.
OCR found no HIPAA violation in 13,359 of the filed complaints.
Most of the PHI-related complaints included:
- Unauthorized use and disclosure of PHI
- Lack of security measures to protect PHI
- Lack of patient’s access to their PHI
- Lack of administrative security to protect electronic PHI or ePHI
- Use or disclosure of more than the minimum necessary PHI
OCR’s crucial role in telemedicine HIPAA compliance is enforcement.
HIPAA’s journey to create uniform rules and regulations to protect health information hasn’t reached its full potential yet. The HIPAA that existed in 1996 is in a very different form today. The law and its implementing regulations have been amended several times and will continue to be amended to provide appropriate and beneficial regulations.
As medical technology and telemedicine in Georgia have become more prevalent, the need to proactively protect PHI has grown. New risks emerge, and HHS and OCR must stand fast to support providers’ efforts and enforce HIPAA standards across the industry. OCR’s enforcement of the Privacy and Security Rules has matured along with the industry’s knowledge and capacity to meet the standards.
Curogram helps covered entities to be HIPAA-compliant and avoid OCR penalties.
Over the years, healthcare organizations and providers have become more apprehensive about using and disclosing PHI because of HIPAA compliance and the consequences of failing to meet it. To overcome their trepidation, covered entities adopt HIPAA-compliant software such as Curogram so they won’t have to worry about breaking HIPAA rules and regulations. Beyond protecting PHI, Curogram adds additional layers of security to support full HIPAA compliance.
Curogram has the Compliancy Group Seal of Compliance, a recognition given to an organization or company for completing the federal HIPAA requirements. This achievement is a testament to how Curogram values being HIPAA-compliant and the protection of health information.