When it comes to healthcare law, HIPAA is one of the most commonly recognized statutes. Short for the Health Insurance Portability and Accountability Act of 1996, HIPAA is a collection of federal standards to prevent “covered entities,” like healthcare providers and health plans, from disclosing a patient’s protected health information (PHI) without the individual’s consent or knowledge.
Regulated by the Department of Health and Human Services (HHS) and enforced by the Office for Civil Rights (OCR), HIPAA can be broken down into four primary rules:
HIPAA Privacy Rule
The HIPAA Privacy Rule sets the standards for patients' rights to understand and control how covered entities (namely care providers and health plans) use and disclose their PHI, patients' rights to access their own PHI, and the limits on when a covered entity may use or disclose an individual's PHI to others.
HIPAA Security Rule
The HIPAA Security Rule sets the administrative, physical, and technical safeguards required for the secure storage, maintenance, and transmission of electronic protected health information (ePHI), and applies to both covered entities and their business associates, such as electronic health record (EHR) partners.
HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule sets the standards covered entities and business associates must follow when unsecured PHI or ePHI is breached, including notifying the affected individuals and the HHS OCR of the breach.
HIPAA Omnibus Rule
The HIPAA Omnibus Rule amended the original 1996 regulation to apply HIPAA's requirements directly to business associates as well as covered entities, and to require that Business Associate Agreements (BAAs) be in place before any PHI or ePHI is shared with a business associate.
There are select instances in which HIPAA permits a covered entity to use or disclose PHI without the individual's explicit authorization. Such instances include when disclosure is required by law or for specified law enforcement purposes, when the patient is the victim of abuse or domestic violence, or when the patient has a workers' compensation claim.
However, any use or disclosure outside those permitted instances, or any incident that compromises the confidentiality or integrity of patient PHI or ePHI, can be considered a HIPAA violation, particularly if it results from an ineffective, incomplete, or outdated HIPAA compliance program. A violation is any failure to comply with the requirements of the HIPAA rules, which in practice usually also means a breach of the organization's own HIPAA policies.
How to report a HIPAA violation
If you believe that a HIPAA-covered entity (like a healthcare provider or health insurer) or its business associate (like its billing company or EHR partner) has violated a patient's right to privacy or committed another HIPAA violation, you can file a complaint with the HHS Office for Civil Rights.
Your complaint can be filed in writing by fax, mail, or email, or through the OCR Complaint Portal. You must name the covered entity or business associate the complaint is about, describe the act or omission you believe occurred, and explain why you believe it was a HIPAA violation. Bear in mind that you must submit your complaint within 180 days of when you knew the act or omission occurred.