Also known as the Kassebaum–Kennedy Act, the Kennedy-Kassebaum Act, the “Act To amend the Internal Revenue Code of 1996 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.” 1 and as “HIPPA”
HIPAA is the granddaddy of health data laws. HIPAA is probably the most widely known, and also misunderstood healthcare law of all. The idea that it was illegal to share patient information with the wrong person has leveraged fear, inaction, and information blocking at the expense of patient care for almost 25 years. Ironically, the first 15 of those years saw very little enforcement until robust changes to the law were made in 2009. Those who have slept through a decade or more of mandatory HIPAA training may be surprised that HIPAA is actually not a law stuck in time, -at least not anymore. It has been frequently updated and is as relevant now than ever.
Initially, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (Signed by Clinton) was primarily designed to protect health insurance coverage for people when they change jobs, including limited provisions for protecting electronic health data. Future HIPAA updates regulate privacy and security in more detail. HIPAA was updated in 2000, 2002, 2003, 2009, and 2013.
See for yourself
- US Department of Health and Human Services combined all of the various HIPAA regulations into one document called the “HIPAA Administrative Simplification. ” Which is 115 pages, BTW.
- A really great history, objective, and implication paper on HIPAA by Edemekong, Annamaraju, and Haydel hosted at the National Library of Medicine
Although HIPAA is organized into 5 sections called ‘Titles’, it is simpler to discuss the Health IT policies using the HHS-defined ‘Rules’.(see below) Most health IT rules are found in “Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform.”
The HIPAA Privacy Rule only applies to Covered Entities and Business Associates, which are defined there as well.
Covered Entities are defined in HIPAA as “(1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.” This is most often interpreted as any health plan, clearinghouse, or provider who charges for service. Covered entities can be institutions, organizations, or persons. 2
Business Associates are entities and persons who do not work for the Covered Entity, but has access to individually identifiable health information. For example, Business Associates could be claims processing companies, legal and accounting consultants, accreditation organizations, even IT companies that store clinical data for a Covered Entity. 3
Protected Health Information
Protected Health Information (HIPAA-PHI) is defined within the Privacy Rule and represents the information being protected and regulated by HIPAA. HIPAA-PHI is any information in a medical record that can be used to identify an individual, and that was created, used, or disclosed to a covered entity and/or their business associate(s) in the course of providing a health care service.
HIPAA-PHI within the Privacy Rule includes data that is written on paper, spoken, or electronic.
Common Misunderstandings about HIPAA-PHI, CEs, and BAs
The Five HIPAA Rules
HHS initiated 5 rules to enforce Administrative Simplification: (1) Privacy Rule, (2) Transactions and Code Sets Rule, (3) Security Rule, (4) Unique Identifiers Rule, and (5) Enforcement Rule.
- Individuals have the right to access all health-related information including PHI (except psychotherapy notes) from a Covered Entity
- Covered Entities may disclose PHI to law enforcement
- A covered entity may share PHI to facilitate treatment, payment, or health care operations without a patient’s written authorization
- Any disclosures of PHI that is not #1, #2, or #3 (above), require prior written authorization from patient. (including disclosure to relatives)
- A Covered Entity must share only the minimum necessary information
- Covered Entities must correct inaccuracies in PHI identified by the individual
- Covered Entities must notify individuals of PHI disclosure and use
- Covered Entities must protect PHI for 50 years after death
- The HIPAA Privacy Rule and its protections may be waived during a natural disaster
Transactions and Code Sets Rule
The following standards and vocabulary code sets MUST be used, and must replace all local nonstandard and proprietary codes
- Standard Vocabularies
- International Classification of Diseases, 10th Edition, Clinical Modification (ICD-10-CM)
- Current Procedural Terminology (CPT-2020)
- HCFA Common Procedure Coding System (HCPCS)
- Code on Dental Procedures and Nomenclature. (CDT-2).
- National Drug Codes (NDC).
- Content and Exchange Standards
- Electronic Data Interchange (EDI) standards define both content and exchange process using X-12 standards
- Required for claims submission, Eligibility, Referral, Claims status, Payment, etc.
- Applies only to Electronic PHI
- Administrative safeguards such as written policies, backups, audits, etc. are required.
- Ongoing HIPAA PHI training is required
- Access to PHI must be restricted to only those who need it
- Physical access to computers (and computer components) that have PHI must be enforced
- Monitor screens should not be easily viewable by unauthorized persons
- Data integrity and system trust frameworks are required
- PHI must be protected from intrusion and breach
Unique Identifiers Rule
- National Provider Identifier (NPI) must be used to identify covered healthcare providers
- Violations and HIPAA non-compliance can be investigated by the US Department of Health and Human Services Office for Civil Rights and State’s Office of Attorney General.
- A range of civil penalties, criminal penalties, and remedial action can be enforced, including:
- Unknowingly violates HIPAA: $100 fine per violation with annual maximum of $25,000
- Violation due to willful neglect, with violation corrected: $10,000 penalty per violation, an annual maximum of $250,000
- Willfully and knowingly disclose HIPAA-PHI: up to $50,000 and imprisonment up to 1 year.
- Intent to sell or use HIPAA-PHI for personal gain or to do malicious harm: penalty is up to $250,000 with imprisonment up to 10 years
- Unsecured HIPAA-PHI of more than 500 individuals is publicly listed on the DHHS OCR Breach Portal.
More on PHI, PII, and PIE
Personally Identifiable Information (PII) are data (such as name or phone number) that could be used to identify an individual. Although not defined in HIPAA, policies such as OMB Memorandum M-07-1616 define PII as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other … information”.
‘Protected Health Information’ or PHI is legally defined in HIPAA, but the term PHI is also commonly used to indicate any sensitive health information. To avoid confusion, I try to use the combined term HIPAA-PHI when possible.
Policies on Record Retention and Destruction
In the USA, there is no single, comprehensive federal law pertaining to how long you must keep medical information, and what conditions must be met to destroy it. Instead, bits and pieces of records retention laws are hidden all over the federal register, like a million-page word search game made by illiterate blindfolded naked mole rats. There are several dozen rules that may apply depending on the care setting, type of information, medical condition, and other factors. Health information management professionals to the rescue again, try to keep an organized reference. See the following Table for a few examples:
TABLE – Federal Retention Law Examples
|Type of Documentation||Retention Period||Citation/Reference|
|Abortions and related medical services documentation||Maintain for three years.||42 CFR 50.309|
|Clinics, rural health||Six years from date of last entry and longer if required by state statute.||42 CFR 491.10 (c)|
|Patient locator file (VAMCs)||Destroy 75 years after last episode of care and/or only after perpetual medical record is destroyed.||Records Control Schedule (RCS) 10-1, General and Administrative Service, Item # 71|
|End Stage Renal disease (ESRD) services||In accordance with 42 CFR 164.530(j)(2), all patient records must be retained for 6 years from the date of patient’s discharge, transfer, or death.||42 CFR 494.170 (c) 42 CFR 441.40|
|Hearing aid devices, dispensers||The dispenser shall retain for three years after dispensing of a hearing aid a copy of any written statement from a physician or any written statement waiving medical evaluation.||21 CFR 801.421 (d)|
|Home Health agencies||Five years after the month the cost report to which the records apply is filed with the intermediary, unless state law stipulates a longer period of time.||42 CFR 484.48 (a)|
Other Retention Considerations
- HIPAA Covered Entity – 6 years
- CMS Medicare Managed Care Providers – 10 years
- FDA regulated Medical Devices – the estimated life of the device.
Not to be outdone by piles of federal bureaucracy, states also demand their own Records Retention rules. For example, the Commonwealth of Virginia (my current home) requires physicians to keep adult patient data for 6 years after the last patient contact, and keep minor patient data for 6 years after the last patient contact or until the patient reaches age 18 (or becomes emancipated), whichever time period is longer. 18 Va. Admin. Code § 85-20-26(D) (2008). Why do states need to add unnecessary complexity? Because why not. ONC has helped us out by funding a report on State Medical Record Laws: Minimum Medical Record Retention Periods, although it is stuck in 2008. Local chapters of AHIMA can be invaluable here. Various State organizations (e.g. Idaho, California Hospital Association, Texas, Medical Society of Virginia, etc.) also keep consolidated references on retention laws.
All accreditation agencies care that your organization is following federal and local records retention laws. However, some accreditation agencies also impose additional guidelines. for example the Community Health Accreditation Program (CHAP) requires: “Records of adult patients must be retained for at least five years from the date of service and patient records for minors must be retained for seven years beyond the age of majority….The records of occupationally exposed patients must be kept for 30 years.”
It is not just clinical data that needs to kept by healthcare organizations, either. The following (and much more) all have specific retention periods:
- Record destruction records (oh yes they did)
- Housekeeping Cleaning Records
- Medical waste treatment and handling
- Material safety data sheets (from Environmental Services)
- Incident Reports
- Local Inspection Reports
- Provider Credentials
- Bank Statements
- Affirmative Action Program Records
- Employee Polygraph Records (employment+ 10 years in case you are wondering)
- Much much more.
In the 1980s-1990s, computer storage of all types was relatively expensive, fragile, and had limited capacity. Surging IT Hardware costs provided an economic incentive to archive, delete, and finally destroy the archives of outdated records as soon as possible. However the first decade of the 21st century brought ultra cheap data storage and fast networks to move data around when needed. Therefore, the record retention policy in practice at large organizations was “Incremental Forever“, -in other words, they only increased in data, never recognizing the need to decrease.
During the 2010s, two new forces would bury Incremental Forever data retention policies:
- HIPAA Security Rules and Privacy Rules were updated, massively increasing penalties and lowering the bar for data breech violations. Keeping data with no associated value was literally adding risk with no associated value.
- Healthcare data got big. It went from “keeping a storage engineer busy” big, to “5 petabytes per year and growing” big. In case you are wondering, imaging data and other machine-generated data like real time telemetry data is the main culprit. No matter how cheap storage is per unit, that adds up quick. In 2019, the Healthcare Industry spent $2.8 Billion dollars (USD) on data storage.
When you are ready to destroy data, there are rules for that as well described in the 2009 HITECH Act. Your options depend on what media the data is stored on. These record destruction methods are not explicitly required, but documenting that you follow them puts you in a “safe harbor” situation where they won’t blame you if something does go wrong and a breach occurs.
- Paper, film, or other hard copy media have been shredded or destroyed such
that the PHI cannot be read or otherwise cannot be reconstructed. Redaction is
specifically excluded as a means of data destruction.
- Electronic media have been cleared, purged, or destroyed consistent with NIST
Special Publication 800-88, “Guidelines for Media Sanitation,” such that the PHI
cannot be retrieved.
You must document the destruction of health records and keep this documentation permanently. The following information is retained:
- Date of destruction
- Method of destruction
- Description of the records
- Dates of records
- Attesting statement that the records were destroyed in the normal course of business (and not lost or inadvertently destroyed)
- Names of individuals supervising the destruction
Record Retention Planning
The number of pertinent laws grows with the complexity of the organization. An organization that has more service lines, care settings, does research, crosses state lines, etc. must satisfy more legal requirements than less complex organization. If fact, very complex organizations may need a small army of lawyers, compliance officers, and HIM professionals to 1) research the numerous laws applicable to their organization, 2) develop a record retention policy and 3) execute the policy. Both large and small healthcare organizations could outsource some of this burden is various ways. Specialty Information Management companies like Iron Mountain can provide services ranging from enterprise data management to small scale data removal. Larger organizations may be positioned to take advantage of partnerships with these large service providers. However, the popularity of cloud-hosted EHR systems presented another opportunity available even to small providers: The EHR Vendor and/or cloud hosting provider can often help you with you record retention policy.
A Data Retention Schedule is a more specific policy document based on your retention policy, detailing the WHO, WHAT, WHEN, WHERE related to data retention. A sample Data Retention Schedule is as follows.