The HIPAA Privacy Rule provides national standards that protect individuals’ personal health information. Specifically, the HIPAA Privacy Rule:
Under the HIPAA Privacy Rule, what are referred to as “covered entities” must comply with the privacy standards. These entities include:
Health care providers are required to do the following to meet compliance:
Under the Privacy Rule, covered entities are permitted to charge reasonable, cost-based fees for copying patients’ medical records. The fees may cover only the cost of copying the records and postage (if the patient requests that the records be mailed). Labor costs associated with searching for, compiling, and copying the files may not be charged.
Under the HIPAA Privacy Rule, an individual’s personal representative is treated as the individual, for both adults and emancipated minors. A personal representative may access the individual’s medical records and is authorized to make health care decisions on behalf of the individual. However, there is an exception to this provision: Covered Entities are permitted to use professional judgment and decline to treat a personal representative as the individual if the entity believes that doing so would not be in the best interest of the individual. A good example is an individual who is subject to domestic violence, abuse, or neglect. If the personal representative may be involved in that abuse or neglect, the covered entity can choose not to grant the personal representative access or share information with them.
Under the HIPAA Privacy Rule, individuals have the right to revoke their authorization at any time. The individual must submit a written revocation to the covered entity in order to do so. The written revocation is effective as soon as the covered entity receives it.
Covered entities are not required to obtain an individual’s authorization for any of the following disclosures:
Covered Entities are permitted, but not required, to voluntarily obtain patient consent for uses and disclosures of protected health information for the purposes of treatment, payment, and health care operations. “Authorization” is required for uses and disclosures of protected health information that are not otherwise permitted by the Privacy Rule. Finally, when the Privacy Rule requires patient authorization, a voluntary patient consent is not sufficient to satisfy the requirement for a valid authorization.
Covered Entities are not required to eliminate all risk of incidental uses or disclosures. However, the Privacy Rule does require covered entities to implement reasonable safeguards to reduce the likelihood of incidental uses or disclosures.
A Covered Entity can hire a Business Associate to dispose of PHI, so long as the Business Associate enters into a contract with the Covered Entity. The contract should require that the Business Associate dispose of the PHI in accordance with Federal and state laws.
Covered Entities are required to apply the appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. This applies to all forms of PHI. Under the HIPAA Privacy and Security Rules, Covered Entities are not permitted to abandon PHI or dispose of any such information in a way that will render it accessible to the public or to unauthorized individuals. Covered Entities are required to train their workforce on the proper disposal of PHI. Note that under federal standards, the “workforce” includes volunteers. Covered Entities are expected to determine for themselves what steps are reasonable in the disposal of PHI in order to comply with the HIPAA Privacy and Security Rules.
HIPAA established Federal standards for the security of electronic protected health information (e-PHI). The Security Rule was created to ensure that every Covered Entity has safeguards in place to protect the confidentiality, integrity, and availability of e-PHI. Created as a response to the increase in the exchange of e-PHI between Covered Entities, as well as non-Covered Entities, the Security Rule aims to protect an individual’s health information without hindering access and use of that information by health care providers, clearinghouses, and health plans. The standards established by the Security Rule are considered to be the bare minimum of protection required. State laws often provide more stringent standards, which should be applied over and above the new Federal security standards.
The Security Rule uses two types of implementation specifications to address how the administrative, physical, and technical safeguards should be met. When a specification is described as “required,” that specification is mandatory. When the rule states that the specification is “addressable,” a Covered Entity has some flexibility with respect to how it chooses to comply with the standard. A Covered Entity may choose one of the following options in order to meet an addressable implementation specification:
The Security Rule applies only to e-PHI – which includes telephone voice response and fax-back systems, as these systems can be used as input and output devices for electronic information systems. E-PHI does not include paper-to-paper faxes, video teleconferencing, or messages left on voice mail, as the information being exchanged did not exist in electronic form before transmission. However, the requirements of the Privacy Rule apply to all forms of protected health information, including written and oral.
HIPAA Security compliance varies from organization to organization, and is an ongoing and ever-changing process. Due to the high degree of flexibility needed to accommodate each individual organization, the Security Rule does not outline any single strategy that is designed to fit all Covered Entities. However, Section §164.306 of the Security Rule contains guidance that organizations can use to determine how best to comply with the standards and implementation specifications. In general, organizations can fulfill the requirements of the Security Rule by:
No. The Security Rule standards are “technology neutral.” This allows Covered Entities to use technologies that meet their individual organizational needs. As the various technologies and software used by the health care community continue to be rapidly developed, improved, and changed, the Security Rule aims to avoid tying Covered Entities to a specific system that might quickly become ineffective or obsolete.
No. There is no standard or implementation specification in the Security Rule that requires a covered entity to “certify” compliance. The Security Rule evaluation standard does, however, require covered entities to perform a periodic technical and non-technical evaluation to test whether their security policies and procedures meet the security requirements. These evaluations can be performed internally or externally. Organizations may decide to use an external organization, such as a consulting company, to perform the evaluation, as these companies may have more security knowledge and are able to provide an outside, unbiased view of operations.
The HIPAA Privacy and Security Rules are enforced by the Office for Civil Rights (OCR).
Risk management is the process of implementing required security measures in order to reduce an organization’s risk of losing or compromising its e-PHI. The Security Rule, however, defines risk analysis as the assessment of the risks and vulnerabilities that could negatively impact the confidentiality, integrity, and availability of e-PHI, as well as the overall likelihood of a security incident occurring. When conducting a risk analysis, organizations may want to:
When looking at each system, Covered Entities should consider all relevant losses that would be expected if the security measures were not in place. Losses to consider include:
By identifying potential sources of threats, the probability of each threat occurring, and the impact each would have on the confidentiality, integrity, and/or availability of e-PHI, Covered Entities can determine where to focus their risk analysis. The National Institute of Standards and Technology (NIST) categorizes threats into three common categories:
The HIPAA Security Rule defines a security incident as “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” Each Covered Entity is required to develop and implement policies and procedures that outline how to deal with potential security incidents, including:
Physical safeguards are defined as the physical measures, policies, and procedures that an organization uses to protect its electronic information systems, buildings, and equipment from natural and environmental hazards and from unauthorized access or intrusion. These standards must be implemented for systems housed on the Covered Entity’s premises, as well as those housed at another location. The Security Rule physical standards are broken down into the following categories:
OCR defines encryption as a method of converting an original message of regular text into encoded text by means of an algorithm. The Security Rule categorizes encryption as “addressable.” However, where an organization determines in its risk management process that encryption is a reasonable and appropriate safeguard, encryption should be used. When a Covered Entity decides that the use of encryption is not reasonable and appropriate, that decision and its reasoning must be documented, and an equivalent alternative measure must be put in place, provided that the alternative is itself reasonable and appropriate.
Yes. Covered Entities are required to have appropriate safeguards in place to protect the organization’s data, regardless of where the employee is working (in office, at home, remotely).
Covered Entities may send e-PHI over an open network as long as it is adequately protected. The Security Rule standards clearly state that Covered Entities must develop appropriate policies and procedures that restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI. As such, before sending emails with e-PHI, a Covered Entity should:
No. The Security Rule requires that all covered entities, regardless of size or type, assign a unique name and/or number to each employee who uses a system that maintains e-PHI, for the purpose of identifying and tracking that user’s identity. This allows a Covered Entity to identify and track system access and activity by each individual user.
Yes, provided that certain steps have been taken to remove the e-PHI that was stored on the computer or electronic device. The HIPAA Security Rule contains specific requirements that address the disposition of e-PHI.
The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act (ARRA), was signed into law on February 17, 2009. The HITECH Act was intended to promote the adoption and meaningful use of health information technology. The HITECH Act is responsible for the following:
The HITECH Act breach notification requirements make it mandatory for Covered Entities and their Business Associates to provide notification following a breach of unsecured protected health information (PHI). When a breach occurs, Covered Entities must promptly notify affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals. There are specific timeframes for notification, as well as content and methodology required for each notification.
According to the HITECH Act, a breach is defined as an “impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.” In addition, there are three types of scenarios that are an exception to the breach definition:
Before the HITECH Act, Covered Entities used Business Associate Agreements (BAA) to impose requirements on their Business Associates. Now, the HITECH Act requires all Business Associates to comply with the HIPAA Security Rule administrative, physical, and technical safeguards regardless of whether a BAA is in place.
They were released in summer 2012.