Understanding HIPAA
HIPAA is the Health Insurance Portability and Accountability Act of 1996. Among other things, it gives patients the right to have their medical records kept private and secure. Only workforce members of covered entities and their business associates who need to know patient details in order to do their jobs should be allowed to view the records. The resulting HIPAA rules have improved security and privacy, but they have also created many complicated regulations to which those in the healthcare field must adhere in order to remain HIPAA compliant.
HIPAA Privacy Rule
The HIPAA Privacy Rule institutes safeguards for the control of protected health information (PHI), regardless of its format (oral, written or electronic). The HIPAA Privacy Rule sets limits on the use and disclosure of patient information without the patient's authorization and spells out the rights patients have over their data. The HIPAA Privacy Rule includes, but is not limited to, the following patient rights:
- Gain access to and, if desired, obtain a copy of their own health records
- Request correction of errors the patient finds or, if the covered entity believes the information is correct, have the patient's statement of disagreement added to the record
- Receive an accounting of how their health information has been used, including a list of the persons and organizations to whom/which it has been disclosed
- Request limits on access to, and additional protections for, particularly sensitive information
- Request confidential communications, by alternative means or at alternative locations, of particularly sensitive information
- Complain to the organization's privacy officer if there are issues, and pursue the complaint with the US Department of Health and Human Services' Office for Civil Rights (OCR) if the issues are not satisfactorily resolved.
HIPAA Security Rule
The HIPAA Security Rule dictates the administrative, physical and technical safeguards necessary to secure electronic protected health information (ePHI), whether it is created, received, maintained or transmitted. Covered entities and business associates must conduct risk assessments and protect against reasonably anticipated threats and unauthorized access. The Security Rule covers:
Administrative Safeguards
Administrative safeguards are administrative actions, policies and procedures put in place to manage the selection, development, implementation, and maintenance of security measures. These protect electronic protected health information (ePHI) and manage the conduct of the organization’s workforce in relation to the protection of that information.
Physical Safeguards
Physical safeguards are physical measures, policies and procedures put in place to protect an organization's electronic information systems, and the buildings and equipment that house them, from natural and environmental hazards and from unauthorized intrusion. They cover facility access, workstation use and security, and the receipt, removal, reuse and disposal of devices and media containing ePHI.
Technical Safeguards
Technical safeguards are the technology and the policy and procedures put in place to protect ePHI and control access to it.
Organizational Requirements
Contains four standards (plus additional Implementation Specifications) at 45 CFR § 164.314 (business associate contracts and group health plan requirements) and § 164.316 (policies and procedures, and documentation) that must be implemented to achieve compliance.
Compliance is required for every Organizational Requirement that applies to the organization.
Breach Notification Rule
A breach is generally defined as an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information (PHI). The original 2009 rule required that the use or disclosure pose "a significant risk of financial, reputational, or other harm to the affected individual." Since the 2013 Omnibus Rule, an impermissible use or disclosure of unsecured PHI is presumed to be a breach unless the covered entity or business associate demonstrates, through a documented risk assessment, that there is a low probability that the PHI has been compromised.
Should a breach occur, covered entities must provide notification of the breach to affected individuals, the Secretary of Health and Human Services, and, in certain circumstances, to the media. Business associates must also notify covered entities that a breach has occurred. Notification requirements include:
- Individual Notice: Covered entities must notify affected individuals following the discovery of a breach of unsecured protected health information. Covered entities must provide this individual notice in written form by first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive such notices electronically. If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute individual notice by either posting the notice on the home page of its web site or by providing the notice in major print or broadcast media where the affected individuals likely reside. If the covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written, telephone, or other means.
- Media Notice: Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction. Covered entities will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area. Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach, and must include the same information required for the individual notice.
- Notice to the Secretary: In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the Secretary of breaches of unsecured protected health information. Covered entities notify the Secretary by visiting the HHS web site and filling out and electronically submitting a breach report form. If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following discovery of the breach. If, however, a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches were discovered.
- Notification by a Business Associate: If a breach of unsecured protected health information occurs at or by a business associate, the business associate must notify the covered entity following the discovery of the breach. A business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach. To the extent possible, the business associate should provide the covered entity with the identification of each individual affected by the breach as well as any information required by the covered entity in its notification to affected individuals.
The Omnibus Rule also made business associates directly liable for compliance with the HIPAA Security Rule, including conducting and documenting a risk assessment of their information technology systems and implementing the specific administrative, physical and technical safeguards the Security Rule requires. Ultimately, St. Luke's remains responsible for ensuring that its business associates handle PHI as agreed in the Business Associate Agreement and in compliance with HIPAA and HITECH.