HIPAA Privacy and Security Rules

By Kimberly Connella   |   November 12, 2020   |   0 Comments

HIPAA Privacy and Security Rules

 

 

 

 

HIPAA Privacy Rule

What is the HIPAA Privacy Rule?

HIPAA Privacy Rule Summary

The HIPAA Privacy Rule is a set of HHS guidelines that hold organizations that control Personal Health Information (PHI) responsible for its protection. Also, the HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information.

Furthermore, the Privacy Rule requires that certain precautions be met in order to put limits and conditions on the uses and disclosures of such information that may be made without patient agreement. The HIPAA Privacy Rule was created to provide people with certain rights to their health information, such as the ability to examine and acquire a copy of their health data, as well as the right to request corrections.

Why was the HIPAA Privacy Rule created?

The HIPAA Privacy Rule arose from the necessity of insufficient Federal and State Laws that permitted PHI to be shared without knowledge or authorization for reasons unrelated to a patient’s medical treatment or health care reimbursement. Before the HIPAA Privacy Rule, for example, patient information held by a health care provider could be passed on to a lender, who could then deny the patient’s application for a home mortgage or a credit card, or to an employer, who could use it when making hiring decisions, unless otherwise barred by state or local law. Furthermore, they could do so without patient permission or notice.

As a result, the confidentiality of such information is protected by the HIPAA Privacy Rule. Furthermore, with information increasingly being stored and transmitted electronically, the HIPAA Privacy Rule provides clear standards for the protection of PHI in today’s cyber landscape.

HIPAA Privacy Rule History

The HIPAA Privacy Rule was first proposed on November 3, 1999. Since the final rule was put in place, it has been revised a few times.

For a list of the full history of the HIPAA Privacy Rule, please see below:

• December 14, 2018 – Modifying the HIPAA Rules to Improve Coordinated Care – Request for Information (https://www.govinfo.gov/content/pkg/FR-2018-12-14/pdf/2018-27162.pdf – PDF)

• January 6, 2016 – HIPAA Privacy Rule and the National Instant Criminal Background Check
  k System (NICS) – Final Rule – PDF

• February 6, 2014 – Patients’ Access to Test Reports Under the HIPAA Privacy Rule and the Clinical Laboratory Improvement Amendments of 1988 (CLIA) Program – Final Rule – PDF

• January 7, 2014 – HIPAA Privacy Rule and NICS – Proposed Rule – PDF

• April 23, 2013 – HIPAA Privacy Rule and NICS – Advance Notice of Proposed Rulemaking – PDF

• January 25, 2013 – Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Genetic Information Nondiscrimination Act, and Other Modifications – Final Rule – PDF (The “Omnibus HIPAA Final Rule”)

• September 14, 2011 – Patients’ Access to Test Reports Under the HIPAA Privacy Rule and CLIA Program – Proposed Rule – PDF

• May 31, 2011 – HIPAA Privacy Rule Accounting of Disclosures Under the HITECH Act – Proposed Rule (https://www.govinfo.gov/content/pkg/FR-2011-05-31/pdf/2011-13297.pdf – PDF)

• July 14, 2010 – Modifications to the HIPAA Privacy, Security, and Enforcement Rules under the HITECH Act – Proposed Rule – PDF

• May 3, 2010 – HIPAA Privacy Rule Accounting of Disclosures Under the HITECH Act – Request for Information (https://www.govinfo.gov/content/pkg/FR-2010-05-03/pdf/2010-10054.pdf – PDF)

• October 7, 2009 – HIPAA Privacy Rule; Modifications Under the Genetic Information Nondiscrimination Act – Proposed Rule – PDF

• August 14, 2002 – Modifications to the HIPAA Privacy Rule – Final Rule  (PDF – PDF)

• March 27, 2002 – Modifications to the HIPAA Privacy Rule – Proposed Rule  (PDF – PDF)

• February 28, 2001 – Request for Comments on December 28, 2000, Final HIPAA Privacy Rule  (PDF – PDF)

• February 26, 2001 – Correction of Effective and Compliance Dates of the Final HIPAA Privacy Rule  (PDF – PDF)

• December 29, 2000 – Technical Corrections to the Final HIPAA Privacy Rule  (PDF – PDF)

• December 28, 2000 – HIPAA Privacy Rule – Final Rule  (PDF – PDF)

• November 3, 1999 – HIPAA Privacy Rule – Proposed Rule  (PDF – PDF)

Who is covered by the HIPAA Privacy Rule

The HIPAA Privacy Rule applies to health plans, healthcare clearinghouses, and to any healthcare provider who transmits health information in electronic form for transactions. Commonly referred to as covered entities.

For help determining if you are covered, check out this decision tool.

Furthermore, The Rule expanded in 2009 to include Business Associates. As a result, not only covered entities but also organizations that conduct business with covered entities must adhere to a set of guidelines.

For more information about HIPAA BAA compliance, you can find our checklist here.

What information is protected?

The HIPAA Privacy Rule safeguards sensitive health information.. Which includes all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral.

The Privacy Rule specifically protects the following information:

• Health care provisions for the patient
• The patient’s past, present, or future physical or mental health and conditions
• The patient’s past, present, or future payment towards health care.

“Identifiable health information” is any data that may include the name, address or address, birthday, and/or social security number of a patient.

De-identified health information, which neither identifies nor provides a reasonable basis to identify an individual, has no restrictions on use or disclosure.

HIPAA Minimum Necessary Rule

HIPAA Minimum Necessary is a central component of the HIPAA Privacy Rule that requires covered entities to follow a “minimum necessary” standard for the use and disclosure of PHI.

Specifically, the Minimum Necessary standard states that a covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.

As a result, a covered entity must develop and implement policies and procedures to reasonably limit the uses and disclosures to the minimum necessary.

HIPAA Privacy Rule Administrative Requirements

Covered entities must meet the following administrative criteria:

Privacy Policies and Procedures:

A covered entity must develop and implement a written privacy policy that is consistent with the Privacy Rule.

Privacy Personnel:

A covered entity must designate a privacy official responsible for developing and implementing its privacy policies and procedures, and a contact person for receiving complaints and providing individuals with information on the covered entity’s privacy practices.

Workforce Training and Management:

Workforce members include employees, volunteers, trainees, and all others whose conduct is under the direct control of the entity. Additionally, a covered entity must train all workforce members on its privacy policies and procedures. Furthermore, a covered entity must have and apply appropriate sanctions against employees who violate its privacy policies and procedures.

Mitigation:

A covered entity must mitigate any harmful effect caused by the use or disclosure of protected health information by its workforce or business associates.

Data Safeguards:

A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information. For instance, some examples of data safeguards could include shredding documents containing PHI before discarding them, securing medical records with a lock and key or passcode, and limiting access to keys or passcodes.

Complaints:

A covered entity must have procedures for individuals to file complaints about its compliance with its privacy policies and procedures.

Retaliation and Waiver:

A covered entity may not retaliate against a person for exercising rights provided by the Privacy Rule, for assisting in an investigation by HHS or other authority, or for opposing an act or practice that the person believes in good faith violates the Privacy Rule. Also, a covered entity may not require an individual to waive any right under the Privacy Rule as a condition for obtaining treatment, payment, or benefits.

Documentation and Record Retention:

A covered entity must maintain, until six years after the later of the date of its creation or last effective date, its privacy policies and procedures, its privacy practices notices, disposition of complaints, and other actions, activities, and designations that the Privacy Rule requires documented.

Additionally, ensuring compliance with the above administrative requirements is time-consuming. aNetwork’s HIPAA Compliance package covers all the requirements set forth by HIPAA. Contact us today to get started.

Who enforces the HIPAA Privacy Rule?

The Department of Health and Human Services, Office for Civil Rights (OCR) enforces HIPAA requirements and conducts complaint investigations and compliance reviews.

Also, OCR will seek the cooperation of covered entities and provide technical assistance to help them comply voluntarily with the Privacy Rule.

Enforcement and Penalties for Noncompliance

Covered entities that fail to comply voluntarily with Privacy Rule standards can be subject to civil money penalties and criminal prosecution.

Civil Money Penalties:

OCR can impose penalties on covered entities that fail to comply with any of the requirements outlined in the Privacy Rule.

Additionally, penalties vary significantly depending on factors such as:

• the date of the violation.
• whether the covered entity knew or should have known of the failure to comply.
• whether the covered entity’s failure to comply was because of willful neglect.

Infractions may lead to penalties for incidents that took place on or after February 18, 2009:

Penalty amount: $100 to $50,000 or more per violation

Calendar Year Cap: $1,500,000

Before OCR imposes a penalty, it will notify the covered entity and provide them with the opportunity to present written evidence of circumstances that would reduce or bar the penalty.

As a result, covered organizations must not only meet compliance standards but also demonstrate compliance.

Criminal Penalties:

A person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one-year imprisonment.

Moreover, the criminal penalties increase to $100,00 and up to five years imprisonment if the wrongful conduct involves pretenses, and to $250,000 and up to ten years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain or malicious harm.

How to comply with the HIPAA Privacy Rule

Complying with HIPAA Privacy Rule can be a tough but necessary burden, but you don’t have to do it alone.

aNetwork’s offers an all-inclusive HIPAA Compliance package that does the work for you. Furthermore, we ensure you have all the bases covered and are audit-ready.

If you want to hear about our compliance package, then contact us.

Likewise, if you would like to do the hands-on work yourself but could benefit from consulting services to help you get the ball rolling, we offer customizable packages depending on the level of assistance you require.

Our consultations are FREE. Call us today at 855-459-6600.

HIPAA Security Rule

The HIPAA Security Rule requires health care companies to take certain preventive measures to protect PHI. It requires businesses to develop and maintain security policies. Additionally, these policies protect the PHI they create, receive, maintain, or transmit. Simply put, each company must assess its risks to online PHI in its environment and formulate a plan around it.

Specifically, companies that adhere to HIPAA must:

• First off, ensure all ePHI is confidential, available, and unaltered.
• Secondly, identify and protect against threats that jeopardize the security or integrity of ePHI.
• Thirdly, protect against anticipated, impermissible, uses, or disclosures of ePHI.
• Fourth off, ensure the workforce is HIPAA compliant.

When companies are considering how to develop and implement safety measures that comply with HIPAA Privacy and Security Rules, they should consider the nature of their company. Likewise, the security measures should match with the potential risk. If your company doesn’t have the resources to assess your risks and develop security policies, then it should partner with a security provider for an assessment.

Finally, there are specific security measures you can take to avoid PHI data breaches.

How to Prevent a HIPAA Breach

Health care data breaches happen with shocking regularity. Also, the sensitive information health care organizations store is valuable to cybercriminals. As a result, health care organizations need to take precautions. Moreover, a single data breach can cost you your practice.

However, there are affordable ways to mitigate the risks of HIPAA data breaches.

Specifically, HHS recommends the following ten practices to comply with HIPAA Privacy and Security Rules:

• Firstly, email protection systems.
• Secondly, endpoint protection systems.
• Thirdly, access management.
• Fourthly, data protection, and loss prevention.
• Fifthly, asset management.
• Sixthly, network management.
• Seventhly, vulnerability management.
• Eighthly, incident response.
• Ninthly, medical device security.
• Tenth, cyber security policies.

---

---