The HIPAA law was created to ensure that patients' sensitive information is protected. Protected health information (PHI) must be secured through administrative, physical, and technical safeguards. Before continuing with this post, it is worth reading our previous post about HIPAA. The Health Insurance Portability and Accountability Act (HIPAA) was passed by the US Congress in 1996 during the Clinton administration. Despite its name, HIPAA is in practice largely about the privacy and security of medical information.
Three Main Rules of HIPAA
- Privacy rule
- Security Rule
- Breach Notification Rule
HIPAA Privacy Rule
The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other personal health information. The Rule applies to covered entities (CEs) and details how PHI may be used and disclosed. Covered entities must adhere to the "minimum necessary" standard, which requires that workforce members use, request, and disclose only the minimum PHI needed to perform their job functions.
As required by Congress in HIPAA, the Privacy Rule covers:
- Health plans
- Health care clearinghouses
- Health care providers who conduct certain financial and administrative transactions electronically.
This rule established patient rights in regard to their PHI. Organizations subject to HIPAA are required to respond to patient access requests within 30 days. These rights include:
- Notice of Privacy Practices (NPP): An NPP describes patient rights in terms of their PHI and it must be written in a clear manner that patients can easily understand.
- Request Access to Medical Records: patients have the right to request and obtain a copy of their medical records. A covered entity may require that the request be made in writing.
- Request an Amendment to Medical Records: Patients have the right to request an amendment of PHI when they believe there has been an error on their record.
- Request Special Privacy Protection for PHI: patients have the right to restrict the disclosure of PHI. However, CEs are not required to agree to the request.
- Parents' Access to a Minor's Medical Records: in most cases a parent or legal guardian is the minor's personal representative and can access the minor's medical records. Exceptions include: (1) the minor consents to care where parental consent is not required by law; (2) a court, rather than the parent, authorizes the minor's care; (3) the parent agrees that the minor and the covered entity may have a confidential relationship.
The HIPAA Privacy Rule does the following:
- It gives patients more control over their health information.
- It sets boundaries on the use and release of health records.
- It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.
- It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights.
- It strikes a balance where public responsibility supports disclosure of some forms of data, for example to protect public health.
- It enables patients to find out how their information may be used, and about certain disclosures of their information that have been made.
- It generally limits release of information to the minimum reasonably needed for the purpose of the disclosure.
- It generally gives patients the right to examine and obtain a copy of their own health records and request corrections.
- It empowers individuals to control certain uses and disclosures of their health information.
The law does not give the Department of Health and Human Services (HHS) the authority to regulate other types of private businesses or public agencies through this regulation. For example, HHS does not have the authority to regulate employers, life insurance companies, or public agencies that deliver social security or welfare benefits. See our business associate section and the frequently asked questions about business associates for a more detailed discussion of the covered entities’ responsibilities when they engage others to perform essential functions or services for them.
A Few Brief Points about the Privacy Rule
- Privacy Rule also protects genetic information because genetic information is also health information.
- The Rule does not require covered entities to document all information they use or disclose; in particular, it does not require documentation of oral information that is used or disclosed for treatment, payment, or health care operations.
- Covered entities that are Federal agencies or Federal contractors that maintain records that are covered by the Privacy Act not only must obey the Privacy Rule’s requirements, but also must comply with the Privacy Act.
- The Privacy Rule does not create a government database.
- Under HIPAA, HHS has the authority to modify the privacy standards as the Secretary may deem appropriate. However, a standard can be modified only once in a 12-month period.
HIPAA Security Rule
The HIPAA Security Rule sets national standards for protecting the confidentiality, integrity, and availability of electronic PHI (e-PHI) that a covered entity creates, receives, maintains, or transmits. Unlike the Privacy Rule, it applies directly to both CEs and business associates (BAs). The Rule defines three categories of safeguards:
- Administrative: a risk analysis and risk management process, plus policies and procedures tailored to each organization. Employees must be trained on those policies and procedures to ensure that they handle PHI properly.
- Physical: areas in which e-PHI is stored or processed must be protected by physical access controls so that unauthorized individuals cannot reach the systems and media. An alarm system is also recommended to secure an organization's physical site.
- Technical: organizations must have adequate technical safeguards to prevent a breach and to limit its consequences. Technical safeguards may include access controls, audit logging, encryption, firewalls, and data backup.
A Few Brief Points about Personal Representatives
- The HIPAA Privacy Rule treats an adult's or emancipated minor's personal representative as the individual for purposes of the Rule with respect to the health care matters that relate to the representation, including the right of access. The scope of access depends on the authority granted to the personal representative by other law.
- Except with respect to decedents, a covered entity must treat a personal representative as the individual only when that person has authority under other law to act on the individual’s behalf on matters related to health care.
- With respect to personal representatives of deceased individuals, a power of attorney would have to remain valid after the individual's death for its holder to qualify as the personal representative of the decedent.
- If an individual is deemed incompetent under State or other law to act on his or her own behalf, a covered entity may still decline a personal representative's request for protected health information if the individual objects to the disclosure (or for any other reason), provided the disclosure is merely permitted, not required, under the Rule.
- If a child receives emergency medical care without a parent's consent, the parents can still obtain all information about the child's treatment and condition. This does not apply where the parent lacks the authority to act for the child.
A Few Brief Points about the Security Rule
- The Security Rule applies only to e-PHI. It does not apply to PHI in written or oral form; those are protected by the Privacy Rule.
- The Security Rule does not make encryption mandatory. Encryption is an "addressable" specification: a covered entity must implement it if reasonable and appropriate, or document why it is not and implement an equivalent alternative. Note that unencrypted e-PHI counts as "unsecured PHI" under the Breach Notification Rule, so a lost unencrypted device is generally a reportable breach, while a lost properly encrypted one generally is not.
- The Security Rule requirements for access control, such as automatic logoff, apply to employees who telecommute or have home-based offices if the employees have access to electronic PHI (e-PHI).
- The Security Rule does not expressly prohibit the use of email for sending e-PHI, but the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI in transit, select a solution, and document the decision. The Security Rule allows e-PHI to be sent over an open network as long as it is adequately protected.
- The Security Rule does not require the use of electronic or digital signatures. However, electronic or digital signatures could be used as a security measure if the covered entity determines their use is reasonable and appropriate.
- The Security Rule does not specify minimum requirements for personal computer operating systems, but it does impose requirements on any information system that contains e-PHI. Known security vulnerabilities of an operating system must be considered in the covered entity's risk analysis, for example whether the operating system has known vulnerabilities for which no security patch is available because the manufacturer no longer supports it.
- Nothing in the Security Rule prohibits networking computers, whether within the same company or between two unrelated companies that conduct business together. However, the covered entity must document that it has established all of the safeguards (technical, physical, and administrative) needed to reasonably protect the information exchanged over the network. That includes an assessment of everything from the firewall to the designation and training of the individuals who have access to the data.
- The Security Rule requires unique user identification, so a covered entity may not assign the same log-on ID or user ID to multiple employees; every action on e-PHI must be attributable to one person.
- The standards under the physical safeguards are facility access controls, workstation use, workstation security, and device and media controls.
HIPAA Breach Notification Rule
Organizations that experience a breach of unsecured PHI must report the incident to the Department of Health and Human Services (HHS) and to the affected individuals. The HIPAA Breach Notification Rule requires covered entities to notify patients whose PHI was involved, to notify HHS through its Office for Civil Rights (OCR), and, where more than 500 residents of a state or jurisdiction are affected, to notify prominent media outlets serving that area. Business associates must notify the covered entity so that it can make these notifications.
Breaches are reported in two tiers, depending on how many individuals are affected:
- Larger breaches (500 or more individuals): affected individuals, HHS, and the media must be notified without unreasonable delay and no later than 60 days after discovery of the breach. The notice to patients must describe what happened, what information was involved, and what they can do to protect themselves from potential harm.
- Smaller breaches (fewer than 500 individuals): affected individuals must still be notified within 60 days of discovery, but the report to HHS may be batched and submitted through the OCR web portal within 60 days of the end of the calendar year in which the breach was discovered. The organization must keep a log of these breaches.
If an individual directs a covered entity to send PHI to a designated third party and the PHI is breached in transit, and that PHI was "unsecured PHI" (for example, not encrypted according to HHS guidance), the covered entity is generally obligated to notify the individual and HHS of the breach.
In writing this post we made extensive use of the content on https://www.hhs.gov. In some places we have copied content from that website, and in others we have summarized it.
And other sources: