By Bill Minahan | November 12, 2020
HIPAA Privacy Rule Summary
The HIPAA Privacy Rule is a set of requirements put in place by HHS that holds organizations controlling Protected Health Information (PHI) responsible for its protection. The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information.
The Privacy Rule requires that certain safeguards be in place, and it sets limits and conditions on the uses and disclosures of such information that may be made without patient authorization. The HIPAA Privacy Rule was also set forth to give patients certain rights over their health information, including the right to examine and obtain a copy of their health records and to request corrections.
The HIPAA Privacy Rule was created out of necessity due to the inadequate Federal and State Laws that allowed PHI to be distributed—without either notice or authorization—for reasons that had nothing to do with a patient’s medical treatment or health care reimbursement. For instance, unless otherwise forbidden by State or local law, before the HIPAA Privacy Rule, patient information held by a health care provider could be passed on to a lender who could then deny the patient’s application for a home mortgage or a credit card, or to an employer who could use it when making hiring decisions. Furthermore, they could do so without patient permission or notice.
As a result, the HIPAA Privacy Rule was created to protect the confidentiality of such information. Furthermore, with information increasingly being stored and transmitted electronically, the HIPAA Privacy Rule provides clear standards for the protection of PHI in today’s cyber landscape.
The HIPAA Privacy Rule was first proposed on November 3, 1999. Since the final rule was passed, it has been amended several times. For a list of the full history of the HIPAA Privacy Rule, please see below.
The HIPAA Privacy Rule applies to health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form for transactions. These organizations are commonly referred to as covered entities.
For help determining if you are covered, check out this decision tool.
Furthermore, the Rule was expanded in 2009 to include Business Associates. As a result, not only covered entities but also organizations that do business with covered entities are required to follow a set of guidelines.
For more information about HIPAA BAA compliance, you can find our checklist here.
The HIPAA Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
Specifically, the following information is protected under the Privacy Rule:
“Identifiable health information” refers to any and all data that could be used to identify a patient, such as names, addresses, dates of birth, and Social Security numbers (SSNs).
De-identified health information, which neither identifies nor provides a reasonable basis to identify an individual, has no restrictions on use or disclosure.
HIPAA Minimum Necessary is a central component of the HIPAA Privacy Rule that requires covered entities to follow a “minimum necessary” standard for the use and disclosure of PHI.
Specifically, the Minimum Necessary standard states that a covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.
As a result, a covered entity must develop and implement policies and procedures to reasonably limit the uses and disclosures to the minimum necessary.
Covered entities are required to comply with the following administrative requirements:
Privacy Personnel: A covered entity must designate a privacy official responsible for developing and implementing its privacy policies and procedures, and a contact person for receiving complaints and providing individuals with information on the covered entity’s privacy practices.
Workforce Training and Management: Workforce members include employees, volunteers, trainees, and all others whose conduct is under the direct control of the entity. A covered entity must train all workforce members on its privacy policies and procedures. Furthermore, a covered entity must have and apply appropriate sanctions against employees who violate its privacy policies and procedures.
Mitigation: A covered entity must mitigate, to the extent practicable, any harmful effect caused by a use or disclosure of protected health information by its workforce or business associates that violates its privacy policies or the Privacy Rule.
Data Safeguards: A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information. For instance, some examples of data safeguards could include shredding documents containing PHI before discarding them, securing medical records with a lock and key or passcode, and limiting access to keys or passcodes.
Complaints: A covered entity must have procedures for individuals to file complaints about its compliance with its privacy policies and procedures.
Retaliation and Waiver: A covered entity may not retaliate against a person for exercising rights provided by the Privacy Rule, for assisting in an investigation by HHS or other authority, or for opposing an act or practice that the person believes in good faith violates the Privacy Rule. A covered entity may not require an individual to waive any right under the Privacy Rule as a condition for obtaining treatment, payment, or benefits.
Documentation and Record Retention: A covered entity must maintain, until six years after the later of the date of their creation or last effective date, its privacy policies and procedures, its privacy practices notices, disposition of complaints, and other actions, activities, and designations that the Privacy Rule requires documented.
Ensuring compliance with the above administrative requirements is time-consuming. aNetwork’s HIPAA Compliance package covers all the requirements set forth by HIPAA. Contact us today to get started.
The Department of Health and Human Services, Office for Civil Rights (OCR) enforces HIPAA requirements and conducts complaint investigations and compliance reviews.
OCR will seek the cooperation of covered entities and provide technical assistance to help them comply voluntarily with the Privacy Rule.
Covered entities that fail to comply voluntarily with Privacy Rule standards can be subject to civil money penalties and criminal prosecution.
Civil Money Penalties: OCR can impose penalties on covered entities who fail to comply with any of the requirements set forth in the Privacy Rule. Penalties vary significantly depending on factors such as the date of the violation, whether the covered entity knew or should have known of the failure to comply, or whether the covered entity’s failure to comply was because of willful neglect.
For violations occurring on or after 2/18/2009 the following penalties can be given:
Penalty amount: $100 to $50,000 or more per violation
Calendar Year Cap: $1,500,000
Before OCR imposes a penalty, it will notify the covered entity and provide them with the opportunity to present written evidence of circumstances that would reduce or bar the penalty.
As a result, it is critical covered entities not only meet compliance standards but document their compliance.
Criminal Penalties: A person who knowingly obtains or discloses individually identifiable health information in violation of the Privacy Rule may face a criminal penalty of up to $50,000 and up to one year of imprisonment.
The criminal penalties increase to $100,000 and up to five years’ imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to ten years’ imprisonment if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain, or malicious harm.
Complying with the HIPAA Privacy Rule can be a tough but necessary burden, but you don’t have to do it alone.
aNetwork offers an all-inclusive HIPAA Compliance package that does the work for you. We ensure you have all the bases covered and are audit-ready.
If you want to hear about our compliance package, then contact us.
Likewise, if you would like to do the hands-on work yourself but could benefit from consulting services to help you get the ball rolling, we offer customizable packages depending on the level of assistance you require.
Our consultations are FREE. Call us today at 855-459-6600.
The HIPAA Security Rule requires health care companies to take certain preventive measures to protect PHI. It requires businesses to develop and maintain security policies that protect the PHI they create, receive, maintain, or transmit. In short, each company must assess the risks to electronic PHI (ePHI) in its environment and formulate a plan around them.
Specifically, companies that adhere to HIPAA must:
1. Ensure the confidentiality, integrity, and availability of all ePHI.
2. Identify and protect against threats that jeopardize the security or integrity of ePHI.
3. Protect against anticipated, impermissible uses or disclosures of ePHI.
4. Ensure the workforce is HIPAA compliant.
When companies are considering how to develop and implement security measures that comply with the HIPAA Privacy and Security Rules, they should consider the nature of their company. Likewise, the security measures should be proportionate to the potential risk. If your company doesn’t have the resources to assess your risks and develop security policies, then it should partner with a security provider for an assessment.
Finally, there are specific security measures you can take to avoid PHI data breaches.
Health care data breaches happen with shocking regularity. The sensitive information health care organizations store is valuable to cyber criminals. As a result, health care organizations need to take precautions. A single data breach can cost you your practice.
However, there are affordable ways to mitigate the risks of HIPAA data breaches.
Specifically, HHS recommends the following ten practices to comply with HIPAA Privacy and Security Rules:
1. Email protection systems
2. Endpoint protection systems
3. Access management
4. Data protection and loss prevention
5. Asset management
6. Network management
7. Vulnerability management
8. Incident response
9. Medical device security
10. Cyber security policies