By Bill Minahan | November 12, 2020 | 2 Comments
The HIPAA Privacy Rule is a federal regulation issued by the U.S. Department of Health and Human Services (HHS) that holds organizations handling Protected Health Information (PHI) responsible for safeguarding it. It establishes national standards to protect individuals’ medical records and other individually identifiable health information.
The Privacy Rule sets limits and conditions on the uses and disclosures of that information that may be made without the patient’s authorization. It also gives individuals rights over their health information, including the right to examine and obtain a copy of their health records and the right to request corrections.
The Privacy Rule arose because existing Federal and State laws were insufficient: they permitted PHI to be shared without the patient’s knowledge or authorization for reasons unrelated to treatment or payment. Before the Privacy Rule, for example, patient information held by a health care provider could be passed to a lender, who could use it to deny the patient’s application for a home mortgage or a credit card, or to an employer, who could use it when making hiring decisions, unless otherwise barred by state or local law. They could do so without the patient’s permission or even notice.
As a result, the confidentiality of such information is protected by the HIPAA Privacy Rule. Furthermore, with information increasingly being stored and transmitted electronically, the HIPAA Privacy Rule provides clear standards for the protection of PHI in today’s cyber landscape.
The HIPAA Privacy Rule was first proposed on November 3, 1999. The final rule was published in December 2000 and has been revised several times since, most significantly by the 2013 Omnibus Final Rule that implemented the HITECH Act.
The HIPAA Privacy Rule applies to health plans, health care clearinghouses, and any health care provider that transmits health information in electronic form in connection with a standard transaction. Together, these organizations are referred to as covered entities.
HHS provides a decision tool that helps you determine whether your organization is a covered entity.
The HITECH Act of 2009 extended the Rule’s obligations to Business Associates. As a result, not only covered entities but also the vendors and contractors that create, receive, maintain, or transmit PHI on their behalf must comply, and the two parties must have a Business Associate Agreement (BAA) in place.
For more information about HIPAA BAA compliance, you can find our checklist here.
The HIPAA Privacy Rule safeguards all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Rule calls this information protected health information (PHI).
Individually identifiable health information is information, including demographic data, that relates to an individual’s past, present, or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for that care, and that identifies the individual or provides a reasonable basis to believe it can be used to identify the individual.
It includes common identifiers such as a patient’s name, address, birth date, and Social Security number.
De-identified health information, which neither identifies nor provides a reasonable basis to identify an individual, has no restrictions on use or disclosure. Note that the Rule only treats data as de-identified if it was produced by one of two methods: the Safe Harbor method, which removes 18 specified identifiers of the individual and of their relatives, employers, and household members, or a formal determination by a qualified expert that the risk of re-identification is very small.
HIPAA Minimum Necessary is a central component of the HIPAA Privacy Rule that requires covered entities to follow a “minimum necessary” standard for the use and disclosure of PHI.
Specifically, the Minimum Necessary standard states that a covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.
As a result, a covered entity must develop and implement policies and procedures that reasonably limit its uses, disclosures, and requests to the minimum necessary, for example by restricting each workforce role’s access to only the PHI that role needs. The standard does not apply to disclosures to, or requests by, a health care provider for treatment, disclosures to the individual who is the subject of the information, uses or disclosures made under the individual’s authorization, disclosures to HHS for compliance purposes, or disclosures required by law.
Covered entities must meet the following administrative criteria:
A covered entity must designate a privacy official responsible for developing and implementing its privacy policies and procedures, and a contact person for receiving complaints and providing individuals with information on the covered entity’s privacy practices.
A covered entity must train all workforce members on its privacy policies and procedures. Workforce members include employees, volunteers, trainees, and all others whose conduct is under the direct control of the entity, whether or not they are paid. Furthermore, a covered entity must have and apply appropriate sanctions against workforce members who violate its privacy policies and procedures.
A covered entity must mitigate, to the extent practicable, any harmful effect it learns was caused by a use or disclosure of protected health information by its workforce or business associates in violation of its policies or the Privacy Rule.
A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule. For instance, some examples of data safeguards include shredding documents containing PHI before discarding them, securing medical records with a lock and key or passcode, and limiting access to those keys or passcodes.
A covered entity must have procedures for individuals to file complaints about its compliance with its privacy policies and procedures.
A covered entity may not retaliate against a person for exercising rights provided by the Privacy Rule, for assisting in an investigation by HHS or other authority, or for opposing an act or practice that the person believes in good faith violates the Privacy Rule. Also, a covered entity may not require an individual to waive any right under the Privacy Rule as a condition for obtaining treatment, payment, or benefits.
A covered entity must retain its privacy policies and procedures, its privacy practices notices, the disposition of complaints, and the other actions, activities, and designations that the Privacy Rule requires to be documented for six years after the later of the date of creation or the last effective date.
Ensuring compliance with these administrative requirements is time-consuming. aNetwork’s HIPAA Compliance package covers all the requirements set forth by HIPAA. Contact us today to get started.
The Department of Health and Human Services, Office for Civil Rights (OCR) enforces HIPAA requirements and conducts complaint investigations and compliance reviews.
Also, OCR will seek the cooperation of covered entities and provide technical assistance to help them comply voluntarily with the Privacy Rule.
Covered entities that fail to comply voluntarily with Privacy Rule standards can be subject to civil money penalties imposed by OCR for any of the requirements outlined in the Rule, and OCR refers possible criminal violations to the Department of Justice for prosecution.
The amount of a civil penalty depends on the covered entity’s level of culpability: whether it did not know (and by exercising reasonable diligence would not have known) of the violation, whether the violation was due to reasonable cause rather than willful neglect, and whether willful neglect was corrected within 30 days.
For violations that occurred on or after February 18, 2009, the statutory penalty tiers are:
Penalty amount: $100 to $50,000 or more per violation, depending on the tier
Calendar year cap: $1,500,000 for all violations of an identical provision
These are the original statutory figures; HHS adjusts them annually for inflation, so the amounts in force today are higher.
Before OCR imposes a penalty, it will notify the covered entity and provide them with the opportunity to present written evidence of circumstances that would reduce or bar the penalty.
As a result, covered organizations must not only meet compliance standards but also demonstrate compliance.
A person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA may face a criminal penalty of up to $50,000 and up to one year of imprisonment.
The criminal penalties increase to $100,000 and up to five years of imprisonment if the wrongful conduct involves false pretenses, and to $250,000 and up to ten years of imprisonment if the wrongful conduct involves the intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain, or malicious harm.
Complying with HIPAA Privacy Rule can be a tough but necessary burden, but you don’t have to do it alone.
aNetwork offers an all-inclusive HIPAA Compliance package that does the work for you. Furthermore, we ensure you have all the bases covered and are audit-ready.
If you want to hear about our compliance package, then contact us.
Likewise, if you would like to do the hands-on work yourself but could benefit from consulting services to help you get the ball rolling, we offer customizable packages depending on the level of assistance you require.
Our consultations are FREE. Call us today at 855-459-6600.
The HIPAA Security Rule requires covered entities and their business associates to take specific preventive measures to protect electronic PHI (ePHI). It requires them to develop and maintain security policies and procedures that protect the ePHI they create, receive, maintain, or transmit. Simply put, each organization must assess the risks to ePHI in its own environment and formulate a plan around them.
Specifically, organizations that must comply with the Security Rule are required to: ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit; protect against reasonably anticipated threats or hazards to its security or integrity; protect against reasonably anticipated uses or disclosures that the Privacy Rule does not permit; and ensure compliance by their workforce.
When organizations are deciding how to develop and implement security measures that comply with the HIPAA Privacy and Security Rules, they should consider the size, complexity, and capabilities of their organization, and the measures should be proportionate to the risk identified in the risk analysis. If your company doesn’t have the resources to assess its risks and develop security policies, it should partner with a security provider for an assessment.
Finally, there are specific security measures you can take to avoid PHI data breaches.
Health care data breaches happen with shocking regularity, because the sensitive information health care organizations store is valuable to cybercriminals. As a result, health care organizations need to take precautions: a single data breach can cost you your practice.
However, there are affordable ways to mitigate the risks of HIPAA data breaches.
Specifically, HHS recommends the following ten practices to comply with HIPAA Privacy and Security Rules: