HIPAA Basics for Providers

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), as updated by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), protects medical information within the United States healthcare industry. HIPAA does not preempt stricter state privacy laws. The Privacy Rule standards address the use and disclosure of individuals’ health information, called “protected health information” (PHI), by organizations subject to the Privacy Rule, called “covered entities.” The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that covered entities must put in place to secure individuals’ “electronic protected health information” (e-PHI). Within the U.S. Department of Health and Human Services (HHS), the Office for Civil Rights (OCR) is responsible for enforcing the Privacy and Security Rules through voluntary compliance activities and civil money penalties.

The Privacy Rule protects the privacy of PHI. It generally requires a covered entity to provide a detailed privacy notice at the date of first service delivery. The Privacy Rule authorizes the use and disclosure of PHI for essential healthcare purposes (treatment, payment and operations) as well as for certain other established compliance purposes. A covered entity may not require an individual to sign an authorization as a condition of receiving treatment or participating in a health plan. When a covered entity does use or disclose PHI, it must limit the use or disclosure to the minimum necessary to accomplish the intended purpose.

Covered entities must designate a privacy official who is responsible for developing and implementing privacy protections and who serves as the point of contact for any privacy-related issues. Under the Privacy Rule, individuals have the right to access and copy their own PHI from a covered entity or a business associate. Individuals also have the right to receive an accounting of certain disclosures of their PHI that have been made. Covered entities must implement administrative, physical and technical safeguards to protect the confidentiality and integrity of all PHI.

The Security Rule requires both covered entities and business associates to implement administrative, physical and technical safeguards for e-PHI. The Security Rule aims to prevent unauthorized use or disclosure of e-PHI, and covered entities must maintain the integrity and availability of e-PHI. Furthermore, covered entities must maintain data backup and disaster recovery plans.

The Privacy Rule does not apply to information that has been “de-identified”: information that does not actually identify an individual and for which there is no reasonable basis to believe that it can be used to identify an individual. The Privacy Rule provides two methods for de-identifying data: (1) remove the 18 data elements listed in the rule, or (2) have an expert certify that the risk of re-identifying the individuals is very small. Research is permitted on de-identified information. If unauthorized access to PHI occurs, a breach is presumed to have occurred, and the covered entity must monitor, contain and, if necessary, provide notice to the relevant parties.
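The first de-identification method above (often called Safe Harbor) is mechanical enough to express in code. The following is an added illustration and not code from the original post: it applies the Safe Harbor generalizations to a constructed patient record. The field names, the sample record and the set of low-population ZIP prefixes are assumptions made for the example; the identifier categories, the year-only treatment of dates, the three-digit ZIP truncation and the aggregation of ages over 89 follow the rule.

```python
"""Safe Harbor style de-identification of a constructed patient record.

Added example, not code from the original post. Field names, the sample
record and LOW_POPULATION_ZIP3 are constructed assumptions; the categories
removed or generalized are those of the Privacy Rule's Safe Harbor method.
"""
from datetime import date

# Direct identifiers the Safe Harbor method removes outright. The keys are
# assumed field names in the constructed record; the categories are the rule's.
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "street_address", "city", "county",        # names, geography below state
    "phone", "fax", "email",                            # contact identifiers
    "ssn", "mrn", "health_plan_id", "account_number",   # numbers tied to the person
    "license_number", "vehicle_id", "device_serial",    # certificate, vehicle, device ids
    "url", "ip_address", "biometric_id", "photo",       # web, network, biometric, images
})

# Free text can carry "any other unique identifying characteristic or code",
# which cannot be checked mechanically, so it is removed rather than passed on.
FREE_TEXT_FIELDS = frozenset({"clinical_notes"})

# Fields the example keeps unchanged (state-level geography and clinical data).
RETAINED_FIELDS = frozenset({"state", "sex", "diagnosis_code"})

# Dates directly related to the individual keep only the year.
DATE_FIELDS = frozenset({"admission_date", "discharge_date"})

# Constructed placeholder: the rule requires "000" for any three-digit ZIP
# prefix whose combined area has 20,000 or fewer residents. Derive the real
# set from current census data; these values are illustrative only.
LOW_POPULATION_ZIP3 = frozenset({"036", "059", "102"})


def generalize_zip(zip_code: str, low_pop=LOW_POPULATION_ZIP3) -> str:
    """Keep the first three digits, or '000' for sparsely populated prefixes."""
    prefix = zip_code.strip()[:3]
    if len(prefix) != 3 or not prefix.isdigit():
        return "000"  # malformed input: fail closed rather than leak it
    return "000" if prefix in low_pop else prefix


def generalize_birth_date(birth_date: date, as_of: date) -> dict:
    """Year of birth only; anyone over 89 is aggregated into one age bucket."""
    age = as_of.year - birth_date.year - (
        (as_of.month, as_of.day) < (birth_date.month, birth_date.day)
    )
    if age > 89:
        return {"age_category": "90 or older"}  # even the year must go
    return {"birth_year": str(birth_date.year)}


def deidentify(record: dict, as_of: date) -> dict:
    """Return a new record with Safe Harbor removals and generalizations applied.

    Unknown fields are dropped, not passed through: an allow-list is the only
    safe default when the rule's last category is open-ended.
    """
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or key in FREE_TEXT_FIELDS:
            continue
        if key == "birth_date":
            out.update(generalize_birth_date(value, as_of))
        elif key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = str(value.year)
        elif key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key in RETAINED_FIELDS:
            out[key] = value
    return out


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample", "mrn": "MRN-0001234", "ssn": "000-00-0000",
    "email": "jane@example.com", "street_address": "1 Example St",
    "city": "Sampletown", "state": "NH", "zip": "03601",
    "birth_date": date(1930, 5, 2), "admission_date": date(2021, 3, 14),
    "diagnosis_code": "E11.9", "sex": "F",
    "clinical_notes": "Patient is the mayor's sister; photo on file.",
    "ip_address": "192.0.2.10",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, as_of=date(2021, 3, 14)))
```

The allow-list design is the security-relevant choice: a field the code does not recognize is dropped, so a new column added upstream cannot silently carry an identifier into the research extract. The restricted ZIP set and the "as of" date are parameters rather than hidden state so that the output is reproducible for audit.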

Published by apollocompliance

Jean-Marc is a law student interested in cybersecurity and data privacy law.
