HIPAA BASICS FOR PROVIDERS: PRIVACY, SECURITY, AND BREACH NOTIFICATION RULES


Business Associates

A business associate is a person or organization, other than an employee of a covered entity, that performs certain functions on behalf of, or provides certain services to, a covered entity that involve access to PHI. A business associate can also be a subcontractor responsible for creating, receiving, maintaining, or transmitting PHI on behalf of another business associate. Business associates provide services to covered entities that include:

● Accreditation
● Billing
● Claims processing
● Consulting
● Data analysis
● Financial services
● Legal services
● Management administration
● Utilization review

NOTE: A covered entity can be a business associate of another covered entity.

If a covered entity enlists the help of a business associate, then a written contract or other arrangement between the two must:

● Detail the uses and disclosures of PHI the business associate may make
● Require that the business associate safeguard the PHI

Who must comply?

Covered entities and business associates, as applicable, must follow HIPAA rules. If an entity does not meet the definition of a covered entity or business associate, it does not have to comply with the HIPAA rules.

Examples

● Settlement: Two covered entities inadvertently posted ePHI for 6,800 individuals on the web, including patient status, vital signs, medications, and laboratory results. The investigation found that neither entity made efforts to assure the security of the server hosting the ePHI or confirm it contained adequate software protections. Neither entity developed an adequate risk management plan that addressed potential threats and hazards to ePHI. The entities agreed to pay a combined settlement of $4.8 million and enter into corrective action plans.
● Criminal prosecution: A former hospital employee pleaded guilty to criminal HIPAA charges after obtaining PHI with the intent to use it for personal gain. He faced up to 10 years in prison.

HIPAA Privacy Rule establishes standards for the protection of PHI held by:

♦ Health plans
♦ Health care clearinghouses
♦ Those health care providers that conduct certain health care transactions electronically
♦ Their business associates

Health Care Clearinghouse

A public or private entity that processes another entity's health care transactions from a standard format to a non-standard format, or vice versa, such as:

♦ Billing services
♦ Community health management information systems
♦ Repricing companies
♦ Value-added networks

Health plan

Any individual or group plan that provides or pays the cost of health care, such as:

♦ Company health plans
♦ Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans' health care programs
♦ Health insurance companies
♦ Health maintenance organizations (HMOs)

Covered Health-Care Provider

Any provider of medical or other health care services or supplies who transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard, such as:

♦ Chiropractors
♦ Clinics
♦ Dentists
♦ Doctors
♦ Nursing homes
♦ Pharmacies
♦ Psychologists

The Privacy Rule

Gives patients important rights with respect to their health information, including rights to examine and obtain a copy of their health records in the form and manner they request, and to ask for corrections to their information. Also, the Privacy Rule permits the use and disclosure of health information needed for patient care and other important purposes.

Breach Notification rule

Requires covered entities to notify affected individuals, U.S. Department of Health & Human Services (HHS), and in some cases, the media of a breach of unsecured PHI.

HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule requires covered entities to notify affected individuals, HHS, and in some cases, the media of a breach of unsecured PHI. Most notifications must be provided without unreasonable delay and no later than 60 days following the discovery of a breach. Notifications of smaller breaches affecting fewer than 500 individuals may be submitted to HHS annually. The Breach Notification Rule also requires business associates of covered entities to notify the covered entity of breaches at or by the business associate.

HIPAA Enforcement Rule

The HIPAA Enforcement Rule contains provisions relating to compliance and investigations, the imposition of civil money penalties for violations of the HIPAA Administrative Simplification Rules, and procedures for hearings. The HIPAA Enforcement Rule is codified at 45 CFR Part 160, Subparts C, D, and E.

Privacy rule

Sets national standards for when protected health information (PHI) may be used and disclosed.

Security rule

Specifies safeguards that covered entities and their business associates must implement to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI).

Enforcement

The HHS Office for Civil Rights enforces the HIPAA Privacy, Security, and Breach Notification Rules. Violations may result in civil monetary penalties. In some cases, criminal penalties enforced by the U.S. Department of Justice may apply. Common noncompliance issues include:

● Impermissible PHI uses and disclosures
● Lack of PHI safeguards
● Lack of patients' access to their PHI
● Use or disclosure of more than the minimum necessary PHI
● Lack of administrative ePHI safeguards

HIPAA SECURITY RULE

The HIPAA Security Rule specifies safeguards that covered entities and their business associates must implement to protect the confidentiality, integrity, and availability of ePHI. Covered entities and business associates must develop and implement policies and procedures to protect the security of ePHI they create, receive, maintain, or transmit. Each entity must analyze the risks to ePHI in its environment and create solutions appropriate for its own situation. What is reasonable and appropriate depends on the nature of the entity's business, as well as its size, complexity, and resources. Specifically, covered entities must:

♦ Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit
♦ Identify and protect against reasonably anticipated threats to the security or integrity of the ePHI
♦ Protect against reasonably anticipated, impermissible uses or disclosures
♦ Ensure compliance by their workforce

HITECH Act Enforcement Interim Final Rule

The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.

Section 13410(d) of the HITECH Act, which became effective on February 18, 2009, revised section 1176(a) of the Social Security Act (the Act) by establishing:

♦ Four categories of violations that reflect increasing levels of culpability;
♦ Four corresponding tiers of penalty amounts that significantly increase the minimum penalty amount for each violation; and
♦ A maximum penalty amount of $1.5 million for all violations of an identical provision.

It also amended section 1176(b) of the Act by:

♦ Striking the previous bar on the imposition of penalties if the covered entity did not know and with the exercise of reasonable diligence would not have known of the violation (such violations are now punishable under the lowest tier of penalties); and
♦ Providing a prohibition on the imposition of penalties for any violation that is corrected within a 30-day time period, as long as the violation was not due to willful neglect.

This interim final rule conforms HIPAA's enforcement regulations to these statutory revisions that are currently effective under section 13410(d) of the HITECH Act. This interim final rule does not make amendments with respect to those enforcement provisions of the HITECH Act that are not yet effective under the applicable statutory provisions. This interim final rule will become effective on November 30, 2009. HHS has invited public comments on the interim final rule, which will be considered if received by December 29, 2009.

HIPAA

The Health Insurance Portability and Accountability Act: its privacy, security, and breach notification rules protect the privacy and security of health information and provide individuals with certain rights to their health information.

Protected Health Information

The Privacy Rule protects individually identifiable health information, called PHI, held or transmitted by a covered entity or its business associate, in any form, whether electronic, paper, or verbal. PHI includes information that relates to all of the following:

♦ The individual's past, present, or future physical or mental health or condition
♦ The provision of health care to the individual
♦ The past, present, or future payment for the provision of health care to the individual

PHI includes many common identifiers, such as name, address, birth date, and Social Security number.

HIPAA SECURITY RULE

The Security Rule does not dictate security measures but requires covered entities to consider all of the following:

♦ Size, complexity, and capabilities
♦ Technical, hardware, and software infrastructure
♦ The costs of security measures
♦ The likelihood and possible impact of risks to ePHI

Covered entities must review and modify security measures to continue protecting ePHI in a changing environment.

Omnibus HIPAA Rulemaking

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights announces a final rule that implements a number of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
