CHAPTER 5 HIPAA AND HITECH


Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule)

This is the title of an extensive body of regulations promulgated under the Health Insurance Portability and Accountability Act (HIPAA) of 1996. The fundamental purpose of the Privacy Rule is to define and limit the circumstances in which an individual's personal health information (PHI) may be used or disclosed by a covered entity or its business associates. A covered entity may use or disclose PHI only when the Privacy Rule requires or permits it, or when the affected individual has given his or her written authorization.

Business associate

A person or organization (other than a covered entity's own employees) that does work or provides services for a covered entity involving the use or disclosure of individually identifiable health information. Examples of business associate services are claims processing, data analysis, utilization review, and billing.

Protected health information (PHI)

The HIPAA Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. This applies to information that relates to an individual's physical or mental health or condition, the provision of health care to the person, and the payment for that health care. It includes demographic data.

Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009

The HITECH Act created the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs, which offer incentive payments to eligible professionals and hospitals that adopt, implement, upgrade, or demonstrate meaningful use of certified EHR technology. The incentives continue until 2015, after which time penalties will be assessed for failing to demonstrate such use. The HITECH Act also established the Breach Notification Rule under HIPAA, required DHHS to conduct periodic audits to ensure covered entities are complying with the HIPAA rules, and strengthened civil and criminal enforcement of those rules.

Covered entities

The Privacy and Security Rules of the Health Insurance Portability and Accountability Act (HIPAA) apply to "covered entities". These include three types of organizations - health care providers (e.g., physician practices, hospitals), health plans, and health care clearinghouses.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

This Act was enacted to protect against the privacy and security threats presented by the widespread and growing use of sensitive personal health care information throughout the health care industry. The Office for Civil Rights within the DHHS implements the Act through four rules. The Privacy Rule sets standards for individuals' privacy rights and for the use and disclosure of their health information by health care providers and plans. The Security Rule sets national standards for the security of electronic protected health information. The Breach Notification Rule requires covered entities and business associates to provide notification following a breach of unsecured protected health information. The confidentiality provisions of the Patient Safety Rule protect identifiable information being used to analyze patient safety events and improve patient safety.

Breach Notification Rule

This is a requirement under HIPAA that covered entities and their business associates provide notification following a breach of unsecured protected health information (PHI). A breach is an impermissible use or disclosure that compromises the security or privacy of the PHI enough to pose a significant risk of financial, reputational, or other harm to the affected individual. Depending on the circumstances, the notification must go to the affected individual, the DHHS, and media outlets.

Unsecured PHI

Under the Health Insurance Portability and Accountability Act (HIPAA), a variety of health care entities are required to provide notification in the event of a breach of unsecured protected health information (PHI). Unsecured PHI is health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of technology or methodology like encryption or destruction.

Security Standards for the Protection of Electronic Protected Health Information (the Security Rule)

Under this rule, covered entities must:

1. Ensure the confidentiality, integrity, and availability of all electronic protected health information they create, receive, maintain, or transmit;
2. Protect against threats or hazards to the security or integrity of the information;
3. Protect against uses or disclosures of the information that are not permitted or required; and
4. Ensure compliance with these terms by their workforce.

To accomplish this, the rule describes a multitude of safeguards, standards, and specifications that must be implemented.
