HIPAA
A person who believes a covered entity or business associate is not complying with the administrative simplification provisions of HIPAA may file a complaint with the Secretary of Health and Human Services (HHS).
A complaint must be filed in writing, either on paper or electronically. It must name the person or entity that is the subject of the complaint and describe the acts or omissions believed to violate the applicable administrative simplification provision(s). A complaint must be filed within 180 days of when the complainant knew or should have known that the act or omission occurred; the HHS Secretary may waive this time limit for good cause. HHS (through its Office for Civil Rights) investigates the complaint and decides whether a civil money penalty is appropriate.
Examples of administrative safeguards include:
- Active review and audits of information system (IS) activity
- Employee confidentiality agreements
- Employee security clearance policies and procedures
- Employee disciplinary policies
- Data backup and disaster recovery plans
- Risk and vulnerability assessments
Before the HITECH Act, the Privacy Rule did not govern business associates directly. The HITECH Act makes specific Privacy Rule requirements applicable to business associates and creates direct liability for a business associate that fails to comply with them, including liability for uses and disclosures of PHI that are not permitted by its business associate agreement (BAA) or other arrangement under the Privacy Rule.
Any Privacy Rule limitation on how a covered entity may use or disclose protected health information automatically extends to a business associate.
Some examples of physical safeguards are:
- Controlling building access with a photo-identification/swipe card system
- Turning computer screens displaying PHI away from public view
- Minimizing the amount of PHI kept on desktops
- Locking offices and file cabinets containing PHI
- Shredding unneeded documents containing PHI
The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted on February 17, 2009, as part of the American Recovery and Reinvestment Act. It promotes the safe and meaningful use of health information technology, addresses the privacy and security issues associated with electronic transmission of PHI, and strengthens civil and criminal enforcement of the HIPAA rules. It introduced:
- Four tiers of violation penalties, with amounts increasing with the level of culpability
- A maximum penalty of $1.5 million USD per calendar year for all violations of an identical provision (a figure that is now adjusted annually for inflation)
- Increased business associate liability
- The Breach Notification Rule, which prescribes the response to unauthorized acquisition, access, use, or disclosure of unsecured PHI
In addition to the HIPAA Privacy Official, each covered entity must have a HIPAA Security Official. This may or may not be the same person. You should know the name and contact information for your facility's Privacy and Security Official(s).
What Information is Protected?
HIPAA protects all individually identifiable health information about a patient, including physical and mental health information, payment information, and demographic information, in any form: oral, written, or electronic. Collectively this information is referred to as protected health information, or PHI. Covered entities and business associates may use and disclose PHI only as HIPAA permits.
The HIPAA Security Rule was published February 20, 2003; compliance was required from April 2005 (April 2006 for small health plans). It protects the confidentiality, integrity, and availability of patients' electronic health data by regulating:
- How electronic protected health information (ePHI) is used
- To whom ePHI is disclosed
- How and where ePHI is maintained and transmitted
The Privacy Rule lists the specific identifiers that must be removed from PHI for it to qualify as de-identified under the safe harbor method. Some examples include:
- Names
- Dates directly related to an individual, such as birthdays (the year alone may be retained)
- Geographic subdivisions smaller than a state
- Telephone numbers
- Social Security numbers
- Medical record numbers
- Full-face photographs and comparable images
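The following is an added example, not code from the original training page, showing what applying the safe harbor removals above looks like on one structured record plus a regex sweep for identifiers that leak into free-text notes. The record layout, field names and all values are invented for the example; the two safe harbor details it relies on beyond the list above are that the year of a date may be kept and that ages of 90 and over must be collapsed into a single "90 or older" bucket. The regex pass catches common formats only; it is a residual check, not a guarantee of de-identification.

```python
import re
from datetime import date

# Constructed sample record; every value is invented for the example.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "dob": "1925-04-09",
    "address": {"street": "12 Elm St", "city": "Springfield", "state": "IL", "zip": "62704"},
    "phone": "(217) 555-0134",
    "ssn": "123-45-6789",
    "mrn": "MRN-00482913",
    "photo": "face_00482913.jpg",
    "admit_date": "2019-01-01",
    "diagnosis": "Type 2 diabetes",
    "notes": "Pt called back at 217-555-0134; follow-up 01/15/2019.",
}

# Hypothetical field names for this example's record layout.
DIRECT_IDENTIFIER_FIELDS = {"name", "phone", "ssn", "mrn", "photo"}   # removed outright
DATE_FIELDS = {"dob", "admit_date"}                                   # reduced to the year
AS_OF = date(2019, 1, 1)   # reference date for age, fixed so results are reproducible

# Patterns for identifiers that commonly leak into free-text fields.
# Order matters: the SSN pattern runs before the phone pattern.
TEXT_PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\(?\b\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")),
    ("DATE", re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b|\b\d{4}-\d{2}-\d{2}\b")),
    ("MRN", re.compile(r"\bMRN-?\d+\b")),
]


def find_identifiers(text: str) -> list:
    """Return (label, match) pairs for identifier-like strings left in free text."""
    return [(label, m.group()) for label, pat in TEXT_PATTERNS for m in pat.finditer(text)]


def scrub_text(text: str) -> str:
    """Replace identifier-like strings in free text with a bracketed label."""
    for label, pat in TEXT_PATTERNS:
        text = pat.sub(f"[{label}]", text)
    return text


def age_bucket(dob_iso: str, as_of: date) -> str:
    """Safe harbor keeps exact ages below 90 and collapses 90 and over into one bucket."""
    born = date.fromisoformat(dob_iso)
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    return "90+" if age >= 90 else str(age)


def deidentify(record: dict, as_of: date = AS_OF) -> dict:
    """Apply the safe harbor removals to one structured record."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                                  # names, phone, SSN, MRN, photos: drop
        if key == "address":
            out["state"] = value.get("state")         # nothing more specific than the state
            continue
        if key in DATE_FIELDS:
            out[f"{key}_year"] = value[:4]            # keep the year only
            if key == "dob":
                out["age"] = age_bucket(value, as_of)
            continue
        out[key] = scrub_text(value) if isinstance(value, str) else value
    return out


if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD)
    print(cleaned)
    print("residual identifiers:", find_identifiers(cleaned["notes"]))
```

Structured fields are handled by name, which is reliable; the free-text sweep is where de-identification usually fails, so run find_identifiers over every text field after scrubbing and treat any hit as a defect in the scrubber rather than noise.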
Covered entities are required to provide patients with a Notice of Privacy Practices (NPP) and to revise the NPP whenever there is a material change to any privacy practice. The purpose of the NPP is to enable a patient to understand what happens to their PHI. The NPP tells patients why their PHI is needed and how it is used; it should state what information is collected, how it is used, disclosed, and stored, and whom to contact with questions or complaints.
Examples of physical safeguards include:
- Storing ePHI only on approved network or cloud storage, not on local drives
- Limiting use of portable media, such as USB drives
- Restricting ePHI to facility-managed (non-personal) devices
- Properly disposing of electronic media by wiping hard drives or physically destroying portable media
Under the HIPAA Privacy Rule, PHI regulations apply to all forms, including oral, written, and electronic communications.
The HIPAA Privacy Rule:
- Requires reasonable safeguards to protect patients' health information
- Establishes accountability for the use and release of PHI
- Gives patients rights regarding their health information
The Omnibus Rule bolstered patients' rights through the following modifications:
- The sale of PHI without patient authorization is prohibited.
- Patients' rights to receive electronic copies of their health information are expanded.
- Patients may restrict disclosures to a health plan concerning treatment they have paid for entirely out of pocket, and the covered entity must honor the restriction.
- A covered entity must redistribute its Notice of Privacy Practices (NPP) when it makes material changes.
- Patient authorization requirements are modified to facilitate research, to allow disclosure of proof of child immunization to schools, and to enable access to a decedent's information by family members or others involved in their care.
ePHI includes all physical and mental health information, payment information, and demographic information stored or transmitted in electronic form. Examples of where ePHI resides include:
- Workstations
- Laptops
- Tablets
- Mobile devices
- USB drives
- Cloud storage
- Email messages
When PHI is de-identified, it is no longer considered protected. De-identified health information should be used whenever patient identification is unnecessary.
A HIPAA covered entity is a person, agency, or organization that performs treatment, payment, or health care operations. Covered entities include:
- Health plans (such as health insurance companies)
- Healthcare clearinghouses (such as billing companies)
- Healthcare providers (such as doctors, hospitals, laboratories, and pharmacies)
Covered entities need to access, use, and disclose protected health information (PHI) in order to perform their job duties. Therefore, they must comply with HIPAA.
The Privacy Rule also requires covered entities to develop processes to handle complaints. The covered entity must identify where individuals can submit complaints, and must advise that complaints can also be submitted to the Secretary of Health and Human Services (HHS), without fear of retaliation for submitting the complaint.
A business associate is a separate entity that provides services to or on behalf of the covered entity that may involve the use and disclosure of PHI.
The Privacy Rule limits the use and disclosure of PHI and establishes patient rights.
The Privacy Rule allows covered entities to analyze their own needs and to implement programs suited to their own environment. However, it requires that all new privacy policies and procedures comply with the Privacy Rule and that compliance be reviewed at least annually.
The Privacy Rule permits covered entities to use and disclose PHI for treatment, payment, and health care operations (TPO) without obtaining specific authorization.
"Minimum necessary" means that the
laboratory will use and disclose only the minimum PHI necessary to accomplish its intended purpose, such as resulting the requested test. The regulation recognizes that there are situations when all of the PHI on a patient can be released. These include when: Releasing PHI to another covered entity for treatment Releasing PHI to the patient who is the subject of the information A patient has signed an authorization to release the PHI Required by law
The covered entity is then required to notify HHS of the breach within an allotted time that runs from the date of discovery; if the business associate is acting as an agent of the covered entity, the business associate's discovery counts as the covered entity's discovery. The reporting deadline depends on the number of affected individuals.
The intent of the HIPAA Privacy Rule is to protect the privacy of patients seeking health care while simultaneously permitting important uses of health information.
Technical safeguards refer to the technical policies and procedures that control access to and use of computer systems. These include computer system, password, anti-malware, and email security rules.
Computer system access must be regulated by:
- Controlling the level of access to the computer system
- Granting only the minimum access necessary for each job responsibility
- Logging users off automatically after a defined period of inactivity
- Requiring users to log off when leaving their workstations
The Privacy Rule requires that reasonable safeguards are in place to protect PHI. There are three categories of Privacy Rule safeguards:
- Physical
- Administrative
- Technical
The following pages will show examples of each category.
Your IT department has systems in place to protect against malware and other threats. You can help keep the network clean by following these rules:
- Do not disable workstation anti-virus protection.
- Never open suspicious email or email attachments.
- Do not download or install unauthorized software such as games and utilities.
- Do not visit websites unrelated to department business.
- Close pop-up windows with the window's own close control ("x") rather than any button inside the pop-up, such as "no".
- Report problems promptly.
Technical safeguards generally refer to the security aspects of information systems. Examples include:
- Systems that track and audit employees who access or change PHI
- Different computer security levels that allow viewing versus amending of reports
- Automatic log-off from the information system after a specified time interval
- User authentication, with log-on and passwords
- Pre-programming fax machines and confirming transmittal after each fax
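The following is an added example, not code from the original training page, that puts the technical safeguards described in the two passages above (role-based access levels, minimum-necessary field filtering, automatic log-off on inactivity, and an audit trail of every access or change to PHI) into one small gateway in front of a patient record. The roles, actions, field names, 15-minute idle timeout and record values are all invented for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=15)   # assumed automatic log-off interval

# Hypothetical roles and the actions each may perform; "amend" is a separate
# level from "view" so a billing clerk can never change a result.
ROLE_ACTIONS = {
    "lab_tech": {"view_result", "amend_result"},
    "billing": {"view_billing"},
    "front_desk": {"view_demographics"},
}
# Minimum necessary: the PHI fields each action legitimately needs.
ACTION_FIELDS = {
    "view_result": {"mrn", "test", "result"},
    "amend_result": {"mrn", "test", "result"},
    "view_billing": {"mrn", "test", "charge"},
    "view_demographics": {"mrn", "name", "dob"},
}

# Constructed sample record (invented values).
SAMPLE_RECORD = {"mrn": "MRN-00482913", "name": "Jane Example", "dob": "1925-04-09",
                 "test": "HbA1c", "result": "7.9%", "charge": "42.00"}


@dataclass
class Session:
    user: str
    role: str
    last_activity: datetime


@dataclass
class PhiGateway:
    record: dict
    sessions: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)   # append-only trail of every attempt

    def _audit(self, when, user, action, outcome, detail):
        self.audit_log.append({"time": when.isoformat(), "user": user, "action": action,
                               "outcome": outcome, "detail": detail})

    def login(self, user, role, now):
        self.sessions[user] = Session(user, role, now)
        self._audit(now, user, "login", "ALLOW", f"role={role}")

    def request(self, user, action, now, new_value=None):
        """Return the permitted view of the record, or None if the request is denied."""
        session = self.sessions.get(user)
        if session is None:
            self._audit(now, user, action, "DENY", "no active session")
            return None
        if now - session.last_activity > IDLE_TIMEOUT:
            del self.sessions[user]                    # automatic log-off on inactivity
            self._audit(now, user, action, "DENY", "session expired; user logged off")
            return None
        session.last_activity = now
        if action not in ROLE_ACTIONS.get(session.role, set()):
            self._audit(now, user, action, "DENY", f"not permitted for role {session.role}")
            return None
        if action == "amend_result":
            old, self.record["result"] = self.record["result"], new_value
            self._audit(now, user, action, "ALLOW", f"result {old!r} -> {new_value!r}")
        else:
            self._audit(now, user, action, "ALLOW",
                        "fields=" + ",".join(sorted(ACTION_FIELDS[action])))
        return {k: self.record[k] for k in ACTION_FIELDS[action]}   # only the needed fields


def demo() -> dict:
    """Run a short scenario and return what each request yielded plus the audit outcomes."""
    gw = PhiGateway(dict(SAMPLE_RECORD))
    t0 = datetime(2019, 1, 1, 9, 0)
    gw.login("bclerk", "billing", t0)
    results = {
        "billing_view": gw.request("bclerk", "view_billing", t0 + timedelta(minutes=1)),
        "billing_amend": gw.request("bclerk", "amend_result", t0 + timedelta(minutes=2), "6.0%"),
        "after_idle": gw.request("bclerk", "view_billing", t0 + timedelta(minutes=30)),
    }
    gw.login("tech1", "lab_tech", t0 + timedelta(minutes=31))
    results["tech_amend"] = gw.request("tech1", "amend_result", t0 + timedelta(minutes=32), "6.0%")
    results["outcomes"] = [e["outcome"] for e in gw.audit_log]
    results["sessions"] = sorted(gw.sessions)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Denied attempts are logged with the same detail as successful ones; a clerk repeatedly trying to amend results, or a session that keeps timing out and re-authenticating, is exactly the pattern the "active review and audits of IS activity" administrative safeguard is meant to surface.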
A business associate agreement (BAA) must be in place between a covered entity and each of its business associates. This contract defines the processes that will be implemented and sets out the permissible uses and disclosures of PHI by the business associate. A business associate may use or disclose PHI only as permitted or required by the BAA or as required by law. If the business associate uses a subcontractor that creates, receives, maintains, or transmits PHI on its behalf, the business associate must in turn have a BAA with that subcontractor, and the subcontractor must adhere to it.
The HITECH Act requires a business associate to notify the covered entity when it discovers a breach of unsecured PHI. The business associate must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovery of the breach (the BAA may, and often does, require a shorter period). If the business associate is acting as an agent of the covered entity, the business associate's discovery is treated as the covered entity's discovery, so the covered entity's own notification clocks start on that date.
There are four tiers of increasing penalty amounts that correspond to the level of culpability associated with the HIPAA violation:
- (lowest tier) The covered entity or business associate did not know, and by exercising reasonable diligence would not have known, of the violation
- Violations due to reasonable cause and not to willful neglect
- Violations due to willful neglect that are corrected within the required time period
- (highest tier) Violations due to willful neglect that are not corrected
The civil money penalty is determined by the HHS Secretary, who investigates the complaint and decides how to handle the HIPAA violation. The maximum penalty is $1.5 million USD per calendar year for all violations of an identical provision (adjusted annually for inflation).
The HIPAA Privacy Rule compliance date was April 14, 2003 (April 14, 2004 for small health plans). It protects the confidentiality of patients' health data by regulating:
- How PHI is used
- To whom PHI is disclosed
- How and where PHI is maintained
The Omnibus Rule modified the Privacy and Security Rules to reflect the PHI protection required in the digital age:
- Business associate liability: business associates of covered entities are directly liable for compliance with certain requirements of the HIPAA Privacy and Security Rules.
- Business associate subcontractors that create or receive PHI are likewise liable and must agree to the same restrictions and conditions that apply to the business associate. A subcontractor may not use PHI in any way not permitted by the business associate agreement (BAA) between the primary business associate and the covered entity, and the BAA between the business associate and the subcontractor must be at least as stringent as the BAA between the covered entity and the business associate.
- Limitations on the use and disclosure of protected health information (PHI) for marketing and fundraising purposes are strengthened.
If a breach affects 500 or more individuals, covered entities are required to notify HHS "immediately". The term is used loosely here; 45 CFR Part 164 requires notification "without unreasonable delay but in no case later than 60 calendar days following discovery of a breach," contemporaneously with the notice to the affected individuals. The clock runs from discovery, not from when the breach occurred. For example, if a breach affecting 500 or more individuals occurred on December 5, 2018 and was discovered on January 1, 2019, the 60th calendar day after discovery is March 2, 2019; if the day of discovery is counted as day one, it is March 1, 2019, which is the safer date to plan to.
If a breach affects fewer than 500 individuals, covered entities must notify HHS no later than 60 days after the end of the calendar year in which the breach was discovered (not the year in which it occurred). For example, if a breach affecting fewer than 500 individuals occurred on December 5, 2018 and was discovered on January 1, 2019, the year of discovery ends on December 31, 2019, and 60 days later is February 29, 2020 (2020 is a leap year; in a non-leap year the date is March 1). It is very important that business associate agreements (BAAs) cover how and when the business associate will notify the covered entity of a suspected breach.
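The following is an added example, not code from the original training page, that computes the notification calendar for the scenario above (breach occurred December 5, 2018, discovered January 1, 2019) for both the 500-or-more and the fewer-than-500 branches, plus the case where an agent business associate discovered the breach first. It assumes the usual counting rule for regulatory deadlines (the day of discovery is day zero); the breach size and the business associate's discovery date are invented. It also covers the individual-notice deadline and the business associate's own 60-day deadline for telling the covered entity, which this page discusses elsewhere.

```python
from datetime import date, timedelta

LARGE_BREACH = 500                 # 500 or more affected individuals
NOTIFICATION_WINDOW = timedelta(days=60)


def hhs_deadline(discovered: date, affected: int) -> date:
    """Latest date to notify HHS (45 CFR 164.408).

    Counting assumption: the day of discovery is day zero and the 60th day
    after it is the last day. Teams that count discovery as day one should
    plan for one day earlier.
    """
    if affected >= LARGE_BREACH:
        return discovered + NOTIFICATION_WINDOW
    year_end = date(discovered.year, 12, 31)       # year of DISCOVERY, not of occurrence
    return year_end + NOTIFICATION_WINDOW           # leap years land on Feb 29, not Mar 1


def individual_deadline(discovered: date) -> date:
    """Latest date to notify affected individuals (45 CFR 164.404): 60 days after discovery."""
    return discovered + NOTIFICATION_WINDOW


def timeline(discovered: date, affected: int,
             ba_discovered: date = None, ba_is_agent: bool = False) -> dict:
    """Build the covered entity's notification calendar for one breach.

    If a business associate that is the covered entity's agent discovered the
    breach first, its discovery date is imputed to the covered entity.
    """
    clock_start = discovered
    if ba_discovered is not None and ba_is_agent:
        clock_start = min(discovered, ba_discovered)
    out = {
        "clock_starts": clock_start.isoformat(),
        "notify_individuals_by": individual_deadline(clock_start).isoformat(),
        "notify_hhs_by": hhs_deadline(clock_start, affected).isoformat(),
    }
    if ba_discovered is not None:
        # the business associate's own outer limit for telling the covered entity
        out["ba_must_notify_ce_by"] = (ba_discovered + NOTIFICATION_WINDOW).isoformat()
    return out


def worked_examples() -> dict:
    """The page's scenario: breach occurred 2018-12-05, discovered by the covered entity 2019-01-01."""
    discovered = date(2019, 1, 1)
    return {
        "large": timeline(discovered, 600),
        "small": timeline(discovered, 120),
        # same small breach, but an agent business associate found it on 2018-12-20 (invented)
        "small_via_agent": timeline(discovered, 120,
                                    ba_discovered=date(2018, 12, 20), ba_is_agent=True),
    }


if __name__ == "__main__":
    for name, calendar in worked_examples().items():
        print(name, calendar)
```

The agent case is the one that catches teams out: the business associate's December 20, 2018 discovery pulls the small breach back into the 2018 reporting year, so HHS must be told by March 1, 2019 instead of February 29, 2020, and the individuals by February 18, 2019.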
A covered entity may disclose PHI to other covered entities that provide services to the primary covered entity:
- Each entity must have, or have had, a relationship with the patient who is the subject of the PHI being requested (for example, a reference laboratory that performs tests for a clinical laboratory).
- The service that the other covered entity provides must fall within treatment, payment, or health care operations (TPO). A covered entity may disclose PHI to another covered entity for the payment activities of the entity that receives the information.
- If the service provided does not fall within TPO, an authorization is generally required. An authorization form must state the specific disclosures of PHI to be made and the purpose for which the information will be used. It must be signed and dated by the patient.
The Privacy Rule includes these administrative requirements:
- Every covered entity must designate a Privacy Official / Officer. You should know who your Privacy Official is and how to contact them.
- All staff must participate in HIPAA training.
- Safeguards must be in place to protect PHI.
- A complaints process must be in place to handle patient complaints about PHI handling.
- A discipline procedure must be in place to penalize employees who do not comply with privacy policies.
The Omnibus Rule, also known as the Final Rule, went into effect on March 26, 2013 (compliance was required by September 23, 2013). It strengthens the privacy and security protection for individuals' health information, including genetic information, maintained in electronic health records and other formats, and adds protections to the HIPAA Privacy and Security Rules. Rather than introducing new requirements of its own, the Omnibus Rule implements and makes enforceable the changes provided by the HITECH Act. The Omnibus Rule:
- Bolsters patients' rights and PHI security
- Enforces business associate liability with direct penalties
- Expands breach notification practices
What is HIPAA?
HIPAA is short for the Health Insurance Portability and Accountability Act. Passed by Congress in 1996, HIPAA is a United States federal law that protects the privacy and security of health information.
Access to computer systems must be password protected. Please read and understand the password recommendations below:
- Keep passwords secret; do not share them with others.
- Memorize passwords to avoid having to write them down.
- Create strong passwords which:
  - Are at least 7 characters long.
  - Are not dictionary words or easily recognizable proper nouns.
  - Include upper and lower case letters, numbers, and special characters.
- Change passwords regularly.
- Never select "remember my password" if prompted to do so.
You must follow your own facility's specific password policies and procedures. Treat the rules above as a minimum: current federal guidance (NIST SP 800-63B) favors longer passphrases, screening against lists of breached passwords, and multi-factor authentication over composition rules and mandatory periodic changes.
The Security Rule requires that reasonable and appropriate safeguards are in place to protect the confidentiality, integrity, and availability of all ePHI a covered entity or business associate creates, receives, maintains, or transmits, including the storage and disposal of electronic media such as hard drives and cloud storage. There are three categories of Security Rule safeguards:
- Physical
- Administrative
- Technical
Physical, administrative, and technical safeguards are required under both Rules. Safeguards must be implemented by covered entities and business associates, and the requirement extends to the subcontractor level.
Examples of administrative safeguards include:
- Policies and procedures
- Staff training programs
- Auditing and monitoring compliance with policies and procedures
- Employee confidentiality agreements
A breach is any acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted by the HIPAA Privacy Rule, unless a documented risk assessment demonstrates that there is a low probability that the PHI was compromised. Affected patients must be informed of a breach of their unsecured PHI.
A covered entity may use or disclose PHI without obtaining a patient's authorization in order to:
- Perform requested tests and treatments
- Bill for the services performed
- Perform essential operations, including quality assessment, accreditation, and compliance
- Meet legal reporting requirements, including those mandated by public health departments, workers' compensation, law enforcement agencies, and the U.S. Department of Health and Human Services
Other uses and disclosures require written authorization.
HIPAA provides for the following patient rights:
- Right of Notice: Patients have the right to know why PHI is being collected and to whom it may be disclosed.
- Right of Access: Patients may access their own PHI upon request. Patients may obtain an electronic copy of their PHI if the PHI is maintained electronically. If the ePHI is not readily producible in the requested format, the covered entity must provide a copy in another readable electronic form, such as a PDF, rather than a hard copy. Covered entities must respond to all requests within 30 days, unless the covered entity uses its one-time 30-day extension.
- Right to an Accounting of Disclosures: Patients have a right to know to whom their PHI has been disclosed.
- Right to Amend: Patients may request a change to their PHI.
- Right to Request Restrictions: Patients may request that PHI be withheld from specific parties. Patients have the right to restrict disclosures to a health plan concerning treatment they have paid for entirely out of pocket.
Patients may have additional rights under state law.
Standard email provides no confidentiality for PHI, either in transit or while it sits on intermediate mail servers. Many facilities choose not to allow transmission of PHI via email at all. If email is necessary, some facilities allow transmission of PHI via secure end-to-end encrypted email, where only the sender and the recipient are able to read the message contents. If PHI files must be sent, additional measures may include encrypting the attachments with a password; in that case the password must be sent by a separate channel (for example, by phone), never in the same or a follow-up email, and a strong encryption format must be used, since the simple "password to open" protection of some document formats is not a substitute for proper encryption. You must comply with your facility's policies and procedures regarding any use or disclosure of email and attachments for PHI.
Health information is considered de-identified if it cannot reasonably be used to identify an individual. Other terms for de-identified health information are anonymous, aggregated, and scrubbed.