HIPAA applies to health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form. It can be divided into two sections, the Privacy Rule and the Security Rule. This page discusses each in turn.
Protected Health Information
HIPAA protects “Protected Health Information”, often referred to as PHI. PHI is defined as:
“‘Individually identifiable health information’ is information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual.”
Basically, any health information that can be tied to a particular person should be thought of as PHI. Note that there are no restrictions on the use or disclosure of de-identified health information. To de-identify information, either (1) have a formal determination made by a qualified statistician that the information is de-identified; or (2) remove specified identifiers of the individual and the individual’s relatives, household members, and employers. The second method is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual.
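The second method above (removing specified identifiers) is the one that can be automated. The following is an added example, not part of the original page, showing how such a de-identification pass might be written in Python. The record, the identifier fields it strips, and the set of sparse ZIP prefixes are all constructed for illustration; the field list is a subset of the regulation's identifier categories, not the complete list. It follows the Safe Harbor conventions of reducing dates to the year, keeping only the first three ZIP digits (or "000" where that prefix is sparsely populated), and collapsing ages over 89 into one "90+" bucket. Note what it cannot do: the "no actual knowledge" condition is a judgement about the remaining data (for instance, a rare diagnosis in a small town) and has to be reviewed by a person.

```python
import re
from datetime import date

# Constructed sample record for a fictitious patient; every value is made up.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0001234",
    "ssn": "123-45-6789",
    "email": "jane.sample@example.com",
    "phone": "555-0100",
    "dob": "1931-06-15",
    "admit_date": "2023-02-03",
    "zip": "03601",
    "state": "NH",
    "diagnosis": "Type 2 diabetes",
    "notes": "Call patient at 555-0100 or jane.sample@example.com before discharge.",
}

# Direct identifiers that are removed outright. This is an illustrative subset of
# the Safe Harbor identifier categories, not the regulation's full list.
DIRECT_IDENTIFIER_FIELDS = {"name", "mrn", "ssn", "email", "phone"}

# Date fields are reduced to the year; the date of birth becomes an age bucket.
DATE_FIELDS = {"admit_date"}

# Three-digit ZIP prefixes treated as too sparsely populated to keep (assumed
# for this example; in practice this comes from census data).
SPARSE_ZIP3 = {"036"}

# Patterns for identifiers that leak into free text.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\b(?:\d{3}-)?\d{3}-\d{4}\b")


def age_bucket(dob_iso: str, as_of: date) -> str:
    """Age in years, with ages over 89 collapsed into a single '90+' bucket."""
    dob = date.fromisoformat(dob_iso)
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age > 89 else str(age)


def zip3(zip_code: str) -> str:
    """Keep only the first three ZIP digits, or '000' if that prefix is sparse."""
    prefix = zip_code[:3]
    return "000" if prefix in SPARSE_ZIP3 else prefix


def scrub_text(text: str) -> str:
    """Replace e-mail addresses and phone numbers embedded in free text."""
    text = EMAIL_RE.sub("[EMAIL]", text)
    return PHONE_RE.sub("[PHONE]", text)


def deidentify(record: dict, as_of: date = date(2023, 12, 31)) -> dict:
    """Return a copy of `record` with the configured identifiers removed or generalized."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                      # drop direct identifiers entirely
        if field == "dob":
            out["age"] = age_bucket(value, as_of)
        elif field in DATE_FIELDS:
            out[field] = value[:4]        # year only
        elif field == "zip":
            out[field] = zip3(value)
        elif isinstance(value, str):
            out[field] = scrub_text(value)
        else:
            out[field] = value
    return out


if __name__ == "__main__":
    for key, value in deidentify(SAMPLE_RECORD).items():
        print(f"{key}: {value}")
```

Free-text fields are the usual failure point: stripping the `phone` column does nothing if the same number is repeated in a clinical note, which is why the example scrubs every string field rather than only the structured identifier columns.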
Basic Principle: The Privacy Rule covers how a person’s PHI may be used or disclosed. PHI can only be used or disclosed as the Privacy Rule permits or requires, or as the individual who is the subject of the information [or their personal representative] authorizes in writing.
Required Disclosures: A covered entity is required to disclose PHI in only two situations: (1) when an individual [or their personal representative] specifically requests access to, or an accounting of the disclosures of, their PHI; and (2) when the Department of Health and Human Services (HHS) requests it in relation to a compliance investigation, review, or enforcement action.
Permitted Uses and Disclosures: A covered entity is permitted, but not required, to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations: (1) To the Individual (unless required for access or accounting of disclosures); (2) Treatment, Payment, and Health Care Operations; (3) Opportunity to Agree or Object; (4) Incident to an otherwise permitted use and disclosure; (5) Public Interest and Benefit Activities; and (6) Limited Data Set for the purposes of research, public health or health care operations.
Authorization: A covered entity must obtain the individual’s written authorization for any use or disclosure of PHI that is not permitted or required by the Privacy Rule. All authorizations must be in plain language, and contain specific information regarding the information to be disclosed or used, the person(s) disclosing and receiving the information, expiration, right to revoke in writing, and other data.
Minimum Necessary: A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request. A covered entity must develop and implement policies and procedures to reasonably limit uses and disclosures to the minimum necessary. When the minimum necessary standard applies to a use or disclosure, a covered entity may not use, disclose, or request the entire medical record for a particular purpose, unless it can specifically justify the whole record as the amount reasonably needed for the purpose.
The minimum necessary requirement is not imposed in any of the following circumstances: (a) disclosure to or a request by a health care provider for treatment; (b) disclosure to an individual who is the subject of the information, or the individual’s personal representative; (c) use or disclosure made pursuant to an authorization; (d) disclosure to HHS for complaint investigation, compliance review or enforcement; (e) use or disclosure that is required by law; or (f) use or disclosure required for compliance with the HIPAA Transactions Rule or other HIPAA Administrative Simplification Rules.
Notice and Other Individual Rights:
Notice: With a few exceptions, a covered entity must provide notice of its privacy practices.
Individual Rights: An individual shall have the right to access their own PHI. They shall have the right to have their PHI amended if they believe it is wrong. If a covered entity denies an amendment, it must send a written denial and allow the individual to add a statement of disagreement to the record. An individual shall have the right to an accounting of the disclosures of their PHI. An individual shall have the right to request restrictions on the use of their PHI. Finally, an individual has the right to request an alternative means of receiving communications of PHI outside of the means the covered entity typically employs.
HIPAA requires certain administrative actions by a covered entity. These include having written privacy policies and procedures, designating a privacy official responsible for those procedures, training the workforce on those privacy policies, mitigating harm in the case of a disclosure in violation of policy, having data safeguards, having a way for individuals to complain about compliance with its privacy policies, not retaliating against anyone for exercising the rights provided by the rule, and maintaining all related documents for at least six years.
Fully-Insured Group Health Plan Exception. The only administrative obligations with which a fully-insured group health plan that has no more than enrollment data and summary health information is required to comply are the (1) ban on retaliatory acts and waiver of individual rights, and (2) documentation requirements with respect to plan documents if such documents are amended to provide for the disclosure of protected health information to the plan sponsor by a health insurance issuer or HMO that services the group health plan.
The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI (PHI in electronic form).
Specifically, covered entities must:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
The rule does not dictate what measures to use. Instead, an entity must consider:
- Its size, complexity, and capabilities,
- Its technical, hardware, and software infrastructure,
- The costs of security measures, and
- The likelihood and possible impact of potential risks to e-PHI.
- Security Management Process. As explained in the previous section, a covered entity must identify and analyze potential risks to e-PHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
- Security Personnel. A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.
- Information Access Management. Consistent with the Privacy Rule standard limiting uses and disclosures of PHI to the “minimum necessary,” the Security Rule requires a covered entity to implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user or recipient’s role (role-based access).
- Workforce Training and Management. A covered entity must provide for appropriate authorization and supervision of workforce members who work with e-PHI. A covered entity must train all workforce members regarding its security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.
- Evaluation. A covered entity must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule.
- Facility Access and Control. A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.
- Workstation and Device Security. A covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media. A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information (e-PHI).
- Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
- Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
- Integrity Controls. A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
- Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.
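The Information Access Management, Access Control, Audit Controls and Integrity Controls items above describe requirements, not mechanisms. As an added example (not code from the original page), the following Python sketch shows how those four fit together in one small PHI store: each role is mapped to the minimum set of fields it needs, every access attempt is written to an audit log whether it is granted or not, and each stored record carries an HMAC tag that is checked before anything is returned. The role-to-field table, the patient record and the key are all constructed for illustration; a real deployment would keep the key in a key store and the audit log in append-only storage.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Minimum-necessary view per role. Constructed for this example; a covered
# entity derives its own table from its access policies.
ROLE_FIELDS = {
    "clinician": {"name", "diagnosis", "medications"},
    "billing": {"name", "insurance_id", "procedure_codes"},
    "front_desk": {"name", "next_appointment"},
}

# Constructed sample record for a fictitious patient.
PATIENT_RECORD = {
    "name": "Pat Sample",
    "diagnosis": "Hypertension",
    "medications": ["lisinopril 10mg"],
    "insurance_id": "PLAN-00042",
    "procedure_codes": ["99213"],
    "next_appointment": "2024-03-01T09:00",
}

# Illustrative integrity key; in practice this comes from a key store, not source code.
DEMO_KEY = b"demo-integrity-key-not-for-production"


def canonical(record: dict) -> bytes:
    """Stable serialization so identical content always yields the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes = DEMO_KEY) -> str:
    """Integrity tag (HMAC-SHA256) over the canonical form of the record."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_seal(record: dict, tag: str, key: bytes = DEMO_KEY) -> bool:
    """Constant-time comparison of the stored tag against a fresh one."""
    return hmac.compare_digest(seal(record, key), tag)


class IntegrityError(Exception):
    """Raised when a record no longer matches its integrity tag."""


class PhiStore:
    def __init__(self, key: bytes = DEMO_KEY):
        self.key = key
        self.records = {}    # record_id -> (record, integrity tag)
        self.audit_log = []  # one entry per access attempt, granted or not

    def put(self, record_id: str, record: dict) -> None:
        self.records[record_id] = (dict(record), seal(record, self.key))

    def _audit(self, **event) -> None:
        event["time"] = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(event)

    def read(self, user: str, role: str, record_id: str, requested) -> dict:
        """Return only the requested fields the role is permitted to see."""
        requested = set(requested)
        permitted = requested & ROLE_FIELDS.get(role, set())
        denied = requested - permitted
        record, tag = self.records[record_id]
        if not verify_seal(record, tag, self.key):
            self._audit(user=user, role=role, record=record_id,
                        outcome="integrity_failure", fields=sorted(requested))
            raise IntegrityError(f"record {record_id} failed its integrity check")
        self._audit(user=user, role=role, record=record_id,
                    outcome="allowed" if permitted else "denied",
                    granted=sorted(permitted), denied=sorted(denied))
        return {field: record[field] for field in permitted}


if __name__ == "__main__":
    store = PhiStore()
    store.put("p1", PATIENT_RECORD)
    print(store.read("dr_lee", "clinician", "p1", {"diagnosis", "insurance_id"}))
    print(store.audit_log[-1])
```

Two design points matter for the Security Rule items. First, a denied field is logged rather than silently dropped, so the audit trail shows who asked for more than their role needed. Second, the integrity check runs before any data is returned and its failure is itself an audit event, so an altered record is both blocked and visible to whoever reviews the log.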
Required and Addressable Implementation Specifications
- Covered entities are required to comply with every Security Rule “Standard.” However, the Security Rule categorizes certain implementation specifications within those standards as “addressable,” while others are “required.” The “required” implementation specifications must be implemented. The “addressable” designation does not mean that an implementation specification is optional. However, it permits covered entities to determine whether the addressable implementation specification is reasonable and appropriate for that covered entity. If it is not, the Security Rule allows the covered entity to adopt an alternative measure that achieves the purpose of the standard, if the alternative measure is reasonable and appropriate.
- Covered Entity Responsibilities. If a covered entity knows of an activity or practice of the business associate that constitutes a material breach or violation of the business associate’s obligation, the covered entity must take reasonable steps to cure the breach or end the violation. Violations include the failure to implement safeguards that reasonably and appropriately protect e-PHI.
- Business Associate Contracts. HHS developed regulations relating to business associate obligations and business associate contracts under the HITECH Act of 2009.