The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information.
What is HIPAA?
A provision of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that sets standards for the privacy of health information that can identify an individual.
What is HITECH?
The Health Information Technology for Economic and Clinical Health Act (HITECH Act) legislation was created in 2009 to stimulate the adoption of electronic health records (EHR) and supporting technology in the United States. It was also fundamental in driving the adoption of Meaningful Use.
Who oversees it?
The U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR).
Who does it apply to?
Healthcare Providers, Health Plans, Healthcare Clearinghouses, and Business Associates.
How does it impact IT Professionals?
Many Information Technology (IT) companies fall under the definition of a business associate. For the purposes of HIPAA, a business associate is any person or organization, other than a member of a covered entity’s workforce, that performs functions or activities on behalf of a covered entity and in doing so has access to or discloses Protected Health Information (PHI).
This means that if you provide remote administration or off-site backup of client equipment that houses PHI, your company needs to be covered by a business associate contract. However, if you do not have access to the systems and services that house PHI, you are not required to be covered by a business associate contract. If you have any questions about whether or not you need to be covered by a business associate contract, you should consult your legal counsel.
What is Protected Health Information (PHI)?
Protected Health Information is a classification of data that includes all individually identifiable health information that is held or transmitted by a covered entity (doctor’s office, health plan, billing office, etc.) or its business associate, in any form or media, whether electronic, paper, or oral.
Individually identifiable health information is any information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
What do your clients need to be HIPAA compliant?
There are three major types of safeguards that your clients must adopt in order to be HIPAA compliant: administrative safeguards, physical safeguards, and technical safeguards.
Administrative Safeguards
Security Management Process: Your client must be able to show that they have a process in place for managing security, which includes identifying and analyzing potential risks to PHI and implementing security measures that limit risks and vulnerabilities to a reasonable level.
Security Personnel: Your client must designate a security official who is responsible for overseeing and maintaining the Security Management Process.
Information Access Management: The Privacy Rule requires that uses and disclosures of PHI be limited to the minimum necessary to perform business functions. Users should only have access to the information required for their role in the organization.
Workforce Training and Management: Client employees with access to PHI must be trained and educated in security policies and procedures. A document must define appropriate sanctions against employees who violate the established policies and procedures.
Evaluation: Perform a periodic risk assessment that identifies how well the existing security policies and procedures meet the requirements of the HIPAA Security Rule.
Physical Safeguards
Facility Access and Control: Physical access to the client facility must be limited to authorized individuals.
Workstation and Device Security: Clients must implement a policy for use of and access to workstations and electronic media. This includes a requirement to document a security policy regarding the transfer, removal, disposal, and reuse of electronic media.
Technical Safeguards
Access Control: Ensure that technical safeguards are in place so that only authorized personnel can access PHI.
Audit Controls: Implement hardware, software, and procedural mechanisms to record and examine access and other activity on systems that contain or use PHI.
Integrity Controls: Implement policies and procedures to ensure that PHI is not improperly altered or destroyed. Employ electronic measures that monitor for, and alert on, improper alteration or destruction of PHI.
Transmission Controls: Implement technical security measures that guard against unauthorized access to PHI while it is being transmitted over a data network.
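The Audit Controls and Integrity Controls safeguards above say what must exist (a record of activity on PHI systems, and a way to detect improper alteration or destruction of PHI) without showing what that looks like in practice. The following is an added example, not code from the original page or from any HIPAA guidance: a minimal file-integrity monitor that stores a SHA-256 baseline of a PHI directory and reports modified, deleted and added files, plus a hash-chained audit log in which every entry commits to the previous entry's hash, so that an edited or removed log entry is detectable. The directory layout, file names and user names (`svc-backup`, `svc-fim`) are constructed for the demonstration.

```python
# Added example (not from the original page): file-integrity monitoring and a
# tamper-evident audit log, illustrating the Integrity and Audit Controls
# safeguards. All paths, file contents and user names below are constructed.
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Stream a file through SHA-256 so large records are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_manifest(root, baseline):
    """Compare the directory's current state with a stored baseline."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "deleted": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


class AuditLog:
    """Append-only audit trail. Each entry includes the previous entry's hash,
    so editing or deleting an earlier entry breaks the chain on verification."""

    def __init__(self):
        self.entries = []

    def record(self, user, action, resource, outcome):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "action": action, "resource": resource,
            "outcome": outcome, "prev": prev,
        }
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append({**body, "hash": digest})
        return digest

    def verify_chain(self):
        """True only if every entry's hash and its link to the previous entry are intact."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


def demo():
    """Constructed scenario: baseline two PHI files, then alter one and delete the other."""
    log = AuditLog()
    with tempfile.TemporaryDirectory() as root:
        for name, text in (("patient_1001.txt", "constructed record A"),
                           ("patient_1002.txt", "constructed record B")):
            with open(os.path.join(root, name), "w") as f:
                f.write(text)
        baseline = build_manifest(root)
        log.record("svc-backup", "baseline", root, "ok")

        # Simulate improper alteration and destruction of PHI.
        with open(os.path.join(root, "patient_1001.txt"), "a") as f:
            f.write(" (unexpected edit)")
        os.remove(os.path.join(root, "patient_1002.txt"))

        findings = verify_manifest(root, baseline)
        outcome = "ALERT" if any(findings.values()) else "ok"
        log.record("svc-fim", "verify", root, outcome)

    # Show that tampering with the audit log itself is also caught.
    intact = log.verify_chain()
    log.entries[0]["user"] = "someone-else"
    tampered = log.verify_chain()
    return findings, outcome, intact, tampered


if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline manifest and the audit log would be written to storage that the monitored systems cannot modify (a separate log server or write-once medium), and the `ALERT` outcome would feed the alerting the Integrity Controls safeguard asks for; the in-memory structures here exist only so the example runs offline.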
What Constitutes a Data Breach?
For the purposes of HIPAA/HITECH, a breach is defined as an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of protected health information. Any impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate can prove, based on a risk assessment, that there is a low probability that the PHI has been compromised. That assessment considers:
- The nature and extent of the PHI involved
- Likelihood of re-identification
- Who made use of or disclosed the PHI
- Whether the PHI was actually accessed or viewed
- The extent to which the risk to the PHI has been mitigated
There are three exceptions to the definition of a breach:
- Unintentional and good faith access or acquisition of PHI during the course of business by an authorized employee
- Unintentional disclosure of PHI by an authorized person
- Good faith belief that an unauthorized person to whom PHI was disclosed would be unable to retain the information.
Breach Notification Rules
HIPAA/HITECH includes specific provisions for data breach notification. These requirements are as follows:
Individual Notice: Covered entities must notify affected individuals following discovery of a breach of unsecured PHI. Individual notice must be provided by first-class mail, or by email if the individual has agreed to receive such notices electronically. If a covered entity has out-of-date or insufficient contact information for 10 or more individuals, substitute notice of the breach must be provided either on the home page of its website for at least 90 days or through major print and broadcast media where the individuals likely reside.
Media Notice: If a breach affects more than 500 residents of a State or jurisdiction, then in addition to individual notification, the covered entity must issue a press release announcing the data breach to media outlets serving the affected area.
Notice to the Secretary: In addition to individual and media notification (where applicable), covered entities must notify the Secretary of the Department of Health and Human Services of breaches of unsecured PHI.
What are the dangers of not being HIPAA Compliant?
- Fines of up to $50,000 per incident
- Civil penalties of up to $1.5 million, based on the extent and negligence of the violation
- Criminal penalties of up to $250,000 and imprisonment for up to ten years
- The HITECH Act permits State Attorneys General to obtain damages on behalf of state residents or to enjoin further violations of the HIPAA Privacy and Security Rules