...
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides rights and protections for patients, along with participants and beneficiaries in group health plans. HIPAA’s privacy rule affects the relationships between group health plans, their employer-sponsors, and the insurers and administrators of their benefits.
Scope
In general, privacy is about who has the right to access personally identifiable health information. The rule covers all individually identifiable health information in the hands of covered entities, regardless of whether the information is or has been in electronic form. Covered entities include health plans, health care clearinghouses, and health care providers who conduct health care transactions electronically. Employers, in their activities as employers, are not considered covered entities. When they sponsor health care plans, they are involved because the plans are covered entities.
Regulatory citations
- 45 CFR 164 — Security and privacy
Key definitions
- None
Summary of requirements
Privacy. Title II of the Act includes a section, Administrative Simplification, that requires improved efficiency in health care delivery through standardized electronic data interchange, together with protection of the confidentiality and security of health data.
Employers are covered by the privacy rule when they:
- Self-insure; or
- Have entered into an insurance agreement but receive, manage, or disclose protected health information as a group health plan; or
- Are not self-insured, but perform certain record-keeping functions, such as transmitting individuals’ health records to a group plan.
Protected health information (PHI) is that which identifies an individual’s physical or mental health condition, the health care that the individual has received, or payments for such care. In contrast, summary health information, which excludes individuals’ names and identifying information, may be disclosed to, and used by, employers — without consent — for certain functions such as obtaining bids for insurance coverage.
The privacy standards:
- Limit the non-consensual use and release of private health information;
- Give patients/plan participants rights to access their medical records and to know who else has accessed them;
- Restrict most disclosure of health information to the minimum needed for the intended purpose;
- Provide for criminal and civil sanctions for improper use or disclosure; and
- Provide for requirements for access to records by researchers and others.
Actions employers may want to take include the following:
- Be aware of the rule and its requirements;
- Share the information with key managers and officers;
- Review any group health plan documents;
- Review vendor (business associate) contracts;
- Develop appropriate policies, with measures taken for violators;
- Appoint a privacy officer;
- Develop procedures for obtaining authorization; and
- Train applicable managers and supervisors about their responsibilities.
Individuals may authorize the disclosure of their PHI. An authorization is an individual’s signed permission allowing a covered entity to use or disclose the PHI described in the authorization, for the purpose(s) and to the recipient(s) it names. Authorizations permit specific uses and disclosures of health information beyond those already allowed for treatment, payment, and health care operations.
Notices. Covered entities must provide notice of patients’ privacy rights and of their own privacy practices to affected individuals. The notice must explain how you may use and disclose PHI, state the individuals’ rights with respect to their PHI and how they may exercise those rights, describe your legal duties with respect to PHI, and say whom individuals can contact for further information. The notice must also carry an effective date.
Security. Security is an important part of the privacy provision. The health care industry has been moving away from paper processes and relying more heavily on the use of computers to pay claims, answer eligibility questions, provide health information, and conduct a host of administrative functions. Under HIPAA, health plans that engage in electronic health care transactions, and/or maintain electronic PHI (EPHI) need to ensure their systems provide reasonable security from unauthorized access, alteration, deletion, and transmission.
The security rule requires that the confidentiality, integrity, and availability of all EPHI created, received, maintained, used, or transmitted be protected. Unlike the privacy rule, which covers PHI in any form, the security rule applies only to PHI in electronic form, and it is more technical than the privacy rule because it deals with information systems.
Breaches. The American Recovery and Reinvestment Act of 2009 (ARRA) included some HIPAA privacy requirements addressing breaches of PHI. In general, The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of ARRA, required that covered entities that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured PHI must notify each individual whose PHI has been or is reasonably believed to have been accessed, acquired, or disclosed as a result of the breach.
Unsecured PHI. All of these breach requirements concern what is known as “unsecured protected health information”: PHI that has not been secured through a technology or methodology, specified in guidance by the U.S. Department of Health and Human Services (HHS), that renders it unusable, unreadable, or indecipherable to unauthorized individuals. The HHS guidance names two such methods: encryption consistent with NIST guidance, with the decryption key kept separate from the encrypted data, and destruction of the data or media. Other safeguards, such as access controls or passwords alone, are not on that list, so a breach of PHI protected only by them still triggers notification.
Notification. Notice to affected individuals must be given without unreasonable delay and no later than 60 calendar days after the breach is discovered. You may use the following methods:
- In writing, by first-class mail to the last known address, or by e-mail if the individual has agreed to electronic notice. The notification may be provided in one or more mailings as information becomes available.
- If you lack adequate contact information for written notice, you may provide substitute notice by a conspicuous posting on the home page of your website for 90 days. The posting must include a toll-free telephone number, active for at least 90 days, that individuals can call to learn whether their PHI was included in the breach.
- Alternatively, you may publish the notice in major print or broadcast media in the geographic areas where the affected individuals likely reside. This notice must also include a toll-free number for obtaining more information.
- In urgent situations (imminent misuse of PHI), you may call individuals in addition to providing notices as above.
If the breach involves more than 500 residents of a state or jurisdiction, you must also notify prominent media outlets serving that state or jurisdiction. If the breach involves 500 or more individuals, you must notify HHS at the same time as the individuals, without unreasonable delay and no later than 60 days after discovery. If it involves fewer than 500 individuals, you must log the breach and submit the log to HHS annually, within 60 days after the end of the calendar year in which the breach was discovered.
HHS posts on its website a list of breaches affecting 500 or more individuals, identifying the covered entities involved.
Content of notification. Breach notices need to include the following information:
- A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.
- A description of the types of unsecured PHI that were involved in the breach (such as full name, SSN, date of birth, home address, account number, or disability code).
- The steps individuals should take to protect themselves from potential harm resulting from the breach.
- A brief description of what you are doing to investigate the breach, to mitigate losses, and to protect against any further breaches.
- Contact procedures for individuals to ask questions or learn additional information, which must include a toll-free telephone number, an e-mail address, Web site, or postal address.
Fines. Noncompliance with the HIPAA privacy and security rules carries civil and criminal penalties. The American Recovery and Reinvestment Act of 2009 increased the civil money penalties and introduced tiers based on culpability. The original $100 per violation, with its $25,000 annual cap for multiple violations of the same requirement, now survives as the floor of the lowest tier. The tiers as enforced by HHS are shown below; the annual limits for the first three tiers reflect HHS enforcement discretion rather than the $1,500,000 statutory cap that applies to every tier, and all amounts are adjusted annually for inflation.
Culpability | Minimum penalty/violation | Maximum penalty/violation | Annual limit |
---|---|---|---|
No knowledge | $100 | $50,000 | $25,000 |
Reasonable cause | $1,000 | $50,000 | $100,000 |
Willful neglect — corrected | $10,000 | $50,000 | $250,000 |
Willful neglect — not corrected | $50,000 | $50,000 | $1,500,000 |