Health Insurance Portability and Accountability Act (HIPAA)

---

Health Insurance Portability and Accountability Act (HIPAA) provides U.S. federal protections for protected health information (PHI) and gives patients’ rights with respect to their health information.

• Est. 1996
• enacted to improve
  • sharing of data among providers and insurers
  • the process of switching health plans
  • security and privacy of medical information
  • etc.

Scope

• HIPAA applies to certain covered entities and to certain healthcare transactions
• 3 categories of covered entities:
  • Health Insurance Plans
    • includes health insurance companies, HMOs, employer health plans, and government health plans (e.g., Medicare)
  • Healthcare Clearinghouses
    • organizations that help to manage the sharing of healthcare information by converting healthcare data into formats that can be read by differing health information systems
  • Healthcare providers
    • include: doctors, hospitals, mental health professionals, dentists, long-term care facilities, pharmacies, and more
• also extends to third-party business associates of covered entities if they meet certain conditions
  • is any third-party individual or organization that works with a covered entity to fulfill healthcare-related functions and that has access to PHI or ePHI
  • HIPAA requires business associate agreements (BAA) between them
    • require the business associate to conform with HIPAA

Title II

• Lays out requirements for safeguarding protected health information (PHI) and electronic protected health information (e-PHI)

Requirements

• Ensure the confidentiality, integrity, and availability of any information handled or stored
• Protect PHI from threats and unauthorized disclosure
• ensure workforce is compliant with rules

Privacy Rule

• HHS Centers for Medicare & Medicaid Services (CMS) provides the rules and standards for organizations subject to HIPAA
• HIPAA Privacy Rule lays out guidelines for protecting privacy of PHI
  • established by HHS in 2000
  • does the following:
    • requires implementation of information privacy practices
    • limits use and disclosure of data without patient authorization
    • gives patients additional rights with respect to their medical information
      • right to view and correct their medical records
  • all covered entities and business associates are subject to Privacy Rule
  • HHS Office for Civil Rights (OCR) is responsible for implementing and enforcing
    • can impose monetary penalties for violations
• applies to all PHI

Information Privacy Practices

• Privacy Rule requires covered entities to implement standards and practices to safeguard PHI
  • must be written in privacy policy and procedures documentation
  • required to retain any records related to privacy policies and related activities for six years
    • including complaints and public notices
• requires designating a privacy official responsible for:
  • privacy policy
  • implementing a process for addressing privacy complaints
  • training employees on privacy practices
  • implementing privacy safeguards
• cannot retaliate against anyone filing a privacy complaint
• cannot ask patients to waive rights as a condition of care or coverage

Use and Disclosure

• Privacy Rule regulates use and disclosure of PHI

  • blocks covered entities from
    • selling PHI to advertisers
    • sharing PHI with prospective employers

• Regulations on use ensure PHI is only used for intended purposes and access is not intentionally or inadvertently abused

  • HIPAA defines use of PHI as:

    “…the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information”

• Regulations on disclosure are intended to prevent organizations for sharing PHI with third parties

  • not all disclosures are illegal
  • instead, regulates when and how disclosure is done
  • defines disclosure as:

    “Disclosure means the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.”

• requirements ensure that:

  • patients know how PHI is used and shared
  • PHI is only used to for healthcare services
  • and that patients must provide authorization before PHI is used

Security Rule

• HIPAA Security Rule is intended to apply the protections of the Privacy Rule to ePHI by providing standards for data security
  • established by HHS
  • applies to covered entities and business associates
  • enforced by the OCR
  • applies only to ePHI
• covered entities must attempt to foresee cybersecurity threats and risks of unauthorized PHI disclosure to a reasonable degree
• organizations must
  • protect information
  • put controls in place to address threats
  • include employee training in information security practices
• require implementation of risk-based information security controls
  • must include:
    • information security management program that identifies employees responsible
    • employee training
    • controlled access to ePHI
    • ongoing program evaluation
    • physical security of facilities and workstations
    • technological controls

Resources

• Health Information Privacy Home
• Summary of the HIPAA Privacy Rule
• Your Rights Under HIPAA