HIPAA (Health Insurance Portability and Accountability Act)
• Passed in 1996
• Enacted to protect health information:
  • transaction standards for the exchange of health information
  • security standards
  • privacy standards
• Protects "protected health information" (PHI)
  • means individually identifiable health information that is: (i) transmitted by electronic media; (ii) maintained in electronic media; or (iii) transmitted or maintained in any other form or medium
  • there are certain exclusions, such as education records and employment records held by a covered entity in its role as employer
• Applies to "covered entities"
  • Covered entity means (1) a health plan, (2) a health care clearinghouse, or (3) a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter
  • Health information means any information, whether oral or recorded in any form or medium, that: (1) is created or received by a health care provider, . . . employer, . . . and (2) relates to the past, present, OR future physical or mental health or condition of an individual; the provision of health care to an individual; OR the past, present, or future payment for the provision of health care to an individual
• Also applies to the "business associates" of covered entities
  • Business associate means, broadly, a person who "performs, or assists in the performance of . . . a function or activity involving the use or disclosure of individually identifiable health information" on behalf of a covered entity
  • including claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing
  • Broadly, this means that if you use or receive PHI, you are either a covered entity or a business associate, and HIPAA reaches you either way
HITECH (Health Information Technology for Economic and Clinical Health)
• Signed into law on February 17, 2009
• Provides for the adoption of electronic health records
• Also adds new breach provisions
  • Breach: "the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information"
HITECH Breach
• Who is under obligations?
  • Covered entity
  • Business associate
  • Subcontractor requirements
• What are an entity's obligations?
  • Investigate, give notice, reprimand, record/notify the Secretary of Health and Human Services
  • If over 500 individuals are affected, the breach must be reported to the Secretary
  • As of September 26, 2011: 330 reports (several organizations more than once), impacting more than 11 million records
Getting out of Breach Notification
• Notification is required only if the breach involved unsecured protected health information
  • Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance
  • In practice: PHI encrypted (or destroyed) in the manner that guidance specifies is outside the notification duty, but only if the unauthorized party did not also obtain the decryption key; a key stored on the same lost device defeats the safe harbor
Getting out of Breach Notification
• Guidance available: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html (and is to be updated annually)
  • Data at Rest: NIST
  • Data in Motion:
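The safe harbor above turns on whether the PHI was rendered indecipherable and whether the key travelled with the data. The following Go program is an added example written for this page, not material from the slides or from HHS: it seals a constructed PHI record with AES-256-GCM (used here as one instance of NIST-style encryption at rest; the exact NIST publication the guidance cites is not reproduced on this page), shows that the blob is useless without the key, and then applies the page's rule (notify only for unsecured PHI; report to the Secretary when more than 500 individuals are affected) to a lost-device scenario. The `Incident` and `Assessment` types and the `Assess` function are this example's own simplification, not a legal test.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// constructedPHI is a made-up record used only as sample input for this example.
const constructedPHI = `{"name":"Jane Doe","dob":"1980-04-12","mrn":"000123","dx":"E11.9"}`

// NewDataKey returns a fresh 256-bit AES key from the OS CSPRNG.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// A random 96-bit nonce is drawn per call; a nonce must never repeat under one key.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. Under any key other than the sealing key GCM's tag check
// fails, which is what makes the blob "indecipherable" to whoever holds only it.
func Open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Incident describes what an unauthorized party obtained (e.g. a lost laptop).
// This is the example's own model, not a term from the rule.
type Incident struct {
	Encrypted   bool // the PHI on the device was encrypted as above
	KeyOnDevice bool // the decryption key was stored on the same device
	Affected    int  // individuals whose PHI was on the device
}

// Assessment applies the page's rule: notification is owed only for unsecured
// PHI, and breaches affecting more than 500 individuals are reported to the
// Secretary. (Smaller breaches are still logged and submitted annually.)
type Assessment struct {
	Unsecured         bool
	NotifyIndividuals bool
	ReportToSecretary bool
}

func Assess(inc Incident) Assessment {
	// Encryption only secures the PHI if the attacker did not also get the key.
	unsecured := !inc.Encrypted || inc.KeyOnDevice
	return Assessment{
		Unsecured:         unsecured,
		NotifyIndividuals: unsecured,
		ReportToSecretary: unsecured && inc.Affected > 500,
	}
}

func main() {
	key, _ := NewDataKey()
	blob, _ := Seal(key, []byte(constructedPHI))
	wrongKey, _ := NewDataKey()
	_, err := Open(wrongKey, blob)
	fmt.Printf("decrypt without the right key: %v\n", err)
	fmt.Printf("key kept apart: %+v\n", Assess(Incident{Encrypted: true, KeyOnDevice: false, Affected: 12000}))
	fmt.Printf("key on device:  %+v\n", Assess(Incident{Encrypted: true, KeyOnDevice: true, Affected: 12000}))
}
```

The two `Assess` calls in `main` are the point of the example: the same 12,000-record laptop loss is a non-event when the key lives elsewhere (a key server, a TPM-sealed store, an HSM) and a Secretary-reportable breach when the key sat beside the data.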