Chapter 5
HIPAA and HITECH
Learning Objectives
Understand HIPAA Privacy and Security Rules
“Covered entity” and “business associate”
Permitted and prohibited disclosure of PHI
Individuals’ rights to own PHI
Application of Breach Notification Rule
Safeguards, standards, and specifications of the Security Rule
Civil and criminal penalties under HIPAA
Introduction
HIPAA protects against threats to the security and privacy of personal health information (PHI)
HIPAA expanded by HITECH Act
Under HIPAA authority, DHHS issued the Privacy and Security Rules
Who Is Covered By HIPAA
“Covered entities” and “business associates”
Covered entities – health care providers, health plans, and health care clearinghouses.
Business associate – persons or organizations doing work for covered entities involving use of individually identifiable health information (e.g., claims processing, utilization review).
Covered entities may be held liable for violations by their business associates.
HIPAA Privacy Rule
Balance the protection and the free flow of personal health information.
Use and disclosure of PHI by covered entities.
Patients’ rights to understand and control how their PHI is used.
Implemented and enforced by Office for Civil Rights within DHHS.
Information Protected By Privacy Rule
All “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. This is called “protected health information” (PHI).
No restrictions on use or disclosure of information that does not identify an individual.
What the Privacy Rule Prohibits
A covered entity may use or disclose PHI only when the Privacy Rule requires or permits it, or when the affected individual has given his or her written authorization.
Example: AUTHORIZATION FOR RELEASE OF (PHI) PROTECTED HEALTH INFORMATION
http://www.uclahealth.org/workfiles/documents/privacy/release-of-health-info-english.pdf
Required Disclosure of PHI
#1 When the affected individual specifically requests access to or disclosure of his or her PHI.
#2 When the DHHS seeks access in the course of a compliance investigation or review, or an enforcement action.
Permitted Disclosure of PHI
Disclosure to the subject of the information.
For use in treatment and payment activities.
When the individual can agree to or object to the disclosure.
Disclosure is incidental, “minimum necessary”, and privacy safeguards exist.
For “national priority purposes”.
In the form of a “limited data set”.
“Minimum Necessary” Principle
Whether disclosure is required, permitted, or authorized, a covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of PHI needed to accomplish its intended purpose.
Notice of Privacy Practices
Each covered entity must provide a notice of its privacy practices, including:
ways in which the entity may use or disclose the PHI
entity’s duties to protect privacy
privacy rights of individuals
contact for seeking more information and making complaints
Individuals’ Rights to Their PHI
Review and obtain a copy of their PHI
Request that a covered entity amend their PHI if they think it is inaccurate or incomplete
An accounting of the disclosures of their PHI by a covered entity or its business associates
Request that a covered entity restrict its use or disclosure of PHI; entity need not acquiesce
Implementation of the Privacy Rule
Appropriate privacy policies and procedures
Designate official to oversee them
Train employees in policies and procedures
Sanctions against employees violating privacy policies
Safeguards to prevent disclosures that violate privacy policies
Facilitate complaints about privacy compliance
Breach Notification Rule
Notification required following breach of unsecured PHI
“Breach” – impermissible use/disclosure that compromises security/privacy and poses risk of harm (reputation, financial) to individual
Three exceptions to “breach” definition
Mandatory notification to affected individual, media outlets, and DHHS
HIPAA Security Rule
Applies to same entities as Privacy Rule
Applies only to electronic PHI
3 categories of “safeguards” – administrative, physical, and technical
Within each category, there are “standards”
For most standards, there are “specifications”
Security Risk Analysis
HIPAA acknowledges that each organization must take a unique approach to security protection. It recommends a risk analysis to determine the appropriate security measures.
Identify areas of high security risk for E-PHI
Evaluate likelihood and impact of the risks
Implement security measures to address the risks
Document the measures and their rationale
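The four risk-analysis steps above, carried through as a small risk register in Python. This is an added illustration, not material from the slides or from DHHS guidance; the asset names, threats, low/medium/high ratings, measures, rationales and the ordinal scoring scale are all constructed for the example. It goes one step beyond the list by adding the check an auditor applies to the finished register: any high-scoring risk that lacks both a measure and a written rationale is flagged as open.

```python
# Added example (not from the original slides): a minimal risk register that
# walks the four risk-analysis steps. Asset names, threats, ratings, measures
# and rationales are constructed for illustration.
from dataclasses import dataclass, field

# Step 2 uses a simple ordinal scale; the scale itself is an assumption,
# HIPAA does not prescribe one.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    asset: str                      # where ePHI is stored, processed or transmitted
    threat: str                     # what could go wrong (step 1)
    likelihood: str                 # low / medium / high (step 2)
    impact: str                     # low / medium / high (step 2)
    measures: list[str] = field(default_factory=list)  # step 3
    rationale: str = ""             # step 4: why these measures are reasonable

    def score(self) -> int:
        """Likelihood x impact on the ordinal scale (1..9)."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def is_documented(self) -> bool:
        """Step 4 is only satisfied when both a measure and its rationale exist."""
        return bool(self.measures) and bool(self.rationale.strip())


def prioritize(risks):
    """Highest-scoring risks first; ties keep their original order."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def undocumented_high_risks(risks, threshold=4):
    """Risks at or above the threshold that still lack measures or rationale.
    An auditor reviewing the register would flag exactly these."""
    return [r for r in risks if r.score() >= threshold and not r.is_documented()]


def register_rows(risks):
    """Flatten the register into rows suitable for a report or CSV export."""
    return [
        {
            "asset": r.asset,
            "threat": r.threat,
            "score": r.score(),
            "status": "documented" if r.is_documented() else "OPEN",
            "measures": "; ".join(r.measures),
            "rationale": r.rationale,
        }
        for r in prioritize(risks)
    ]


# Constructed sample register.
SAMPLE_RISKS = [
    Risk("laptop fleet", "lost or stolen device holding ePHI", "medium", "high",
         measures=["full-disk encryption", "remote wipe"],
         rationale="Device and media controls; loss is likely, exposure is total without encryption."),
    Risk("EHR database", "insider reads records outside their job role", "medium", "high"),
    Risk("email gateway", "ePHI sent to the wrong external recipient", "high", "high",
         measures=["outbound DLP rule", "enforced TLS or secure portal for ePHI"],
         rationale="Transmission security; misdirected email is the most frequent incident type in our logs."),
    Risk("backup tapes in transit", "tape lost by courier", "low", "medium",
         measures=["encrypted backups"],
         rationale="Low likelihood with a bonded courier; encrypted tapes are not unsecured PHI."),
]

if __name__ == "__main__":
    for row in register_rows(SAMPLE_RISKS):
        print(f"{row['score']:>2}  {row['status']:<10} {row['asset']}: {row['threat']}")
    for r in undocumented_high_risks(SAMPLE_RISKS):
        print("needs a measure and rationale:", r.asset)
```

Run as a script it prints the register in priority order and then names the one risk (the EHR database) that has been identified and scored but not yet addressed or documented, which is the gap step 4 exists to catch.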
Safeguards – Administrative Standards
Security Management Process
Assigned Security Responsibility
Workforce Security
Information Access Management
Security Awareness and Training
Security Incident Procedures
Contingency Plan
Evaluation
Safeguards – Physical Standards
Facility Access Control
Workstation Use
Workstation Security
Device and Media Controls
Safeguards – Technical Standards
Access Control
Audit Controls
Integrity Controls
Person or Entity Authentication
Transmission Security
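To make the technical standards concrete, here is an added Python example (not from the slides, and not any vendor's implementation) of a toy ePHI record store that exercises four of the five: role-based access control with "minimum necessary" field filtering, an append-only audit log, HMAC-based integrity checking of each record, and salted-password authentication of the person requesting access. The user names, passwords, roles, the role-to-field mapping, the sample record and the integrity key are all constructed for the demo.

```python
# Added example (not from the original slides): a toy ePHI store that
# implements four of the technical standards listed above. Users, roles,
# the record, the key and the role-to-field mapping are all constructed.
import hashlib
import hmac
import json
import os
from datetime import datetime, timezone

# Integrity controls: every stored record carries an HMAC tag. A real
# deployment would keep this key in an HSM or KMS; here it is a constant.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"

# Access control + "minimum necessary": each role sees only the fields its
# job needs. The mapping is an assumption for the demo.
ROLE_FIELDS = {
    "clinician": {"patient_id", "name", "diagnosis", "medications"},
    "billing": {"patient_id", "insurance_id", "procedure_codes"},
}


def _tag(record: dict) -> str:
    canonical = json.dumps(record, sort_keys=True).encode()
    return hmac.new(INTEGRITY_KEY, canonical, hashlib.sha256).hexdigest()


def _password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class EPHIStore:
    def __init__(self):
        self.records = {}    # patient_id -> {"data": {...}, "tag": hex}
        self.users = {}      # username -> {"salt", "hash", "role"}
        self.audit_log = []  # audit controls: one entry per access attempt

    # Person or entity authentication: salted PBKDF2, constant-time compare.
    def add_user(self, username, password, role):
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": _password_hash(password, salt), "role": role}

    def authenticate(self, username, password) -> bool:
        user = self.users.get(username)
        if user is None:
            return False
        return hmac.compare_digest(user["hash"], _password_hash(password, user["salt"]))

    def store(self, record: dict):
        self.records[record["patient_id"]] = {"data": dict(record), "tag": _tag(record)}

    def verify_integrity(self, patient_id) -> bool:
        entry = self.records[patient_id]
        return hmac.compare_digest(entry["tag"], _tag(entry["data"]))

    def _audit(self, username, patient_id, purpose, outcome, fields=()):
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": username, "patient_id": patient_id,
            "purpose": purpose, "outcome": outcome, "fields": sorted(fields),
        })

    def access(self, username, password, patient_id, purpose):
        """Return the minimum-necessary view of a record, or None if denied."""
        if not self.authenticate(username, password):
            self._audit(username, patient_id, purpose, "denied: authentication failed")
            return None
        if patient_id not in self.records:
            self._audit(username, patient_id, purpose, "denied: no such record")
            return None
        if not self.verify_integrity(patient_id):
            self._audit(username, patient_id, purpose, "denied: integrity check failed")
            return None
        allowed = ROLE_FIELDS[self.users[username]["role"]]
        view = {k: v for k, v in self.records[patient_id]["data"].items() if k in allowed}
        self._audit(username, patient_id, purpose, "granted", view.keys())
        return view


# Constructed sample data.
SAMPLE_RECORD = {
    "patient_id": "P001", "name": "Pat Example", "diagnosis": "hypertension",
    "medications": ["lisinopril"], "insurance_id": "INS-42", "procedure_codes": ["99213"],
}


def build_demo_store() -> EPHIStore:
    store = EPHIStore()
    store.add_user("dr_ruiz", "constructed-pw-1", "clinician")
    store.add_user("k_patel", "constructed-pw-2", "billing")
    store.store(SAMPLE_RECORD)
    return store


if __name__ == "__main__":
    s = build_demo_store()
    print(s.access("dr_ruiz", "constructed-pw-1", "P001", "treatment"))
    print(s.access("k_patel", "constructed-pw-2", "P001", "payment"))
    s.records["P001"]["data"]["diagnosis"] = "altered"   # simulate tampering
    print(s.access("dr_ruiz", "constructed-pw-1", "P001", "treatment"))
    for entry in s.audit_log:
        print(entry["user"], entry["outcome"], entry["fields"])
```

The clinician and the billing clerk receive different projections of the same record, every attempt (granted or denied, with the fields released) lands in the audit log, and a record modified behind the store's back fails its integrity check and is refused rather than served. Transmission security is the one standard the example does not exercise: it belongs to the channel (TLS between the client and this store) rather than to the store itself.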
Enforcement of the Privacy Rule
Civil Money Penalties: Starting at $100 per violation, depending on level of culpability, may rise as high as $50,000 for each failure to comply with a HIPAA requirement.
Criminal penalties: Simple violation may lead to a $50,000 fine and one year of imprisonment. False pretenses and malicious intent may increase this to $250,000 and 10 years in prison.