5. HIPAA – Key Definitions
“Covered Entity” means (1) health plans,
(2) healthcare clearinghouses, and (3)
health care providers that transmit
protected health information in an
electronic format.
6. HIPAA – Key Definitions
“Protected Health Information” or “PHI”
means individually identifiable
information that is transmitted by
electronic media; maintained in any
electronic media; or transmitted or
maintained in any other form or medium.
7. HIPAA – Key Definitions
“Individually Identifiable Health
Information” means information collected
from an individual that (1) is created or
received by a health plan, a health
provider, an employer, or a health care
clearinghouse;
8. HIPAA – Key Definitions
“Individually Identifiable Health
Information” (continued) (2) relates to the
past, present, or future mental or physical
health of an individual, the care provided
to an individual, or the past, present, or
future payment for the care of an
individual; and
9. HIPAA – Key Definitions
“Individually Identifiable Health
Information” (continued) (3) identifies the
individual or there is a reasonable belief
that the information could be used to
identify the individual.
10. HIPAA – Key Definitions
Common identifiers of health information
include names, social security numbers,
addresses, and birth dates.
11. HIPAA – Key Definitions
A key concept under HIPAA is “minimum
necessary.” Most uses and disclosures of
PHI, even internally, must use or disclose
PHI only as minimally necessary to
accomplish the use or disclosure.
12. HIPAA – Privacy Standards
The HIPAA Privacy Standards generally
prohibit a covered entity from using or
disclosing PHI, unless the use or
disclosure fits within a particular
exception.
13. HIPAA – Key Exceptions to the Privacy Standards
Among other uses or disclosures,
covered entities may use or disclose
PHI:
• For payment, treatment, or
healthcare operations.
14. HIPAA – Key Exceptions to the Privacy Standards (continued)
• To the individual that the PHI
pertains to or to his or her
designated representative.
• As directed by an individual’s
written authorization.
• As required by law.
• To a business associate.
15. HIPAA – Business Associates
A business associate is a person or entity
that performs services for a covered entity
which involve PHI.
16. HIPAA – Business Associates
PHI can be provided to a “business
associate” only if the PHI is a necessary
component of the services provided by
the business associate to the covered
entity and an appropriate business
associate agreement is in place.
17. HIPAA – Business Associates
Business associates can include billing
companies, IT providers, consultants,
attorneys, etc. Other covered entities
are not business associates unless
non-clinical services are involved.
18. HIPAA – Business Associates
With the HITECH Act, business associates
now have direct liability under HIPAA.
Covered entities remain liable for the
actions of their business associates.
19. HIPAA – Individual Rights
The HIPAA Privacy Standards establish
several individual rights relating to PHI,
such as the following:
• Notice of privacy practices from a
covered entity
• Request for restrictions on use of PHI
20. HIPAA – Individual Rights (continued)
• Request for reasonable handling of
the manner of communications
• Access and amendments to PHI
• Accounting of disclosures of PHI
21. HIPAA – Security Standards
The HIPAA Security Standards apply to all
PHI maintained or used electronically
(known as “ePHI”). A covered entity must
evaluate each Security Standard and
determine the extent to which each must
be implemented, based on various
factors.
22. HIPAA – Risk Assessment
This process is known as conducting a risk
assessment.
• Must be performed regularly.
• Also a “core requirement” for
meaningful use payments.
23. HIPAA – Risk Assessment (continued)
• A covered entity risks a mandatory
repayment or loss of future
meaningful use payments if it cannot
produce written risk assessments for
each year that meaningful use
payments are claimed.
24. HIPAA – Security Standards
The Security Standards fall under three
main categories:
• Administrative Safeguards (e.g., plans,
policies, protocols, training, etc.)
25. HIPAA – Security Standards (continued)
• Physical Safeguards (e.g., media and
physical access controls, workstation
requirements, etc.)
• Technical Safeguards (e.g., data and
entity authentication, network
control, etc.)
26. HIPAA – Data Breaches
A data breach consists of the
impermissible acquisition, access, use, or
disclosure of unprotected (i.e.,
unencrypted) PHI (whether electronic or
otherwise).
27. HIPAA – Data Breach
The prior harm standard has been
replaced with a test of whether PHI has
been “compromised.” The regulations
create a general presumption that the
data has been compromised.
28. HIPAA – Data Breach
Upon a suspected data breach, a covered
entity must, within 60 days, either
immediately notify affected individuals
and DHHS (and possibly the media) or
undertake an analysis of whether an
actual breach has occurred and then
notify as necessary.
29. HIPAA – State Law Preemption
State law provisions that are more
stringent preempt applicable HIPAA
requirements.
30. HIPAA – Applicable Michigan Law
Under Michigan law, physicians are
broadly prohibited from disclosing
treatment information. Disclosure thus
requires consent, court order, or a specific
legal mandate.
31. HIPAA – Enforcement
Prior to HITECH, enforcement was
complaint-driven with limited penalties
except for intentional violations, with the
main goal being compliance. HITECH
authorized HIPAA enforcement audits and
increased the amount of fines for
violations.
32. HIPAA – Penalties
Penalties for HIPAA violations fall under
four tiers:
• Tier A – Did not know of the violation
– fines between $100 and $50,000 for
each violation
33. HIPAA – Penalties (continued)
• Tier B – Reasonable cause for
violation rather than willful neglect –
fines between $1,000 and $50,000 for
each violation
34. HIPAA – Penalties (continued)
• Tier C – Violation due to willful
neglect but corrected – fines
between $10,000 and $50,000 for
each violation
• Tier D – Violations due to willful
neglect but not corrected – fines of
$50,000 for each violation.
35. HIPAA – Penalties (continued)
Cap of $50,000 fine per violation and
$1.5 million annually for the same type
of violation.
36. HIPAA – Main Compliance Steps
• Updated notice of privacy practices
• Updated business associate
agreements in place
• Appropriate policies and procedures
• Regular workforce education
37. HIPAA – Main Compliance Steps (continued)
• Encryption protection for electronic
PHI
• Other electronic and physical
safeguards
• Risk assessment
• Appointment of HIPAA privacy and
security officer
38. HIPAA – Resources
• Model privacy notice from DHHS:
http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html
• Sample business associate
agreement provision from DHHS:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html