In March of this year, The Office for Civil Rights of the Department of Health and Human Services issued a letter addressing the recent cybersecurity incident impacting many health care entities, primarily Change Healthcare, a unit of UnitedHealthcare Group (read the letter here). This incident was a great reminder of the constant vigilance required to protect patient health information in the age of remote healthcare, telehealth, and electronic health records.
In the wake of these recent cybersecurity events, safeguarding patient information has become paramount, prompting heightened scrutiny of HIPAA compliance. HIPAA, or the Health Insurance Portability & Accountability Act, provides for a series of rules relating to the protection of protected health information, or PHI. These rules apply to all covered entities and their business associates. As any provider knows, HIPAA compliance can become complicated and confusing. This article provides a high-level overview on three major components covered by HIPAA: The Privacy Rule, The Security Rule, and the Breach Notification Rule.
Privacy Rule
The Privacy Rule covers the process of protecting PHI while allowing for the secure transfer of PHI in the coordination of a patient’s care. PHI is any information that can be used to identify a patient, which can be electronic, paper, or verbal, and includes (1) common identifiers, such as name, address, birth date, social security number, etc., (2) a patient’s physical or mental health condition, whether past, present, or future, (3) the health care provided to the patient, and (4) payment information for a patient’s health care, whether past, present, or future.
Under the Privacy Rule, covered entities are required to (i) notify patients about their privacy rights and how their information will be used, (ii) adopt privacy procedures and train employees on such procedures, (iii) assign a security officer to ensure proper adoption and compliance with the privacy procedures, and (iv) secure patient records containing PHI so they do not become available to those who do not have a need to see them. The Privacy Rule also provides that patients are allowed access to examine and get a copy of their medical records and to request corrections to their medical records.
In order to facilitate patient care, covered entities may share information with doctors, hospitals, and ambulances for treatment, payment, and health care operations, even without a signed consent from the patient. If a provider feels as if she is acting in the patient’s best interest, the provider may share information about a patient, so long as proper safeguards against breach are taken. Unless a patient objects, the Privacy Rule allows for PHI to be given to family, friends, or anyone else the patient identifies as being involved in their care.
Security Rule
The Security Rule covers the requirements of how you are to protect PHI, including a patient’s electronic PHI, or ePHI. Under the Security Rule, a covered entity must (1) develop reasonable and appropriate security policies, (2) ensure the confidentiality, integrity, and availability of all ePHI, both while maintaining and transmitting such ePHI, (3) identify and protect against any possible security threats to ePHI, (4) prevent unauthorized uses or disclosures, (5) analyze security risks that may be present in the physical and cyber environments and create appropriate safeguards against such risks, (6) continually review and modify security measures to ensure continuous protection of ePHI, and (7) train all employees on appropriate handing of PHI for HIPAA compliance.
When a covered entity is developing its HIPAA compliance safety measures, it should take into consideration its size, complexity, and capabilities, its technical, hardware, and software infrastructure, and the costs of its security measures, all while balancing the likelihood and possible impact of risks to ePHI.
Breach Notification Rule
The Breach Notification Rule outlines the requirements for notifying patients and the Department of Health and Human Services in the event that there is a breach. In some instances, depending on the size and scale of the breach, there may even be a requirement to notify the media. A breach is generally defined as an unpermitted use or disclosure under the Privacy Rule that compromises the security or privacy of PHI. Whether or not a disclosure or unpermitted use has occurred can be determined by a risk assessment that evaluates (1) the nature and extent of PHI involved, (2) the unauthorized individual who used or gained access to the PHI, (3) whether an unauthorized individual actually acquired or viewed the PHI, and (4) the extent to which the covered entity or business associate reduced the PHI exposure risk.
If a breach affects the PHI of more than 500 patients, the covered entity must notify the Department of Health and Human Services without reasonable delay but no later than 60 days after discovery of the breach. In smaller breaches affecting 500 patients or less, the Department of Health and Human Services must be notified on an annual basis.
Conclusion
This high-level overview of three major HIPAA components is just the tip of the iceberg, and each rule referenced could even have several articles diving into its complexity and nuance.