HIPAA History and Background
That was the first post on this topic and we quoted an article by Daniel J. Solove that is an excellent resource on HIPAA. In this post we start putting the pieces of HIPAA together and we begin by asking the question:
What is HIPAA?
The acronym stands for Health Insurance Portability and Accountability Act of 1996. And nothing makes the case for protecting the health information of the public as their own preamble to the HIPAA Privacy Rule which states:
“According to the American Health Information Management Association (AHIMA), an average of 150 people “from nursing staff to X-ray technicians, to billing clerks” have access to a patient’s medical records during the course of a typical hospitalization. While many of these individuals have a legitimate need to see all or part of a patient’s records, no laws govern who those people are, what information they are able to see, and what they are and are not allowed to do with that information once they have access to it.”
An average of 150 people look at your medical records when you’re hospitalized
Did you know that? I didn’t! But ending up in the hospital has happened to me on more than a couple of occasions. And because my personal health information (PHI) has already been breached (once that I know of) I’m glad that the legislators in Washington D.C. finally did something about protecting me.
The primary role of HIPAA
In layman’s terms, the goal of HIPAA is to: http://health.state.tn.us/hipaa/
• make it easier for people to keep health insurance from job to job
• protect the confidentiality and security of healthcare information
• control administrative costs
• restrict health plans from requiring pre-existing conditions
Notable Dates of HIPAA
Privacy Rule - Enacted in April 2003, this rule addressees protected health information (PHI).
Security Rule – Enacted in February 2003, this rule deals with electronic health information (ePHI) which is essentially a subset of what the Privacy Rule encompasses. In terms of actual regulatory text, the Security Rule only spans approximately 8 pages, but it is highly technical in nature.
Administration Simplification – Provisions enacted in 2006 that required the Department of Health and Human Services (HHS), to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security.
HITECH Act/Breach Notification - Enacted in 2009, is the Application of Security Provisions, Application of Civil and Criminal Penalties and Annual Guidance.
Omnibus Rule/Final Rule – Enacted in 2013, the Final Rule strengthens the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
What Does HIPAA Regulate?
HIPAA regulates “covered entities” that consist of healthcare providers, healthcare plans, and clearinghouses that process health data in the electronic format specified in the HIPAA statute. With the release of the Omnibus Rule, “Final Rule”, HIPAA now includes “business associates” or entities that contract with covered entities and that receive, create, transmit or maintain protected health information (PHI).
The HIPAA Privacy Rule governs PHI, which is any “individually identifiable health information” - a broad definition including paper records.
The HIPAA Security Rule is narrower, applying only to “electronic” PHI, or e-PHI.
Bird’s eye view of HIPAA includes:
• Privacy Program - HIPAA mandates that covered entities designate a privacy official to develop and implement policies for protecting privacy and handle questions and complaints. HIPAA also requires training of personnel.
• Limitations on Disclosure and Use - HIPAA requires that people authorize disclosure of their PHI unless an exception applies, such as a legal requirement or to report abuse, or for treatment, payment, or healthcare operations. The “minimum necessary rule” requires that only the minimum necessary PHI be accessed and used.
• Patient Rights - HIPAA provides a set of rights to patients, including a right to be given a notice about the privacy practices of a covered entity, a right to access PHI, and a right to file a complaint alleging a HIPAA violation without retaliation.
• Security Safeguards - For e-PHI, the HIPAA Security Rule provides a detailed series of administrative, physical, and technical safeguards.
• State Law - HIPAA did not preempt stronger state law protections, so any state law that is more protective remains in effect.
The Department for Health and Human Services (HHS), Office for Civil Rights (OCR) is responsible for the civil enforcement of HIPAA. There are also criminal penalties for certain wrongful disclosures of PHI. However, HIPAA does not have a private right-of-action, meaning that people whose HIPAA rights are violated cannot sue for damages - though they can still sue if state law is violated.
In our next post we’ll continue talking about: each of the major HIPAA provisions in more detail.
FREE BUSINESS ADVISORY GUIDE
If your company is a health plan, health care clearinghouse, health care provider, insurance broker etc. and you’re relying on tape drives, external hard drives, or USB devices to back up your protected health data (PHI), then it’s critical for you to get and read: 12 Little-Known Facts Every Business Owner Must Know About Data Backup, Security And Disaster Recovery. You’ll learn what most IT consultants don’t know or won’t tell you about making sure your company’s critical data is safe from loss, corruption, cyber criminals, natural disasters and employee sabotage, in addition to:
• The only way to know for SURE your data can be recovered if lost, corrupted or deleted – yet fewer than 10% of businesses have this in place.
• 7 critical characteristics you should absolutely demand from any offsite backup service; do NOT trust your data to any company that does not meet these criteria.
• Where tape backups fail and give you a false sense of security.
• The #1 cause of data loss that most businesses don’t even think about until their data is erased.
This guide explains in plain every day English what you need to know about data backup, security and disaster recovery.
And don’t worry about some sales guy calling you from our office because you downloaded information off of our website. No one from our office will call you; I promise. We don’t like sales calls any more than you do! We understand if you’re not ready to do that, and if that’s the case, then just read these posts when they come out. We post on a regular schedule.
Have you started your HIPAA compliance initiative?
With small health care practices as part of our growing family, we are committed to HIPAA compliance and creating a culture of compliance. We know first-hand that HIPAA compliance for small health care practices is daunting. As a business associate we’re going through it ourselves. We’re actually doing it, not just writing about it.
Do you need some technology help in your health care practice? Would you like to work with a technology company that is dedicated to a culture of HIPAA compliance?
Give us a call at 503.359.1275. We’re always happy to chat!
For more information visit: https://dtsinfotech.com/hipaa-compliance-for-small-health-care-practices
Dedicated to your success,
General Manager & Compliance Officer
DTS InfoTech . . . computer networks that work