HIPAA’s Major Provisions
This is the third post in our series, HIPAA History. Now that we’ve explained the structure of HIPAA, let’s look at some of HIPAA’s major provisions in more detail.
What is the Privacy Rule?
Proposed in November 1999, finalized in December 2000, and in force for most covered entities since April 2003, the Privacy Rule provides for the protection of individually identifiable health information that is created, received, transmitted or maintained in any form or medium.
The Privacy Rule establishes national standards and applies to the following covered entities:
Health plans.
Health care clearinghouses.
Health care providers that conduct certain health care transactions electronically.
The Privacy Rule requires appropriate safeguards to:
Protect the privacy of personal health information.
Give patients rights over their health information, including the right to obtain a copy of their health records and to request corrections.
What health information is protected?
HIPAA protects an individual’s health information together with the demographic information that identifies him or her. This is called “protected health information” or “PHI.”
The PHI can relate to past, present or future physical or mental health of the individual. PHI describes a disease, diagnosis, procedure, prognosis, or condition of the individual and can exist in any medium – files, voice mail, email, fax, or verbal communications.
HIPAA treats health information as protected health information if it contains identifiers such as the following about the patient, the patient’s household members, relatives, or employers:
Names.
Dates relating to a patient, e.g. birthdates, dates of medical treatment, admission and discharge dates, and dates of death.
Telephone numbers, addresses (including city, county, or zip code), fax numbers and other contact information.
Social Security numbers.
Medical record numbers.
Finger and voice prints.
Any other unique identifying number, characteristic, or code.
What can a patient do if they feel their HIPAA rights have been violated?
A patient has the right to submit a complaint if they believe that a health care provider has improperly used or disclosed their PHI, or if they have concerns about:
The provider’s HIPAA privacy policies.
The provider’s compliance with its own privacy policies.
The patient may file the complaint with either of the following:
The provider’s Chief Privacy Officer (or designated privacy official).
The US Department of Health and Human Services, Office for Civil Rights (OCR), www.hhs.gov/ocr/hipaa.
March 2006 - Establishment of a set of standards for receiving, transmitting and maintaining health care information and for ensuring the privacy and security of individually identifiable information.
General Rule – Part of Administrative Simplification (see below).
The American Recovery and Reinvestment Act (ARRA) of 2009, which includes the HITECH Act, contains:
Incentives related to health care information technology.
Creation of a national health care infrastructure.
Specific incentives designed to accelerate the adoption of electronic health record (EHR) systems.
March 26, 2013 - The Omnibus Final Rule. (“Omnibus” means a single measure that covers numerous objects or items at once, as submitted to a legislature.)
“The Department published a notice of proposed rule making (NPRM) on July 14, 2010, (75 FR 40868) to implement many of the remaining privacy, security, and enforcement provisions of the HITECH Act.
The public was invited to comment on the proposed rule for 60 days following publication. The comment period closed on September 13, 2010. The Department received about 300 comments on the NPRM.”
Effective date - March 26, 2013. Covered Entities (CE) and Business Associates (BA) must comply by September 23, 2013.
Quoted from the National Archives and Records Administration . . .
“The Department of Health and Human Services (HHS) . . . is issuing this Final Rule to:
Modify HIPAA Privacy, Security and Enforcement Rules.
Implement statutory amendments under the HITECH Act of 2009.
Strengthen the privacy and security protection for individuals’ health information.
Modify the rule for Breach Notification.
Modify the HIPAA Privacy Rule to strengthen the privacy protections for GINA (Genetic Information Nondiscrimination Act).
Make certain other modifications to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (the HIPAA Rules).”
From the perspective of acquiring a "big picture" view of the HIPAA Security Rule, the General Rule (45 CFR 164.306) is critical. It contains the "flexibility of approach" principles that let an organization take its size, complexity, technical infrastructure, costs, and the probability and criticality of risks to ePHI into account when choosing security measures. Those principles are foundational to understanding how a "good story" may be developed, especially from the perspective of the small provider.
Until the HITECH Act was enacted into law on February 17, 2009, a BA’s compliance with HIPAA regulations was mandated only as part of the business associate agreement (see 45 CFR 164.504(e)(1)) with its respective CE. Now, under HITECH and the Final Rule (Omnibus), a BA is “directly on the hook” (i.e. via statutory authority) for complying with the following sections of the Security Rule:
Administrative Safeguards, 45 CFR 164.308.
Physical Safeguards, 45 CFR 164.310.
Technical Safeguards, 45 CFR 164.312.
Organizational Requirements, 45 CFR 164.314.
Policies and Procedures and Documentation Requirements, 45 CFR 164.316.
In short, a BA must comply with the five sections above in the same way a CE is required to comply, and must also comply with any additional HITECH security requirements imposed on a CE.
Finally, any additional HITECH security requirements must be incorporated into the contract between the respective parties. Under the Final Rule (Omnibus), the same requirement applies to the relationship between a BA and its subcontractors, who must in turn enter into a business associate agreement with the BA.
In our next post we’re going to address: business associates (BA) and their task of complying with HIPAA.
FREE BUSINESS ADVISORY GUIDE
If your company is a health plan, health care clearinghouse, health care provider, insurance broker etc. and you’re relying on tape drives, external hard drives, or USB devices to back up your protected health information (PHI), then it’s critical for you to get and read: 12 Little-Known Facts Every Business Owner Must Know About Data Backup, Security And Disaster Recovery. You’ll learn what most IT consultants don’t know or won’t tell you about making sure your company’s critical data is safe from loss, corruption, cyber criminals, natural disasters and employee sabotage, in addition to:
The only way to know for SURE your data can be recovered if lost, corrupted or deleted – yet fewer than 10% of businesses have this in place.
7 critical characteristics you should absolutely demand from any offsite backup service; do NOT trust your data to any company that does not meet these criteria.
Where tape backups fail and give you a false sense of security.
The #1 cause of data loss that most businesses don’t even think about until their data is erased.
This guide explains in plain, everyday English what you need to know about data backup, security and disaster recovery.
And don’t worry about some sales guy calling you from our office because you downloaded information off of our website. No one from our office will call you; I promise. We don’t like sales calls any more than you do! We understand if you’re not ready to do that, and if that’s the case, then just read these posts when they come out. We post on a regular schedule.
Have you started your HIPAA compliance initiative?
With small health care practices as part of our growing family, we are committed to HIPAA compliance and creating a culture of compliance. We know first-hand that HIPAA compliance for small health care practices is daunting. As a BA we’re going through it ourselves. We’re actually doing it, not just writing about it.
Do you need some technology help in your health care practice? Would you like to work with a technology company that is dedicated to a culture of HIPAA compliance?
Give us a call at 503.359.1275. We’re always happy to chat!
Dedicated to your success,
DTS InfoTech . . . computer networks that work