The U.S. Department of Health and Human Services (“HHS”) enacted the HIPAA in 1996. The Act includes a set of national standards for the protection of individuals’ health information. One of its objectives is to maintain the confidentiality of health information as well as to preserve peoples’ privacy while ensuring that the information is transmitted to the appropriate entities in order to provide quality health care. The HIPAA also aims to prevent fraud and abuse of health care systems.
Protected health information or “PHI” concerns an individual’s state of physical or mental health, the provision of health care as well as health care payments. In addition, this information must be individually identifiable using a factor such as a name, address, social insurance number, etc.
Covered entities include health care centers, health care providers that transmit electronic health information in regard to transactions for which the HHS has adopted a standard (e.g. physicians, psychologists, dentists, home care nurses, etc.), as well as organizations that provide a health plan (e.g. health insurance companies, a government program that pays for health care, such as Medicare, etc.). Furthermore, business associates that assist covered entities with their health care services must be contractually bound in order to respect the information protection rules. In fact, these partners are responsible for certain HIPAA provisions.
Here is a brief overview of the privacy, security and breach notification rules as well as all the transaction standards:
Privacy Rule (summary of the “Privacy Rule”)
The first section of the privacy rules concerns the use and disclosure of protected health information and applies to organizations that are subject to the HIPAA. It includes the following:
- Provide information to patients about their privacy rights
- Adopt clear procedures for privacy compliance
- Train and educate employees to ensure they understand the privacy procedures
- Designate a person who will be responsible for ensuring compliance with these procedures
- Secure patient records containing personal health information, in order for them to be accessible solely to individuals as required for the performance of their duties.
Security Rule (summary of the “Security Rule”)
Includes a set of safeguards divided into three categories: administrative (§ 164.308), physical (§ 164.310) and technical controls (§ 164.312). The implementation of certain safeguards is required (mandatory) or addressable. An addressable safeguard isn’t necessarily optional; it must be evaluated to determine if it is reasonable and appropriate in the context of an organization’s environment. Should an assessment confirm that the implementation of a safeguard is inappropriate and unreasonable, then the organization must document everything with appropriate justifications. In addition, an equivalent alternative measure must be implemented.
Breach Notification Rule (summary of the “Breach Notification Rule”)
The obligation to report breaches or leaks affecting the security of protected health information (e.g. unauthorized use, confidentiality breach, etc.) by covered entities and business associates.
Set of transaction standards
It involves using standardized codes for Electronic Data Interchanges (EDI) in health care transactions between various entities. For example, a transaction involving a claim, payment, eligibility request, approval, etc. in regard to health care or services.
Ultimately, organizations subject to the HIPAA must take appropriate risk management measures allowing them to adequately protect the availability, integrity and confidentiality of the information created, received, stored and transmitted. Since 2009, the HITECH “Health Information Technology for Economic and Clinical Health” Act imposes harsher penalties for organizations that do not comply with the HIPAA rules. Organizations must demonstrate compliance with these rules and act with reasonable diligence with auditors.
For more information, please consult:
- https://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html
- https://www.privacyrights.org/fs/fs8a-hipaa.htm
- https://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/index.html?redirect=/hipaageninfo/
Note: Security awareness and training is part of the 10 administrative safeguards to implement respecting the HIPAA. To this end, Terranova offers training and awareness services on information security as well as on HIPAA and HITECH compliance.
By Patrick Paradis, Information security advisor