HIPAA Rules and Regulations

When reviewing HIPAA regulations, there are two parts. Title 1 is the Health Care Access, Portability and Renewability section, and it helps to ensure that individuals are able to maintain their health insurance between jobs. This has been successfully implemented nationwide. The second part, Title 2, is Preventing Health Care Fraud and Abuse. This is the accountability section of the law. It is designed to ensure the security and confidentiality of PHI and ePHI. It mandates standards for the electronic transmission of administrative and financial data relating to patient health information, and it establishes rules that practices, insurance companies and clearinghouses must follow to protect PHI.

Next, let’s review the rules. Keep in mind that these rules are subject to proposed and finalized changes, so you need to monitor changes as they occur and review changes that have already been made. The rules are the Privacy Rule, the Security Rule, the Enforcement Rule, the Omnibus Rule, and the Breach Notification Rule.

The Privacy Rule standards address the use and disclosure of individuals’ health information by entities subject to HIPAA. This rule also contains standards for individuals’ rights to understand and control how their health information is used. The main objective of the Privacy Rule is to ensure PHI is properly protected while still allowing the flow of healthcare information needed to promote high-quality healthcare nationwide.

While the HIPAA Privacy Rule safeguards all protected health information, the Security Rule protects a subset of the information covered by the Privacy Rule: all individually identifiable health information that a covered entity creates, receives, maintains, or transmits in electronic form. This information is called ePHI. The Security Rule does not apply to PHI transmitted orally or in writing.

The Enforcement Rule provides standards for enforcing all of the rules within HIPAA. The regulations within this rule establish how HHS regulators determine liability and calculate fines for healthcare providers who, following investigation and an administrative hearing, have been found to have violated any of the HIPAA rules. Privacy complaints are investigated by regulators from the HHS Office for Civil Rights.

The Omnibus Rule implements several provisions of the HITECH Act that strengthen the privacy and security protections for health information established within HIPAA. This led to the finalizing of the next rule we will discuss. The Omnibus Rule was necessary because, while the HITECH Act of 2009 addressed privacy, the requirements for notifying patients of data breaches had to be updated. This rule also covers the liability of business associates, such as technology providers, and brought business associate agreements into focus.

The Breach Notification Rule requires covered entities and their business associates to provide notification of any breach of unsecured PHI. Following a breach of unsecured PHI, covered entities must notify the affected individuals, the Secretary of State, and, in certain circumstances, the media. In addition, business associates must notify the covered entity if a breach occurs at or by the business associate.

What is a breach? A breach is an impermissible use or disclosure that compromises the security of PHI. Any impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised, based on a risk assessment of the following factors:

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the PHI or to whom the disclosure was made;
  3. Whether the PHI was actually acquired or viewed;
  4. The extent to which the risk to the PHI has been mitigated.

You can find additional guidance on these requirements at www.hhs.gov. If a breach occurs, the following notification requirements must be followed:

  1. Covered entities must notify the affected individuals in written form by mail or email. If the CE has insufficient contact information for 10 or more individuals, it must provide notice by posting on the landing page of its website or by notifying major local media. For fewer than 10 affected individuals, the CE may provide notice by an alternative written notice, by telephone, or by other means. The CE must provide notice without unreasonable delay, and absolutely no later than 60 days following the identification of a breach. The notice must also include contact information, a description of the breach, the types of information that may have been involved, and the steps taken to correct the breach and prevent future breaches.
  2. If the breach involves more than 500 residents of a state or jurisdiction, the CE is also required to notify prominent media outlets serving that area, in the form of a press release, in addition to the written individual notifications. Once again, this notification must be provided without unreasonable delay and no later than 60 days after discovering the breach.
  3. The CE must also submit a notification to the Secretary of State by visiting the HHS website and submitting a breach report form. If a breach affects 500 or more individuals, the CE must notify the Secretary of State within 60 days. If fewer than 500 individuals are affected, the CE must notify the Secretary on an annual basis, within 60 days after the end of the calendar year in which the breaches are discovered.
  4. Finally, if the breach occurs at the business associate level, the BA must notify the CE within 60 days of the breach occurring and identify each individual whose PHI has been affected. It is essential that, in the case of a breach, the CE retains records and proof of all required notifications provided, or documentation that the disclosure did not constitute a breach. Written policies and procedures regarding breach notifications, as well as documentation of proper training on those policies and procedures in your practice, must be kept in your HIPAA privacy manual.

williamsgroup