HIPAA in a Nutshell: HIPAA Privacy Rule
As a healthcare organization, by the nature of your work, you most likely use and disclose PHI. The Privacy Rule permits you to use and disclose PHI without patient authorization for treatment, payment, and healthcare operations. It also establishes the minimum necessary standard: healthcare workers should have access only to the PHI they need to perform their job functions. In practice this means assigning each employee a unique user ID and login credentials (also a Security Rule requirement) so that access to PHI can be granted by job role rather than shared across staff. Access to PHI must also be tracked and documented in audit logs, both to demonstrate adherence to the minimum necessary standard and to detect and deter insider misuse, since a shared account makes it impossible to attribute an access to an individual.
The HIPAA Privacy Rule also establishes patient rights with regard to their PHI. This includes the HIPAA right of access, which requires healthcare organizations to provide patients with access to their medical records within 30 days of the request, and prohibits charging more than a reasonable, cost-based fee for copies. The right of access has become more prominent recently, as the HHS Office for Civil Rights (OCR) has issued nine right of access fines in 2020 so far.
Now that we have covered the permitted uses and disclosures of PHI and how to control and monitor access to it, you may be wondering how to protect PHI from unauthorized access. This is where the HIPAA Security Rule comes into play.
HIPAA in a Nutshell: HIPAA Security Rule
The HIPAA Security Rule requires you to:
◈ Ensure the confidentiality, integrity, and availability of all ePHI you create, receive, maintain, or transmit;
◈ Identify and protect against reasonably anticipated threats to the security or integrity of the information;
◈ Protect against impermissible uses or disclosures of ePHI that are reasonably anticipated; and
◈ Ensure compliance by your workforce.
This is accomplished by implementing administrative, technical, and physical safeguards to secure ePHI.
Administrative. Administrative safeguards require you to conduct a risk analysis (a self-audit of where ePHI lives and how it could be compromised) to identify gaps in your security measures, and to address those gaps through a documented risk management and remediation process. You must also maintain written policies and procedures that dictate how your organization will follow the HIPAA Rules. To build a culture of compliance, employees must be trained on those policies and procedures and on HIPAA basics; annual refresher training is the common practice, and training records should be retained as evidence.
Technical. Technical safeguards ensure that your electronic protected health information (ePHI), meaning PHI stored or transmitted electronically, is secure. This is accomplished through access controls (unique user identification and credentials, emergency access procedures, automatic logoff, and encryption of stored ePHI), audit controls (audit logs that record who accessed which ePHI and when), integrity controls (policies plus mechanisms such as checksums or digital signatures that detect improper alteration or destruction of ePHI), and transmission security (encryption of ePHI in transit over open networks).
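The following is an added example, not code from the original article, that ties together the minimum necessary standard described earlier (role-based access to only the fields a job function needs) with the technical safeguards above (unique user IDs, access controls, and an audit log). The roles, field names, user IDs and patient record are all hypothetical and constructed for illustration. The audit log is hash-chained so that editing or deleting an earlier entry is detectable, which is one way to give an audit trail the integrity property the Security Rule calls for.

```python
"""Role-based minimum-necessary access to ePHI with a tamper-evident audit log.

Added example; roles, fields, users and the patient record are all made up.
"""
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical per-role allow-lists: each role sees only the ePHI fields
# it needs for its job function (the minimum necessary standard).
ROLE_FIELDS = {
    "physician":  {"name", "dob", "diagnosis", "medications", "allergies"},
    "nurse":      {"name", "dob", "medications", "allergies"},
    "billing":    {"name", "dob", "insurance_id", "procedure_codes"},
    "front_desk": {"name", "dob", "appointment"},
}

# Constructed sample record for a fictional patient.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Jane Doe",
    "dob": "1980-01-01",
    "diagnosis": "example diagnosis",
    "medications": ["example-med 10mg"],
    "allergies": ["none"],
    "insurance_id": "INS-12345",
    "procedure_codes": ["99213"],
    "appointment": "2020-09-01T09:00",
}


def _digest(body):
    """Stable SHA-256 over a JSON entry (keys sorted so the hash is deterministic)."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only log; each entry carries the hash of the previous entry."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, user_id, role, patient_id, requested, granted, denied):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user_id,            # unique user ID, never a shared account
            "role": role,
            "patient": patient_id,
            "requested": sorted(requested),
            "granted": sorted(granted),
            "denied": sorted(denied),   # denied fields are logged too
            "prev": prev,
        }
        body["hash"] = _digest(body)
        self.entries.append(body)
        return body

    def verify(self):
        """True if every entry still hashes correctly and links to its predecessor."""
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev:
                return False
            body = {k: v for k, v in e.items() if k != "hash"}
            if _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def access_phi(user_id, role, record, requested_fields, log):
    """Return only the requested fields the role is allowed to see, and log the decision.

    Unknown roles get nothing; every request (granted or denied) is recorded.
    """
    allowed = ROLE_FIELDS.get(role, set())
    requested = set(requested_fields)
    granted = requested & allowed & set(record)
    denied = requested - granted
    log.append(user_id, role, record["patient_id"], requested, granted, denied)
    return {f: record[f] for f in granted}


def denied_attempts(log):
    """Review helper: (user, role, field) for every denied field, for minimum-necessary audits."""
    return [(e["user"], e["role"], f) for e in log.entries for f in e["denied"]]


if __name__ == "__main__":
    log = AuditLog()
    print(access_phi("u-nurse-1", "nurse", SAMPLE_RECORD, ["name", "diagnosis"], log))
    print(access_phi("u-temp-9", "contractor", SAMPLE_RECORD, ["name"], log))
    print("denied:", denied_attempts(log), "chain ok:", log.verify())
```

In a real deployment the log would be written to append-only storage outside the application's own write path, and the chain head would be stored separately so that a whole-log rewrite is also detectable.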
Physical. Physical safeguards ensure the security of the facilities, workstations, and devices and media that hold ePHI (paper PHI is covered by the Privacy Rule's safeguards). This includes installing alarm systems and CCTV cameras, locking cabinets or rooms that store PHI, restricting who can reach workstations and servers, and controlling how laptops, drives and backup media are tracked, reused and disposed of.
Since every organization has different security requirements, when implementing security measures, you must consider the following:
◈ Your size, complexity, and capabilities;
◈ Your technical hardware and software infrastructure;
◈ The costs of security measures; and
◈ The likelihood and possible impact of the potential risk to ePHI.