The Health Insurance Portability and Accountability Act (HIPAA) established several rules that covered entities (CEs) and business associates (BAs) must follow in order to be compliant.
A covered entity (CE) is anyone who is directly involved in the treatment, payment, or operations; while a business associate (BA) is a vendor that a CE hires to complete a service, that comes into contact with protected health information (PHI) as part of their job. Introduced in 2003, HIPAA Privacy and Security Rules are at the forefront of HIPAA law.
HIPAA Privacy Rule
The HIPAA Privacy Rule created regulations on how protected health information (PHI) can be used and disclosed. This safeguards PHI to ensure that only authorized individuals have access. It also requires the disclosure of PHI to a patient upon request.
Protected health information (PHI) is any identifying information on a patient such as name, Social Security numbers, credit card information, address, and date of birth, to name a few. The HIPAA Privacy Rule also mandates that healthcare organizations need the permission of a patient before they can release PHI to third party. However, if the third party is involved in the treatment, operation, or payment for service, prior authorization isn’t required. In addition, the HIPAA Privacy Rule established the ‘Minimum Necessary Rule,’ healthcare workers must access and disclose only the minimum necessary PHI for completing their jobs.
HIPAA Security Rule
Meanwhile, the HIPAA Security Rule is meant to protect electronic PHI (ePHI). It established national standards on how ePHI is created, received, used or maintained. The Security Rule requires appropriate safeguards be in place to maintain the integrity, availability, and confidentiality of ePHI. Healthcare organizations must implement Physical, Technical, and Administrative safeguards. However, the HIPAA Security Rule leaves it up to entities to determine what safeguards are necessary for their organization.
- Physical Safeguards: protect the physical security of your offices where PHI or ePHI may be stored or maintained. Common examples of physical safeguards include alarm systems, security systems, and locking areas where PHI or ePHI is stored.
- Technical Safeguards: protect the cyber-security of your business. Technical cyber-security safeguards must be implemented in order to protect the ePHI that is maintained by your business. Examples of technical safeguards include firewalls, encryption, and data back-up.
- Administrative Safeguards: ensure that staff members are properly trained in order to execute the security measures you have in place. Administrative safeguards should include policies and procedures that document the security safeguards you have in place, as well as employee training on those policies and procedures to ensure that they are being properly executed.
HIPAA Privacy and Security Rules Summary
In conclusion, HIPAA Privacy and Security Rules are among the most important aspects of HIPAA law. It is imperative that healthcare organizations are diligent in their efforts to protect patient PHI. If your organization is audited by the Department of Health and Human Services (HHS) Office of Civil Rights (OCR), and you don’t have the proper safeguards protecting PHI, you could potentially be facing large fines.