ELI5 Series: HIPAA

Health

Insurance

Portability

&

Accountability

Act

a lot

Privacy Rule

The privacy rule protects PHI by:

Applying safeguards (ex. minimum disclosure, communication preferences such as not calling at work, etc.)
Enacting limits and conditions on the uses and disclosures without patient authorization
Allowing patients to examine and obtain a copy of their health records
Allowing patients to request corrections to health records

The rule applies to:

Health care
Health care providers
Health plans
Health care clearinghouses
Health care providers that conduct certain health care transactions electronically
Health Insurers
Independent contractors of covered entities who fit within the definition of "business associates"
Hybrid entities that perform both covered and non-covered functions as part of its business operations

To comply, health organizations (or covered entities) must:

Notify individuals of uses of their PHI
Keep track of disclosures of PHI and document privacy policies and procedures
Appoint a Privacy Official and a contact personresponsible for receiving complaints
Train all members of their workforce in procedures regarding PHI

PHI may be disclosed under the following situations:

The very minimum PHI may be disclosed to facilitate treatment, payment, or health care operations without a patient's express written authorization
As required by law (court orders, court-ordered warrants, subpoenas)
To identify or locate a suspect, fugitive, material witness, or missing person

Security Rule

Administrative

Development of a written plan outlining privacy procedures
Designating an individual as a privacy/HIPAA compliance officer
Ensuring employees who only have a "need to know" have access to PHI
A process for authorizing , establishing, and modifying access for employees, as well as how to terminate access to information
Offering ongoing training
Ensuring third-party compliance
Contingency plan development
Internal audits
Security breach response plan

Technical

Data encryption
Unauthorized change alerts
Data corroboration and methods to check data integrity
Authenticating users
Documented practices & procedures
Configuration setting tracking & management
Risk analysis & management plans

Physical

Proper disposal of equipment
Proper scanning of equipment prior to addition to network
Limiting, controlling, and monitoring of authorized users access to hardware and software
Signing in of all visitors
Development of a physical security plan
Ensuring devices and screens are placed out of view by passerby's

Breach Notification Rule

What a Breach Is and Is Not

does not have to be reported

The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
The unauthorized person who used the protected health information or to whom the disclosure was made;
Whether the protected health information was actually acquired or viewed; and
The extent to which the risk to the protected health information has been mitigated.

60 days

Individual Notice
Media Notice
Notice to Secretary
Posting on HHS Public Website

From http://en.wikipedia.org/wiki/File:Hipaa_Violations_by_Type_-_Pie_Chart.png
Acronym Roundup
HIPAA - Health Insurance Portability and Accountability Act

PHI - Personal Health Information

EPHI- Electronic Personal Health Information
Advanced Resources:

HIPAA Privacy Rule

Who does the privacy rule apply to?

HHS Breach Definition