The federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) is hardly a new concept in the healthcare industry. However, as technology evolves, it is important that facilities of all sizes continue to adhere to HIPAA and are able to keep sensitive information protected, whether it is being stored electronically or in paper form. There are two key aspects of the federal rule that entities need to keep at the forefront of their privacy and security plans: the HIPAA Privacy Rule and the HIPAA Security Rule.
Healthcare organizations need to not only follow the HIPAA Privacy and HIPAA Security rules, but also understand them. Each Rule has its own safeguards that facilities need to adhere to in order to keep patients’ protected health information (PHI) secure.
The Department of Health & Human Services (HHS) Office for Civil Rights (OCR) has still not nailed down an exact date for when the 2015 HIPAA audits will take place, but that does not mean that organizations can treat privacy and security as a secondary issue. On the contrary, it will be more beneficial to ensure that a facility understands both the HIPAA Privacy and HIPAA Security Rules so it can properly follow each.
The HIPAA Privacy Rule
The HIPAA Privacy Rule was designed to protect an individual’s health information that is held by HIPAA covered entities and their business associates (BAs). Moreover, the Rule gives patients numerous rights with respect to that information. It is also important to remember, though, that the Privacy Rule permits the disclosure of health information when necessary for certain purposes, including patient care.
The Privacy Rule specifically protects “individually identifiable health information” that relates to a person’s past, present or future physical or mental health or condition. Additionally, that individual’s provision of healthcare and any past, present, or future payment for providing healthcare is protected information, according to HHS.
“A covered entity must disclose protected health information in only two situations: (a) to individuals (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information; and (b) to HHS when it is undertaking a compliance investigation or review or enforcement action.”
Should a covered entity fail to comply with the HIPAA Privacy Rule, it may be required to pay a civil monetary penalty. These fines can range anywhere from $100 per violation all the way up to $50,000 per violation (for violations that occurred on or after Feb. 18, 2009).
“Penalties will vary significantly depending on factors such as the date of the violation, whether the covered entity knew or should have known of the failure to comply, or whether the covered entity’s failure to comply was due to willful neglect,” HHS states on its site.
The HIPAA Security Rule
The HIPAA Security Rule established “a national set of security standards for protecting certain health information that is held or transferred in electronic form,” according to HHS. It is an important partner to the Privacy Rule in that it discusses the different safeguards that covered entities must establish to secure individuals’ electronic protected health information (e-PHI).
A major goal of the Security Rule is to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. Given that the health care marketplace is diverse, the Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ e-PHI.
The Security Rule breaks the types of safeguards that organizations must use into three main categories: Administrative, Physical, and Technical.
There is also the risk management and risk analysis aspect of the Security Rule. This is actually part of the HIPAA Administrative Safeguards requirement, and it ensures that covered entities regularly maintain the necessary security measures. Risk analysis calls for organizations to conduct regular reviews and to periodically evaluate the effectiveness of established security measures. The process must be properly documented, and any potential risks should be recorded.
“A covered entity must identify and analyze potential risks to e-PHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level,” according to HHS.
A failure to meet these requirements will result in federal fines. Moreover, lackluster security measures could lead to a healthcare data breach, which will create even more issues for the covered entity in question.
Staying updated with continuous reviews
The HIPAA Privacy and Security Rules were not designed to make daily operations more difficult for covered entities. Healthcare organizations are responsible for storing, transferring and using sensitive information. It is essential that facilities of all sizes remain current on the best ways to keep that data protected.
By performing regular security risk assessments, and ensuring that all new technology and systems continue to abide by the Privacy and Security Rules, covered entities will make major strides toward avoiding data breaches.