A Little About HIPAA
The Privacy Rule
The Privacy Rule mandates restrictions on the use and disclosure of protected health information4, creates individual rights, and imposes administrative requirements.
Generally, the Privacy Rule prohibits all uses and disclosures of protected health information unless the use or disclosure specifically is required or permitted under HIPAA. Accordingly, covered entities must take great care to make sure protected health information only goes to the correct person for the correct purposes.
In addition to the general proscriptions on the flow of protected health information, the Privacy Rule grants individuals rights with respect to their protected health information5.
The administrative procedures include: designation of a privacy official and contact person; privacy training for employees; safeguards to prevent intentional or accidental misuse of protected health information (which often is referred to as the "mini security rule"); sanctions for employee violations of those requirements; prohibitions on retaliation or requiring waiver of HIPAA rights; and duty to mitigate any harm resulting from any inappropriate use or disclosure. Again, safeguarding of protected health information and responding appropriately in the face of a privacy breach are critical.
The Security Rule
The overarching requirements of the Security Rule are that a covered entity must:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under HIPAA.
- Ensure compliance with HIPAA by its workforce6.
The Security Rule identifies numerous "standards" under the general topics of administrative safeguards, physical safeguards, technical safeguards, and organizational requirements. Under most of the standards are "implementation specifications." Some of these implementation specifications are "required," in which case the covered entity must implement them as written. Other implementation specifications are "addressable," which allows the covered entity some flexibility in its approach. The covered entity still must analyze each addressable implementation specification and implement it if doing so is reasonable and appropriate. If implementation is deemed not reasonable, the rationale must be documented and an alternative measure must be implemented in its stead.
These pages provide general information and are not intended to be legal advice.
4 Protected health information generally is information, including demographic information, that: relates to the past, present, or future physical or mental health of an individual, the provision of health care of an individual, or the past, present, or future payment for the provision of health care; is created by a health care provider, health plan, employer, or health care clearinghouse; and identifies or could be used to identify the individual. 45 CFR § 160.103.
5 The individual rights include giving individuals the right to: receive a notice of privacy practices; access their health information; request amendment of health information; receive an accounting of disclosures; request restrictions on uses and disclosures; and request alternate methods of communicating health information. 45 CFR §§ 164.520 to 164.528.
6 45 CFR § 164.306(a). The Security Rule recognizes a flexible approach to compliance allowing covered entities to use any security measures that allow the entity to reasonably and appropriately implement these standards and implementation specifications of the Security Rule. Accordingly, a covered entity may take into account such factors as the size, complexity, and capabilities of the covered entity and its technical capabilities as well as the costs of security measures and the probability and criticality of potential risk to electronic protected health information. 45 CFR § 164.306(b).