The HIPAA Privacy and Security Rules

HIPAA requires particular privacy standards when “covered entities” and “business associates” handle private health information (PHI). It also provides administrative, physical, and technical security requirements, notification requirements in the event of a data breach, and standardized practices for processing health care claims.

Health care professionals and businesses are required by federal law to protect identifiable health information under the Health Insurance Portability and Accountability Act (HIPAA). The law's regulatory structure is complex enough to baffle even the savviest health professionals.

HIPAA Overview

Congress passed HIPAA in 1996 to organize and simplify the law on privacy, security, and electronic transactions of health information. Any health care provider that submits insurance claims electronically is subject to HIPAA. The Affordable Care Act and the Department of Health and Human Services altered HIPAA law and regulatory policy in the areas of portability, privacy, security, and enforcement.

Is Your Business Required to Comply with HIPAA?

HIPAA requires “covered entities” and their “business associates” to implement privacy protections for individually identifiable health information. Covered entities and business associates under HIPAA include:

  • Health care providers that use electronic health information;
  • Health plans;
  • Health care clearinghouses; and
  • Any business associates that use or store protected health information (PHI). A business associate must obtain contractual authorization from the covered entity before using or storing the PHI that the covered entity supplies.

Health care providers include most hospitals, clinics, doctors, therapists, chiropractors, nursing homes, dentists, and pharmacists. Health plans typically include employer-sponsored health programs, health insurance companies, health maintenance organizations (HMOs), and government-sponsored health care (such as Medicare and Medicaid). Health care clearinghouses are companies that convert health information into established electronic formats.

Entities that are not directly subject to HIPAA include employers, workers' compensation carriers, life and disability insurers, schools, state agencies, and law enforcement agencies. These entities, however, may be required to comply with HIPAA indirectly.

What Information Is Subject to HIPAA?

Under HIPAA, PHI covers nearly all health information created, held, or distributed by a health care provider or supplier, including information that is stored electronically.

“Individually identifiable health information” is information that:

  • Was created or received by a health care provider, health plan, health care clearinghouse, employer, or other covered entity; and
  • Relates to any of the following:
  1. A person’s physical or mental health condition, whether past, present, or future;
  2. The provision of health care to the individual; or
  3. The payment, whether past, present, or future, for an individual’s health care.

What Are the Privacy and Security Requirements Under HIPAA?

HIPAA Privacy Rule

The HIPAA Privacy Rule governs the use and disclosure of protected health information (PHI). PHI as described above is subject to the privacy regulations of HIPAA. If PHI is used for any purpose outside of treatment, payment, and health care operations, the entity disclosing the information must secure the patient’s express authorization. Covered entities can disclose PHI without patient consent only under specific circumstances, such as when the disclosure is required by law for judicial or administrative proceedings.

All covered entities are required to adhere to additional privacy guidelines, which include:

  • The appointment of a HIPAA Privacy Officer to monitor compliance;
  • The maintenance of organizational HIPAA policies and procedures;
  • Training employees on HIPAA policies and procedures; and
  • Maintaining business associate agreements with any business associate that provides PHI-related services on behalf of the covered entity.

HIPAA Security Rule

The HIPAA Security Rule was created “to assist covered entities in understanding and properly using the set of federal information security requirements” under HIPAA. It safeguards electronically stored PHI, otherwise known as EPHI. EPHI is used frequently in the maintenance of health records, the billing procedure, and laboratory records systems.

HIPAA requires strict security standards for the creation, use, and distribution of PHI in electronic form. All covered entities are required to adhere to additional security guidelines, which include:

  • The appointment of a HIPAA Security Officer to monitor security protocols (this individual may not simultaneously serve as the HIPAA Privacy Officer);
  • The maintenance of HIPAA security policies and procedures;
  • Training employees on HIPAA policies and procedures; and
  • Completion of a Security Risk Analysis, thoroughly identifying and addressing security risks within the entity.

Do Patients Have Rights Under HIPAA?

HIPAA guarantees patients’ rights relating to their PHI. Specifically, individuals are given the right to:

  • Access, amend, and correct any portion of PHI that is incorrect or incomplete;
  • Access and copy PHI that is deemed part of the patient’s health record;
  • Obtain records of financial accounts relating to their PHI;
  • Control the communication methods of their PHI; and
  • Control restrictions on uses and disclosures of PHI.

What Are the Penalties for Violating HIPAA?

Federal regulations provide steep penalties and demanding remedies for violations of HIPAA. The Department of Health and Human Services has enforced punishments that have resulted in costly litigation and high-profile settlements.

Some of the common HIPAA compliance violations that have resulted in penalties include:

  • Business associates using and disclosing PHI before obtaining a legal agreement;
  • Unsecured technology access points to PHI;
  • Covered entities:
  1. Failing to implement a broad HIPAA risk assessment;
  2. Failing to properly protect and secure PHI in situations of error or theft;
  3. Ignoring the breach notification protocol;
  4. Failing to restrict access to PHI when employees’ roles change or are terminated;
  5. Failing to securely destroy or contain PHI; and
  6. Failing to reduce PHI disclosures to the minimum necessary information.

What Can Perla Do for My Health Care Business?

Perla allows you to immediately connect with HIPAA lawyers. And it is free to search for and contact attorneys using Perla.

Everyone needs legal help to get through tough times and prepare for the future. Don’t wait for days to get a referral from a friend or get stuck with the wrong attorney for lack of options. Instantly connect with a growing number of healthcare lawyers to add to your team. And sleep well knowing your healthcare lawyer will fight for the best possible outcomes for you or your business.

HIPAA lawyers can assess your business’s compliance with HIPAA’s privacy, security, and breach notification requirements. Whether as a preventative measure or as a response to an ongoing investigation by HHS, HIPAA lawyers know how to assess, reduce, and control HIPAA risks. A HIPAA lawyer can give you the tools you need, such as a risk management plan, mitigation procedures, HIPAA policies and procedures, evaluation and training materials, and best practices regarding the access, storage, and termination of PHI to assist you in managing the constantly changing HIPAA requirements.

HIPAA lawyers and healthcare attorneys can also defend you in investigations for breach notification and HITECH Act violations before State agencies, such as the State Health Professional Boards or in Federal investigations, such as before the Office of Civil Rights.

How to Find A Healthcare Attorney

You need a healthcare attorney who is geared toward your line of work and industry. Because of the complex nature of health laws, healthcare attorneys specialize in different niches, and an attorney who specializes in federal payer reimbursement does not necessarily understand privacy compliance or HIPAA breaches at long-term care facilities!

So, it is difficult to actually find a healthcare attorney that provides the exact services that you require in the type of practice that you have. In fact, you should consider using the Perla platform and services which will allow you and your healthcare business to find qualified experts and advisors with experience and knowledge in the healthcare industry, such as a healthcare attorney.

Perla is a private networking platform that connects healthcare professionals and entities directly with expert advisors and consultants who have experience in the healthcare industry. Get started in your FREE search today by visiting our website to find a trusted advisor with experience in the healthcare industry!
