There are four HIPAA rules anyone working with ePHI should know about. They are:
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
Business Associates, like SecureVideo, are directly accountable for uses and disclosures of ePHI that go beyond what’s covered under their BAA or the Privacy Rule itself.
The Privacy Rule asks Business Associates to do the following:
1. Not allow any off-limits uses of ePHI.
2. Provide breach notification to the Covered Entity.
3. Provide either the individual or the Covered Entity access to ePHI.
4. Disclose ePHI to the Secretary of Health and Human Services, if obligated to do so.
5. Provide an accounting of disclosures.
HIPAA established the Security Rule to ensure that all covered entities have implemented safeguards to protect the confidentiality, integrity, and access of PHI.
There are two types of implementation specifications: “required” and “addressable.” Wherever the Security Rule reads “required,” that specification must be implemented; whereas, if it says “addressable,” there is some wiggle room in exactly how you comply with that specific standard.
The HIPAA Security Rule is by far the meatiest. We’ve devoted a whole article to this rule in a previous blog post. You can find a quick link to the article here.
HHS’ Office for Civil Rights is responsible for enforcing the Privacy and Security Rules. Enforcement of the Privacy Rule began April 14, 2003 for most HIPAA covered entities. Since 2003, OCR’s enforcement activities have obtained significant results that have improved the privacy practices of covered entities. The corrective actions obtained by OCR from covered entities have resulted in systemic change that has improved the privacy protection of health information for all individuals they serve. HIPAA covered entities were required to comply with the Security Rule beginning on April 20, 2005. OCR became responsible for enforcing the Security Rule on July 27, 2009.
For reference: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/
OCR enforces the Privacy and Security Rules in a few different ways:
1. Investigating filed complaints
2. Conducting compliance reviews
3. Performing outreach and education to encourage compliance with HIPAA requirements
HIPAA violations are costly, ranging from $100 to $50,000 per violation, with a maximum of $1.5 million per year for the same infraction. Violations may also carry criminal charges that can result in jail time.
Violations worsen if there is willful neglect and they go uncorrected. To give you a picture, this table shows how penalty amounts range by level of awareness:
A large majority of breaches are due to lost or stolen data that was unencrypted. Please remember that addressable HIPAA regulations are not optional. Most are best practices in the field, anyway. You still have to implement those standards; you just have the flexibility to tailor them to your workflows.
Employee training and adherence to protocol are very important. Breaches have occurred through employees losing unencrypted portable devices, or accidentally sending vendors sensitive information that wound up on social media networks. These instances could’ve been avoided.
Data Stored on Devices
Be mindful of your laptops, smartphones, external hard drives, etc. Theft has resulted in about half of all breaches.
Be choosy about your partners. About two-thirds of all breaches had a business associate involved, including some of the largest reported breaches.
Not all data breaches result in a fine, luckily. The key is to make sure you are putting forth reasonable effort to comply with HIPAA laws.
The Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. This rule also requires the entities to immediately notify HHS if there is any breach of unsecured ePHI, as well as notify the media and public if the breach affects more than 500 patients.
For reference: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html
In summary, HIPAA asks you to do the following:
- Establish protections to safeguard ePHI.
- Reasonably keep sharing and use of ePHI to a minimum, only enough to accomplish the expected outcome.
- Establish your Business Associate Agreements (BAAs) to ensure that your service providers will also preserve ePHI and only use it properly.
- Put your policies and procedures in place to restrict who has access to ePHI. Enroll yourself and your employees in a training program around ePHI safety. Periodically review your procedures to assess how you are keeping your ePHI secure.
There you have it! It’s a lot to take in. If you have questions after you’ve sat with this information, please email us. We’re happy to help.