The Health Insurance Portability and Accountability Act of 1996 (HIPAA) includes several key rules stipulating how healthcare organizations and their business associates may use, disclose and safeguard the protected health information of their patients. Before HIPAA there was no industry-wide standard for handling patient information, and rapid advances in technology, in particular the shift to electronic records and electronic claims transactions, were putting sensitive information at risk. Congress enacted HIPAA to address these challenges and to standardize practices across the healthcare industry. Although controversial, the Rules have greatly changed the way healthcare organizations handle patient data, with the aim of increasing efficiency and improving the patient experience.
The Privacy Rule
The Privacy Rule (published in 2000, with a compliance date of April 2003) regulates the use and disclosure of protected health information (PHI) held by “covered entities” (CEs) and their business associates (BAs). The term “covered entity” covers not only healthcare providers, but also health plans and healthcare clearinghouses; a business associate is any person or organization that creates, receives, maintains or transmits PHI on a covered entity's behalf. The Privacy Rule was created to protect patients' private information from access by unauthorized individuals while still allowing PHI to flow efficiently to the parties permitted to use it.
The Privacy Rule protects “individually identifiable health information”: health information, including demographic data, that identifies the patient or for which there is a reasonable basis to believe it could be used to identify them. The range of identifiers this covers is broad. The Rule's de-identification standard lists eighteen of them, among them names, geographic units smaller than a state such as street addresses, dates directly related to the individual such as date of birth, Social Security numbers, medical record, account and billing numbers, vehicle identifiers including registration plate numbers, device identifiers, IP addresses, biometric identifiers such as fingerprints and voiceprints, full-face photographs and comparable images, and any other unique identifying number, characteristic or code.
Under the Privacy Rule, a covered entity may use or disclose PHI without the patient's written authorization only for a defined set of purposes: to the patient themselves, for treatment, payment and healthcare operations, and for specific permitted or required disclosures such as those required by law or for public health. Any other disclosure to a third party requires the patient's authorization. Uses, disclosures and requests of PHI must also satisfy the “minimum necessary” standard, meaning only the PHI needed for the task at hand is used or disclosed. The standard does not apply to disclosures to the patient, to disclosures to or requests by a healthcare provider for treatment, or to disclosures made under a patient's authorization.
The Security Rule
The HIPAA Security Rule (published in 2003, with compliance required by 2005 for most covered entities) applies specifically to electronic PHI (ePHI); paper and oral PHI remain covered by the Privacy Rule. It establishes national standards to protect ePHI that is created, received, used or maintained by a covered entity (CE) or business associate, requiring appropriate safeguards to ensure the confidentiality, integrity and availability of that information. The Security Rule does not prescribe particular technologies. It is designed to be flexible and scalable: each organization must perform a risk analysis of its own environment and select safeguards that are reasonable and appropriate for its size, resources and risks. Some implementation specifications are “required”; others are “addressable”, meaning the entity must either implement them or document why an alternative measure (or none) is reasonable and appropriate. Addressable does not mean optional.
The Security Rule groups the required safeguards into three categories: administrative, physical, and technical. Administrative safeguards are the policies, procedures and management processes that show how the entity will protect ePHI, including risk analysis and risk management, assigning security responsibility, workforce training and sanctions, and contingency planning. Physical safeguards protect the facilities, workstations, devices and media that hold ePHI from unauthorized physical access, including controls over the disposal and reuse of storage media. Technical safeguards are the technology and the policies for its use: access control for systems holding ePHI (unique user identification, emergency access procedures, and automatic logoff and encryption as addressable specifications), audit controls that record and examine system activity, integrity controls, person or entity authentication, and transmission security that protects ePHI sent over an electronic communications network from interception or modification by anyone other than the intended recipient.
The Breach Notification Rule
The Breach Notification Rule, added by the HITECH Act of 2009 and finalized in the 2013 Omnibus Rule, requires HIPAA covered entities to provide notification following a breach of unsecured PHI. A breach is an acquisition, access, use or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI; such an event is presumed to be a breach unless the entity can demonstrate, through a documented risk assessment, that there is a low probability the PHI has been compromised. “Unsecured” PHI is PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons in line with HHS guidance, for example by encryption or destruction, so a lost device whose ePHI is properly encrypted generally does not trigger notification. Following a breach, covered entities must notify the affected individuals, the Secretary of Health and Human Services (HHS) and, for large breaches, the media. The Rule also covers business associates, who must notify the covered entity of a breach discovered at or by the business associate.
Affected individuals must be notified without unreasonable delay and no later than 60 calendar days after the breach is discovered (not after it occurred); the clock starts when the breach is known, or by exercising reasonable diligence would have been known, to the entity. If contact information is insufficient or out of date for ten or more individuals, substitute notice is required: a conspicuous posting on the home page of the entity's website for 90 days, or notice in major print or broadcast media serving the area, in either case with a toll-free number active for at least 90 days. If the breach occurs at or by a business associate, the covered entity remains ultimately responsible for ensuring individuals are notified, although it may delegate the task of sending the individual notices to the business associate; the business associate itself must report the breach to the covered entity within 60 days of discovery. If the breach affects more than 500 residents of a State or jurisdiction, prominent media outlets serving that area must also be notified, and the Secretary must be notified within 60 days of discovery; breaches affecting fewer than 500 individuals are reported to the Secretary annually, within 60 days of the end of the calendar year in which they were discovered.