Understanding the HIPAA Patient Privacy Rule
The HIPAA Patient Privacy Rule lays out the details of how your organization should manage, use, and protect your PHI. In fact, these rules are the foundation of HIPAA regulations.
Your organization, or a covered entity that accesses your business’s PHI, can use these rules to explain how or when you’re allowed to use that sensitive data.
The regulatory standard has to be properly documented in your business’s HIPAA policies and procedures, and for greater security, it’s best if you have all employees undergo annual training on these policies.
In order to make your organization’s PHI available to other parties, the law requires you to sign a HIPAA PHI release form.
Information Protected by the Patient Privacy Rule
- Medical records
- Social Security Numbers
- Fingerprints and voice prints
- Contact information
- Location information
- Birth, death, and treatment dates
Understanding the HIPAA Security Rule
This rule defines the minimum standards that covered entities must meet in order to handle, maintain, and transmit electronic PHI (ePHI).
The rule says, “The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronically protected health information.”
Below are key ideas expressed in that rule:
- Security Management Process — States that covered entities have to create policies and procedures that effectively contain, correct, prevent, and detect security violations. Before implementing new policies, make sure you assess the overall risk of your current policies.
- Assigned Security Responsibility — States that someone in your organization has to be assigned as the designated security official. This person will be responsible for the development and implementation of your HIPAA Security Rules.
- Workforce Security — In order to maintain security in your workforce, your organization must determine which employees will require access to PHI or ePHI. Efforts should be made to regulate control over that access.
- Information Access Management — Emphasizes that, once your organization has determined which personnel will have access to your PHI and ePHI, access should be restricted from all other parties.
- Security Awareness and Training — Your company must train your workforce on the relevant rules and security policies related to HIPAA compliance regulations.
- Security Incident Procedures — Guides your company through the process of creating policies that address what to do in the event of a data breach. Your organization should report said breaches and any other security violations. Setting up alerts to spot these breaches can go a long way in this endeavor.
- Contingency Plan — If a breach or security violation occurs, your company should have a backup plan or disaster recovery plan so it can respond appropriately to the event. Your MSP or IT team should be able to take care of this when it comes to ePHI.
- Evaluation — This emphasizes that your organization should regularly review and evaluate your HIPAA security policies and procedures to make sure they are effective and up-to-date.
- Business Associate Contracts — In order to prevent third-party contractors from leaking your PHI or ePHI, you should create business associate contracts and other relevant arrangements.
- Facility Access Controls — This falls into general best practices for IT security. Make sure that facilities that contain ePHI data, such as your server rooms, are locked. Limit which personnel have access to these facilities.
- Workstation Use — Any workstation and device that accesses ePHI should be properly managed and secured. For instance, only personnel who are authorized to handle ePHI should be allowed to use these workstations.
- Workstation Security — As the name implies, your company should make an effort to securely manage any devices that access ePHI.
- Device and Media Controls — Typical devices like your laptops and computers aren’t the only things that need to be secured. If ePHI is transferred via USB drives or other forms of removable storage, those media should be properly secured as well, in a designated storage area.
- Access Control — Set up appropriate authentication measures for users that need to access ePHI.
- Audit Controls — Your organization needs to provide thorough audit trails of any data breaches that occur so that the OCR will be able to understand precisely how the breach occurred in the first place.
- Integrity — In order to maintain HIPAA compliance, your company will have to be able to prove that the PHI and ePHI that you manage is properly protected from internal and external threats, no matter how big or small.
- Person or Entity Authentication — This simply requires that the people you allow to access PHI and ePHI are who they say they are, whether a patient or a user. This can be accomplished via biometrics, two-factor authentication, and other more sophisticated password security best practices.
- Transmission Security — When your company transfers PHI data to other business partners, you must be able to prove to the OCR that only authorized individuals had access to the sensitive data.
Understanding the HIPAA Enforcement Rule
This rule clarifies what your company needs to do in the event of a HIPAA violation.
If a data breach occurs and PHI was involved, your organization must report it to the Office for Civil Rights (OCR). They will then investigate and review the violation to determine whether or not your company was negligent.
Your organization will need to provide an audit trail, determine what caused the breach, and deal with the affected PHI data to make sure it’s safe.
If the OCR determines that the actions your company takes to respond to the violation are insufficient, you’ll be subject to a fine, which we detail in a later section.
Understanding the Omnibus Rule
This rule is perhaps one of the most important changes to HIPAA regulations. The rule made a number of notable updates that clarified and broadened the definition of business associates, which expanded HIPAA to cover several other organizations and individuals.
Civil penalties were also increased for HIPAA violations as a result of this rule, and the penalties themselves became tiered (as you’ll read about later on in this article). The Omnibus rule also prohibited companies from utilizing PHI for marketing purposes.
Understanding HIPAA Breach Notifications
The HIPAA Breach Notification Rule requires your organization to send a notification of a breach or improper access to your PHI or ePHI within 60 days.
If over 500 PHI records are improperly accessed, the Department of Health and Human Services (HHS) must be notified and your organization will be required to do a press release regarding the breach.
In your company’s report of the HIPAA violation, you must mention a few details, including:
- Any information you have on the unauthorized person or persons who accessed your PHI data.
- A list of the PHI that was made available.
- A list of all mitigation steps your company has taken to respond to the breach.
- Confirmation that the unauthorized person or persons actually viewed the PHI.
If the breach impacts fewer than 500 PHI records, your company can simply report the violations once per year, as described in the Breach Notification Rule.
Keeping Your Company’s Private Data Secure
If your company works with protected health information (PHI), it’s important that you see HIPAA compliance as more than just a law you must abide by.
Your PHI is data that your organization is responsible for, and the protection and security of your data is critical to thriving in the modern digital age.
If you’re uncertain of your business’s security or compliance, gain clarity with Commprise. With our IT Security and Compliance Auditing services, you’ll be able to get a complete picture of the security of your IT systems, network, and data.
An in-depth understanding of your IT environment will allow you to clearly document and improve any potential security weaknesses that might get in between you and maintaining compliance.