Understanding the HIPAA Patient Privacy Rule

The HIPAA Patient Privacy Rule lays out the details of how your organization should manage, use, and protect your PHI. In fact, these rules are the foundation of HIPAA regulations.

These rules tell your organization, and any covered entity that accesses your business’s PHI, how and when that sensitive data may be used.

The regulatory standard has to be properly documented in your business’s HIPAA policies and procedures, and for greater security, it’s best if you have all employees undergo annual training on these policies. 

In order to make your organization’s PHI available to other parties, the law requires you to sign a HIPAA PHI release form.

Information Protected by the Patient Privacy Rule

Understanding the HIPAA Security Rule

This rule defines the minimum standards covered entities must meet to handle, maintain, and transmit electronic PHI (ePHI).

The rule says, “The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronically protected health information.”

Below are key ideas expressed in that rule:

Understanding the HIPAA Enforcement Rule

This rule clarifies what your company needs to do in the event of a HIPAA violation.

If a data breach occurs and PHI was involved, your organization must report it to the Office for Civil Rights (OCR). The OCR will then investigate and review the violation to determine whether or not your company was negligent.

Your organization will need to provide an audit trail, determine what caused the breach, and secure the affected PHI.

If the OCR determines that the actions your company takes to respond to the violation are insufficient, you’ll be subject to a fine, which we detail in a later section. 

Understanding the Omnibus Rule 

This rule is perhaps one of the most important changes to HIPAA regulations. It made a number of notable updates that clarified and broadened the definition of business associates, expanding HIPAA’s coverage to many other organizations and individuals.

Civil penalties for HIPAA violations were also increased as a result of this rule, and the penalties became tiered (as you’ll read later in this article). The Omnibus Rule also prohibited companies from using PHI for marketing purposes.

Understanding HIPAA Breach Notifications

The HIPAA Breach Notification Rule requires your organization to send notification of a breach or improper access to your PHI or ePHI within 60 days.

If over 500 PHI records are improperly accessed, the Department of Health and Human Services (HHS) must be notified and your organization will be required to issue a press release regarding the breach.

In your company’s report of the HIPAA violation, you must mention a few details, including: 

If the breach impacts fewer than 500 PHI records, your company can simply report the violations once per year, as the Breach Notification Rule provides.

Keeping Your Company’s Private Data Secure 

If your company works with personal health information (PHI), it’s important that you see HIPAA compliance as more than just a law you must abide by. 

Your PHI is data that your organization is responsible for, and the protection and security of your data is critical to thriving in the modern digital age. 

If you’re uncertain of your business’s security or compliance, gain clarity with Commprise. With our IT Security and Compliance Auditing services, you’ll be able to get a complete picture of the security of your IT systems, network, and data.

An in-depth understanding of your IT environment will allow you to clearly document and remediate any security weaknesses that stand between you and maintaining compliance.