The Health Insurance Portability and Accountability Act (HIPAA) comprises several rules that detail the standards covered entities must uphold. Here, we discuss five of the most important rules.
The Privacy Rule of 2003
The Privacy Rule outlines how covered entities (CEs) and their business associates (BAs) may use and disclose protected healthcare information (PHI). The Privacy Rule creates standards that prevent unauthorised third parties from accessing the private information of healthcare patients while simultaneously allowing for the efficient disclosure of PHI to parties with permission to use it.
The Privacy Rule also protects “Individually Identifiable Health Information”, that is, information which can be used to reveal the identity of the patient. This definition covers a wide range of data: names, addresses, dates of birth, Social Security numbers, credit card and billing information, vehicle registration plate numbers, examples of a patient’s handwriting, and videos and images of the patient’s injuries which may show an identifiable body part.
The Privacy Rule stipulates that healthcare organisations must receive the patient’s permission to disclose information to third parties. Exceptions to this rule include disclosures to a third party that relate to a healthcare operation, treatment, or payment for a service. Even then, the CE must follow the “Minimum Necessary Rule” and disclose only the PHI necessary for the task at hand.
The Security Rule of 2005
The Security Rule addresses issues associated with electronic PHI (ePHI). However, it is important to note that its rules still apply to physical PHI. The Security Rule created national standards for the protection of ePHI that a CE creates, receives, uses, or maintains. The Security Rule mandates that CEs use ‘appropriate safeguards’ to protect the confidentiality, integrity, and security of ePHI. The Security Rule is flexible enough to allow each organisation to assess its own situation and determine which safeguards are most appropriate for its practices and security needs.
The Security Rule breaks down the types of safeguards which must be adopted into three categories:
Administrative safeguards: policies and procedures that help an organisation demonstrate and document its HIPAA compliance efforts.
Physical safeguards: physical protection of data and the systems holding it, so that unauthorised individuals cannot access it.
Technical safeguards: technical controls such as restricting access to computer systems and protecting communications containing PHI that are transmitted electronically over open networks from interception by anyone other than the intended recipient.
The Breach Notification Rule of 2009
This rule addresses how CEs should respond following a breach of PHI. HIPAA defines a breach as an unauthorised individual compromising the security of PHI. The Breach Notification Rule states that covered entities must provide notification of the breach to the affected individuals, to the Secretary, and, if the breach is of a significant scale, to the media. The Rule also covers business associates, who must notify the covered entity if a breach occurs at or by the business associate.
CEs should notify the affected patients that their PHI has been compromised without “unreasonable delay”, and no later than 60 days after the breach has occurred. If the CE cannot contact a ‘significant number’ of individuals, then the breach must be advertised on the company’s website for 90 days after its discovery. If the breach occurs at or by a BA, the covered entity remains responsible for notifying individuals, although it may delegate the task of providing individual notices to the BA. If the breach affects more than 500 individuals in a State or jurisdiction, then the media must also be notified of the breach.
The Enforcement Rule of 2006
The Enforcement Rule gave the Department of Health and Human Services’ Office for Civil Rights (OCR) the power to investigate complaints made against CEs for failing to comply with the Privacy Rule. If OCR finds that a security breach occurred as a result of a CE failing to comply with the Security Rule, the Enforcement Rule grants HHS the power to fine the CE in question for the violation.
The Rule also introduced provisions allowing authorities to bring criminal charges against CEs that repeatedly violate HIPAA and fail to introduce corrective measures within 30 days of an offence being identified.
The Final Omnibus Rule of 2013
The most recent HIPAA update did not introduce any new legislation but removed ambiguity in existing HIPAA and HITECH regulations. For example, the Final Omnibus Rule specified encryption standards. It also introduced new administrative standards to acknowledge that technological advances have changed how PHI is transmitted and shared between healthcare professionals.
The Rule included several definitions to improve the clarity of the language used in the Act. For example, the definition of “workforce” was changed to make it clear that the term includes employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or Business Associate, is under the direct control of the covered entity or Business Associate.