National
The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act (HIPAA) require the Department of Health and Human Services (HHS) to establish national standards for electronic healthcare transactions and national identifiers for providers, health plans, and employers. They also require that HHS adopt regulations to protect the privacy and security of healthcare information. These standards are intended to improve the efficiency and effectiveness of the nation's healthcare system by encouraging the widespread use of electronic data interchange in health care.
In January 2013, the HHS released final regulations that, according to the HHS, represented “the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.” The regulations reflected changes brought about by the Health Information Technology for Economic and Clinical Health (HITECH) Act (enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA)) and the Genetic Information Nondiscrimination Act of 2008 (GINA).
Group health plans with fewer than 50 participants that are administered solely by the employer are exempt from the HIPAA privacy, electronic transaction, and security standards (45 CFR 160.103).
The HIPAA Privacy Rule creates national standards to protect individuals' medical records and other personal health information and to give patients more control over their health information. It sets limits on the use and release of health records. It provides for safeguards that covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates must implement to protect the privacy of health information.
The Privacy Rule provides that, in general, a covered entity may not use or disclose an individual's protected health information (PHI) without specific authorization, except as permitted or required by the Privacy Rule (45 CFR 164.502). If a use or disclosure is permitted or required, covered entities and business associates must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request (45 CFR 164.502(b)).
The Privacy Rule requires many healthcare plans to do the following:
• Notify participants about their privacy rights and how their information can be used;
• Adopt and implement privacy procedures;
• Train certain employees so that they understand the privacy rules;
• Designate an individual to be responsible for seeing that the privacy procedures are adopted and followed; and
• Secure PHI so that access is not available to those who do not need the information.
Important: Health plans may disclose PHI to plan sponsors only for plan administrative purposes and only if the sponsor certifies that it will use the information in accordance with the standards. Plan documents must be amended to provide that disclosure will be limited to permitted uses (45 CFR 164.504).
Warning: A plan may never disclose PHI to the plan sponsor for the purpose of employment-related actions or decisions, or in connection with any other benefit or employee benefit plan of the plan sponsor.
The HIPAA Privacy Rule sets out numerous specific policies, procedures, documents, and personnel appointments that a covered entity must implement in order to comply. In addition, the rule sets out several ways that a group health plan can reduce its compliance burden.
Privacy notice. The HIPAA Privacy Rule requires that group health plan participants be provided with adequate notice of the uses and disclosures of their PHI that may be made by a covered entity and of their privacy rights and the plan's legal duties with respect to PHI (45 CFR 164.520). Generally, a group health plan that provides health benefits solely through an insurance contract with a health insurance issuer or a health maintenance organization (HMO) does not have to provide a notice. However, if such a plan receives more than summary health information and/or enrollment information from the insurer, it must have a notice prepared that must be provided upon request to any person who has a right to a notice. A self-insured group health plan must distribute the notice itself.
Privacy notice availability reminders. The HIPAA privacy regulations require group health plans to notify plan participants at least once every 3 years of the availability of the privacy notice and how to obtain it.
Note: The regulations require covered entities to describe certain uses and disclosures of PHI, detail when separate statements for certain uses or disclosures are required, state that they are required to notify affected individuals following a breach of unsecured PHI, and describe the procedure that a health plan must follow if there is a material change to the notice.
Administrative requirements. The Privacy Rule imposes certain administrative requirements on covered entities (45 CFR 164.530). However, the requirements are designed to be flexible to allow a covered entity to evaluate its own needs and implement solutions that are appropriate for its particular organization. The administrative requirements address:
Personnel designations. A covered entity must designate a privacy officer responsible for developing and implementing required policies and procedures and a contact person responsible for receiving complaints and providing information about matters contained in the notice of privacy practices.
Training. A covered entity must train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their functions, and must document that training has been provided.
Safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. It must also reasonably safeguard PHI to protect it from any intentional or unintentional use or disclosure in violation of the Privacy Rule and to limit incidental uses or disclosures as required by the Privacy Rule.
Complaints. A covered entity must provide a process for individuals to make complaints about the covered entity’s privacy policies and procedures or its compliance with the Privacy Rule. A covered entity must also document all complaints it receives and their disposition.
Sanctions. A covered entity must have and apply appropriate sanctions against its workforce members who fail to comply with its privacy policies and procedures or the requirements of the Privacy Rule.
Mitigation. A covered entity must mitigate, to the extent practicable, any harmful effect that is known of a use or disclosure of PHI by the covered entity or its business associate in violation of its policies and procedures or the requirements of the Privacy Rule.
Retaliation. A covered entity may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise of the individual’s rights under the Privacy Rule, including filing complaints.
Waiver. A covered entity may not require an individual to waive his or her rights under the Privacy Rule as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.
Policies and procedures. A covered entity must implement policies and procedures with respect to PHI that are designed to comply with the standards, implementation specifications, or other requirements of the Privacy Rule. The policies and procedures must be reasonably designed, taking into account the size and type of activities undertaken by the covered entity that relate to PHI. Thus, a very large organization with many employees handling large volumes of PHI will have to adopt much more elaborate policies and procedures than a small organization with few employees handling a small volume of PHI.
Documentation. A covered entity must maintain its privacy policies, procedures, and such communications, writings, actions, activities, or designations that are required to be documented by the Privacy Rule in written or electronic form for a period of 6 years from the date of its creation or when it was last in effect.
A group health plan is exempt from several compliance requirements if it provides health benefits solely through an insurance contract with a health insurance issuer or an HMO, and the only PHI it receives or creates is either summary health information or enrollment information. However, such an exempt plan does have to refrain from intimidating and retaliatory acts, may not require a waiver of rights, and must comply with the documentation requirements.
A group health plan generally does not have to be amended before it is permitted to share information with the plan sponsor if it or its health insurance issuer or HMO discloses only limited information to the plan sponsor (45 CFR 164.504). The information that may be provided without activating the amendment requirement falls into two categories.
The first is summary health information that the plan sponsor requests for the limited purposes of:
• Obtaining premium bids from health plans for providing health insurance coverage under the group health plan; or
• Modifying, amending, or terminating the group health plan.
The second category is information on whether an individual is participating in the group health plan or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan.
The HIPAA Security Rule is a corollary to the Privacy Rule and specifies a series of administrative, technical, and physical security procedures for covered entities and business associates to use to ensure the confidentiality, integrity, and availability of PHI in electronic format. The standards require covered entities and business associates to implement basic safeguards to protect electronic PHI from unauthorized access, alteration, deletion, and transmission (45 CFR 164.306). The security standards do not require use of specific technologies and were designed to be “technology neutral” in order to facilitate using the latest and most promising technologies that meet the needs of different healthcare organizations.
The various standards may have either "required" or "addressable" implementation specifications. If an implementation specification is described as "required," the specification must be implemented. The concept of "addressable implementation specifications" was developed to provide covered entities and business associates additional flexibility with respect to compliance with the security standards; "addressable" does not mean optional. A covered entity or business associate must decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework. This decision will depend on a variety of factors, such as the entity's risk analysis, risk mitigation strategy, security measures already in place, and the cost of implementation. If the entity concludes that the specification is not reasonable and appropriate, it must document why and implement an equivalent alternative measure if one is reasonable and appropriate (45 CFR 164.306(d)). The decisions that a covered entity or business associate makes regarding addressable specifications must be documented.
Covered entities and business associates have some flexibility in designing the security measures they will implement, but they cannot assume that those measures will always remain “reasonable and appropriate.” Thus, covered entities and business associates are required to periodically review their security measures and modify them when necessary.
There are quite a few administrative safeguards that covered entities and business associates are required to implement (45 CFR 164.308). More specifically, they are required to:
• Implement security management policies and procedures to prevent, detect, contain, and correct security violations;
• Identify a security official who is responsible for the development and implementation of the policies and procedures required by the Security Rule;
• Implement workforce security policies and procedures to ensure that all members of the workforce have appropriate access to electronic PHI and to prevent giving access to those workforce members who are not authorized to have access;
• Implement information access management policies and procedures for authorizing access to electronic PHI;
• Implement security awareness and training so that all members of the workforce (including management) are aware of and trained about security issues;
• Implement security incident procedures to address security incidents;
• Establish and implement, as needed, policies and procedures for responding to an emergency or other occurrence that damages systems that contain electronic PHI;
• Perform periodic evaluations to establish how well an entity’s security policies and procedures meet the requirements of the Security Rule; and
• Permit a business associate, through a business associate contract or other arrangement, to create, receive, maintain, or transmit electronic PHI on the covered entity's behalf only if the covered entity obtains satisfactory assurances that the business associate will properly safeguard such information. (Additionally, a business associate may allow a subcontractor to create, receive, maintain, or transmit electronic PHI on its behalf only if the business associate obtains satisfactory assurances that the subcontractor will appropriately safeguard the information.)
Covered entities and business associates are also required to implement certain physical safeguards (45 CFR 164.310). They are required to:
• Implement facility access controls to limit physical access to electronic information systems, and to the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed;
• Implement workstation use policies and procedures to specify the proper functions to be performed and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic PHI;
• Implement physical safeguards for all workstations that access electronic PHI to restrict access to authorized users; and
• Implement policies and procedures to regulate the receipt and removal of hardware and electronic media that contain electronic PHI into and out of a facility and the movement of those items within the facility.
Finally, covered entities and business associates are required to implement various technical safeguards (45 CFR 164.312). They must:
• Implement technical policies and procedures for electronic information systems that maintain electronic PHI to allow access only to those persons or software programs that have been granted access;
• Implement audit controls that record and examine activity in information systems containing or using electronic PHI;
• Implement integrity policies and procedures to protect electronic PHI from improper alteration or destruction;
• Implement procedures to verify that a person or entity seeking access to electronic PHI is the one claimed; and
• Implement technical security measures to guard against unauthorized access to electronic PHI that is being transmitted over an electronic communications network.
Requirements for group health plans. Unless a plan discloses only limited electronic PHI to the plan sponsor, the plan documents must be amended to provide that the plan sponsor will reasonably and appropriately safeguard electronic PHI created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan (45 CFR 164.314).
Many of HIPAA’s requirements apply to covered entities and their “business associates.” Generally, a business associate is any person or entity that performs some function for a covered entity that involves handling PHI. The formal definition includes any person or entity that:
• On behalf of a covered entity or certain organized healthcare arrangements, creates, receives, maintains, or transmits PHI for a function or activity regulated by HIPAA (e.g., claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, certain patient safety activities, billing, benefit management, practice management, and repricing); or
• Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity (or certain organized healthcare arrangements), when the provision of the service involves the disclosure of PHI (45 CFR 160.103).
Additionally, a business associate would include any “subcontractor that creates, receives, maintains, or transmits [PHI] on behalf of the business associate.” This provision greatly expands the group of organizations that covered entities and their direct business associates must ensure are contractually obligated to comply with the Privacy Rule and Security Rule.
Business associate contracts. Under the Privacy Rule, a covered entity must enter into written agreements with business associates (often referred to as “business associate agreements”) that contain certain terms. For example, the business agreement must:
• Establish the permitted and required uses and disclosures of PHI by the business associate;
• Set certain limitations and obligations for the business associate; and
• Authorize the covered entity to terminate the contract if the covered entity finds out that the business associate violated a material term of the contract (45 CFR 164.504(e)(2)).
Additionally, HIPAA regulations require that business associate contracts must provide that the business associate will:
• Comply with the applicable requirements of the Security Rule;
• Ensure that any subcontractors that create, receive, maintain, or transmit electronic PHI on behalf of the business associate agree to comply with the applicable requirements of the Security Rule by entering into a contract or other arrangement; and
• Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured PHI (45 CFR 164.314).
These contract requirements also apply to the contract or other arrangement between a business associate and a subcontractor.
Direct application of the privacy and security rules to business associates. Under the HITECH Act, many of the privacy and security rules apply directly to business associates in the same way that they apply to covered entities, including the civil and criminal penalties for violations (42 USC 17931 and 42 USC 17934).
The Privacy Rule provides individuals with the right to receive an accounting of certain disclosures of the individual's PHI made by a covered entity in the 6 years before the request for the accounting (45 CFR 164.528). One of the exceptions to this requirement is disclosures to carry out treatment, payment, and healthcare operations. However, under the HITECH Act, individuals have the right to request an accounting of such disclosures made through an electronic health record during the 3 years before the request (42 USC 17935).
Requests for electronic health records. If a covered entity uses or maintains electronic health records that contain PHI, an individual may request a copy of the record in electronic format or have the covered entity send a copy to another entity or person (42 USC 17935).
HIPAA was amended in 2009 to require notification by covered entities and their business associates of breaches of unsecured protected health information (UPHI) (42 USC 17932). If a covered entity discovers that UPHI that the entity accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses has been breached, the entity must notify each individual whose UPHI has been, or is reasonably believed by the entity to have been, accessed, acquired, or disclosed as a result of the breach. A business associate of a covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses UPHI must notify the covered entity if the business associate discovers such a breach of the privacy of the UPHI. The notice must identify each individual whose UPHI has been, or is reasonably believed by the business associate to have been, accessed, acquired, or disclosed during such breach.
"Breach" defined. The term “breach” means the unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of such information (45 CFR 164.402).
Exceptions. A breach does not include the following:
• Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further impermissible use or disclosure;
• Any inadvertent disclosure by a person who is authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity or business associate, or organized healthcare arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further impermissibly used or disclosed; or
• A disclosure of PHI where a covered entity or business associate has a good-faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information (45 CFR 164.402).
An acquisition, access, use, or disclosure of PHI in an impermissible manner is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:
• The nature and extent of the PHI involved, including the types of identifiers and the likelihood of reidentification;
• The unauthorized person who used the PHI or to whom the disclosure was made;
• Whether the PHI was actually acquired or viewed; and
• The extent to which the risk to the PHI has been mitigated.
The regulations also note that UPHI means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by HHS guidance.
Securing PHI. The HITECH Act requires the HHS to issue (and annually update) guidance specifying the technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals. Covered entities and business associates are not required to follow the guidance, but the specified technologies and methodologies, if used, create the functional equivalent of a safe harbor: a breach of PHI secured in one of these ways does not trigger the notification requirements. The safe harbor reaches only the notification requirements. Covered entities and business associates must still comply with all other federal and state statutory and regulatory obligations that may apply following a breach of PHI, such as state breach notification requirements, if applicable, as well as the obligation of covered entities to mitigate, to the extent practicable, any harmful effect that is known to the covered entity as a result of a breach of PHI by the covered entity or business associate.
Technologies and methodologies that make PHI unusable, unreadable, or indecipherable. HHS guidance provides that PHI is rendered unusable, unreadable, or indecipherable to unauthorized individuals only if one or more of the following applies:
• Electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key," and such confidential process or key that might enable decryption has not been breached. If encryption is used, the encryption keys must be stored on a separate device from the information being encrypted or decrypted.
• Paper, film, or other hard copy media on which the PHI is stored or recorded have been shredded or destroyed so that the PHI cannot be read or otherwise reconstructed. (Redaction, in lieu of destruction, is not acceptable.)
• Electronic media have been cleared, purged, or destroyed consistent with National Institute of Standards and Technology (NIST) Special Publication 800-88, Guidelines for Media Sanitization, so that the PHI cannot be retrieved.
For more information, visit http://www.hhs.gov/ocr/privacy.
Notice requirements. A breach is to be treated as discovered by a covered entity or by a business associate as of the first day on which the breach is known by any person, other than the individual committing the breach, that is an employee, officer, or other agent of the entity or associate, or should reasonably have been known to such entity or associate to have occurred (42 USC 17932 and 45 CFR 164.404). Notifications must be made without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach by the covered entity or business associate involved.
The covered entity or business associate involved will have to prove that all notifications were made as required, including evidence demonstrating the necessity of any delay.
How to provide notice. Notices to be provided to an individual, with respect to a breach, must be provided promptly and in writing by first-class mail to the individual at the last known address of the individual or, if specified as a preference by the individual, by e-mail. If the covered entity knows the individual is deceased and has the address of the next of kin or personal representative of the individual, written notification must be sent by first-class mail to either the next of kin or personal representative. The notification may be provided in one or more mailings as information becomes available.
Substitute notice. If the contact information for an individual is insufficient or out of date, substitute notice may be provided.
If there is insufficient or out-of-date contact information for fewer than 10 individuals, a substitute notice may be provided by an alternative form of written notice, telephone, or other means (45 CFR 164.404).
If there is insufficient or out-of-date contact information for 10 or more individuals, the substitute notice must be made by a conspicuous posting for a period of 90 days on the home page of the website of the covered entity or a conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside. This notice must include a toll-free phone number that remains active for at least 90 days with which an individual can learn whether the individual’s unsecured PHI may be included in the breach.
Urgent notice. If the covered entity involved expects the possible imminent misuse of the UPHI, the entity, in addition to the written notice, may provide information to individuals by telephone or other appropriate means.
Media notice. Notice must be provided to prominent media outlets serving a state or jurisdiction without unreasonable delay and in no case later than 60 days after the discovery of a breach involving UPHI of more than 500 residents of the same state or jurisdiction (45 CFR Sec. 164.406). Media notification supplements, but does not replace, individual notification.
Notice to HHS. Notice must be provided to the HHS by covered entities when UPHI has been acquired or disclosed because of a privacy breach. If the breach involved 500 or more individuals, the notice must be provided immediately (contemporaneously with the individual notice). If the breach involved fewer than 500 individuals, the covered entity may maintain a log of breaches discovered during the preceding calendar year and submit the log to the HHS annually, no later than 60 days after the end of that calendar year (45 CFR Sec. 164.408).
Notice content. Regardless of how the notice of a breach is provided to individuals, the notice must include, to the extent possible, the following:
• A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
• A description of the types of UPHI that were involved (such as whether full names, Social Security numbers, dates of birth, home addresses, account numbers, or disability codes were involved);
• The steps individuals should take to protect themselves from potential harm resulting from the breach;
• A brief description of what the covered entity is doing to investigate the breach, to mitigate losses, and to protect against any further breaches; and
• Contact procedures for individuals to ask questions or learn additional information, including a toll-free telephone number, an e-mail address, a website, or a postal address (42 USC 17932 and 45 CFR Sec. 164.404).
Note: If a law enforcement official determines that a notification, notice, or posting required would impede a criminal investigation or cause damage to national security, the notification, notice, or posting may be delayed.
Business associates. A business associate that discovers a breach of UPHI must notify the covered entity of such breach (45 CFR 164.410). A breach is treated as discovered by a business associate as of the first day on which it is known to the business associate or, by exercising reasonable diligence, would have been known to the business associate. A business associate will be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of the business associate.
A business associate must provide the notification required without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. The notification is to include, to the extent possible, the identification of each individual whose UPHI has been, or is reasonably believed by the business associate to have been, accessed, acquired, used, or disclosed during the breach. A business associate must also provide the covered entity with any other available information that the covered entity is required to include in notification to the individual at the time of the notification or promptly thereafter as the information becomes available.
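The notice rules above (discovery date, the 60-day clock, substitute notice, media notice, HHS notice, and the business associate's duty to notify the covered entity) form a decision procedure that incident responders tend to encode in a runbook. The following helper is an added example, not code from the page or from HHS; the record fields, function names, and the two sample breach records are this example's own constructions. It encodes only the thresholds the page states (45 CFR 164.404, 164.406, 164.408, 164.410) and returns the resulting obligations so they can be checked rather than merely printed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Thresholds as stated on the page. Any other number here is an assumption.
NOTICE_DEADLINE_DAYS = 60        # individual, media, and BA-to-CE notice: no later than 60 calendar days
SUBSTITUTE_POSTING_THRESHOLD = 10  # 10 or more bad addresses -> website/media posting for 90 days
SUBSTITUTE_POSTING_DAYS = 90
MEDIA_NOTICE_THRESHOLD = 500     # more than 500 residents of one state/jurisdiction -> media notice
HHS_IMMEDIATE_THRESHOLD = 500    # 500 or more individuals -> HHS notice with the individual notice


@dataclass
class BreachRecord:
    """Constructed record shape (not a regulatory form)."""
    occurred: date
    # workforce member -> day that person learned of the breach
    known_by: Dict[str, date]
    # the person who committed the breach, if a workforce member; their knowledge does not count
    perpetrator: Optional[str]
    # state/jurisdiction -> number of affected residents (drives media notice per state)
    affected_by_state: Dict[str, int]
    # individuals whose contact information is insufficient or out of date
    bad_contact_count: int = 0
    discovered_by_business_associate: bool = False


def discovery_date(rec: BreachRecord) -> date:
    """First day the breach was known to any employee, officer, or agent other than the perpetrator."""
    dates = [d for who, d in rec.known_by.items() if who != rec.perpetrator]
    if not dates:
        raise ValueError("no workforce member other than the perpetrator knows of the breach yet")
    return min(dates)


def obligations(rec: BreachRecord) -> dict:
    """Return the notice obligations the page describes for this breach of unsecured PHI."""
    disc = discovery_date(rec)
    deadline = disc + timedelta(days=NOTICE_DEADLINE_DAYS)
    total = sum(rec.affected_by_state.values())
    out = {
        "discovered": disc,
        "total_affected": total,
        # "without unreasonable delay" is a ceiling, not a target; the deadline is the latest permitted day
        "individual_notice_deadline": deadline,
        "individual_notice_method": "first-class mail to last known address, or e-mail if the individual prefers",
    }
    if rec.discovered_by_business_associate:
        out["ba_must_notify_covered_entity_by"] = deadline
    if rec.bad_contact_count == 0:
        out["substitute_notice"] = None
    elif rec.bad_contact_count < SUBSTITUTE_POSTING_THRESHOLD:
        out["substitute_notice"] = "alternative written notice, telephone, or other means"
    else:
        out["substitute_notice"] = (
            f"conspicuous website home page posting or major print/broadcast media for "
            f"{SUBSTITUTE_POSTING_DAYS} days, with a toll-free number active at least "
            f"{SUBSTITUTE_POSTING_DAYS} days"
        )
    # Media notice is evaluated per state/jurisdiction and supplements individual notice.
    out["media_notice_states"] = sorted(
        s for s, n in rec.affected_by_state.items() if n > MEDIA_NOTICE_THRESHOLD
    )
    out["hhs_notice"] = (
        "immediately, contemporaneously with individual notice"
        if total >= HHS_IMMEDIATE_THRESHOLD
        else "log and submit annually"
    )
    return out


def sample_large_breach() -> BreachRecord:
    """Constructed sample: lost laptop, known to a second staffer three days after the perpetrator."""
    return BreachRecord(
        occurred=date(2017, 1, 10),
        known_by={"bob": date(2017, 1, 12), "alice": date(2017, 1, 15)},
        perpetrator="bob",
        affected_by_state={"CA": 600, "NV": 20},
        bad_contact_count=12,
    )


def sample_small_breach() -> BreachRecord:
    """Constructed sample: misdirected claims file found by a business associate."""
    return BreachRecord(
        occurred=date(2017, 2, 1),
        known_by={"carol": date(2017, 2, 3)},
        perpetrator=None,
        affected_by_state={"TX": 30},
        bad_contact_count=3,
        discovered_by_business_associate=True,
    )


if __name__ == "__main__":
    for rec in (sample_large_breach(), sample_small_breach()):
        for k, v in obligations(rec).items():
            print(f"{k}: {v}")
        print()
```

Two points worth noticing in the output: the large breach's clock starts on January 15, the first day someone other than the person who caused it knew, not on the day it occurred; and media notice is owed only in California, because the page's media threshold is per state, while the HHS threshold is the total count.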
The National Provider Identifier (NPI) is a unique identification number for covered healthcare providers. Covered healthcare providers and all health plans and healthcare clearinghouses are required to use the NPIs in the administrative and financial transactions adopted under HIPAA. The NPI is a 10-digit number that does not carry other information about healthcare providers, such as the state in which they are located or their medical specialty. For more information, visit http://www.cms.gov.
Under the HITECH Act, the HHS is required to perform periodic audits to make sure covered entities and business associates are in compliance with HIPAA's Privacy and Security Rules and Breach Notification standards. At the end of 2011, HHS's Office for Civil Rights (OCR) took steps to comply with these audit requirements and piloted a program to perform audits of covered entities to assess privacy and security compliance. Through this pilot program, the OCR developed an audit protocol (set of instructions) to measure the efforts of covered entities and business associates. For more information, visit HHS's website at http://www.hhs.gov/ocr.
Last reviewed on February 21, 2017.
Important: Health plans may disclose PHI to plan sponsors only for plan administrative purposes and only if the sponsor certifies that it will use the information in accordance with the standards. Plan documents must be amended to provide that disclosure will be limited to permitted uses (45 CFR 164.504).
Warning: A plan may never disclose PHI to the plan sponsor for the purpose of employment-related actions or decisions, or in connection with any other benefit or employee benefit plan of the plan sponsor.
The HIPAA Privacy Rule sets out numerous specific policies, procedures, documents, and personnel appointments that a covered entity must implement in order to comply. In addition, the rule sets out several ways that a group health plan can reduce its compliance burden.
Privacy notice. The HIPAA Privacy Rule requires that group health plan participants be provided with adequate notice of the uses and disclosures of their PHI that may be made by a covered entity and of their privacy rights and the plan's legal duties with respect to PHI (45 CFR 164.520). Generally, a group health plan that provides health benefits solely through an insurance contract with a health insurance issuer or a health maintenance organization (HMO) does not have to provide a notice. However, if such a plan receives more than summary health information and/or enrollment information from the insurer, it must have a notice prepared that must be provided upon request to any person who has a right to a notice. A self-insured group health plan must distribute the notice itself.
Privacy notice availability reminders. The HIPAA privacy regulations require group health plans to notify plan participants at least once every 3 years of the availability of the privacy notice and how to obtain it.
Note: The regulations require covered entities to describe certain uses and disclosures of PHI, detail when separate statements for certain uses or disclosures are required, state that they are required to notify affected individuals following a breach of unsecured PHI, and describe the procedure that a health plan must follow if there is a material change to the notice.
Administrative requirements. The Privacy Rule imposes certain administrative requirements on covered entities (45 CFR 164.530). However, the requirements are designed to be flexible to allow a covered entity to evaluate its own needs and implement solutions that are appropriate for its particular organization. The administrative requirements address:
Personnel designations. A covered entity must designate a privacy officer responsible for developing and implementing required policies and procedures and a contact person responsible for receiving complaints and providing information about matters contained in the notice of privacy practices.
Training. A covered entity must train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their functions, and must document that training has been provided.
Safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. It must also reasonably safeguard PHI to protect it from any intentional or unintentional use or disclosure in violation of the Privacy Rule and to limit incidental uses or disclosures as required by the Privacy Rule.
Complaints. A covered entity must provide a process for individuals to make complaints about the covered entity’s privacy policies and procedures or its compliance with the Privacy Rule. A covered entity must also document all complaints it receives and their disposition.
Sanctions. A covered entity must have and apply appropriate sanctions against its workforce members who fail to comply with its privacy policies and procedures or the requirements of the Privacy Rule.
Mitigation. A covered entity must mitigate, to the extent practicable, any harmful effect that is known of a use or disclosure of PHI by the covered entity or its business associate in violation of its policies and procedures or the requirements of the Privacy Rule.
Retaliation. A covered entity may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise of the individual’s rights under the Privacy Rule, including filing complaints.
Waiver. A covered entity may not require an individual to waive his or her rights under the Privacy Rule as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.
Policies and procedures. A covered entity must implement policies and procedures with respect to PHI that are designed to comply with the standards, implementation specifications, or other requirements of the Privacy Rule. The policies and procedures must be reasonably designed, taking into account the size and type of activities undertaken by the covered entity that relate to PHI. Thus, a very big organization with many employees handling large volumes of PHI will have to adopt much more elaborate policies and procedures than a small organization with few employees handling a small volume of PHI.
Documentation. A covered entity must maintain its privacy policies and procedures, and any communications, writings, actions, activities, or designations that the Privacy Rule requires to be documented, in written or electronic form for 6 years from the date of creation or the date when the item was last in effect, whichever is later.
A group health plan is exempt from several compliance requirements if it provides health benefits solely through an insurance contract with a health insurance issuer or an HMO, and the only PHI it receives or creates is either summary health information or enrollment information. However, such an exempt plan does have to refrain from intimidating and retaliatory acts, may not require a waiver of rights, and must comply with the documentation requirements.
A group health plan generally does not have to be amended before it is permitted to share information with the plan sponsor if it or its health insurance issuer or HMO discloses only limited information to the plan sponsor (45 CFR 164.504). The information that may be provided without activating the amendment requirement falls into two categories.
The first is summary health information that the plan sponsor requests for the limited purposes of:
• Obtaining premium bids from health plans for providing health insurance coverage under the group health plan; or
• Modifying, amending, or terminating the group health plan.
The second category is information on whether an individual is participating in the group health plan or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan.
The HIPAA Security Rule is a corollary to the Privacy Rule and specifies a series of administrative, technical, and physical security procedures for covered entities and business associates to use to ensure the confidentiality, integrity, and availability of PHI in electronic format. The standards require covered entities and business associates to implement basic safeguards to protect electronic PHI from unauthorized access, alteration, deletion, and transmission (45 CFR 164.306). The security standards do not require use of specific technologies and were designed to be “technology neutral” in order to facilitate using the latest and most promising technologies that meet the needs of different healthcare organizations.
The various standards may have either “required” or “addressable” implementation specifications. If an implementation specification is described as “required,” the specification must be implemented. The concept of “addressable implementation specifications” was developed to provide covered entities and business associates additional flexibility with respect to compliance with the security standards. A covered entity or business associate will have to decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework. This decision will depend on a variety of factors, such as the entity's risk analysis, risk mitigation strategy, security measures already in place, and the cost of implementation. The decisions that a covered entity or business associate makes regarding addressable specifications must be documented.
Covered entities and business associates have some flexibility in designing the security measures they will implement, but they cannot assume that those measures will always remain “reasonable and appropriate.” Thus, covered entities and business associates are required to periodically review their security measures and modify them when necessary.
There are quite a few administrative safeguards that covered entities and business associates are required to implement (45 CFR 164.308). More specifically, they are required to:
• Implement security management policies and procedures to prevent, detect, contain, and correct security violations;
• Identify a security official who is responsible for the development and implementation of the policies and procedures required by the Security Rule;
• Implement workforce security policies and procedures to ensure that all members of the workforce have appropriate access to electronic PHI and to prevent giving access to those workforce members who are not authorized to have access;
• Implement information access management policies and procedures for authorizing access to electronic PHI;
• Implement security awareness and training so that all members of the workforce (including management) are aware of and trained about security issues;
• Implement security incident procedures to address security incidents;
• Establish and implement, as needed, policies and procedures for responding to an emergency or other occurrence that damages systems that contain electronic PHI;
• Perform periodic evaluations to establish how well an entity’s security policies and procedures meet the requirements of the Security Rule; and
• Permit a business associate to create, receive, maintain, or transmit electronic PHI on the covered entity’s behalf only if the covered entity obtains, through a business associate contract or other arrangement, satisfactory assurances that the business associate will appropriately safeguard the information. (Likewise, a business associate may permit a subcontractor to create, receive, maintain, or transmit electronic PHI on its behalf only if the business associate obtains satisfactory assurances that the subcontractor will appropriately safeguard the information.)
Covered entities and business associates are also required to implement certain physical safeguards (45 CFR 164.310). They are required to:
• Implement facility access controls to limit physical access to electronic information systems, and to the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed;
• Implement workstation use policies and procedures to specify the proper functions to be performed and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic PHI;
• Implement physical safeguards for all workstations that access electronic PHI to restrict access to authorized users; and
• Implement policies and procedures to regulate the receipt and removal of hardware and electronic media that contain electronic PHI into and out of a facility and the movement of those items within the facility.
Finally, covered entities and business associates are required to implement various technical safeguards (45 CFR 164.312). They must:
• Implement technical policies and procedures for electronic information systems that maintain electronic PHI to allow access only to those persons or software programs that have been granted access;
• Implement audit controls that record and examine activity in information systems containing or using electronic PHI;
• Implement integrity policies and procedures to protect electronic PHI from improper alteration or destruction;
• Implement procedures to verify that a person or entity seeking access to electronic PHI is the one claimed; and
• Implement technical security measures to guard against unauthorized access to electronic PHI that is being transmitted over an electronic communications network.
Requirements for group health plans. Unless a plan discloses only limited electronic PHI to the plan sponsor, the plan documents must be amended to provide that the plan sponsor will reasonably and appropriately safeguard electronic PHI created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan (45 CFR 164.314).
Many of HIPAA’s requirements apply to covered entities and their “business associates.” Generally, a business associate is any person or entity that performs some function for a covered entity that involves handling PHI. The formal definition includes any person or entity that:
• On behalf of a covered entity or certain organized healthcare arrangements, creates, receives, maintains, or transmits PHI for a function or activity regulated by HIPAA (e.g., claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, certain patient safety activities, billing, benefit management, practice management, and repricing); or
• Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity (or certain organized healthcare arrangements), when the provision of the service involves the disclosure of PHI (45 CFR 160.103).
Additionally, a business associate would include any “subcontractor that creates, receives, maintains, or transmits [PHI] on behalf of the business associate.” This provision greatly expands the group of organizations that covered entities and their direct business associates must ensure are contractually obligated to comply with the Privacy Rule and Security Rule.
Business associate contracts. Under the Privacy Rule, a covered entity must enter into written agreements with business associates (often referred to as “business associate agreements”) that contain certain terms. For example, the business associate agreement must:
• Establish the permitted and required uses and disclosures of PHI by the business associate;
• Set certain limitations and obligations for the business associate; and
• Authorize the covered entity to terminate the contract if the covered entity determines that the business associate has violated a material term of the contract (45 CFR 164.504(e)(2)).
Additionally, HIPAA regulations require that business associate contracts must provide that the business associate will:
• Comply with the applicable requirements of the Security Rule;
• Ensure that any subcontractors that create, receive, maintain, or transmit electronic PHI on behalf of the business associate agree to comply with the applicable requirements of the Security Rule by entering into a contract or other arrangement; and
• Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured PHI (45 CFR 164.314).
These contract requirements also apply to the contract or other arrangement between a business associate and a subcontractor.
Direct application of the privacy and security rules to business associates. Under the HITECH Act, many of the privacy and security rules apply directly to business associates in the same way that they apply to covered entities, including the civil and criminal penalties for violations (42 USC 17931 and 42 USC 17934).
The Privacy Rule provides individuals with the right to receive an accounting of certain disclosures of the individual's PHI made by a covered entity in the 6 years before the request for the accounting (45 CFR 164.528). One of the exceptions to this requirement is disclosures to carry out treatment, payment, and healthcare operations. However, under the HITECH Act, individuals have the right to request an accounting of such disclosures made through an electronic health record during the 3 years before the request (42 USC 17935).
Requests for electronic health records. If a covered entity uses or maintains electronic health records that contain PHI, an individual may request a copy of the record in electronic format or have the covered entity send a copy to another entity or person (42 USC 17935).
HIPAA was amended in 2009 to require notification by covered entities and their business associates of breaches of unsecured protected health information (UPHI) (42 USC 17932). If a covered entity discovers that UPHI that the entity accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses has been breached, the entity must notify each individual whose UPHI has been, or is reasonably believed by the entity to have been, accessed, acquired, or disclosed as a result of the breach. A business associate of a covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses UPHI must notify the covered entity if the business associate discovers such a breach of the privacy of the UPHI. The notice must identify each individual whose UPHI has been, or is reasonably believed by the business associate to have been, accessed, acquired, or disclosed during such breach.
"Breach" defined. The term “breach” means the unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of such information (45 CFR 164.402).
Exceptions. A breach does not include the following:
• Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further impermissible use or disclosure;
• Any inadvertent disclosure by a person who is authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity or business associate, or organized healthcare arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further impermissibly used or disclosed; or
• A disclosure of PHI where a covered entity or business associate has a good-faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information (45 CFR 164.402).
An acquisition, access, use, or disclosure of PHI in an impermissible manner is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:
• The nature and extent of the PHI involved, including the types of identifiers and the likelihood of reidentification;
• The unauthorized person who used the PHI or to whom the disclosure was made;
• Whether the PHI was actually acquired or viewed; and
• The extent to which the risk to the PHI has been mitigated.
The regulations also note that UPHI means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by HHS guidance.
Securing PHI. The HITECH Act requires HHS to issue, and annually update, guidance specifying the technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals. Covered entities and business associates are not required to follow the guidance, but PHI protected by one of the specified technologies or methodologies is not “unsecured,” so the guidance functions as a safe harbor: a breach of such PHI does not trigger the notification requirements. The safe harbor covers only the HIPAA notification duty. Covered entities and business associates must still meet any other federal and state obligations that apply after a breach of PHI, such as state breach notification laws, and a covered entity must still mitigate, to the extent practicable, any harmful effect of a breach by the covered entity or a business associate that is known to it.
Technologies and methodologies that make PHI unusable, unreadable, or indecipherable. HHS guidance provides that PHI is rendered unusable, unreadable, or indecipherable to unauthorized individuals only if one or more of the following applies:
• Electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key,” and the confidential process or key that might enable decryption has not itself been breached. The guidance points to NIST Special Publication 800-111 for data at rest and to NIST SP 800-52, 800-77, 800-113, or another FIPS 140-2 validated process for data in motion. If encryption is used, the decryption keys or tools must be stored on a device or at a location separate from the data they encrypt or decrypt; an encrypted database whose key sits on the same compromised host does not qualify.
• Paper, film, or other hard copy media on which the PHI is stored or recorded have been shredded or destroyed so that the PHI cannot be read or otherwise reconstructed. (Redaction, in lieu of destruction, is not acceptable.)
• Electronic media have been cleared, purged, or destroyed consistent with National Institute of Standards and Technology (NIST) Special Publication 800-88, Guidelines for Media Sanitization, so that the PHI cannot be retrieved.
For more information, visit http://www.hhs.gov/ocr/privacy.
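As an added illustration of the first bullet above, and not code from the original page or from HHS, the following Go program encrypts a PHI record with AES-256-GCM from Go's standard library and keeps the key in a store that is separate from the encrypted record. The record contents, the key identifier, and the KeyStore and DataStore types are constructed for this example; the key store stands in for the separate device or key management service the guidance calls for. It shows why a stolen copy of the data store alone yields nothing without the key, and why the authentication tag also rejects any alteration of the ciphertext, which speaks to the Security Rule's integrity safeguard. The choice of AES-GCM is this example's; the HHS guidance describes the property to achieve, not a particular algorithm.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what the data store holds: the ciphertext, the GCM nonce,
// and a reference to the key. The key itself never lives here.
type Envelope struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte // AES-GCM output: ciphertext followed by a 16-byte authentication tag
}

// NewDataKey returns a fresh 256-bit AES key from the OS CSPRNG.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord encrypts one PHI record under key (identified by keyID) with
// AES-256-GCM. keyID is bound as additional authenticated data, so an envelope
// cannot be silently re-pointed at a different key.
func EncryptRecord(key []byte, keyID string, record []byte) (Envelope, error) {
	aead, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := aead.Seal(nil, nonce, record, []byte(keyID))
	return Envelope{KeyID: keyID, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptRecord reverses EncryptRecord. Any change to the nonce, ciphertext,
// tag, or key ID, or use of the wrong key, fails the GCM tag check and returns
// an error instead of plaintext.
func DecryptRecord(key []byte, env Envelope) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != aead.NonceSize() {
		return nil, errors.New("bad nonce length") // Open would panic on a wrong-size nonce
	}
	pt, err := aead.Open(nil, env.Nonce, env.Ciphertext, []byte(env.KeyID))
	if err != nil {
		return nil, fmt.Errorf("decrypt with %s: %w", env.KeyID, err)
	}
	return pt, nil
}

// KeyStore models the separate device (KMS, HSM, or at least a separate host)
// where the guidance wants keys kept. Nothing in DataStore can reach it.
type KeyStore map[string][]byte

// DataStore models the system holding the encrypted records.
type DataStore map[string]Envelope

func main() {
	keys := KeyStore{}
	data := DataStore{}

	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	keys["phi-key-2017-01"] = key // hypothetical key identifier

	// Constructed sample record; not real PHI.
	record := []byte(`{"mrn":"000123","name":"J. Doe","dx":"E11.9"}`)
	env, err := EncryptRecord(key, "phi-key-2017-01", record)
	if err != nil {
		panic(err)
	}
	data["000123"] = env

	// Scenario 1: only the data store is stolen. The attacker holds the
	// envelope but no key, so decryption with any guess fails.
	if _, err := DecryptRecord(make([]byte, 32), data["000123"]); err != nil {
		fmt.Println("data store alone: unreadable ->", err)
	}

	// Scenario 2: an authorized system fetches the key by ID and decrypts.
	pt, err := DecryptRecord(keys[env.KeyID], env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("authorized read: %s\n", pt)
}
```

If the key store is also compromised, the "confidential process or key" has been breached and the safe harbor no longer applies, whatever the cipher; that is the reason for the separate-device requirement, and it is why key access should be logged and restricted under the access-control and audit-control safeguards described above.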
Notice requirements. A breach is treated as discovered by a covered entity or business associate as of the first day on which the breach is known to any person, other than the person committing the breach, who is an employee, officer, or other agent of the entity or associate, or on which it would reasonably have been known to have occurred (42 USC 17932 and 45 CFR 164.404). Notifications must be made without unreasonable delay and in no case later than 60 calendar days after the breach is discovered. The 60 days is an outer limit, not a grace period: an entity that has the information needed to notify sooner must do so.
The covered entity or business associate bears the burden of demonstrating that all required notifications were made, including evidence of the need for any delay.
How to provide notice. Notices to be provided to an individual, with respect to a breach, must be provided promptly and in writing by first-class mail to the individual at the last known address of the individual or, if specified as a preference by the individual, by e-mail. If the covered entity knows the individual is deceased and has the address of the next of kin or personal representative of the individual, written notification must be sent by first-class mail to either the next of kin or personal representative. The notification may be provided in one or more mailings as information becomes available.
Substitute notice. If the contact information for an individual is insufficient or out of date, substitute notice may be provided.
If there is insufficient or out-of-date contact information for fewer than 10 individuals, a substitute notice may be provided by an alternative form of written notice, telephone, or other means (45 CFR 164.404).
If there is insufficient or out-of-date contact information for 10 or more individuals, the substitute notice must be made by a conspicuous posting for a period of 90 days on the home page of the website of the covered entity or a conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside. This notice must include a toll-free phone number that remains active for at least 90 days with which an individual can learn whether the individual’s unsecured PHI may be included in the breach.
Urgent notice. If the covered entity believes misuse of the UPHI may be imminent, it may, in addition to the written notice, provide information to individuals by telephone or other appropriate means.
Media notice. Notice must be provided to prominent media outlets serving a state or jurisdiction without unreasonable delay and in no case later than 60 days after the discovery of a breach involving UPHI of more than 500 residents of the same state or jurisdiction (45 CFR 164.406). Media notification supplements, but does not replace, individual notification.
Notice to HHS. A covered entity must notify HHS of breaches of UPHI. For a breach involving 500 or more individuals, the notice to HHS must be provided contemporaneously with the notice to individuals, that is, without unreasonable delay and in no case later than 60 calendar days after discovery. For a breach involving fewer than 500 individuals, the covered entity may instead log the breach and submit the log of all such breaches discovered during the preceding calendar year to HHS annually, no later than 60 days after the end of that calendar year (45 CFR 164.408).
Notice content. Regardless of how the notice of a breach is provided to individuals, the notice must include, to the extent possible, the following:
• A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
• A description of the types of UPHI that were involved (such as whether full names, Social Security numbers, dates of birth, home addresses, account numbers, or disability codes were involved);
• The steps individuals should take to protect themselves from potential harm resulting from the breach;
• A brief description of what the covered entity is doing to investigate the breach, to mitigate losses, and to protect against any further breaches; and
• Contact procedures for individuals to ask questions or learn additional information, including a toll-free telephone number, an e-mail address, a website, or a postal address (42 USC 17932 and 45 CFR 164.404).
Note: If a law enforcement official determines that a notification, notice, or posting required would impede a criminal investigation or cause damage to national security, the notification, notice, or posting may be delayed.
Business associates. A business associate that discovers a breach of UPHI must notify the covered entity of such breach (45 CFR 164.410). A breach is treated as discovered by a business associate as of the first day on which it is known to the business associate or, by exercising reasonable diligence, would have been known to the business associate. A business associate will be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of the business associate.
A business associate must provide the notification required without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. The notification is to include, to the extent possible, the identification of each individual whose UPHI has been, or is reasonably believed by the business associate to have been, accessed, acquired, used, or disclosed during the breach. A business associate must also provide the covered entity with any other available information that the covered entity is required to include in notification to the individual at the time of the notification or promptly thereafter as the information becomes available.
The National Provider Identifier (NPI) is a unique identification number for covered healthcare providers. Covered healthcare providers and all health plans and healthcare clearinghouses are required to use the NPIs in the administrative and financial transactions adopted under HIPAA. The NPI is a 10-digit number that does not carry other information about healthcare providers, such as the state in which they are located or their medical specialty. For more information, visit http://www.cms.gov.
Under the HITECH Act, HHS is required to perform periodic audits to make sure covered entities and business associates are in compliance with HIPAA's Privacy and Security Rules and Breach Notification standards. At the end of 2011, HHS's Office for Civil Rights (OCR) took steps to comply with these audit requirements and piloted a program to audit covered entities for privacy and security compliance. Through this pilot program, OCR developed an audit protocol (a set of instructions) to measure the efforts of covered entities and business associates. For more information, visit HHS's website at http://www.hhs.gov/ocr.
Last reviewed on February 21, 2017.
Copyright © 2017 Business & Legal Resources. All rights reserved. 800-727-5257
This document was published on http://Compensation.BLR.com
Document URL: http://compensation.blr.com/analysis/Benefits-Administration/HIPAA-Health-Information-Privacy/