Companies within the medical industry need to be aware of all rules and regulations that govern both the care side and the business side. That goes not just for healthcare providers themselves, but also many companies working with them.
For example, here’s a question:
The HIPAA privacy rule applies to which of the following?
The answer is: hospitals, doctors’ private practices, vendors that work with them, and more.
If your business is within or adjacent to the medical industry, you’ll likely need to comply with the HIPAA privacy rule. But all of its various specifications can make following it a challenge. And that difficulty compounds with the three other HIPAA rules you need to follow as well.
Beginner’s Guide to the HIPAA Privacy Rule
To understand HIPAA, you have to start with the privacy rule.
The “Standards for Privacy of Individually Identifiable Health Information” is a foundational element of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In fact, the rule establishes the basic underlying principles and protections for all of HIPAA.
In this blog, we’ll provide a HIPAA privacy rule summary, then break down all you need to know about the other rules within HIPAA, as well as how to comply. By the time we’re done, you won’t be a beginner anymore; you’ll be a privacy rule and HIPAA expert.
What is HIPAA and Why it Matters
HIPAA was passed in 1996 for two main reasons. The first concerns consumers: it ensures safety and security of all patients. The second concerns providers: legislators also wanted to improve the overall effectiveness and efficiency of the healthcare system. HIPAA ensures the safety and privacy of both patients and healthcare companies. Should a data leak occur, both parties could experience significant harm.
On top of this, failure to comply can result in huge potential costs. The US Department of Health and Human Services (HHS) administers HIPAA. Its internal Office for Civil Rights (OCR) enforces civil fines for noncompliance. Serious or chronic violations of HIPAA can result in criminal penalties, enforced by the Department of Justice (DOJ). So, even if you’re only acting out of self-preservation, you need to understand and abide by the privacy rule, and all of HIPAA.
HIPAA Privacy Rule Summary
The HIPAA privacy rule was the first of what would eventually become four HIPAA rules. It sets the stage for the whole Act by defining key terminology, such as:
- Who HIPAA applies to
- Which entities are covered
- What HIPAA helps protect
- Which information is protected
Importantly, these definitions guide all other HIPAA rules. But the privacy rule also includes specific regulations, namely:
- How exactly the privacy rule regulates safety
- Which safeguards it requires
History of the Privacy Rule
While HIPAA was passed in 1996, the first proposed form of the privacy rule appeared in 1999. This is because the HHS Secretary was required to issue regulations under the law’s Administrative Simplification provisions within three years, unless Congress passed its own such legislation. Since Congress did not pass its own legislation, the request for comments went out in November of 1999.
Over 50,000 comments from stakeholders in the industry helped shape the first form of the privacy rule, which was released in December of 2000. Since then, major modifications came with the 2002 final rule and the current omnibus final rule (2013), which covers all of the HIPAA rules combined.
These changes have modernized the privacy rule, making it possible to apply its original intent in a digital landscape that’s far different from when it first launched.
Who is Covered by the Privacy Rule
Covered parties are defined in three distinct categories:
- Health plans – Employers and other parties that pay for the cost of healthcare services, typically through health insurance plans, as well as the insurers themselves.
- Healthcare providers – Individual doctors and specialists, as well as larger institutions (hospitals, clinics, etc.), that provide health services (surgery, medicine, etc.).
- Healthcare clearinghouses – Companies that process identifiable health information in non-standard formats and convert it into standardized formats (billing services, etc.).
In addition to the parties directly involved in the healthcare industry, there are also rules in place for others who are indirectly involved with the business. Persons or associations deemed business associates are those who “service covered entities and require use or disclosure of PHI.” These entities also need to have protective measures in place, guaranteed via a contract with the covered entity.
What is Protected by the Privacy Rule
According to the Privacy Rule Summary, HIPAA protects any and all “individually identifiable health information that’s harbored, used, or transmitted by a covered entity.” This information is designated as protected health information (PHI).
All electronic, paper, oral, and other forms of the following information are protected if they could be used to identify a given patient or client:
- Records of past, present, and future health conditions
- History of medical service encounters and treatments
- Financial records pertaining to any healthcare received
How the Privacy Rule Works in Practice
The most important element of the privacy rule is its codification of how PHI is to be protected.
Firstly, it specifies that PHI may only be used or disclosed in HIPAA permitted cases or when formally authorized by the patient to whom PHI pertains. Permitted use and disclosure cases include:
- To the individual – PHI may be disclosed to the individual who is the subject of the information in question, as well as certain personal representatives thereof.
- In healthcare operations – Covered entities may use or disclose PHI, internally or in concert with other covered entities providing care to a given individual, for purposes of:
  - Providing healthcare services (therapy, surgery, etc.)
  - Obtaining payment for services (through premiums, etc.)
  - Maintaining business operations (assessment, planning, etc.)
- With informal permission – PHI may be used or disclosed if informal permission is granted, or if a medical professional determines such use or disclosure to be in the best interest of an individual unable to consent (due to an emergency, the influence of drugs, etc.).
- Incidental or combined – Uses or disclosures of PHI that occur as part of, or incident to, other permitted uses or disclosures are likewise permitted.
- In the public interest – PHI may be used or disclosed without permission or authorization for 12 specific purposes that benefit a public interest:
  - When required by law or court order
  - To support public health initiatives
  - To government agencies regarding abuse
  - To aid health oversight activities
  - As part of judicial proceedings
  - For investigations or law enforcement
  - To coroners and funeral arrangers
  - For bodily donation purposes
  - For medical and scientific research
  - To prevent serious health threats
  - For essential governmental functions
  - In matters related to workers’ compensation
- Of limited data sets – Documents containing PHI may be used or disclosed if particular identifying information is removed. The recipient of such information must enter into a data use agreement that upholds the spirit of the privacy rule’s regulations.
Within these parameters, covered entities are also obligated to limit their use and disclosure of PHI to only the minimum necessary amount required. This means sharing as little information as possible, with as few parties as possible, within the given permitted use case.
Importantly, the privacy rule also requires covered entities to disclose PHI to its subject(s) upon request, or to government agencies in certain situations. No minimum necessary requirement applies to required disclosures, nor any disclosure made to the subject of the PHI.
Overview of Remaining HIPAA Rules
The privacy rule is the most foundational and important set of HIPAA requirements, and it gives shape to HIPAA as a whole. However, it’s not the only rule that healthcare and health-adjacent companies need to understand and follow.
The remaining HIPAA rules include:
- The Security Rule – First proposed in 1998, the second rule reached its first final form in 2003. It extends the privacy rule’s requirements for PHI to electronic versions thereof (ePHI). It also codified safeguards and requirements across four categories:
- The Enforcement Rule – The first interim version of enforcement came about in 2003 as part of the privacy rule. Unlike the first two rules, this one codifies not requirements but the formal enforcement process, including enforceable penalties:
  - Civil money penalties, beginning at $100 per incident and up to a maximum of $50,000 per incident and $1.5 million per calendar year.
  - Criminal penalties, beginning at 1 year’s imprisonment with $50,000 in fines and up to 10 years in prison with an additional $250,000 in fines.
- The Breach Notification Rule – In 2009, the rule was proposed and reached its first final form. It requires covered entities to follow specific protocols in the event of a data breach, or leak of unprotected PHI. Those specifications include:
  - Individual notices, within 60 days of the incident, given to any and all subjects of PHI whose information was inappropriately used or disclosed.
  - Media notice, within 60 days of the incident, to prominent media outlets for any incident involving 500 or more residents of a given jurisdiction.
  - Notice to the HHS Secretary, within 60 days or annually, depending on the severity of the breach and the number of persons affected.
Importantly, these rules have a fair amount of overlap. Firstly, the privacy rule’s provisions pertain to all PHI, compounding with the security rule’s requirements for ePHI in particular.
Another example is 2009’s Health Information Technology for Economic and Clinical Health Act, or HITECH. When passed, HITECH made significant changes to the enforcement rule by way of changes to the security rule. The security and enforcement rules look the way they do because of HITECH. Likewise, all of HIPAA looks the way it does because of the privacy rule.
How to Achieve and Maintain Compliance
With all of the safeguards and other rules required, compliance can be a challenge for covered entities and business associates. That’s why, for most entities, professional advisory services are the easiest and best way to keep your patients — and company — safe.
RSI Security offers a robust suite of HIPAA compliance services to guide your company through all stages of HIPAA compliance. We’re fully accredited Compliance Assessors and Advisors.
As such, we’re happy to help with:
- Initial inventory and preparation
- Patch identification and implementation
- Risk analysis of patient data environment
- Audits for all required safeguards
- Ongoing compliance support
RSI Security is your best option for compliance with HIPAA over the short and long term.
Professionalize Your Compliance and Cybersecurity
Here at RSI Security, we’re dedicated to helping companies across industries meet all their compliance needs. In healthcare and adjacent industries, that means HIPAA. But, depending on the nature of your business, you might also need to meet other standards, such as PCI DSS, or GDPR. We offer compliance advisory services for any framework you need.
Plus, we know compliance is just the start of your cybersecurity.
Our team of experts boasts a decade of experience providing all kinds of cyberdefense solutions to companies of all sizes. Whether you need overall architecture implementation or vulnerability management, or even focused penetration testing, we’ve got you covered.
To revisit the question from above — the HIPAA privacy rule applies to which of the following businesses: hospitals, doctors, or vendors? All of them, and various others. So, if your healthcare or adjacent business needs to achieve compliance, contact RSI Security today!