HIPAA Flashcards
Sector
Medical
Year Passed/Amended
1996;
Privacy Rule promulgated in 2000 and amended 2002;
Security Rule promulgated 2004;
HITECH passed 2009
Original Purpose
Improve efficiency of healthcare delivery by requiring a shift to electronic format for certain types of records
Primary Requirements
Restricts use or disclosure of health information, beyond the minimum necessary for a particular list of uses (chiefly TPO: treatment, payment and operations)
Entities subject to the law
Two types of entities:
- “Covered entities:”
(a) healthcare providers that conduct certain transactions (namely billing and insurance) electronically;
(b) healthcare plans (i.e. insurers);
(c) healthcare clearinghouses;
- “Business associates” (i.e. data processors), pursuant to HITECH: any person or organization, other than a covered entity’s workforce, that performs services and activities for, or on behalf of, a covered entity, if such services involve the use or disclosure of PHI. Note: this covers employers who act as intermediaries between their employees and a health care provider
Term for relevant PII or regulated data
PHI (Protected Health Information); ePHI
Definition of relevant PII or regulated data
(a) individually identifiable;
(b) health information;
(c) held by a covered entity or its business associate;
(d) which identifies the individual or offers a reasonable basis for identification; and
(e) relates to
(i) a past, present or future medical condition,
(ii) provision of health care, or
(iii) payment of health care
Enforcing Authority - Civil
General: HHS - Department of Health and Human Services
Privacy Rule: HHS OCR - Office of Civil Rights
Non-preempted state law: state AGs
Non-preempted FTC rules: FTC
Penalties - Civil
Up to $1.6 million per type of violation
Examples: $3.9 million settlement in 2016 for PHI stolen from employee’s laptop; $1.7 million in 2013 for not implementing required policies and procedures
Enforcing Authority - Criminal
DOJ - Department of Justice
Penalties - Criminal
Prison sentences up to 10 years
Preemption
Does not preempt stricter state laws (but does preempt less strict state law); does not preempt FTC Section 5 authority over the same conduct
Private Right of Action?
No
FIP Individual Rights Provided
Notice, opt-in consent, access (Privacy Rule), list of disclosures
Notice Requirements - non-breach
Must provide detailed privacy notice at the date of first service delivery
Notice Requirements - breach
HITECH requires notice of breach unless there is a low probability that the security or privacy of the PHI has been compromised:
(a) must notify individuals within 60 days of discovery of breach;
(b) if breach affected more than 500 people, must notify HHS immediately; and
(c) if breach affected more than 500 people in the same jurisdiction, must notify the media.
Breach notification rules apply only to “unsecured” (read: unencrypted) data
Exceptions to notice requirements
Non-breach:
(a) medical emergencies;
(b) indirect treatment relationship
Breach:
(a) data is “secured,” i.e. encrypted;
(b) low probability that the security or privacy of the PHI has been compromised
Choice and consent
Opt-in (written authorization) for most uses.
Cannot be a condition for treatment
Consent Exceptions
(a) Essential healthcare purposes - Treatment, Payment and Operations (TPO);
(b) De-identified information (remove listed elements, or get certification);
(c) Research;
(d) Public health activities;
(e) to report abuse;
(f) in judicial and administrative proceedings;
(g) to HHS, to investigate compliance with HIPAA
Access rights
Privacy Rule provides the right to access and copy PHI
FIP Controls Addressed
Information Security, Information Quality
Information Security Requirements
Privacy Rule: must implement administrative, physical and technical safeguards
Security Rule: “reasonable” safeguards (effectively a negligence standard?), proportionate to entity’s size and capabilities and the type of PHI. Some safeguards are required; others are “addressable:”
Required:
(a) ensure confidentiality, integrity and accessibility of PHI;
(b) protect against reasonably anticipated threats;
(c) protect against reasonably anticipated impermissible use or disclosure;
(d) ensure compliance by employees/agents;
(e) conduct ongoing risk assessments and adjust based on the results
Information Quality Requirements
Security Rule: must ensure CIA (confidentiality, integrity and availability)
Privacy Rule: right to amend
FIP Information Lifecycle Categories Covered
Use and Retention, Disclosure (not Collection/Disposal)