HIPAA

Question 1

Sector

Answer 1

Medical

Question 2

Year Passed/Amended

Answer 2

1996;
Privacy Rule promulgated in 2000 and amended 2002;
Security Rule promulgated 2004;
HITECH passed 2009

Question 3

Original Purpose

Answer 3

Improve efficiency of healthcare delivery by requiring a shift to electronic format for certain types of records

Question 4

Primary Requirements

Answer 4

Restricts use or disclosure of health information, beyond the minimum necessary for a particular list of uses (chiefly TPO: treatment, payment and operations)

Question 5

Entities subject to the law

Answer 5

Two types of entities:

1. “Covered entities:”
   (a) healthcare providers that conduct certain transactions (namely billing and insurance) electronically;
   (b) healthcare plans (i.e. insurers);
   (c) healthcare clearinghouses;
2. “Business associates” (i.e. data processors), pursuant to HITECH: Any person or organization, other than a covered entity’s workforce, that performs services and activities for, or on behalf of, a covered entity, if such services involve the use or disclosure of PHI. Note: this covers employers who acts as intermediaries between their employees and a health care provider

Question 6

Term for relevant PII or regulated data

Answer 6

PHI (Protected Health Information); ePHI

Question 7

Definition of relevant PII or regulated data

Answer 7

(a) individually identifiable;
(b) health information;
(c) held by a covered entity or its business associate;
(d) which identifies the individual or offers a reasonable basis for identification; and
(e) relates to
(i) a past, present or future medical condition,
(ii) provision of health care, or
(iii) payment of health care

Question 8

Enforcing Authority - Civil

Answer 8

General: HHS - Department of Health and Human Services

Privacy Rule: HHS OCR - Office of Civil Rights

Non-preempted state law: state AGs

Non-preempted FTC rules: FTC

Question 9

Penalties - Civil

Answer 9

Up to $1.6 million per type of violation

Examples: $3.9 million settlement in 2016 for PHI stolen from employee’s laptop; $1.7 million in 2013 for not implementing required policies and procedures

Question 10

Enforcing Authority - Criminal

Answer 10

DOJ - Department of Justice

Question 11

Penalties - Criminal

Answer 11

Prison sentences up to 10 years

Question 12

Preemption

Answer 12

Does not preempt stricter state laws (but does preempt less strict state law); does not preempt FTC Section 5 authority over the same conduct

Question 13

Private Right of Action?

Answer 13

No

Question 14

FIP Individual Rights Provided

Answer 14

Notice, opt-in consent, access (Privacy Rule), list of disclosures

Question 15

Notice Requirements - non-breach

Answer 15

Must provide detailed privacy notice at the date of first service delivery

Question 16

Notice Requirements - breach

Answer 16

HITECH requires notice of breach unless there is a low probability that the security or privacy of the PHI has been compromised:

(a) must notify individuals within 60 days of discovery of breach;
(b) if breach affected more than 500 people, must notify HHS immediately; and
(c) if breach affected more than 500 people in the same jurisdiction, must notify the media.

Breach notification rules apply only to “unsecured” (read: unencrypted) data

Question 17

Exceptions to notice requirements

Answer 17

Non breach:

(a) medical emergencies;
(b) Indirect treatment relationship

Breach:

(a) data is “secured,” i.e. encrypted;
(b) low probability that the security or privacy of the PHI has been compromised

Question 18

Choice and consent

Answer 18

Opt-in (written authorization) for most uses.

Cannot be a condition for treatment

Question 19

Consent Exceptions

Answer 19

(a) Essential healthcare purposes - Treatment, Payment and Operations (TPO);
(b) De-identified information (remove listed elements, or get certification);
(c) Research;
(d) Public health activities;
(e) to report abuse;
(f) in judicial and administrative proceedings;
(g) to HHS, to investigate compliance with HIPAA

Question 20

Access rights

Answer 20

Privacy Rule provides the right to access and copy PHI

Question 21

FIP Controls Addressed

Answer 21

Information Security, Information Quality

Question 22

Information Security Requirements

Answer 22

Privacy Rule: must implement administrative, physical and technical safeguards

Security Rule: “reasonable” safeguards (effectively a negligence standard?), proportionate to entity’s size and capabilities and the type of PHI. Some safeguards are required; others are “addressable:”
Required:
(a) ensure confidentiality, integrity and accessibility of PHI;
(b) protect against reasonably anticipated threats;
(c) protect against reasonably anticipated impermissible use or disclosure;
(d) ensure compliance by employees/agents;
(e) conduct ongoing risk assessments and adjust based on the results

Question 23

Information Quality Requirements

Answer 23

Security Rule: must ensure CIA (confidentiality, integrity and availability)

Privacy Rule: right to amend

Question 24

FIP Information Lifecycle Categories Covered

Answer 24

Use and Retention, Disclosure (not Collection/Disposal)

Question 25

Use and Retention

Answer 25

Privacy Rule: “Minimum necessary” use and disclosure to accomplish the intended purpose.
Stricter rules for psychotherapy notes.

Question 26

Disclosure

Answer 26

Privacy Rule: “minimum necessary” use and disclosure to accomplish the intended purpose.
Stricter rules for psychotherapy notes.
“Compassionate sharing” exception for mental health disorders and alcohol/substance abuse (Cures Act)

Question 27

Redisclosure

Answer 27

Requires separate consent

Question 28

Right to list of disclosures

Answer 28

Yes, for a reasonable fee

Question 29

FIP management categories covered

Answer 29

Administration, Monitoring and Enforcement

Question 30

Administration Requirements

Answer 30

Must appoint a data quality officer. Staff must be trained in requirements.

Security Rule: must implement a security awareness and training program.

Question 31

Monitoring and Enforcement Requirements

Answer 31

Must appoint a data quality officer. Must have established complaint procedures.

Security Rule: staff must be disciplined if they fail to comply.