Part II – The HIPAA Privacy & Security Rule
In Part I of this series, we covered what the Health Insurance Portability and Accountability Act (“HIPAA”) covers and included an overview of the regulation. We also discussed the persons and entities to which HIPAA can apply and identified the various types of entities that are legally required to abide by its standards. Please review our previous post, Part I, as it provides additional context for this article.
What is the HIPAA Privacy Rule?
The HIPAA Privacy Rule was incorporated into the regulation and became effective on April 14, 2001, following an increase in mandates surrounding privacy. The Privacy Rule applies to a wide variety of organizations, including healthcare providers, health plans, and healthcare clearinghouses, and sets forth standards for protecting patient privacy and protected health information, commonly referred to as “PHI.” PHI can include any individually identifiable information related to an individual’s physical health, mental health, the provision of healthcare services to an individual, and/or payment for healthcare services related to an individual.
The Privacy Rule provides individuals with certain rights pertaining to their PHI and limits how covered entities may use or disclose this information. To accomplish this, the Privacy Rule requires these organizations to have appropriate safeguards in place to protect the confidentiality and integrity of PHI and to provide individuals with a notice of their privacy rights. These standards matter because they give individuals visibility into, and a degree of control over, how their PHI is used and disclosed. To avoid potentially hefty fines and penalties, it is essential that covered entities and other organizations required to abide by HIPAA understand and comply with the requirements established by the Privacy Rule.
What information can be considered PHI?
PHI can include information such as an individual’s name, address, date of birth, Social Security number, medical diagnosis and/or treatment, and health insurance information, regardless of whether the information is communicated orally, in writing, or electronically. Under the Privacy Rule, PHI is classified as sensitive information, and covered entities and business associates are required to protect it by implementing appropriate administrative, physical, and technical safeguards against unauthorized access, use, or disclosure. As such, PHI must be kept confidential and may only be used or disclosed as permitted or required by law, or with the individual’s written and explicit consent. The Privacy Rule applies to all PHI that is created, received, maintained, or transmitted.
What are the requirements under the Privacy Rule?
The Privacy Rule has several requirements that organizations must follow to ensure compliance and to protect the confidentiality of PHI, including the following:
- Limiting the use and disclosure of PHI to only the minimum necessary to accomplish the intended purpose, and only for permitted uses unless explicit consent is given by the individual for other uses or disclosures.
- Provisioning access to PHI only to those individuals who have a “need to know.”
- Maintaining records of certain disclosures of PHI and providing individuals with a record of these disclosures upon request.
- Providing individuals with a notice of privacy practices explaining how their information will be used or disclosed, including their right to access a copy of their information, request corrections and updates, and to have amendments made to their records.
- Responding to an individual’s request to access their information no later than 30 calendar days after receiving the request.
- Implementing appropriate administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of PHI.
- Developing and implementing organizational policies and procedures for compliance with the Privacy Rule and ensuring that training on this rule is provided to applicable employees.
- Implementing a security management and risk analysis process that includes access controls and workforce security.
- Notifying individuals whose PHI has been, or is believed to have been, involved in an actual or suspected data breach no later than 60 days following the discovery of the breach.
- Providing individuals with the opportunity to file a complaint if they believe their privacy rights have been violated, including providing the information necessary to file such a complaint.
In summary, these are just some of the many requirements that the HIPAA Privacy Rule imposes on organizations that must comply with the HIPAA regulation. The focus of the Privacy Rule is to protect the privacy of individuals and their PHI, while also providing those individuals with certain rights regarding how their information may be used, accessed, or disclosed.
What is the HIPAA Security Rule?
The HIPAA Security Rule was finalized and went into effect on February 20, 2003, establishing national standards for protecting electronic protected health information, commonly referred to as “ePHI.” ePHI can include the same information as PHI, but it is specific to the electronic form of that information as it is created, accessed, received, and disclosed. Like the Privacy Rule, the Security Rule requires covered entities and their business associates to implement appropriate safeguards to ensure the confidentiality, integrity, and availability of the ePHI they hold or transmit, regardless of the form in which it is held. These safeguards include administrative, technical, and physical measures and should be appropriate to the complexity, size, scope, and nature of the organization.
The Security Rule is designed to ensure that organizations take the measures required to protect against the unauthorized access, use, disclosure, disruption, modification, or destruction of ePHI. Additionally, organizations are required to have written policies and procedures in place for security management, and to perform regular monitoring and auditing of systems and devices that have access to ePHI. Employees must also receive training on these policies and procedures that highlights the importance of effectively maintaining and protecting ePHI.
Additionally, covered entities are required to enter into a business associate agreement, often referred to as a “BAA,” with each of their business associates. The BAA must document the controls and safeguards the business associate needs to have in place so that the information remains properly protected upon any onward transfer of the ePHI. It is therefore not enough for an organization to have proper policies, procedures, and safeguards in place; it must also ensure that its business associates are implementing the same safeguards. Failure to ensure that the organization and its business associates protect ePHI in accordance with the Security Rule can lead to penalties, fines, and sanctions.
What are the requirements under the Security Rule?
The Security Rule has several requirements and controls that organizations must implement to ensure compliance and to protect the integrity of ePHI, which include the following:
- Enforcing security access control measures to ensure that only authorized individuals have access to ePHI.
- Implementing incident response policies and procedures surrounding the handling and remediation of a security incident or breach, including making the required notifications.
- Ensuring appropriate technical controls, transmission security, and encryption methods are in place to prevent unauthorized access.
- Establishing audit and integrity controls for ePHI, such as monitoring and logging records of access to ePHI, as well as network intrusion detection.
- Maintaining access logs to ePHI and security incident reports for at least six years.
- Conducting organizational risk assessments to identify any potential vulnerabilities and/or threats to ePHI or the systems and devices which store ePHI.
- Appointing a Security Official to oversee the organization’s HIPAA compliance efforts.
- Implementing proper physical safeguards to protect against the unauthorized access or tampering of ePHI, such as facility access controls, workstation auto-lock features, and device and media controls.
- Establishing appropriate policies and procedures regarding the retention of ePHI in accordance with applicable laws and regulations, as well as the proper and secure disposal of ePHI.
- Reviewing and regularly evaluating the effectiveness of the safeguards in place and making any identified or necessary adjustments to ensure the continued safety and security of any ePHI.
What security controls support the Security Rule?
To ensure compliance with the HIPAA Security Rule, covered entities and their business associates should assess their existing security controls and identify any gaps. Based on the findings, they may need to implement a range of administrative, physical, and technical safeguards. Examples of such safeguards, designed to ensure the confidentiality, integrity, and availability of PHI, include access controls, encryption, backups, audit trails, and risk assessments. Controls in these categories that help meet the requirements of the HIPAA Security Rule include multi-factor authentication (MFA), network and data segmentation, privileged access management, secure backups, attack surface testing, and security and privacy awareness training incorporated into employee education programs.
In summary, these are just some of the security standards and controls that the HIPAA Security Rule requires organizations to establish and maintain in order to comply with the HIPAA regulation. The focus of the Security Rule is to enforce organizational security controls and standards which, in turn, help protect the confidentiality, integrity, and availability of the ePHI an organization holds. Adhering to HIPAA standards demonstrates compliance with regulatory requirements and also forms the foundation for better risk management, an improved security posture, and the protection of critical data, devices, and assets from breaches.
To provide our clients with the best possible service and to ensure that they can meet the technical security requirements under the HIPAA Security Rule, BD Emerson has partnered with Blue INK Security. Blue INK Security is a leading provider of cybersecurity services and specializes in helping organizations implement cybersecurity programs which meet the requirements set forth by HIPAA. Together we can offer our clients the expertise and resources they need to protect any PHI or ePHI with which they are entrusted, and to meet the stringent standards required under the HIPAA regulations.
Please be sure to look out for the next part of this series, which will discuss some of the additional rules encompassed within HIPAA, such as the Breach Notification Rule and the Omnibus Rule. Also, did you know that BD Emerson specializes in conducting various organizational assessments, including HIPAA assessments, and can help your organization meet and maintain the requirements of this regulation? If you believe your organization is subject to HIPAA and has not yet implemented a HIPAA compliance program to meet these requirements, please allow us to help by contacting us at jose.gonzalez@bdemerson.com or drew.danner@bdemerson.com.