What are some basics that I need to know about the HIPAA privacy and security rules?

Our clients are frequently asked if they are HIPAA compliant. Other than clinics and doctor’s offices, few of them are aware of even the basics. This brief article describes some key provisions of a very broad law.

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) is a federal law that applies to certain health care providers, health plans, and health care clearinghouses (commonly referred to as “covered entities”). Under HIPAA, the U.S. Department of Health and Human Services (“HHS”) enforces several rules relating to information privacy and security that covered entities must follow. The core rules of HIPAA are the Privacy Rule and the Security Rule.

HIPAA Privacy Rule
The Privacy Rule protects the privacy of individually identifiable health information (“PHI”). PHI is information that (a) relates to an individual’s health or condition, the provision of health care to that individual, or the payment for health care, and (b) identifies, or reasonably could identify, the individual.

The Privacy Rule establishes rules regarding the use and disclosure of PHI, including:

  1. Mandatory Disclosures – When PHI must be disclosed (for example, to HHS when it undertakes an enforcement action).
  2. Permissive Uses or Disclosures – When PHI is permitted to be used or disclosed (for example, for use by a health care provider in treatment, payment, and health care operations).
  3. Authorized Uses or Disclosures – When PHI is authorized to be used or disclosed (for example, what procedures a health care provider must follow to obtain an individual’s authorization to disclose PHI).
  4. Generally Protect Privacy – In all other cases, covered entities must guard the privacy of PHI to prevent its unauthorized use or disclosure.

Notice of Privacy Practices
The Privacy Rule also requires that covered entities develop a Notice of Privacy Practices, describing the ways the covered entity will use and disclose PHI, and deliver this notice to individuals.

HIPAA Security Rule
The Security Rule protects the security, integrity, confidentiality, and availability of electronic PHI (“ePHI”). The Security Rule requires that covered entities develop internal policies and procedures establishing certain safeguards for the protection of ePHI, including:

  1. Administrative Safeguards,
  2. Physical Safeguards, and
  3. Technical Safeguards.

Covered entities must evaluate the effectiveness of these policies and procedures on a periodic basis and take steps to identify and address threats and vulnerabilities to ePHI security.

HIPAA Compliance
The Privacy Rule and the Security Rule provide some flexibility to covered entities in terms of how to comply with these requirements, but HHS has published enforcement actions against covered entities of a variety of sizes and for breaches of varying severity. From these actions, it is clear that HHS takes compliance with these rules seriously and covered entities should too.