By: Samantha Moench, Information Assurance Analyst
Congress created the Health Insurance Portability and Accountability Act (HIPAA) and President Bill Clinton signed it into law in 1996. This act set national standards for protecting electronic healthcare transactions and information that could potentially identify an individual.
When conducting HIPAA gap analysis and risk analysis services, we often start by helping our clients understand and navigate the Security Rule. Part of this starts with a basic understanding of the terms used in the rule, as understanding them can be confusing at first:
- Standards are high-level requirements. Required and addressable implementation specifications help support a standard.
- Required implementation specifications must be in place and alternatives are not acceptable.
- Addressable implementation specifications have 3 ways to be addressed:
- Implement a control(s) to meet the implementation specification.
- Implement an alternative control that meets the requirement.
- Based on the output of a risk analysis, choose not to implement a control. This decision needs to be risk informed, justifiable, and documented. These decisions should be reviewed on an ongoing basis to determine if a control should be implemented due to a change in business or technical circumstances or security risk.
There have been additional acts and rules published that update requirements for HIPAA compliance:
- The “Standards for Privacy of Individually Identifiable Health Information”, more commonly known as the Privacy Rule, was later published in the year 2000 to set standards regulating the use and disclosure of protected health information (PHI).
- The “Health Information Technology for Economics and Clinical Health Act (HITECH Act) of 2009” updated requirements for reporting breaches and disclosing patients’ information.
- The “Final Omnibus Rule” (of March 26, 2013) also updated breach notification requirements, with the most notable change being that business associates now must also be HIPAA compliant.
What is PHI/ePHI?
HIPAA and the Privacy Rule were written concerning PHI and, more recently, electronic protected health information (ePHI). ePHI can include information about:
- Past, present, or future health status.
- The provisioning of health care.
- Any part of an individual’s medical record or payment history.
HIPAA regulations not only require that this information be secured in the present, it must also be protected for 50 years after a person has deceased.
Acceptable Uses of PHI
The Privacy Rule strongly dictates how organizations are to handle PHI. Generally, organizations cannot use or disclose PHI unless the Privacy Rule requires or permits it, or if an individual authorizes such use in writing. Whether PHI is disclosed because it is required or it was authorized, the organization must make a reasonable effort to disclose only the minimum necessary health information required to achieve its purpose. This is what HHS refers to as the Minimum Necessary Requirement.This also applies to whenever an organization uses or requests PHI/ePHI.
Governing Entities and Enforcement
So, who is responsible for ensuring that these standards are met? The Office for Civil Rights (OCR) within the US Department of Health and Human Services (HHS) is responsible for enforcing HIPAA. The tools OCR utilizes to achieve this include random compliance audits and civil money penalties. Civil money penalties may be issued to an organization that suffers a breach.
OCR’s use of civil money penalties depends on how proactive the organization is with preventing and stopping potential breaches. If an organization suffered a breach and did everything they could to prevent it and stop it shortly after it was discovered, any potential fine would likely be smaller. However, if the organization was negligent regarding prevention or response activities and became a victim of a breach, they would likely be fined significantly more.
If you are wondering where you stand in terms of HIPAA compliance, NuHarbor Security can help by performing a detailed HIPAA gap analysis or HIPAA risk analysis. If you’re not ready for that or would like help determining how HIPAA applies to your organization, we also offer general HIPAA consulting to address your unique needs.