HIPAA-covered entities must abide by Privacy, Security, and Breach Notification Rules, and the best place to start is with the basics, which are detailed in a new summary of HIPAA Rules recently released by the Department of Health and Human Services’ Office for Civil Rights (OCR).
The OCR frequently issues guidance for HIPAA-covered entities (CEs) to help them understand what is required of them. Guidelines can be quite specific, to assist with certain aspects of the legislation; however, in the latest guide the rules are neatly summarized, with handy references for CEs to find out more information.
HIPAA Basics for Healthcare Providers, Insurers, Clearinghouses and Business Associates
The new guidance, titled “HIPAA Basics for Providers: Privacy, Security, and Breach Notification Rules”, has been compiled by the OCR in conjunction with the Medicare Learning Network and contains a summary of HIPAA Rules, explaining what each rule means, what is required of CEs, and the data that must be protected. The main elements are listed below:
The HIPAA Privacy Rule
The privacy rule lays down the rules for accessing and disclosing Protected Health Information, or PHI. PHI is data that relates to an individual’s health, either physical or mental, and applies to past, present and future health. It covers the provision of healthcare to an individual, as well as payment for health services; again applying to past, present and future payments. There are 18 separate identifiers classed as PHI under HIPAA, such as the patient’s name, date of birth, telephone numbers, address, Social Security number and health insurance information, the latter two being particularly sensitive as they can be used by criminals to commit numerous types of fraud.
The HIPAA Security Rule
The Security Rule covers the safeguards that must be put in place to keep PHI private and confidential, in addition to the steps that must be taken to maintain the integrity of data, prevent data loss, and ensure it is available at all times to authorized members of the care team. The Rule sets out a number of data security elements which must be put in place, or addressed, although the exact measures that must be applied are in many cases left to the discretion of the CE. Data encryption, for example, must be addressed but is not mandatory. Data backups, which allow data to be restored if accidentally deleted or lost, are a mandatory requirement.
The HIPAA Breach Notification Rule
The Breach Notification Rule covers the steps that must be taken by a CE following a breach of PHI. There are strict timescales for reporting data breaches to the federal government and for notifying affected patients. The Rule also requires CEs to identify the cause of the breach, who has been affected, and the steps that should be taken to mitigate the risk of data being used for malicious purposes.
The OCR summary of HIPAA Rules explains the timescale for reporting HIPAA breaches – 60 days from the discovery of the breach – and the specific steps that must be taken for large breaches – involving over 500 records – and those for smaller breaches affecting fewer patients.
Often it is the basic elements of compliance which are forgotten, so the guide is a handy reminder for any healthcare professional.
A failure to comply with any aspect of HIPAA is likely to result in financial penalties being issued. In the HIPAA summary, the enforcement role of the OCR is detailed, with examples provided of settlements reached with past violators of Health Insurance Portability and Accountability Act Rules.
The HHS summary of HIPAA rules is available for download on the following hyperlink: HHS Guide to HIPAA Compliance.