HIPAA Rules Privacy and Security Rules Explained
Written by Jennifer

HIPAA legislation is made up of a number of rules, each of which lays out different requirements for HIPAA compliance.

The rules are as follows:

HIPAA Privacy Rule: The Privacy Rule dictates how, when, and under what circumstances PHI can be used and disclosed. Enacted for the first time in 2003, it applies to all healthcare organizations, clearinghouses, and entities that provide health plans. Since 2013, it has been extended to include Business Associates.

The Privacy Rule sets limits on the use of patient information when the patient has not given prior authorization. Additionally, it mandates that patients and their representatives have the right to obtain a copy of their health records and to request corrections to errors. CEs have a 30-day deadline to respond to such requests.

HIPAA Security Rule: The Security Rule sets the minimum standards to safeguard ePHI. Anybody within a CE or BA who can access, create, alter or transfer ePHI must follow these standards. Technical safeguards include encryption to NIST standards if the data goes outside the company’s firewall.

Physical safeguards may relate to the layout of workstations (e.g. screens cannot be seen from a public area), whereas administrative safeguards unite the Privacy Rule and the Security Rule. They require a Security Officer and Privacy Officer to conduct regular risk assessments and audits. These assessments aim to identify any ways in which the integrity of PHI is threatened, and the findings are used to build a risk management policy.

Breach Notification Rule: The Department of Health and Human Services must be notified when a data breach is discovered. Notification must be made within 60 days of the breach’s discovery for incidents involving 500 or more individuals, and within 60 days of the end of the calendar year in which the breach occurred for breaches of fewer than 500 records. Individuals whose personal information has been compromised must also be informed within 60 days, and if more than five hundred patients are affected in a particular jurisdiction, a media notice must be issued to a prominent news outlet serving that area.

Omnibus Rule: The Omnibus Rule activated HIPAA-related changes that had been part of the HITECH Act. These included the extension of HIPAA coverage to BAs, the prohibition of using PHI for marketing or fundraising purposes without authorization, and new penalty tiers for violations of HIPAA. Part of those penalties can be retained by OCR to fund more stringent investigations of data breaches and complaints of noncompliance.

Enforcement Rule: Should a breach of PHI occur, this rule lays out how any resulting investigations are carried out. Once the level of negligence has been determined, appropriate fines can be issued. For example, if it is determined that the violation was due to ignorance, a fine of up to $50,000 can be levied against the negligent party per violation with an annual maximum of $25,000 for violations of an identical provision. If the violation was because of willful neglect and was not rectified within 30 days, a fine of $50,000 per offense is possible up to an annual maximum of $1,500,000 for violations of an identical provision.

Since the Final Omnibus Rule was introduced in 2013, new guidelines have been released on how PHI must be accessed and sent in a medical-related environment. The revised Act grants patients additional rights to know and manage how their health information is used.

HIPAA-covered entities and Business Associates must put in place mechanisms to limit the flow of information inside a private network, monitor activity on the network, and take steps to stop the unauthorized disclosure of PHI beyond the network’s boundaries. More attention must be invested in conducting risk assessments, and new reporting procedures have been implemented to cover data breaches.

Changes to the HIPAA Security Rule list the conditions (“safeguards”) that must be in place for HIPAA-compliant storage and the communication of ePHI. These “safeguards” are referred to in the HIPAA Security Rule as either “required” or “addressable”. In fact, all the security measures are generally required – irrespective of how they are listed – as the following section explains.


Source: HIPAA Guide
