The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules protect the privacy and security of health information. The blog post below will help you understand the HIPAA Basics your business needs to be in compliance with. They also provide individuals with certain rights as it pertains to their health information. You as a provider, play a vital role in protecting the privacy and security of patient information and ePHI data.
This blog post covers discussed the following
- Privacy Rule – Sets national standards for when protected health information (PHI) may be used and disclosed.
- Security Rule – Specifies safeguards that covered entities and business associates have to implement in order to protect the confidentiality, integrity and availability of electronic protected health information (ePHI)
- Breach Notification Rule – Requires that covered entities notify any affected individuals in conjunction with the U.S. Department of Health & Human Services of any breaches of unsecured PHI.
HIPAA Privacy Rule
The HIPAA Privacy Rule establishes standards to protect PHI data held by these entities and their business associates:
● Health plans
● Health care clearing-houses
● Health care providers that conduct certain health care transactions electronically
When “you” is used in this blog post, we’re referring to these entities and persons. The Privacy Rule gives individuals important rights with respect to their protected PHI, including rights to examine and obtain a copy of their health records in the form and manner they request, and to ask for corrections to their information. Also, the Privacy Rule permits the use and disclosure of health information needed for patient care and other important purposes.
HIPAA Security Rule
The HIPAA Security Rule specifies safeguards that covered entities and their business associates must implement to protect ePHI confidentiality, integrity, and availability. Covered entities and business associates must develop and implement reasonable and appropriate security measures through policies and procedures to protect the security of ePHI they create, receive, maintain, or transmit. The security rule is a fundamental part of any basic HIPAA plan. Each entity must analyze the risks to ePHI in its environment and create solutions appropriate for its own situation. We’re experts when it comes to any and all types of industry compliance and with the help of our Cyber Security and Managed IT Services we ensure your business keeps HIPAA data secure, no matter what. What is reasonable and appropriate depends on the nature of the entity’s business as well as its size, complexity, and resources. Specifically, covered entities must:
● Ensure the confidentiality, integrity, and availability of
all ePHI they create, receive, maintain, or transmit
● Identify and protect against reasonably anticipated
threats to the security or integrity of the ePHI
● Protect against reasonably anticipated, impermissible
uses or disclosures
● Ensure compliance by their workforce
When following the HIPAA basics for developing and implementing Security Rule compliant safeguards, covered entities and their business associates may consider all of the following:
● Size, complexity, and capabilities
● Technical, hardware, and software infrastructure
● The costs of security measures
● The likelihood and possible impact of risks to ePHI
HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule requires covered entities to notify affected individuals; HHS; and, in some cases, the media of a breach of unsecured PHI. Generally, a breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI. The impermissible use or disclosure of PHI is presumed to be a breach unless you demonstrate there is a low probability the PHI has been compromised based on a risk assessment of at least the following factors:
● The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
● The unauthorized person who used the PHI or to whom the disclosure was made
● Whether the PHI was actually acquired or viewed
● The extent to which the risk to the PHI has been mitigated.
Most notifications must be provided without unreasonable delay and no later than 60 days following the breach discovery. Notifications of smaller breaches affecting fewer than 500 individuals may be submitted to HHS annually. The Breach Notification Rule also requires business associates of
covered entities to notify the covered entity of breaches at or by the business associate.
We hope that these HIPAA Basics help put things in to perspective to just how important it is to keep patient information secure. Our Managed IT Services for Medical Providers include all of these security rules as well as much more documentation to ensure every aspect of your business is HIPAA compliant and safe from cyber threats.
If you’re not currently following HIPAA standards and are involved in processing, transmitting or viewing PHI, it’s time for you to Contact Us and protect your business from huge fines and patients from loss of confidential information.