HIPAA Basics
Brian Fleetham
Dickinson Wright PLLC
HIPAA Overview
General prohibition: a “covered entity”
cannot disclose “protected health
information” unless an exception
applies.
HIPAA Overview
Translation: treat patient information
as confidential.
HIPAA Overview
Two main parts: privacy rule and
security rule.
HIPAA – Key Definitions
“Covered Entity” means (1) health
plans, (2) healthcare clearinghouses,
and (3) health care providers that
transmit protected health information in
an electronic format.
HIPAA – Key Definitions
“Protected Health Information” or “PHI”
means individually identifiable
information that is transmitted by
electronic media; maintained in any
electronic media; or transmitted or
maintained in any other form or
medium.
HIPAA – Key Definitions
“Individually Identifiable Health
Information” means information
collected from an individual that (1) is
created or received by a health plan, a
health provider, an employer, or a
health care clearinghouse;
HIPAA – Key Definitions
“Individually Identifiable Health
Information” (continued) (2) relates to
the past, present, or future mental or
physical health of an individual, the
care provided to an individual, or the
past, present, or future payment for the
care of an individual; and
HIPAA – Key Definitions
“Individually Identifiable Health
Information” (continued) (3) identifies
the individual or there is a reasonable
belief that the information could be
used to identify the individual.
HIPAA – Key Definitions
Common identifiers of health
information include names, social
security numbers, addresses, and birth
dates.
HIPAA – Key Definitions
A key concept under HIPAA is
“minimum necessary.” Most uses and
disclosures of PHI, even internally,
must use or disclose PHI only as
minimally necessary to accomplish the
use or disclosure.
HIPAA – Privacy Standards
The HIPAA Privacy Standards
generally prohibit a covered entity from
using or disclosing PHI, unless the use
or disclosure fits within a particular
exception.
HIPAA – Key Exceptions to the
Privacy Standards
Among other uses or disclosures,
covered entities may use or disclose
PHI:
• For payment, treatment, or
healthcare operations.
HIPAA – Key Exceptions to the
Privacy Standards (continued)
• To the individual that the PHI
pertains to or to his or her
designated representative.
• As directed by an individual’s
written authorization.
• As required by law.
• To a business associate.
HIPAA – Business Associates
A business associate is a person or
entity that performs services for a
covered entity which involve PHI.
HIPAA - Business Associates
PHI can be provided to a “business
associate” only if the PHI is a
necessary component of the services
provided by the business associate to
the covered entity and an appropriate
business associate agreement is in
place.
HIPAA - Business Associates
Business associates can include
billing companies, IT providers,
consultants, attorneys, etc. Other
covered entities are not business
associate unless non-clinical services
are involved.
HIPAA – Business Associates
With the HITECH Act, business
associates now have direct liability
under HIPAA. Covered entities remain
liable for the actions of their business
associates.
HIPAA – Individual Rights
The HIPAA Privacy Standards
establish several individual rights
relating to PHI, such as the following:
• Notice of privacy practices from a
covered entity
• Request for restrictions on use of
PHI
HIPAA – Individual Rights
(continued)
• Request for reasonable handling of
the manner of communications
• Access and amendments to PHI
• Accounting of disclosures of PHI
HIPAA – Security Standards
The HIPAA Security Standards apply to
all PHI maintained or used
electronically (known as “ePHI”). A
covered entity must evaluate each
Security Standard and determine the
extent to which each must be
implemented, based on various factors.
HIPAA – Risk Assessment
This process is known as conducting a
risk assessment.
• Must be performed regularly.
• Also a “core requirement” for
meaningful use payments.
HIPAA – Risk Assessment
(continued)
• A covered entity risks a mandatory
repayment or loss of future
meaningful use payments if it
cannot produce written risk
assessments for each year that
meaningful use payments are
claimed.
HIPAA – Security Standards
The Security Standards fall under three
main categories:
• Administrative Safeguards (e.g.,
plans, policies, protocols, training,
etc.)
HIPAA – Security Standards
(continued)
• Physical Safeguards (e.g., media
and physical access controls,
workstation requirements, etc.)
• Technical Safeguards (e.g., data
and entity authentication, network
control, etc.)
HIPAA – Data Breaches
A data breach consists of the
impermissible acquisition, access, use,
or disclosure of unprotected (i.e.,
unencrypted) PHI (whether electronic
or otherwise).
HIPAA – Data Breach
The prior harm standard has been
replaced with a test of whether PHI has
been “compromised.” The regulations
create a general presumption that the
data has been compromised.
HIPAA – Data Breach
Upon a suspected data breach, a
covered entity must, within 60 days,
either immediately notify affected
individuals and DHHS (and possibly the
media) or undertake an analysis of
whether an actual breach has occurred
and then notify as necessary.
HIPAA – State Law Preemption
State law provisions that are more
stringent preempt applicable HIPAA
requirements.
HIPAA – Applicable Michigan Law
Under Michigan law, physicians are
broadly prohibited from disclosing
treatment information. Disclosure thus
requires consent, court order, or a
specific legal mandate.
HIPAA - Enforcement
Prior to HITECH, enforcement was
complaint-driven with limited penalties
except for intentional violations, with
the main goal being compliance.
HITECH authorized HIPAA
enforcement audits and increased the
amount of fines for violations.
HIPAA - Penalties
Penalties for HIPAA violations fall
under four tiers:
• Tier A – Did not know of the
violation – fines between $100 and
$50,000 for each violation
HIPAA – Penalties (continued)
• Tier B – Reasonable cause for
violation rather than willful neglect
– fines between $1,000 and
$50,000 for each violation
HIPAA – Penalties (continued)
• Tier C – Violation due to willful
neglect but corrected – fines
between $10,000 and $50,000 for
each violation
• Tier D – Violations due to willful
neglect but not corrected – fines of
$50,000 for each violation.
HIPAA – Penalties (continued)
Cap of $50,000 fine per violation and
$1.5 million annually for the same
type of violation.
HIPAA – Main Compliance Steps
• Updated notice of privacy practices
• Updated business associate
agreements in place
• Appropriate policies and
procedures
• Regular workforce education
HIPAA – Main Compliance Steps
(continued)
• Encryption protection for electronic
PHI
• Other electronic and physical
safeguards
• Risk assessment
• Appointment of HIPAA privacy and
security officer
HIPAA - Resources
• Model privacy notice from DHHS:
http://www.hhs.gov/ocr/privacy/hip
aa/modelnotices.html
• Sample business associate
agreement provision from DHHS:
http://www.hhs.gov/ocr/privacy/hip
aa/understanding/coveredentities/c
ontractprov.html
HIPAA – Resources (continued)
• AMA toolkit: http://www.amaassn.org/ama/pub/physicianresources/solutions-managingyour-practice/coding-billinginsurance/hipaahealth-insuranceportability-accountability-act.page
HIPAA – Resources (continued)
• DHHS risk assessment tool:
http://www.healthit.gov/providersprofessionals/security-riskassessment-tool