HIPAA
Privacy of Health Information
Claudia Allen, Esq.
General Counsel
HealthBridge
Federal Privacy Legislation
a. State laws requiring privacy and confidentiality
have existed for many years
b. Federal law – HIPAA – was enacted in 1996, but
the regulations containing the Privacy and
Security Rules were not in place until 2003
c. HIPAA creates a minimum threshold of
confidentiality – but does not pre-empt state
law if the state law requires a higher standard
Federal Privacy Legislation
d. “Covered Entities” are subject to the rules
protecting the privacy/confidentiality of
“Protected Health Information”
i. Covered Entities:
1. Providers of health care services (e.g.,
labs, physicians, dentists, chiropractors,
psychologists)
2. Health Plans
3. Health Clearinghouses
Federal Privacy Legislation
ii. PHI is health related information that is
1. Identifiable to an individual
(contains name, address, phone, SSN,
medical record number, date of birth,
etc.)
2. Transmitted or maintained by
electronic or any other media
I. HIPAA Privacy Rule (1)
A. HIPAA sets standards for security, use and
disclosure of PHI and permits disclosure or use of
PHI without patient consent for the following
purposes:
i. Treatment
ii. Payment
iii. Health Care Operations
iv. Research: Limited data set or IRB
v. Public health
vi. As otherwise required by law
I. HIPAA Privacy Rule (2)
B. HIPAA rules for Business Associates of CEs (e.g.,
HealthBridge, the Collaborative, EMR vendors)
i. Covered Entities may authorize disclosure of
PHI to BA for a specific permitted purpose
ii. CE required to enter into a Business Associate
Agreement with BAs to protect PHI security
iii. Originally, a breach of the BAA would only
subject the CE to liability to third parties
iv. CE would recover cost from BA in a breach of
contract lawsuit
II. 2009: ARRA and HITECH Extended Privacy &
Security Rules to Business Associates (“BA”)
a. Business Associates became directly subject to
privacy/confidentiality requirements and some
security rules (can be held liable)
b. BA can be held liable for privacy noncompliance by a subcontractor who is acting as
an “agent” of a BA
c. BA Agreements are now required with entities
that provide data to a CE such as Health
Information Exchanges
III: 2013: Omnibus Final Regulations
A. Definition of “Business Associate” Expanded
i. Entities that create, receive, maintain, transmit
PHI to perform functions or activities for a CE
ii.Health Information Organizations, e-prescribing
gateways, entities maintaining personal health
records for a CE
iii. Subcontractors receiving PHI on behalf of BAs
• Subcontractors are now subject to the same obligations
as BAs with respect to the CE – need BAAs
• Subs must have HIPAA compliant security policies
III. Omnibus Final Regulations (2)
B. New Breach Standard:
When it is discovered that there has been an
unauthorized use or disclosure of Unsecured
PHI, notice is presumed necessary EXCEPT
where CE or BA demonstrates that “there is a
low probability that PHI has been
compromised.”
III. Omnibus Final Regulations (3)
i. Final Rule does not define “Compromised” but
specifies what the risk assessment must consider:
• Nature and extent of PHI, types of identifiers
(likelihood of re-identification)
• The unauthorized person to whom PHI was
disclosed
• Was the PHI actually used/viewed?
• Extent to which the risk has been mitigated
III. Omnibus Final Regulations (4)
C. Notification requirements upon
determination of Breach:
i. CEs must notify each individual whose UPHI
is breached
ii. BA must notify the CE (CE may delegate to
BA by BAA)
iii. Time period: without unreasonable delay
but no later than 60 calendar days after
discovery (first day known or should have
been known)
III. Omnibus Final Regulations (5)
1. Burden on discoverer to notify
2. Written notice by mail unless urgent
3. If more than 9 individuals involved, posting on
web
4. Notice to media if over 500 residents in state or
jurisdiction affected
5. Immediate notice to Secretary if over 500
affected
6. Breach log required to be sent to Secretary
annually
III. Omnibus Final Regulations (6)
D. Notice must contain
1. Description of what happened
2. Description of types of data involved
3. Steps individuals should take to protect
themselves
4. What CE is doing to investigate, mitigate
losses, and protect from further
breaches
5. Contact procedures
IV. Patient Rights re Disclosures
a. Individuals may restrict disclosure to a health
plan for payment or operations if individual
has paid out of pocket in full for services
b. Patient may request an accounting of all 3
years’ disclosures of his/her ePHI to any third
party including TPO – i.e., to the billing
company, to the insurance company, to
another provider for a consult.
V. HHS Audit Initiative
• Pilot Audit of 115 CEs uncovered violations
– All but 13 had some type of violation
– 60 violations were security related
• Missing: risk assessments, documentation of decisions
• Privacy violations include no notice of privacy practices
– Notices must be revised to include new breach notification
and disclosure rules
– Policies and procedures (such as patient access to disclosure
information, breach assessment and notification, restriction
where paid) must be formulated and written
– Employee training missing to inform them of rules and
procedures
VI. Practical Steps to Avoid Liability:
Show How You Secure PHI
a. Appoint a Privacy Officer to establish policies, field
questions and monitor compliance
b. Review company policies and procedures with your
staff to ensure compliance with ARRA privacy and
security requirements – update as needed
c. Make sure you have signed BAAs with those from
whom you are receiving PHI (as from other
physicians, clinics, hospitals, labs) and those you are
sending/disclosing PHI to (e.g., billing company,
insurance company, etc.)
d. Conduct a general risk assessment to determine if
procedures are protecting PHI. Document review.
VI. Practical Steps (2)
e. Take steps to see that:
i. Doors are locked except for business entrances and
exits during business hours
ii. Employee access is restricted/logged during nonbusiness hours
iii. Visitors are not in a position to see or access data
iv. Employees understand the importance of not
disclosing patient information outside of work- and
at work, only as necessary
v. All remote access to data is limited, inventoried
vi. All portable electronics are encrypted
VI. Practical Steps (3)
vii. Keys, pass codes are inventoried/changed frequently
viii. Workstations are secured, screens not in view of
public
ix. Procedures are implemented for ending data access by
terminated employees
x. Procedures are implemented for reporting suspicious
activity
xi. Hiring practices are implemented that help minimize
risk –(i.e., checking references and background)
xii. Regular training on privacy and security
requirements is conducted
xiii. Decisive action is taken if a breach is suspected:
procedures are followed and actions documented.
HIPAA Privacy
QUESTIONS?