Helpful information about cloud computing, cyber security and more, all at a glance.
Physicians are entrusted with some of the most intimate and personal information in a patient’s lifetime—account and identity information as well as health information. Patients expect that information to be kept private. When that trust is breached, the ramifications to the healthcare organization can be heavy.
The HIPAA Privacy Rule was issued by the United States Department of Health and Human Services to restrict the use and disclosure of personally identifiable information that pertains to a patient or consumer of healthcare services. This information is called protected health information (PHI). The rule was created to protect patients’ privacy.
Under HIPAA, a covered entity (CE) must make practical efforts to use, disclose and request only the minimum necessary amount of PHI required for any particular task. The Privacy Rule also gives patients rights over their health information and the right to access their own medical records.
The HIPAA Privacy Rule applies to covered entities and their business associates (BA). A covered entity is a health plan, a healthcare clearinghouse or a healthcare provider. Subcontractors, or business associates of business associates, must also be in compliance. In other words, if your organization might have access or the ability to access PHI, HIPAA applies to you.
If you’re a covered entity and you use a vendor or organization that will have access to PHI, you need to have a written business associate agreement (BAA). A BAA states how PHI will be used, disclosed and protected. If a breach occurs, BAs are directly liable to the same penalties as covered entities.
The Privacy Rule protects a patient’s health information and any identifying information, in any medium or format—files, email, audio, video or verbal communication. Any of the following is considered private health information:
You’ll also need to maintain audit reports, or tracking logs, to keep activity records on hardware and software. This is especially useful to pinpoint the source or cause of any security violations. Your procedures should also designate a privacy officer and explain the complaint and resolution process.
In addition, your employees should be trained in HIPAA requirements, business associates must sign agreements respecting the confidentiality of PHI, and patients must be well informed of their rights and your practices.
Breaches can happen even with the most secure safeguards in place. In the case of loss, theft, or certain other impermissible uses, you must notify the affected patients. If the breach involves more than 500 individuals, you must also notify the Secretary of the HHS and the media in the state or jurisdiction where the individuals live.
If you’re a covered entity, you are required by Federal law to comply with the HIPAA Security Rule, or you could face strict fines and penalties. Civil penalties range from $25,000 to $1.5 million per year. Criminal penalties can also be enforced for purposefully accessing, selling or using ePHI unlawfully. Criminal penalties include heavy fines and imprisonment—up to $250,000 and ten years in prison.