HIPAA and its implementing regulations govern the permitted uses and disclosures of protected health information (PHI), how PHI must be safeguarded, and what must happen when a breach occurs. The HIPAA regulations consist of five major rules:
- HIPAA Security Rule
- HIPAA Privacy Rule
- HIPAA Omnibus Rule
- HIPAA Breach Notification Rule
- HIPAA Enforcement Rule
A summary of these Rules is discussed below.
HIPAA Security Rule:
The HIPAA Security Rule establishes national standards to protect individuals' electronic protected health information (ePHI) that is created, received, used, or maintained by a covered entity or business associate. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI.
Technical Safeguards concern the technology used to protect ePHI and to control access to it. Encryption of ePHI at rest and in transit is an "addressable" implementation specification rather than an absolute requirement: an organization must either implement it or document why it is not reasonable and appropriate and put an equivalent alternative in place. In practice encryption is strongly advisable, because ePHI that is encrypted in line with HHS guidance is not "unsecured" PHI, so its loss renders the data unreadable, undecipherable, and unusable to an attacker and does not trigger breach notification. Beyond that, organizations are free to select whichever mechanisms are most appropriate for their environment.
Physical Safeguards focus on physical access to ePHI irrespective of its location. ePHI could be stored in a remote data center, in the cloud, or on servers located within the premises of the HIPAA covered entity. They also stipulate how workstations and mobile devices must be secured against unauthorized access, and how devices and media containing ePHI are handled, re-used and disposed of.
HIPAA Administrative Safeguards
The Administrative Safeguards are the policies and procedures which bring the Privacy Rule and the Security Rule together. They are the pivotal elements of a HIPAA compliance checklist and require that a Security Officer and a Privacy Officer be assigned to put the measures in place to protect ePHI, while they also govern the conduct of the workforce.
HIPAA Privacy Rule
- The HIPAA Privacy Rule governs how PHI in any form (paper, oral or electronic) can be used and disclosed. In force since 2003, the Privacy Rule applies to covered entities, that is, health plans (including employer-sponsored group health plans), healthcare clearinghouses and healthcare providers that conduct standard transactions electronically, and, from 2013, to the Business Associates of covered entities.
- The Privacy Rule requires that appropriate safeguards are implemented to protect the privacy of protected health information. It also sets limits and conditions on the use and disclosure of that information without patient authorization. The Rule also gives patients, or their personal representatives, rights over their health information, including the right to obtain a copy of their health records, or examine them, and the right to request corrections if necessary.
- Under the Privacy Rule, covered entities are required to respond to patient access requests within 30 days (one 30-day extension is permitted if the patient is told the reason in writing). Notices of Privacy Practices (NPPs) must also be issued to advise patients and plan members of the circumstances under which their data will be used or shared.
HIPAA Omnibus Rule:
HHS enacted the final Omnibus Rule in 2013 to implement the HITECH Act and close policy gaps in the earlier HIPAA rules. Most notably, the Omnibus Rule made business associates, and their subcontractors, directly liable for compliance with the Security Rule and the applicable parts of the Privacy Rule, where previously they were bound only by contract. It also updated the required contents of Business Associate Agreements (BAAs), which must be executed between organizations sharing PHI before any information is transferred, handled, or maintained, and replaced the earlier "harm" standard for breaches with a presumption that any impermissible use or disclosure is a breach unless a documented risk assessment shows a low probability that the PHI was compromised.
HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule requires covered entities to notify affected individuals when there is a breach of their unsecured PHI, without unreasonable delay and no later than 60 days after the breach is discovered. For breaches affecting 500 or more individuals, the entity must notify the Department of Health and Human Services within the same 60-day window, and must also issue a notice to prominent media outlets if the breach affects more than 500 residents of a single state or jurisdiction. Business associates must notify the covered entity of breaches they discover.
Smaller breaches, those affecting fewer than 500 individuals, must be logged and reported to HHS via the OCR web portal no later than 60 days after the end of the calendar year in which the breach was discovered. The affected individuals must still be notified within 60 days of discovery; only the report to HHS may be batched annually.
Whether an impermissible use or disclosure is a reportable breach, rather than an incident with a low probability of compromise, is decided by a documented risk assessment covering at least the following four factors:
- The nature and extent of the PHI involved, including the types of identifiers exposed and the likelihood of re-identification.
- The unauthorized person who used the PHI or to whom the disclosure was made.
- Whether the PHI was actually acquired or viewed.
- The extent to which the risk to the PHI has been mitigated.
HIPAA Enforcement Rule
The HIPAA Enforcement Rule governs compliance investigations by the Office for Civil Rights (OCR), the civil money penalties that can be imposed on covered entities and business associates, and the procedures for hearings and appeals. Although not part of a HIPAA compliance checklist, organizations should be aware of the four penalty tiers (the statutory base amounts below are adjusted annually for inflation):
- A violation the entity did not know about, and could not reasonably have known about, attracts a fine of $100 to $50,000 per violation.
- A violation due to reasonable cause, rather than willful neglect, attracts a fine of $1,000 to $50,000 per violation.
- A violation due to willful neglect that is corrected within 30 days attracts a fine of between $10,000 and $50,000 per violation.
- A violation due to willful neglect that is not corrected within 30 days attracts the maximum fine of $50,000 per violation.
- The amount within a tier reflects the nature and extent of the violation, including the number of individuals affected, the harm caused, the entity's history of prior compliance and its financial condition.
- Penalties are capped at $1,500,000 per calendar year for all violations of an identical provision. Separately from the civil tiers, knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA is a federal crime prosecuted by the Department of Justice.
- HIPAA itself creates no private right of action, but breach victims can sue under state law (negligence, state privacy or consumer-protection statutes), and state attorneys general can bring civil actions for HIPAA violations on behalf of their residents.
The organizations most commonly subject to enforcement action are private medical practices (solo doctors or dentists, group practices, and so on), hospitals,  outpatient facilities such as pain clinics or rehabilitation centers, insurance groups, and pharmacies.