HIPAA provides guidance for the proper uses and disclosures of protected health information (PHI), how to secure PHI, and the response activities in case there is a breach. The HIPAA rules and regulations consists of five major components
- HIPAA Security Rule
- HIPAA Privacy Rule
- HIPAA Omnibus Rule
- HIPAA Breach Notification Rule
- HIPAA Enforcement Rule
A summary of these Rules is discussed below.
HIPAA Security Rule:
The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate technical, physical and administrative safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
Technical Safeguards concern the technology
that is used to protect ePHI and provide access to the data. The only
stipulation is that ePHI – whether at rest or in transit, it must be encrypted
once it travels beyond an organization´s internal firewalled servers. This is
so that any breach of confidential patient data renders the data unreadable, undecipherable,
and unusable. Thereafter organizations are free to select whichever mechanisms
are most appropriate to:
Physical Safeguards focus on physical
access to ePHI irrespective of its location. ePHI could be stored in a remote
data center, in the cloud, or on servers which are located within the premises
of the HIPAA covered entity. They also stipulate how workstations and mobile
devices should be secured against unauthorized access:
HIPAA Administrative Safeguards
The Administrative Safeguards are the
policies and procedures which bring the Privacy Rule and the Security Rule
together. They are the pivotal elements of a HIPAA compliance checklist and
require that a Security Officer and a Privacy Officer be assigned to put the
measures in place to protect ePHI, while they also govern the conduct of the
HIPAA Privacy Rule
- The HIPAA Privacy Rule governs how ePHI can be used and disclosed. In force since 2003, the Privacy Rule applies to all healthcare organizations, the providers of health plans (including employers), healthcare clearing houses and – from 2013 – the Business Associates of covered entities.
- The Privacy Rule demands that appropriate safeguards are implemented to protect the privacy of Personal Health Information. It also sets limits and conditions on the use and disclosure of that information without patient authorization. The Rule also gives patients – or their nominated representatives – rights over their health information including the right to obtain a copy of their health records – or examine them – and the ability to request corrections if necessary.
- Under the Privacy Rule, covered entities are required to respond to patient access requests within 30 days. Notices of Privacy Practices (NPPs) must also be issued to advise patients and plan members of the circumstances under which their data will be used or shared.
HIPAA Omnibus Rule:
HHS enacted the  final Omnibus Rule  in 2013 to address policy gaps in
earlier HIPAA rules. Most notably, the Omnibus Rule defines the role of
business associates, which were not previously subject to HIPAA rules, and
outlines the criteria for Business Associate Agreements (BAAs) which must be
executed between organizations sharing PHI before any information is
transferred, handled, or maintained.
HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule requires
covered entities to notify patients when there is a breach of their ePHI. The
Breach Notification Rule also requires entities to promptly notify the
Department of Health and Human Services of such a breach of ePHI and issue a notice
to the media if the breach affects more than five hundred patients.
There is also a requirement to report
smaller breaches – those affecting fewer than 500 individuals –
via the OCR web portal. These smaller breach reports should ideally be made
once the initial investigation has been conducted. The OCR only requires these
reports to be made annually.
Breach notifications should include the following information:
- The  nature of the ePHI involved, including the types of personal identifiers exposed.
- The unauthorized person who used the ePHI  or to whom the disclosure was made (if known).
- Whether the ePHI was actually  acquired or viewed  (if known).
- The extent to which the  risk of damage has been mitigated.
HIPAA Enforcement Rule
HIPAA Enforcement Rule governs the investigations that follow a breach of ePHI, the penalties that could be imposed on covered entities responsible for an avoidable breach of ePHI and the procedures for hearings. Although not part of a HIPAA compliance checklist, covered entities should be aware of the following penalties:
- A violation attributable to ignorance can attract a fine of $100 – $50,000.
- A violation which occurred despite reasonable vigilance can attract a fine of $1,000 – $50,000.
- A violation due to willful neglect which is corrected within thirty days will attract a fine of between $10,000 and $50,000.
- A violation due to willful neglect which is not corrected within thirty days will attract the maximum fine of $50,000.
- Fines are imposed per violation category and reflect the number of records exposed in a breach, risk posed by the exposure of that data and the level of negligence involved.
- Penalties can easily reach the maximum fine of $1,500,000 per year, per violation category. It should also be noted that the penalties for willful neglect can also lead to criminal charges being filed.
- Civil lawsuits for damages can also be filed by victims of a breach.
The organizations most commonly subject to enforcement action are private medical practices (solo doctors or dentists, group practices, and so on), hospitals,  outpatient facilities such as pain clinics or rehabilitation centers, insurance groups, and pharmacies.
Need more insights ?  Get in touch  with our experts for any queries on HIPAA Assessment and Compliance.