A guide to HIPAA's rules

The rules and associated legislation that set up the Health Insurance Portability and Accountability Act (HIPAA) and further define its limitations must be understood by healthcare providers to ensure that PHI in their care is effectively used and disclosed.

Covered entities and business associates

HIPAA applies to entities that access and handle PHI and fall into one of two categories:

1. Covered entities: These include healthcare providers, health plan providers, and healthcare clearinghouses. Covered entities must comply with the Privacy Rule when handling PHI and ensuring patient access to their records.
2. Business associates: Business associates are third-party entities that provide services to covered entities, such as medical transcription services, IT vendors, and billing companies. Business associates are also subject to the Privacy Rule's requirements regarding the handling of PHI.

See more: What is a covered entity?

Privacy rule

The Privacy Rule protects the privacy of patient information and determines the limitations of sharing such information without patient authorization. 

The limitations to the disclosure of PHI encompass the following:

1. Permitted disclosures: These refer to disclosures for treatment, payment, and operations that do not necessitate patient authorization. However, such disclosures pose privacy risks due to the broader distribution scope of the shared PHI.
2. Law enforcement and public health: In specific situations, PHI may be shared with law enforcement agencies or public health authorities. While these disclosures serve public interest purposes, they still entail limited risks to the privacy of PHI.
3. Minimum necessary standard: This standard mandates organizations to use and disclose only the minimum necessary PHI for a specific purpose, such as treatment, payment, or healthcare operations.
4. Lack of patient control: Covered entities hold the discretion and legal obligations to use and disclose PHI, thereby limiting patient control over the flow of their own PHI.

Right of access

The Privacy Rule further grants patients the right to access their designated records within the care of the covered entity, with limited exceptions. Records would consist of medical and billings records of the patient. 

The requirements for the right of access include:

1. Timeliness: Covered entities must provide individuals with access to their PHI within 30 days of the request. However, they may have one 30-day extension if they provide a written explanation for the delay.
2. Format: Individuals have the right to receive their PHI in the format they request if it is readily producible in that format. Covered entities should accommodate reasonable requests, such as providing electronic copies or transmitting the information securely.
3. Verification of identity: Covered entities must verify the identity of the individual making the request to ensure that PHI is only disclosed to authorized individuals. They may request certain documentation or authentication methods to confirm the requester's identity.
4. Denials and restrictions: Covered entities may deny access to certain PHI under limited circumstances, such as when access could endanger the life or safety of the individual or others. However, denials must be based on specific reasons, and individuals have the right to appeal such denials.
5. Fees: Covered entities can charge a reasonable, cost-based fee for providing copies of PHI. However, they must inform individuals of the approximate fee in advance and provide the requested information at a reasonable cost or offer alternatives if the individual cannot afford the fee.

Security rule

The Security Rule establishes standards for securing electronic protected health information (ePHI) throughout its storage, accessibility, and transmission. To ensure adequate protection, the Security Rule outlines different levels of safeguards:

1. Administrative safeguards: This category focuses on administrative policies and procedures that healthcare entities must implement to protect ePHI. It includes workforce training, security management processes, risk assessments, and contingency planning. Administrative safeguards ensure that personnel are knowledgeable about security protocols and follow appropriate practices to safeguard ePHI.
2. Technical safeguards: These address the technological aspects of securing ePHI. They involve the use of technology to control access to ePHI, authenticate users, and encrypt data. Technical safeguards include access controls, audit controls, integrity controls, transmission security like HIPAA compliant email, and the implementation of secure messaging and encryption mechanisms.
3. Physical Safeguards: This relates to the physical protection of ePHI and the facilities that house it. This includes measures such as limited access to data storage areas, the use of security cameras, secure storage for electronic equipment, and policies for workstation security. Physical safeguards aim to prevent unauthorized access, damage, or theft of physical devices that contain ePHI.

Read more: What's the difference between PHI and ePHI?

HITECH act

The HITECH Act, which stands for Health Information Technology for Economic and Clinical Health Act, is a U.S. federal law enacted in 2009 as part of the American Recovery and Reinvestment Act (ARRA). The HITECH Act is closely associated with HIPAA and has significant implications for the use and protection of electronic health information.

The primary purpose of the HITECH Act is to promote the adoption and meaningful use of PHI by healthcare providers. It includes provisions for the advancement of health information technology, the secure exchange of electronic health information, and the privacy and security of health information.

Key aspects of the HITECH Act include the following:

1. Meaningful use: The HITECH Act establishes incentive programs to encourage healthcare providers to adopt and effectively utilize certified EHR technology. It defines specific criteria and objectives that providers must meet to qualify for incentive payments.
2. Privacy and security: The HITECH Act strengthens the privacy and security protections for electronic health information. It extends HIPAA requirements to business associates of covered entities and imposes stricter penalties for non-compliance.
3. Breach notification: The HITECH Act introduces a federal breach notification requirement, mandating that covered entities and business associates notify affected individuals, the Secretary of Health and Human Services, and, in some cases, the media, in the event of a breach of unsecured health information.
4. Enforcement: The HITECH Act enhances the enforcement provisions of HIPAA, providing the Office for Civil Rights (OCR) with more authority to investigate complaints, conduct audits, and impose penalties for violations.

Omnibus Rule

The Omnibus Rule, implemented in 2013, introduces modifications and enhancements to HIPAA, focusing on strengthening the privacy and security of PHI. It incorporates provisions from the HITECH Act of 2009 and expands the definition of Business Associates to mandate that they comply with specific privacy and security standards, as is the case with covered entities. 

Additionally, it establishes clear guidelines for breach notification. Covered entities and business associates must promptly notify affected individuals, the HHS, and, in some cases, the media, in the event of a breach of unsecured PHI.

By implementing the Omnibus Rule, the privacy and security protections outlined in the Privacy and Security Rule are reinforced, ensuring the confidentiality and integrity of PHI. The rule plays a role in safeguarding individuals' health information and maintaining compliance with HIPAA regulations.

Breach notification rule

The Breach Notification Rule outlines the necessary actions that a covered entity must take in the event of a breach of PHI. Unauthorized use or disclosure of PHI is generally considered a breach unless the covered entity can demonstrate a "low probability of compromise" based on a four-factor test:

1. Nature and extent of PHI: This factor evaluates the nature and scope of the PHI involved, including the types of identifiers present and the likelihood of reidentification.
2. Unauthorized person or recipient: Assessing the identity of the unauthorized person or people who accessed or received the PHI is essential for determining the severity of the breach and potential harm.
3. Acquisition or viewing of PHI: Determining whether the unauthorized person actually acquired or viewed the PHI helps gauge the level of risk associated with the breach.
4. Risk mitigation: Evaluating the extent to which the covered entity has taken measures to mitigate the risk to the PHI is a critical factor in the breach assessment.

Enforcement rule

The Enforcement Rule outlines the procedures and mechanisms through which the HIPAA Privacy Rule and Breach Notification Rule should be enforced by the Department of Health and Human Services (HHS). 

The Office for Civil Rights (OCR) is responsible for enforcing these penalties. 

The OCR carries out various activities, including conducting compliance reviews, reaching out to organizations to promote and encourage compliance, and investigating complaints related to HIPAA violations. By performing these functions, the OCR plays a vital role in enforcing HIPAA regulations and promoting the privacy and security of individuals' health information.

Administrative simplification rules

The HIPAA Administrative Simplification Rule sets standards for electronic transactions and code sets used in healthcare. It aims to improve the efficiency of electronic healthcare transactions.

This rule establishes specific formats and codes for various healthcare transactions, like submitting claims and checking eligibility. It ensures consistency in exchanging healthcare information electronically, reducing administrative work and enabling different healthcare entities to work together more effectively.

Who do these rules apply to?

The listed rules, including the Privacy Rule, Right of Access Rule, Security Rule, Omnibus Rule, Breach Notification Rule, Enforcement Rule, and Transaction Rule, apply to covered entities and business associates. By proactively educating themselves about these rules, organizations can effectively fulfill their legal obligations, mitigate the risk of breaches or violations, and ensure the privacy and security of PHI throughout their operations.