by Kapua Iao
Article filed in

Understanding and implementing HIPAA rules

by Kapua Iao

HIPAA requirements for PHI disclosure

HIPAA (the Health Insurance Portability and Accountability Act) is a 1996 U.S. law that protects the rights and privacy of patients by introducing standards to healthcare. Since its initial creation, the U.S. Department of Health and Human Services (HHS) has included several major HIPAA rules to ensure even more patient protection.

The HIPAA rules discussed most often are the Privacy Rule and Security Rule. Together, they provide essential guidelines for the proper protection and disclosure of protected health information (PHI).

RELATED: Is a name PHI?

For covered entities (CEs) and their business associates, understanding HIPAA’s intricacies is essential to providing strong patient care. Let’s dig deeper into HIPAA’s rules before exploring what a CE can do to ensure it is HIPAA compliant.

Understanding HIPAA

HHS created HIPAA to combat fraud and abuse as related to PHI.

RELATED: HIPAA Stands For . . .

The Act is regulated and enforced by the HHS Office for Civil Rights (OCR) and consists of five sections (or titles):

Title I – regulates group health plans and certain individual health insurance policies

Title II – establishes standards for the privacy and security of PHI

Title III – standardizes pretax medical savings accounts

Title IV – specifies conditions for group health plans and further explains coverage clarifications

Title V – adds provisions about tax deductions for employers

Most commonly associated with the Act is Title II as it contains the actual security measures a CE must maintain for HIPAA compliance. Significant provisions of Title II include:

  • Privacy Rule (2003) – provides guidelines on PHI use and disclosure
  • Security Rule (2005) – sets the necessary safeguards needed to protect electronic PHI (ePHI)
  • Enforcement Rule (2006) – sets the standards of enforcing HIPAA and penalizing noncompliant CEs
  • HITECH Act (2009) – promotes the adoption and meaningful use of technology in healthcare
  • Breach Notification Rule (2009) – requires CEs to report breaches to OCR and affected individuals
  • Final Omnibus Rule (2013) – incorporates HITECH further by improving privacy protections

Any CE that OCR finds noncompliant with Title II has committed a HIPAA violation, no matter how the original breach happened.

In fact, the CE may find itself on HHS’ Wall of Shame and subject to fines, angry patients, and a cleanup disaster. Ultimately, avoiding a HIPAA violation is possible by understanding and following HIPAA, the Privacy Rule, and the Security Rule.

RELATED: HIPAA Breach Report for December 2020

The Privacy Rule

Generally, the Privacy Rule sets limits for the use and disclosure of PHI. Ideally, the rule provides patients with needed confidentiality protections while also allowing the continuous flow of healthcare information.

Recently, HHS provided two fact sheets meant to elucidate permissible PHI use and disclosure.

The first offers examples of administrative, financial, legal, and quality improvement activities when patient authorization is not required. And the second defines when PHI can be used and disclosed for patient treatment, again without that patient’s authorization.

RELATED: HIPAA Privacy Rule for Business Associates

The idea is that such uses must reinforce or improve a CE’s ability to provide patient care.

Beyond this, the Privacy Rule also addresses what type of information can be shared. For example, a CE must still adhere to the rule’s minimum necessary requirement that limits PHI to the least amount.

Finally, the Privacy Rule also supports the rights of patients seeking access to their own PHI. OCR strengthened its HIPAA Right of Access Initiative in 2019 to ensure CEs complied with this aspect at all times.

The Security Rule

The Security Rule, then, establishes the security standards necessary for the protection of ePHI. In other words, it puts the information contained in the Privacy Rule into practice by addressing the how of use and disclosure.

Furthermore, the Security Rule champions the adoption and use of new technologies if they aid in patient care and keep PHI safe.

Accordingly, the rule specifies that administrative, physical, and technical safeguards are necessary for compliance. Specifically, CEs must:

  • Ensure confidentiality, integrity, and availability of ePHI
  • Identify and protect against reasonably anticipated threats
  • Protect against reasonably anticipated, impermissible uses or disclosures
  • Ensure compliance by employees

The idea is to show that every effort was taken to block a breach, whether from human error, a cyberattack, or a technical failure.

RELATED: Healthcare Data Breaches – A Haunting Reality

As long as the safeguards are in place and a CE does everything possible to protect patients and their PHI, the chance of a HIPAA violation is minor.

Implementing HIPAA rules

The first step to HIPAA compliance is to read and understand the law and its amendments. And the second step is to translate the law and its rules into workable policies and procedures.

This means following use and disclosure requirements under the Privacy Rule and the safeguard standards listed under the Security Rule.

Finally, the third step is to implement the policies and procedures:

  • Create and display use and disclosure guidelines
  • Establish up-to-date risk analysis and management strategies
  • Continuously audit and update cybersecurity methods
  • Utilize separate and offline backup for sensitive information
  • Apply physical and technical access controls to systems, networks, and storage
  • Keep your employees knowledgeable and aware of HIPAA
  • Use antivirus and antimalware software
  • Employ encryption and other similar measures for safe HIPAA compliant communication (e.g., HIPAA compliant email).

The only way to ensure CEs follow the Privacy Rule and Security Rule is by using a combination of the above for complete patient security.

How can Paubox help

Paubox works tirelessly to help CEs maintain cybersecurity and HIPAA compliance.

HIPAA compliant email is guaranteed through Paubox Email Suite, which provides needed protections without the use of extra logins, passwords, or portals. With our HITRUST CSF certified solution, all emails are encrypted, sent directly from your existing email platform (such as Microsoft 365 and Google Workspace).

Compliance is further ensured with Paubox Marketing and Paubox Email API. Both let CEs send targeted messages while not stressing about possible HIPAA violations through email.

Understanding and implementing HIPAA is fundamental to HIPAA compliance; let Paubox help you with an important aspect of HIPAA and its rules today.

Try Paubox Email Suite for FREE today.