HIPAA Privacy Laws

What are the HIPAA Privacy Laws?

HIPAA privacy laws were introduced in 2002 to protect the privacy of patients and also to give patients the right to access their health data on request. If patients have access to their health information, they can take a more active role in their own healthcare. They can also check their health information for errors and pass their health data on to new healthcare providers or research organizations.

The HIPAA Privacy Rule requires Covered Entities to provide patients with access to their health data within 30 days of the request being made. Covered entities should offer patients the option of having their PHI provided on paper or as an electronic copy, either on a CD, portable storage device or made available via patient portals.

HIPAA privacy laws apply to all covered entities – healthcare providers, health plans, healthcare clearinghouses and business associates of covered entities. A business associate is any individual or organization that is contracted to provide services to a covered entity and that requires access to PHI to do so. Prior to being given access to PHI, a business associate must be advised of its responsibilities with respect to PHI and must sign a HIPAA-compliant business associate agreement (BAA). By signing the agreement, the business associate agrees to comply with the HIPAA Privacy, Security and Breach Notification Rules. If HIPAA laws are violated, the business associate can be fined directly by regulators.

What Data Are Covered by HIPAA Privacy Laws?

HIPAA privacy laws apply to all individually identifiable health information created or received by a HIPAA-covered entity (see 45 CFR 160.103). That information includes personal identifiers such as names, identification numbers, contact information, Social Security numbers, driver’s license details, financial information, and biometric data. It also includes information about past, present or future medical conditions, the provision of healthcare services, and past, present, and future payments. HIPAA privacy laws apply to physical records as well as electronic copies of data, images, and videos.

HIPAA covered entities are permitted to disclose patients’ protected health information for the purpose of treatment, payment, or healthcare operations without obtaining consent from the patient. In such cases, information must only be disclosed to individuals authorized to receive it, and PHI disclosures should only include the ‘Minimum Necessary Information’ required for the specific purpose for which the information is disclosed. Prior to any disclosure, a covered entity or business associate must assess, on a case-by-case basis, what information needs to be disclosed.

Any disclosure not specifically covered by the HIPAA Privacy Rule would only be possible if prior consent from the patient has been obtained in writing.

HIPAA Privacy Laws and Unauthorized Disclosures

Covered entities must implement safeguards to prevent the unauthorized disclosure of protected health information, as detailed in the HIPAA Security Rule. HIPAA is not technology-specific, so the methods used to protect the privacy of patients should be based on a risk assessment and will differ from one covered entity to another.

The failure to implement appropriate controls to prevent unauthorized disclosures, or disclosing PHI to unauthorized individuals, can result in substantial fines for non-compliance. The maximum penalty for non-compliance with HIPAA Rules is $1.5 million, per violation category per year that the violation has been allowed to persist. A single privacy violation that has occurred for several years could result in multi-million-dollar fines.

The Department of Health and Human Services’ Office for Civil Rights publishes a summary of all healthcare data breaches that have impacted more than 500 individuals. Some of the most common unauthorized disclosures have occurred as a result of the loss or theft of unencrypted portable devices such as laptops, zip drives and hard drives. Many healthcare organizations have been fined for these disclosures because they failed to use encryption or other equivalent measures to secure protected health information.

Portable devices are easily lost or stolen. Rather than use encryption, many covered entities have implemented solutions that allow stored data to be remotely wiped in the event of loss or theft of a device. One such solution is a secure messaging service.