CredU Global works under the HIPAA policy, and each and every staff member of the organization follows the HIPAA guidelines. The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.  The Rule requires appropriate safeguards to protect the privacy of personal health information and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records and to request corrections.

 

The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules protect the privacy and security of health information and provide individuals with certain rights to their health information. You play a vital role in protecting the privacy and security of patient information. This fact sheet discusses:

 

  • The Privacy Rule, which sets national standards for when protected health information (PHI) may be used and disclosed

 

  • The Security Rule specifies safeguards that covered entities and their business associates must implement to protect the confidentiality, integrity, and availability of electronically protected health information (ePHI)

 

  • The Breach Notification Rule requires covered entities to notify affected individuals; the U.S. Department of Health & Human Services (HHS); and, in some cases, the media of a breach of unsecured PHI.

 

HIPAA Privacy Rule

 

The HIPAA Privacy Rule establishes standards to protect PHI held by these entities and their business associates:

 

  • Health plans
  • Health care clearinghouses
  • Healthcare providers that conduct certain healthcare transactions electronically

 

When “you” is used in this fact sheet, we are referring to these entities and persons.

 

The Privacy Rule gives individuals important rights with respect to their protected PHI, including rights to examine and obtain a copy of their health records in the form and manner they request and to ask for corrections to their information. Also, the Privacy Rule permits the use and disclosure of health information needed for patient care and other important purposes.

 

PHI

 

The Privacy Rule protects PHI held or transmitted by a covered entity or its business associate, in any form, whether electronic, paper or verbal. PHI includes information that relates to all of the following:

 

  • The individual’s past, present, or future physical or mental health or condition
  • The provision of health care to the individual
  • The past, present, or future payment for the provision of health care to the individual

 

PHI includes many common identifiers, such as name, address, birth date, and Social Security number. Visit the HHS HIPAA Guidance webpage for guidance on:

 

  • De-identifying PHI to meet HIPAA Privacy Rule requirements
  • Individuals’ right to access health information
  • Permitted uses and disclosures of PHI

 

HIPAA Security Rule

 

The HIPAA Security Rule specifies safeguards that covered entities and their business associates must implement to protect ePHI confidentiality, integrity, and availability.

 

Covered entities and business associates must develop and implement reasonable and appropriate security measures through policies and procedures to protect the security of the ePHI they create, receive, maintain, or transmit. Each entity must analyze the risks to ePHI in its environment and create solutions appropriate for its own situation. What is reasonable and appropriate depends on the nature of the entity’s business as well as its size, complexity, and resources. Specifically, covered entities must:

 

  • Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit

 

  • Identify and protect against reasonably anticipated threats to the security or integrity of the ePHI

 

  • Protect against reasonably anticipated, impermissible uses or disclosures

 

  • Ensure compliance by their workforce When developing and implementing Security Rule compliant safeguards, covered entities and their business associates may consider all of the following:

 

  • Size, complexity, and capabilities
  • Technical, hardware, and software infrastructure
  • The costs of security measures
  • The likelihood and the possible impact of risks to ePHI

 

HIPAA Breach Notification Rule requires covered entities to notify affected individuals; HHS; and, in some cases, the media of a breach of unsecured PHI. Generally, a breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI. The impermissible use or disclosure of PHI is presumed to be a breach unless you demonstrate there is a low probability the PHI has been compromised based on a risk assessment of at least the following factors:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
  • The unauthorized person who used the PHI or to whom the disclosure was made
  • Whether the PHI was actually acquired or viewed
  • The extent to which the risk to the PHI has been mitigated.

 

Most notifications must be provided without unreasonable delay and no later than 60 days following the breach discovery. Notifications of smaller breaches affecting fewer than 500 individuals may be submitted to HHS annually. The Breach Notification Rule also requires business associates of covered entities to notify the covered entity of breaches at or by the business associate.

 

Who Must Comply with HIPAA Rules?

 

Covered entities and business associates, as applicable, must follow HIPAA rules. If an entity does not meet the definition of a covered entity or business associate, it does not have to comply with the HIPAA rules. For the definitions of “covered entity” and “business associate,”.

 

Covered Entities

 

The following covered entities must follow HIPAA standards and requirements:

 

  • Covered Health Care Provider: Any provider of medical or other health care services or supplies who transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard, such as:

 

  • Chiropractors
  • Clinics
  • Dentists
  • Doctors
  • Nursing
  • homes
  • Pharmacies
  • Psychologists
  • Health Plan: Any individual or group plan that provides or pays the cost of health care, such as:

 

  • Company health plans
  • Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans’ health care programs
  • Health insurance companies
  • Health maintenance organizations (HMOs)
  • Health Care Clearinghouse: A public or private entity that processes another entity’s health care transactions from a standard format to a non-standard format, or vice versa, such as:
  • Billing services
  • Community health management information systems
  • Repricing companies
  • Value-added networks

 

Business Associates

 

A business associate is a person or organization, other than a workforce member of a covered entity, that performs certain functions on behalf of or provides certain services to, a covered entity that involve access to PHI. A business associate can also be a subcontractor responsible for creating, receiving, maintaining, or transmitting PHI on behalf of another business associate. Business associates provide services to covered entities that include:

 

  • Accreditation
  • Billing
  • Claims processing
  • Consulting
  • Data analysis
  • Financial services
  • Legal services
  • Management administration
  • Utilization review

 

Enforcement

 

The HHS Office for Civil Rights enforces the HIPAA Privacy, Security, and Breach Notification Rules. Violations may result in civil monetary penalties. In some cases, criminal penalties enforced by the U.S. Department of Justice may apply.

 

Common violations include:

 

  • Impermissible PHI use and disclosure
  • Use or disclosure of more than the minimum necessary PHI
  • Lack of PHI safeguards
  • Lack of administrative, technical, or physical ePHI safeguards
  • Lack of individuals’ access to their PHI

 

The following are actual case examples:

 

  • HIPAA Privacy and Security Rule: A wireless health service provider (remote mobile monitoring) agreed to pay $2.5 million and implement a corrective action plan to settle potential violations of the HIPAA Privacy and Security Rules. A laptop with 1,391 individuals’ ePHI was stolen from an employee’s vehicle. The investigation revealed insufficient risk analysis and risk management processes in place at the time of the theft. Additionally, the organization’s policies and procedures implementing HIPAA Security Rule standards were in draft form and had not been implemented. Further, the organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.

 

  • HIPAA Breach Notification Rule: A specialty clinic agreed to pay $150,000 to settle potential violations of the HIPAA rules. An unencrypted thumb drive with the ePHI of about 2,200 individuals was stolen from a clinic employee’s vehicle. The investigation revealed the clinic had not accurately or thoroughly analyzed the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process. Further, the clinic did not fully comply with the requirements of the Breach Notification Rule to have written policies and procedures in place and train workforce members. This case was the first settlement with a covered entity for not having policies and procedures to address the HIPAA Breach Notification Rule.

 

● Criminal prosecution: A former hospital employee pleaded guilty to criminal HIPAA charges after obtaining PHI with the intent to use it for personal gain. He was sentenced to 18 months in Federal prison.