HIPAA Training Security, Privacy, and Breach Notification Rules

HIPAA Training Security, Privacy, and Breach Notification Rules

Security, Privacy, and Breach Notification The Health Insurance Portability and Accountability Act (HIPAA) Security, Privacy, and Breach Notification Rules safeguard the privacy of sensitive health information and give patients certain rights to their health information. Covered entities hold the critical responsibility of maintaining the protection and privacy of patient health information. This training informational serves as a guide to define, explain, provide guidance for, and describe enforcement of The Privacy, Security, and Breach Notification Rules.

The Security Rule The HIPAA Security Rule established protections that covered entities and their business associates must enact to safeguard electronicPatient Health Information (e-PHI) availability to authorized individuals, integrity, and confidentiality. It is required that entities and their business associates develop and implement reasonable and suitable security measures for e-PHI through systematic procedures and policies.

The Security Rule Determining Reasonable and Suitable Security Measures Ensure that all e-PHI created, received, maintained, and transmitted is confidential, available, and being used properly Ensure that all potential cyber vulnerabilities are reasonably protected against and anticipated so as not to destroy the integrity of e-PHI Ensure that e-PHI is protected against any reasonably anticipated, impermissible uses or disclosures of information Ensure workforce compliance

The Security Rule What to Consider When Creating Security Measures The size, complexity, and capabilities of the hospital. This is generally determined by the number of hospital beds, patients, and staff in the hospital. The technical, hardware, and software infrastructure (IT personnel should be able to assist with this). The cost of the security measures needed to protect the hospital. The likelihood and potential impact that a breach of data could pose to e-PHI.

The Security Rule Guidance Materials for administrative, physical, and technical safeguards, cybersecurity, and remote/ mobile use of e-PHI can be found below: HIPAA

The Privacy Rule The HIPAA Privacy Rule implements national standards for the privacy of Patient Health Information (PHI) held by: health plans- any individual or group that provides or pays for the cost of health care healthcare clearinghouses- any entity (public or private) with the ability to process another entity’s health care information such as billing services healthcare providers- any provider of mental or other health services or supplies who sends health information in electronic form that conduct certain healthcare appointments/ transactions electronically, and any business associates of these entities. This includes any form of the information, whether electronic, verbal, or paper.

The Privacy Rule Rights Provided to Patients by The Privacy Rule Rights to examine and obtain a copy of their health records in the form and manner they request To ask for corrections to their information Permits the use and disclosure of health information needed for patient care and other purposes

The Privacy Rule Patient Health Information (PHI) includes: Individual’s physical or mental health or condition (past, present, or future) The provision of health care to the individual The payment for the provision of health care to the individual (past, present, or future)

The Privacy Rule The Privacy Rule also recognizes the importance that entities and persons play in essential public health activities. The Privacy Rule permits covered entities to disclose protected material, without authorization, to such persons or entities for the public health activities below: Child abuse or neglect Quality, safety, or effectiveness of a product or activity regulated by the FDA Persons at risk of contracting or spreading disease Workplace medical surveillance

The Privacy Rule Guidance materials for de-identifying PHI to meet HIPAA Privacy Rule requirements, the permitted uses and disclosures of PHI, and individuals’ right to access health information can be found below: HIPAA

The Breach Notification Rule The HIPAA Breach Notification Rule requires covered entities to notify any individuals affected by a breach of PHI. A breach is defined as the impermissible use or disclosure of PHI. Any unauthorized use or disclosure of this information is presumed to be a breach unless it can be proven that there is a low probability, due to security measures, that PHI has been compromised.

The Breach Notification Rule Providing evidence that there is a low probability, due to security measures, that PHI was compromised in a breach can be done by completing a risk assessment of many factors. Some are listed below: The nature and extent of the PHI involved (types of identifiers and the likelihood of re-identification) The unauthorized individual who used the PHI or to whom the unauthorized disclosure was made

The Breach Notification Rule Guidance for administrative requirements and burden of proof, how to make unsecured PHI unusable, unreadable, or indecipherable to unauthorized individuals, and reporting requirements can be found below: HIPAA

Enforcement of the Security, Privacy, and Breach Violations of the HIPAARules Privacy, Security, ad Breach Notification Rules Notification may result in civil monetary penalties, and in some cases, criminal penalties may be enforced by the U.S. Department of Justice. The civil monetary penalties can range from 100 to 1.5 million, and the criminal penalties can include loss of licensing and/or legal sanctions.

Enforcement of The Rules Common Violations Include: Impermissible PHI use and disclosure Use or disclosure of more than the minimum necessary PHI Lack of PHI safeguards Lack of administrative e-PHI safeguards (technical and physical) Lack of individuals’ access to their PHI

Enforcement of The Rules Guidance Materials on HIPAA Compliance and Enforcement can be found below: HIPAA Compliance and Enforcement

Additional Resources The link below provides resources on Cloud Computing, Mobile Apps, and HIPAA Regulation History: HHS Special Topics in Health Information Privacy