HIPAA Patient Privacy, Security, Enforcement, and Omnibus Rules
Understanding the HIPAA Patient Privacy Rule
The HIPAA Patient Privacy Rule lays out how your organization should manage, use, and protect protected health information (PHI). In fact, these rules are the foundation of HIPAA regulations. Your organization, or any covered entity that accesses your business’s PHI, can use these rules to determine how and when it is allowed to use that sensitive data.
The regulatory standard has to be properly documented in your business’s HIPAA policies and procedures. It’s best if you have all employees undergo annual training on these policies. In order to make your organization’s PHI available to other parties, the law requires you to sign a HIPAA PHI release form.
Information Protected by the Patient Privacy Rule
- Medical records
- Social Security Numbers
- Fingerprints and voiceprints
- Contact information
- Location information
- Birth, death, and treatment dates
Understanding the HIPAA Security Rule
This rule defines the minimum standards covered entities must meet in order to handle, maintain, and transmit electronic PHI (ePHI). “The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronically protected health information.”
Below are key ideas expressed in that rule:
- Security Management Process — covered entities have to create policies and procedures that effectively contain, correct, prevent, and detect security violations. Before implementing new policies, make sure you assess the overall risk of your current policies.
- Assigned Security Responsibility — someone in your organization has to be assigned as the designated security official. This person will be responsible for the development and implementation of your HIPAA Security Rules.
- Workforce Security — your organization must determine which employees will require access to PHI or ePHI. Efforts should be made to regulate control over that access.
- Information Access Management — once your organization has determined which personnel will have access to your PHI and ePHI, access should be restricted from all other parties.
- Security Awareness and Training — you must train your workforce on the relevant rules and security policies related to HIPAA compliance regulations.
- Security Incident Procedures — the process of creating policies that address what to do in the event of a data breach. Your organization should report said breaches and any other security violations. Setting up alerts to spot these breaches can go a long way in this endeavor.
- Contingency Plan — your company should have a backup plan or disaster recovery plan to respond to an emergency that affects ePHI. Your MSP or IT team should be able to take care of this when it comes to ePHI.
- Evaluation — your organization should regularly review and evaluate your HIPAA security policies and procedures to make sure they are effective and up-to-date.
- Business Associate Contracts — to prevent 3rd party contractors from leaking your PHI or ePHI, you should create business associate contracts and other relevant arrangements.
- Facility Access Controls — facilities that contain ePHI data, such as your server rooms, should stay locked. Limit which personnel have access to these facilities.
- Workstation Use — workstations and devices that access ePHI should be properly managed and secured. For instance, only personnel who are authorized to handle ePHI should be allowed to use these workstations.
- Workstation Security — your company should make an effort to securely manage any devices that access ePHI.
- Device and Media Controls — laptops and computers aren’t the only things that need to be secured. If ePHI is transferred via USBs or other forms of removable storage, they should be properly secured as well in a designated storage area.
- Access Control — implement appropriate authentication measures for users who need to access ePHI.
- Audit Controls — provide thorough audit trails of any data breaches that occur so that the OCR will be able to understand precisely how the breach occurred in the first place.
- Integrity — your company will have to be able to prove that the PHI and ePHI that you manage are properly protected from internal and external threats, no matter how big or small.
- Person or Entity Authentication — verify that the people you allow to access PHI and ePHI are who they say they are, whether a patient or a user. This can be accomplished via biometrics, two-factor authentication, and other more sophisticated password security best practices.
- Transmission Security — when your company transfers PHI data to other business partners, you must be able to prove to the OCR that only authorized individuals had access to the sensitive data.
Understanding the HIPAA Enforcement Rule
This rule clarifies what your company needs to do in the event of a HIPAA violation. If a data breach occurs and PHI was involved, your organization must report it to the Office for Civil Rights (OCR). The OCR will then investigate and review the violation to determine whether or not your company was negligent. Your organization will need to provide an audit trail, figure out what caused the breach, and deal with the relevant PHI data to make sure it’s safe.
If the OCR determines that the actions your company takes to respond to the violation are insufficient, you’ll be subject to a fine.
Understanding the Omnibus Rule
This rule is perhaps one of the most important changes to HIPAA regulations. The rule made a number of notable updates that clarified and broadened the definition of business associates, which thus expanded HIPAA to cover several other organizations and individuals.
Civil penalties were also increased for HIPAA violations as a result of this rule, and the penalties themselves became tiered. The Omnibus rule also prohibited companies from utilizing PHI for marketing purposes.
Understanding HIPAA Breach Notifications
The HIPAA Breach Notification Rule requires your organization to send a notification of a breach or improper access to your PHI or ePHI within 60 days. If over 500 PHI records are improperly accessed, the Department of Health and Human Services (HHS) must be notified and your organization will be required to issue a press release regarding the breach.
In your company’s report of the HIPAA violation, you must mention a few details, including:
- Any information you have on the unauthorized person or persons who accessed your PHI data.
- A list of the PHI that was made available.
- A list of all mitigation steps your company has taken to respond to the breach.
- Confirmation that the unauthorized person or persons actually viewed the PHI.
If the breach impacts fewer than 500 PHI records, your company can simply report the violations once per year, as described in the Breach Notification Rule.
Keeping Your Company’s Private Data Secure
PHI is data that your organization is responsible for, and the protection and security of that data are critical to thriving in the modern digital age. If you’re uncertain of your business’s security or compliance, our IT Security and Compliance Auditing services can give you a complete picture of the security of your IT systems, network, and data.