Learn Privacy Law for the Healthcare Industry
After completing this unit, you’ll be able to:
- Describe how HIPAA is administered and enforced.
- List the different entities that have obligations under HIPAA.
- Explain what the HIPAA Privacy and Security Rules require.
Under the Health Insurance Portability and Accountability Act (HIPAA), the Department of Health and Human Services (HHS) issued the Privacy, Security, and Breach Notification Rules to protect individually identifiable health information, known as protected health information, or PHI. The Privacy Rule governs the collection, use, storage, and disclosure of PHI. It seeks to balance individuals’ privacy rights with healthcare organizations’ need to use PHI to provide quality healthcare. The Security Rule addresses how to properly secure PHI. Finally, the Breach Notification Rule requires certain notifications when unsecured PHI is breached.
HHS also created the Office for Civil Rights (OCR) and granted it the authority and responsibility to enforce these rules, whether by securing voluntary compliance or by imposing monetary penalties.
HIPAA directly applies to “covered entities”:
- Healthcare providers who transmit PHI in electronic form in connection with certain standard transactions, such as a hospital, doctor’s office, nursing home, or pharmacy
- Healthcare plans, such as insurance companies
- Healthcare clearinghouses, such as third-party billing companies, that process or facilitate the processing of PHI into or from standard data elements
HIPAA also creates certain obligations for the business associates of covered entities. A business associate is a person or entity outside the covered entity’s workforce that provides services to a covered entity that involve the creation, receipt, maintenance, or transmission of PHI. For example, a third-party administrator that processes claims for a health plan is the plan’s business associate. Salesforce may be a business associate for one of its healthcare customers if it receives, maintains, or transmits PHI to provide services to the customer.
The Privacy Rule governs the use and disclosure of PHI by covered entities and business associates. It establishes national standards to facilitate the flow of PHI while also protecting the PHI. For example, the Privacy Rule allows for the use and disclosure of PHI with the subject’s consent or in certain specific situations, such as for treatment or payment purposes. The rule also allows for the use and disclosure of PHI for certain public interest reasons, such as to stem the spread of infectious disease or to report domestic violence.
Under the Privacy Rule, covered entities also must implement policies and procedures that restrict access to and use of PHI to the minimum amount necessary to accomplish the intended purpose.
The Privacy Rule also gives individuals certain rights, which covered entities must outline in a notice of privacy practices and provide to their data subjects. These include the right of individuals to:
- Access their own PHI
- Direct the disclosure of their PHI to a third party
- Request amendment of inaccurate or incomplete PHI
- Receive a list of the PHI disclosures made by the covered entity
- Request restrictions on the use or disclosure of their PHI
- Request specific requirements or restrictions on the means of communication of their PHI
Finally, the Privacy Rule requires that covered entities obtain assurances in writing from their business associates that these associates appropriately safeguard any PHI they receive or create on the covered entity’s behalf. This written arrangement, commonly referred to as a business associate agreement, must explicitly describe the ways the business associate may use or disclose the PHI. Salesforce enters into such agreements when acting as a business associate on behalf of its customers.
The Security Rule addresses how PHI must be properly secured. It establishes standards for protecting e-PHI, or PHI that covered entities hold or transfer in electronic form. The rule requires that covered entities maintain administrative, technical, and physical safeguards to protect e-PHI, as is reasonable and appropriate given the covered entity’s size and resources, and the risks to the e-PHI. Among other things, this means that a covered entity must take reasonable steps to:
- Ensure the confidentiality, integrity, and availability of all e-PHI
- Design and implement policies and procedures to limit access to e-PHI
- Train employees and ensure that they comply with internal policies
- Regularly perform risk analysis and implement remediating security measures
- Identify and protect against reasonably anticipated threats to the security or integrity of the e-PHI
The Breach Notification Rule requires covered entities and business associates to make certain notifications when unsecured PHI is breached. A breach involves the use or disclosure of PHI that is not permissible under the Privacy Rule and that compromises the security or privacy of the PHI. Following a breach, covered entities must notify affected individuals about the breach. They also must notify the Secretary of Health and Human Services and, in certain circumstances, the media. If a business associate experiences a breach, it must notify the covered entity.
Failure to comply with HIPAA can result in investigation and enforcement actions by HHS or state attorneys general. When a covered entity fails to comply with HIPAA, the HHS Office for Civil Rights first seeks voluntary compliance with its rules. When that fails, the office has the power to issue civil monetary penalties. Before imposing a penalty, the office provides the covered entity with an opportunity to present evidence supporting a reduction in the fine.
There also can be criminal consequences for HIPAA violations. The Department of Justice has the authority to prosecute anyone who knowingly obtains or discloses PHI in violation of the Privacy Rule. Depending on intent and motive, such a defendant may be subject to up to 10 years' imprisonment and a $250,000 criminal penalty.