HIPAA Privacy & Security Rule
The Health Insurance Portability and Accountability Act
Privacy Rule
The HIPAA Privacy Rule gives patients certains rights regarding personal health information that are collected by covered entities as defined by HIPAA. A covered entity may be a health care provider, a health plan, or a healthcare clearinghouse which transmit information electronically. The goal of the Privacy Rule is to protect the privacy of patients while allowing information to flow when needed to provide quality health care to the patients and the public. An individuals rights include access to records, accounting of disclosures, amendments of health information records, and request for restrictions of disclosure.
The Department of Health and Human Services (HHS), Ofifice of Civil Rights (OCR) administers and enforces compliance to the standards set forth by The Standards for Privacy of Individually Identifiable Health Information (Privacy Rule). A covered entity's failure to comply with the the standards may be subject to civil money penalites and/or criminal penalites depending on their knowledge of the violation.
Civil Money Penalties
For violation occurring prior to 2/18/2009 | For violations occuring on or after 2/18/2009 | |
Penalty Amount | Upt to $100 per violation | $100 to $50,000 or more per violation. |
Calendar Year Cap | $25,000 | $1,500,000 |
Criminal Penalties
Knowingly obtain or disclose health information | If violation occurred under false pretenses | Intent to sell, transfer, or use health information for personal gain or to cause harm |
Up to $50,000 and 1 year in prison | Up to $100,000 and 5 years in prison | Up to $250,000 and 10 years in prison |
Security Rule
The HIPAA Security Rule established national standards to protect electronic health information that a covered entity creates, exchanges, and maintains. The Security Rule took effect on April 21, 2003 with a compliance date of April 21, 2005 for most covered entities and April 21, 2006 for "small plans". The Security Rule was enacted to specifically deal with Electronic Protected Health Information (e-PHI) and proposed appropriate procedures and measures to protect the confidentiality and security of patient information in an electronic environment. The Security Rule outlines three types of security safeguards required for compliance: administrative, physical, and technical.
Administrative Safeguards:
- proper risk assessment associated with e-PHI and measures to reduce this risk, policies for access to e-PHI
- policies and procedures for authorizing access to e-PHI
- proper training, authorization and supervision of workers using e-PHI
- periodic assessment of policies as they pertain to the Security Rule.
Phyical Safeguards:
- limiting physical access to facilities while allowing authorized access
- proper use and access of workstation or other electronic media
- policies and procedures regarding the transfer, removal, disposal and re-use of electronic media
Technical Safeguards
- technical policies and procedures to prevent unauthorized access to e-PHI
- hardware, software, and /or procedural mechanisms to monitor e-PHI use
- policies and procedures to prevent alteration or destruction of e-PHI
- technical security measures to prevent unauthorized access to e-PHI when transmitting over a network
HITECH Act
The Health Information Technology for Economic and Clinical Health Act was signed to law in February 17, 2009 and extends the Privacy and Security Provisions of HIPAA to business associates of covered entities. It significantly increased penalties for violations with "a maximum penalty amount of $1.5 million for all violations of an identical provision". It also implemented new rules for the accounting of disclosures of patient information when using electronic health records (EHR) and proposed new measures and procedures specifically to ensure the privacy an security of EHR.
HIPAA Compliance
HIPAA required that covered entities demonstrate compliance to the Privacy Rule on April 14, 2003 and to the Security Rule on April 20, 2005. The Office for Civil Rights (OCR) was given the authority to enforce the Privacy and Security Rules under HIPAA and HITECH on July 27, 2009. Covered entities who fail to comply may be subject to civil or criminal penalties as outlined above.
For further reading visit these informative sites.