Though the HIPAA Privacy Rule has been in effect since 2000, many people still don’t know what it does. This post will answer ten common questions about the HIPAA Privacy Rule.
1. What is the HIPAA Privacy Rule?
The U.S. Department of Health and Human Services (HHS) developed the Privacy Rule to make sure providers and their business associates were implementing the requirements of the Health Insurance Portability and Accountability Act (HIPAA). This rule was the first set of national standards for protecting health information. HHS designed the rule to protect patients’ medical records and other protected health information (PHI). The Privacy Rule protects PHI in all media, whereas the Security Rule covers only electronic PHI.
2. Who has to comply with the Privacy Rule?
Health insurance plans, health care providers, business associates who have access to PHI, and healthcare clearinghouses must follow the Privacy Rule. These are “covered entities” (CEs).
3. What types of patient information are “protected”?
PHI includes:
- Names
- Geographical subdivisions smaller than a State (street address, city, county, precinct, zip code)
- All elements of dates, except the year, that relate to an individual (birth date, admission date, discharge date, date of death)
- All ages over 89 and all elements of dates, including the year, that indicate that age, unless aggregated into a category of 90 and older
- Phone and fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, such as license plate numbers
- Device identifiers and serial numbers
- URLs
- IP addresses
- Biometric identifiers, such as finger or voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code
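Several of the identifier classes above have a recognizable shape and can be caught mechanically. The Python scanner below is an added example (not code from the original post or from HIPAAtrek) that flags and redacts those classes in a free-text record, keeps only the year from dates, drops a year that would reveal an age over 89, and aggregates stated ages over 89 into the 90-and-older bucket, as the list requires. The regex patterns, the identifier labels, and the sample record are all constructed for illustration; names, photographs, and biometric identifiers have no regular shape and are out of scope for a pattern-based scan.

```python
"""Safe Harbor style PHI scanner (illustrative example, not HIPAAtrek code).

Detects and redacts several of the identifier classes listed in the post.
Patterns are constructed for this example and deliberately simple; a
production scanner would use a vetted PHI-detection library and a far
larger pattern set, plus named-entity recognition for names.
"""
import re
from datetime import date

# Identifier classes with a recognizable shape. Order matters: specific
# patterns (MRN, phone) run before the generic five-digit ZIP rule so the
# ZIP rule does not swallow part of another identifier. (Constructed patterns.)
IDENTIFIER_PATTERNS = [
    ("medical_record_number", re.compile(r"\bMRN\s*[:#]?\s*\d{4,}\b", re.IGNORECASE)),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone_or_fax", re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("url", re.compile(r"https?://[^\s,;]*[^\s,;.]")),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("zip_code", re.compile(r"\b\d{5}(?:-\d{4})?\b")),
]

# ISO dates: the year may be kept, month and day must go.
DATE_RE = re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")
# Stated ages: anything over 89 is aggregated into "90 or older".
AGE_RE = re.compile(r"\b(\d{1,3})\s*(?:years?\s+old|y/?o)\b", re.IGNORECASE)


def _year_only(match, reference_year):
    """Keep the year of a date unless that year alone reveals an age over 89."""
    year = int(match.group(1))
    return "[YEAR]" if reference_year - year > 89 else str(year)


def _aggregate_age(match):
    """Replace an age over 89 with the aggregated 90-and-older category."""
    age = int(match.group(1))
    return "90+ years old" if age > 89 else match.group(0)


def scan(text):
    """Return {identifier_class: [matched strings]} without altering text."""
    findings = {}
    for name, pattern in IDENTIFIER_PATTERNS:
        hits = pattern.findall(text)
        if hits:
            findings[name] = hits
    dates = [m.group(0) for m in DATE_RE.finditer(text)]
    if dates:
        findings["date"] = dates
    ages = [m.group(1) for m in AGE_RE.finditer(text) if int(m.group(1)) > 89]
    if ages:
        findings["age_over_89"] = ages
    return findings


def redact(text, reference_year=None):
    """Return a redacted copy of text following the Safe Harbor date/age rules."""
    if reference_year is None:
        reference_year = date.today().year
    out = text
    for name, pattern in IDENTIFIER_PATTERNS:
        out = pattern.sub(f"[{name.upper()}]", out)
    out = DATE_RE.sub(lambda m: _year_only(m, reference_year), out)
    out = AGE_RE.sub(_aggregate_age, out)
    return out


# Constructed sample record; every value in it is fictitious.
SAMPLE_RECORD = (
    "Patient Jane Doe, MRN 0048213, DOB 1931-02-17, 93 years old, "
    "admitted 2024-03-14. Phone 555-201-3344, email jane.doe@example.org, "
    "SSN 123-45-6789, ZIP 62704. Portal login from 203.0.113.42 via "
    "https://portal.example.org/visit/7781."
)

if __name__ == "__main__":
    for cls, hits in scan(SAMPLE_RECORD).items():
        print(f"{cls}: {hits}")
    print(redact(SAMPLE_RECORD, reference_year=2024))
```

Running the block prints the identifier classes found in the sample record and then the redacted text, in which the 1931 birth year is dropped (it would reveal an age over 89 relative to 2024) while the 2024 admission year is retained. Note that the patient's name survives the scan untouched, which is exactly why a regex-only approach is not a complete de-identification method.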
4. Is genetic information covered?
Yes. If the genetic information meets the definition of PHI, then it’s covered by the Privacy Rule.
5. What do CEs need to do to comply with the Privacy Rule?
CEs must have administrative, technical, and physical safeguards in place. These safeguards should protect PHI from compromise. CEs must also train their employees so that all members know how to execute these safeguards.
6. What is a breach?
A breach is an acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule.
7. How do I prevent a breach?
Be proactive. Implement safeguards to protect your PHI. Most breaches are due to a lack of security safeguards and are preventable.
8. How do I report a breach?
If the breach affected fewer than 500 people, all you need to do is report it to the affected individuals within 60 days and to the secretary of the Office for Civil Rights (OCR) by the end of the year. If it involves more than 500 people, you must report it to the affected individuals, the media, and the OCR within 60 days. If the incident involves a business associate, they must report the breach to you and follow the same breach notification steps as a CE.
Read more: HIPAA Breach Notification: Who, When, and How
9. What are the chances a HIPAA privacy or security breach will happen to me?
Healthcare organizations are a prime target for hackers and thieves. In 2013, 51% of breaches reported to OCR were due to theft, especially of laptops and other portable devices. Also consider that insiders cause 58% of all healthcare security incidents. Human error and intentional misuse of privilege account for most of these insider-caused breaches. There are countless ways your PHI could be at risk from both insiders and outsiders, so the chances are high that you will face a breach at some point.
10. What other steps should I take to protect my company and adhere to the Privacy Rule’s standards?
Conduct a risk analysis. A risk analysis helps you discover vulnerabilities in your systems and workflows, as well as the threats that could exploit those vulnerabilities to gain access to your data. Your risk analysis will help you improve your security controls and develop a mitigation plan in case a breach occurs.
HIPAAtrek can guide you through the complex world of HIPAA law. HIPAAtrek simplifies your HIPAA compliance program by housing all your policies and procedures, automating staff training and security reminders, maintaining an auditable trail of compliance, and much more. Contact us to learn more or request a demo today.