10 Common Questions about the HIPAA Privacy Rule
One recurring segment that HIPAAtrek’s Blog will contain are a series of posts devoted to answering some of the most commonly asked questions about a HIPAA-related topic. Since our last post covered the basics of HIPAA in a nutshell, we thought a good place to start would be to answer some common questions about a specific part of HIPAA – The HIPAA Privacy Rule.
1. Q: What exactly IS the HIPAA Privacy Rule?
A: The HIPAA Privacy Rule that was modified in 2002 set national standards for providers and business associates with the goal of protecting patient’s medical records and other personal health-related information. This was the first time that national standards had been set.
2. Q: What groups have to comply with these new standards?
A: Health insurance plans, health care providers or their business associates who have access to protected health information (PHI), and healthcare clearinghouses
3. Q: What categories of patient information are considered “protected?”
A: 1. Names; 2.All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000. 3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older; 4. Phone numbers; 5. Fax numbers; 6. Electronic mail addresses; 7. Social Security numbers; 8. Medical record numbers; 9. Health plan beneficiary numbers; 10. Account numbers; 11. Certificate/license numbers; 12. Vehicle identifiers and serial numbers, including license plate numbers; 13. Device identifiers and serial numbers; 14. Web Universal Resource Locators (URLs); 15. Internet Protocol (IP) address numbers; 16. Biometric identifiers, including finger and voice prints; 17. Full face photographic images and any comparable images; and 18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
4. Q: In general, are there any actions that “covered entities” need to take organizationally in order to comply with the Privacy Rule mandates
A: YES! Every “covered entity” will need to administer administrative, technical, and physical safeguards to decrease the chances that PHI will be compromised. Covered entities will also need to provide workforce training to ensure that all staff is aligned with how to execute these safeguards.
5. Q: Is genetic information covered under the HIPAA Privacy Rule?
A: Yes! As long as the genetic information meets the definition of protected health information, then genetic information is covered under the Privacy Rule.
6. Q: What IS a HIPAA breach anyway, and how does it relate to the Privacy Rule?
A: A breach is an acquisition, access, use, or disclosure of PHI (protected health information) in a manner not permitted under the Privacy Rule. (Privacy Rule protects PHI in all medium while the Security Rule only covers ePHI).
7. Q: How do I prevent a future breach?
A: Implement stronger safeguards. The majority of breaches that occur because of lack of security safeguards or a lazy approach to implanting planned safeguards.
8. Q: How do I report a breach if it happens to me?
A: It depends on how many individuals were affected by the breach. If it was less than 500, all you need to do is report it to the individuals affected and report by the end of the year to the OCR (Office of Civil Rights).
If it involves more than 500 individuals, you still need to report through the OCR’s reporting portal; however, there are the timelines are more strict for reporting. You must report to the individual affected, the media, and the OCR. If the incident involves a BA/CE (Business Associate/Covered Entity) relationship, the breach must also be reported back to the CE and the BA must follow the same steps as a covered entity.
9. Q: I’ve never experienced a HIPAA breach or security/privacy incident in the past, so what are the chances that it will happen to me?
A: 51% of breaches reported to OCR in 2013 were theft, the next highest was unauthorized access/disclosures at 18%. Laptop breaches accounted for 22% of breaches while paper records accounted for 21%.
It is important to note that more and more breaches are occurring in the health industry. Hackers, other cybercriminals, and thieves are aware that the health industry is moving electronic and there is more data to steal. The data is also EASIER to steal.
10.Q: Are there any other steps that I need to take to protect my company and adhere to the Privacy Rule’s standards?
A: Yes! Conduct a thorough risk analysis at your company and develop a comprehensive mitigation plan if a breach occurs. Be sure to have a documented plan in place and document all steps you would take.