Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996. Its primary purpose is to protect the privacy and security of individuals' health information while ensuring the portability of health insurance coverage. HIPAA represents a significant shift in how health information is managed and safeguarded in the United States, emphasizing both the rights of individuals and the responsibilities of entities handling health data.
HIPAA comprises several key rules and provisions, each aimed at addressing different aspects of health information privacy and security:
Privacy Rule
The Privacy Rule standards address the use and disclosure of individuals' health information (called "protected health information", or PHI) by organizations subject to the Privacy Rule (called "covered entities"), as well as standards for individuals' privacy rights to understand and control how their health information is used.
Under HIPAA, the University of Florida designates itself as a Hybrid Covered Entity. This designation applies to organizations whose business activities include both covered and non-covered functions and that designate certain units as health care components.
What Information is Protected
The Privacy Rule protects all individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
Individually identifiable health information is information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number). The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer, and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act (FERPA).
Permitted Uses and Disclosures
A covered entity is permitted, but not required, to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations:
- To the Individual (unless required for access or accounting of disclosures)
- Treatment, Payment, and Health Care Operations
- Uses and Disclosure with an Opportunity to Agree or Object
- Incidental use and disclosure
- Public Interest and Benefit Activities
- Limited Data Set for the purposes of research, public health or health care operations.
There are exceptions to the authorization requirements, and these are described more fully in the HIPAA regulations. These include disclosures in connection with public health, child abuse, elder abuse, domestic violence, averting a serious threat to health or safety, law enforcement, and judicial and administrative proceedings.
Disclosures should be limited to the minimum amount of information necessary to accomplish the purpose of the disclosure.
Individual Rights under HIPAA
The Privacy Rule grants individuals several rights, including:
- Access and obtain a copy of PHI;
- Request amendments to inaccurate or incomplete PHI;
- Obtain an accounting of disclosures;
- Request restrictions on access to PHI;
- Prevent uses and disclosures of PHI, such as for fundraising;
- Request an alternative location or method for receiving communications relating to PHI;
- Receive a copy of the Notice of Privacy Practices of a Covered Entity.
Security Rule
The Security Rule sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI) that is created, received, stored, or transmitted electronically. The Rule applies to covered entities (such as healthcare providers, health plans, and healthcare clearinghouses) and their business associates who handle ePHI. It organizes the required safeguards into three categories:
Administrative Safeguards: Policies and procedures to manage the selection, development, and implementation of security measures. This includes risk assessments, workforce training, and access controls.
Physical Safeguards: Measures to protect physical infrastructure and equipment that store or access ePHI. This includes facility access controls, workstation security, and device and media controls.
Technical Safeguards: Measures to protect ePHI through technological means. This includes access controls, audit controls, integrity controls, and transmission security.
Safeguards for Protecting PHI in any medium
The Security Rule also requires that PHI in any medium be protected by "reasonable safeguards", although it does not specify what constitutes "reasonable safeguards". Practical examples include:
- Always get permission before discussing a patient's information with family or friends
- Use the automatic logoff function on your computer
- Encrypt data sent by email
- Verify fax numbers
- Verify the identity of anybody you call
- Dispose of paper PHI properly, in locked confidential bins for shredding
- Never post information about patients on social media
Breach Notification Rule
The Breach Notification Rule requires covered entities and business associates to notify affected individuals, the Secretary of Health and Human Services (HHS), and, in some cases, the media of breaches of unsecured PHI.
Notification Requirements: Notifications must be made without unreasonable delay and no later than 60 days from the discovery of the breach. Notifications must include:
- A description of the breach.
- The types of information involved.
- Steps individuals can take to protect themselves.
- Actions taken by the covered entity or business associate to mitigate the breach.