Health Insurance Portability and Accountability Act: HIPAA
The Privacy Rule requires covered entities to guard against misuse of personally identifiable health information and limit the sharing of such information. The Privacy Rule also grants consumers significant rights regarding the use and disclosure of their health information.
The Security Rule requires covered entities to implement basic safeguards to protect electronic protected health information ("PHI") from unauthorized access, alteration, deletion, and transmission. The security standards define the administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic PHI.
HIPAA Data Breach Notification Rules
PUBLISHED ON AUGUST 24, 2009
The US Department of Health and Human Services fulfilled its obligations under ARRA by publishing a rule on notification requirements related to data breaches. Here are the high points:
- The rule does not replace or modify any guidance already provided in the Security Rule.
- Unsecured protected health information is PHI that is not secured using an HHS-specified technology or methodology.
- Encryption and destruction are the only technologies recognized in the rule that deny unauthorized individuals access to accidentally disclosed PHI (exposure of encrypted or destroyed information is not considered a breach).
- Redaction of paper records, and digital security measures such as firewalls, password protection, or other access controls identified in the Security Rule, are not recognized as preventing accidental disclosure. If these protection measures are somehow rendered ineffective and an unauthorized person gains access to PHI, this is considered a breach even though the protection methods used are compliant with the Security Rule.
- Encryption methods used with data at rest should be compliant with NIST 800-111 Guide To Storage Encryption Technologies For End User Devices.
- Encryption technologies used with data in motion should be compliant with NIST 800-52 for Transport Layer Security; 800-77 for IPsec VPNs; 800-113 for SSL VPNs; or others validated by Federal Information Processing Standard 140-2.
- The destruction guidelines for paper and electronic media, as quoted from the rule: "The media on which the PHI is stored or recorded have been destroyed in one of the following ways: (i) Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. Redaction is specifically excluded as a means of data destruction. (ii) Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved."
- A breach is considered "discovered" by a business associate on the first day it is known.
- The covered entity (client) must be notified in a timely manner and no later than 60 days after the breach is discovered; individuals whose information was potentially breached should be identified if possible.
- Communication should include the following: a brief statement of what happened; the type of PHI involved in the breach; steps individuals should take to prevent harm from the breach; information about the investigation and what is being done to prevent future breaches; and contact procedures individuals can use to find out more information.
- If more than 500 persons are involved, the media must be notified.
The rule goes into effect on September 23, 2009. HIPAA was enacted in 1996 as part of a broad congressional attempt at incremental health care reform. The law required the United States Department of Health and Human Services (DHHS) to develop standards and requirements for the maintenance and transmission of health information. DHHS's rules and regulations focus on four primary areas: privacy, security, transaction standards and code sets, and unique identifiers.