HIPAA and Security

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, includes, among other things, a Privacy Rule and a Security Rule. The Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164) establishes privacy rights for individual health information. The Security Rule (45 CFR Part 160 and Subparts A and C of Part 164) establishes regulations for the use and disclosure of Protected Health Information (PHI). These Security Rule regulations require Administrative, Physical, and Technical Safeguards to ensure the confidentiality, integrity, and security of electronic PHI.


iDASH Security and HIPAA

The iDASH program is committed to maintaining the privacy and security of the research data contained within its computing environment. This is accomplished through security measures that meet the HIPAA Security Rule standards and implementation specifications. Examples of the security requirements addressed by the iDASH security controls include access controls, data backup and storage, audit logging, transmission security, and configuration management.

For more information regarding the HIPAA Security Rule, visit the U.S. Department of Health & Human Services.


HIPAA Changes

Per the Department of Health and Human Services,

“The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology.”


The HITECH Act created changes in HIPAA. The Office of Civil Rights, which oversees HIPAA compliance, then published these changes in a final rule in January 2013. The rule is effective beginning March 26, 2013, but HIPAA-covered entities, meaning doctors, health plans, and other health care providers, have until September 23, 2013 to comply with the new requirements. The changes are detailed below:


These changes are being made to further extend HIPAA protection to electronic records and health information technology. These new rules will allow patients to have greater control over their electronic medical information.

Highlights of the changes to HIPAA brought about by the HITECH Act

New rules:

Privacy, Security and Breach Notification policies and procedures

  • Clarifies and expands the obligation of the physician to notify patients if there is a breach of their PHI
  • Maintains the same reporting and timeframe requirements for breach notification

Disclosures to health plans

  • Requires physicians to abide by a patient’s request not to disclose PHI to a health plan when the patient pays out-of-pocket for the services and requests that the information not be disclosed

Marketing communications

  • Authorizes the physician to use a patient’s PHI to inform the patient about a third party’s product or service without the patient’s prior written authorization if:

- The physician is not receiving direct or indirect compensation for the communication
- The communication is conducted in-person
- The patient is currently on the drug or therapy being discussed (as long as any payment received for the communication is reasonably related to the costs of making it)
- The communication involves general health promotion and not a specific product or service
- The communication involves government or a government-sponsored program

Sale of PHI

  • Extends the prohibition of the “sale” of PHI without the patient’s written authorization to license or lease agreements for PHI and to circumstances where the “sale” involved receipt of in-kind benefits

Childhood immunizations

  • Allows physicians, with the consent of the parent, to share children’s immunization records with schools that are required to obtain proof of immunization prior to admitting a student (written detailed authorization no longer needed)

Decedents

  • Eliminates any HIPAA protection for PHI 50 years after a patient’s death; research rules allowing use of a decedent’s data are unchanged
  • Allows the physician to make relevant disclosures to the deceased’s family and friends under the same basic circumstances that such disclosures were allowed when the patient was alive

Copies of PHI

  • Gives physicians 30 days to respond to a patient request for his or her electronic PHI (can be extended for another 30 days if the information is stored off-site)
  • Allows physicians to send PHI in unencrypted emails if the requesting patient is advised of the risk and requests the PHI in that format
  • Allows labor costs to be charged to the individual for obtaining copies of electronic PHI

Research authorizations

  • Allows physicians to combine conditioned and unconditioned authorizations for research participation
  • Allows consent for future research uses as long as those uses are sufficiently described

Notice of Privacy Practices (NPP)

  • Requires that the notices given to patients by physicians must reflect the new rules put forth by the HITECH Act

Business Associate (BA) Agreements

  • Expands the number of individuals and groups treated as Business Associates by adding Patient Safety Organizations, health information exchange organizations, and personal health record (PHR) vendors when the PHR services are provided on behalf of a physician
  • Requires BAs to comply with Security and Breach Notification Rules (BAs must notify the physician who must then notify the patient and regulators)
  • Extends BA liability to subcontractors
  • Makes physicians liable for the actions of their BAs who are agents but not the actions of their BAs who are independent contractors
  • No longer requires physicians to report failures of their BAs to the government; however, physicians are still expected to take action to terminate agreements with noncompliant BAs