Security
NOTE: This is an educational document designed to assist entities in understanding and planning for HIPAA implementation.

This document is not a supplement for sound legal advice and should only be used as a guide. It is highly recommended that you review the Final Rule for all HIPAA requirements.
Information security has always been good business practice, and the HIPAA regulations continue to emphasize it. Although the regulations center on information received, stored, and transmitted electronically, they also require a reasonable security strategy to be documented and taught to your employees.

A key concept in the security standards is reasonable safeguards. It is unlikely that you will be able to protect against every type of intrusion, natural hazard, or malicious attempt to access individually identifiable information, but you must do what is reasonable to safeguard this information in your business environment.

The security standards do not require the use of specific technologies, hardware, or software; rather, you must meet a set of minimum requirements. The four categories below outline the security considerations for guarding data integrity, confidentiality, and availability: Administrative Procedures; Physical Safeguards; Technical Security Services; and Technical Security Mechanisms.

Administrative Procedures
Administrative procedures are documented, formal practices to protect data and to manage the conduct of personnel in relation to the protection of data.  This includes:
  • Certification of computer systems and network design
  • Contingency plan for data backup, data recovery, emergency mode operation
  • Information access control:  access authorization, establishment, and modification
  • Internal audit
  • Security configuration management:  documentation, review, and testing for security features on hardware and software, inventory, and virus checking
  • Security incident procedures:  both reporting and response
  • Security management:  risk analysis and management - sanction and security policies
  • Chain of trust partner agreements with organizations with whom individual identifiable information is exchanged
  • Personnel security: clearance procedures, all system users trained in security
  • Training:  general security awareness, virus protection, incident reporting
  • Formal mechanisms for processing records
  • Termination procedures:  combinations and locks changed, all access cards are returned
Physical Safeguards
Physical Safeguards are related to the protection of physical computer systems, equipment, and related buildings from fire, natural and environmental hazards, and intrusions.  It covers the use of locks, keys, and administrative measures used to control access to computer systems and facilities.  This includes:
  • Assigned security responsibility
  • Media controls:  access control, accountability, data backup, data storage, and disposal
  • Physical access controls:  disaster recovery, emergency mode operation, equipment control, facility security plan, maintenance records, sign-in for visitors
  • Workstation use policy
  • Secure workstation location:  place workstation where it cannot be viewed by passersby
  • Security awareness training
Technical Security Services
Technical security services are processes that are put into place to protect information and to control individual access to information.  This includes:
  • Access control:  restrict access to resources and allow only privileged entities access (role-based access, user-based access, discretionary access control, mandatory access control)
  • Audit controls:  mechanisms to record and examine system activity
  • Authorization control
  • Data authentication:  proof that data has not been altered or destroyed in an unauthorized manner
  • Entity authentication:  automatic log off, tokens, personal identification numbers (PINs), passwords, and biometrics
Technical Security Mechanisms
Technical security mechanisms are related to processes that are put into place to guard against unauthorized access to data that is transmitted over a communications network.  This includes:
  • Communications/network controls:  integrity controls, message authentication, access controls, encryption, alarm, audit trails, event reporting and entity authentication


Privacy
The Privacy Rule is established to protect written, spoken, and electronic individually identifiable information.  This ruling empowers healthcare recipients to have more control over their health information by establishing boundaries and safeguards that must be adhered to by the healthcare industry.  The ruling also limits information exchange to what is necessary for healthcare services and billing purposes, while enabling patients to discover who has access to their information and to access, copy and request amendments to their own information.
What is Protected Health Information?
Protected Health Information (PHI) includes all individually identifiable health information related to the individual's physical or mental health and the provision of health care or payment of health care.  This information becomes protected when it is electronically transmitted or maintained in any form or medium.
What is De-identified Information?
De-identified information is protected health information that has been stripped of elements that could be used to identify individual subjects.  The use of de-identified health information is encouraged.

De-identified data can be used and disclosed freely.  A covered entity can render PHI de-identified if all of the following identifiers of the individual, relatives, employers, and household members are removed:
  • Names
  • All geographic codes smaller than state, including street, city, county, precinct or zip code.  The first three digits of the zip code may be used if that three-digit area represents more than 20,000 people according to the most recent data from the Bureau of the Census.
  • All date elements related to an individual.  The year element can be kept except for any age indicator for individuals over age 89.  For individuals over 89, the age may be aggregated into a 90+ category.
  • Telephone number
  • Fax number
  • E-mail address
  • Social Security Number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate/license number
  • Any vehicle identifier (serial number, license plate)
  • Device identifier and serial number
  • URLs
  • IP address
  • Biometric identifiers (e.g. fingerprint, voice print)
  • Full-face photographs or comparable images
  • Any other unique identifying number, characteristic or code.
NOTE:  Gender, race, ethnicity, and marital status do not need to be removed.
An alternative method of de-identification is permitted when a covered entity with appropriate statistical experience and expertise certifies that the risk of re-identifying an individual is very small.
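The identifier-removal method described above, as an added example that is not part of the original page: a small Python de-identifier that drops the listed direct identifiers, keeps only the year of dates, collapses ages over 89 into a "90+" category, and keeps the first three ZIP digits only when the constructed population table says that area exceeds 20,000 people. The field names, the ZIP3 population figures and the sample records are assumptions made for this illustration.

```python
"""Safe Harbor style de-identification of one patient record.

Added example, not code from the original page. Direct identifiers are
dropped, dates keep only their year, ages over 89 collapse to "90+", and
the ZIP3 prefix survives only when that area holds more than 20,000 people.
Field names, the ZIP3 population table and sample records are constructed.
"""
import re
from datetime import date
from typing import Optional

# Constructed ZIP3 -> population figures (NOT Census data).
ZIP3_POPULATION = {"021": 500_000, "036": 12_000}
# Privacy Rule compliance date cited on the page, used as the "as of" date.
COMPLIANCE_DATE = date(2003, 4, 14)

# Assumed record layout; unknown fields are dropped (fail closed).
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "plan_id", "account", "license", "vehicle_id", "device_id",
    "url", "ip", "biometric", "photo",
}
DATE_FIELDS = {"admit_date", "discharge_date"}
KEPT = {"gender", "race", "ethnicity", "marital_status", "state", "diagnosis"}


def generalize_zip(zip_code: Optional[str]) -> Optional[str]:
    """ZIP3 prefix if it represents more than 20,000 people, else None."""
    m = re.fullmatch(r"(\d{3})\d{2}(?:-\d{4})?", zip_code or "")
    if not m:
        return None
    return m.group(1) if ZIP3_POPULATION.get(m.group(1), 0) > 20_000 else None


def age_on(dob: date, as_of: date) -> int:
    """Whole years from dob to as_of."""
    not_yet = (as_of.month, as_of.day) < (dob.month, dob.day)
    return as_of.year - dob.year - int(not_yet)


def deidentify(record: dict, as_of: date = COMPLIANCE_DATE) -> dict:
    """Reduce a record to Safe Harbor fields; age is computed as of as_of."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "dob":
            age = age_on(value, as_of)
            if age > 89:
                out["age"] = "90+"  # birth year would reveal age, so omit it
            else:
                out["age"], out["birth_year"] = age, value.year
        elif key in DATE_FIELDS:
            out[key + "_year"] = value.year
        elif key in KEPT:
            out[key] = value
        # anything else is unknown and deliberately not copied
    return out


# Constructed sample records for the demonstration.
SAMPLE_OVER_89 = {
    "name": "Jane Doe", "ssn": "123-45-6789", "zip": "02139-1234",
    "dob": date(1910, 6, 1), "admit_date": date(2002, 11, 3),
    "gender": "F", "state": "MA", "diagnosis": "J18.9", "notes": "free text",
}
SAMPLE_UNDER_90 = {"zip": "03601", "dob": date(1950, 1, 1), "state": "NH"}
```

Calling `deidentify(SAMPLE_OVER_89)` yields only the ZIP3 prefix, the "90+" age bucket, the admission year and the non-identifying demographic fields; the free-text "notes" field is dropped because it is not on the allow list.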
What Steps Can be Taken to Comply with the Privacy Rule?
Business Associates
A business associate is any entity that performs services to or on behalf of a covered entity and uses or discloses protected health information belonging to the covered entity.

For HIPAA purposes, a business associate is treated as an extension of your business.  A business associate contract (BAC) is required between you and the business associate, except for purposes of treatment, and responsibility for HIPAA compliance remains with your business to a certain extent.

For example, if you contract with a business associate to process your claims, any compliance penalties that arise while it performs your contracted services can be levied against your business if you were aware of the infractions and did not take action to remedy the violations or terminate the contract.   This highlights the need to understand how your business associates maintain processes that ensure HIPAA compliance.

Notice of Privacy Practices
Covered entities are required to provide a written notice of their general privacy practices to any individual from whom PHI is obtained.  Inmates are the only exception; no notice is required for them.  The covered entity is not permitted to use or disclose PHI beyond what is stated in the notice.

When Should Patients Receive a Notice of Privacy Practices?
If you are a ... then you must give the notice to:
  • Health Care Provider with direct treatment relationships:  all individuals by the first day of service. This includes services delivered electronically, such as a Web pharmacy. This will be mandated after April 14, 2003.
  • Health Care Provider with indirect treatment relationships:  on request.
  • Health Plan or Clearinghouse:
    1. Existing enrollees: by April 14, 2003
    2. New enrollees: at the time of enrollment
    3. When a material revision is made to the notice: within 60 days of the change
    All enrollees should receive a copy of the notice at least once every three years. You must notify individuals of the availability of the notice and how it is obtained.
  • Business Associate / Clearing House:  notice not required
Consent
Consent is a general document that allows a provider with a direct treatment relationship with a patient to use and disclose protected health information for purposes of treatment, payment, or healthcare operations (TPO).  A consent grants permission only to that provider, and does not have to specify which information is used or disclosed, nor must it specify who can receive the information.

Consents are required when:
A provider having a direct treatment relationship with the patient wishes to use or disclose protected health information for purposes of TPO.
Consents are not required:
  1. When emergency care is needed
  2. When a provider is required by law to administer treatment
  3. When substantial communication barriers exist and, in the exercise of professional judgment, the circumstances imply the individual's consent
  4. By a provider with an indirect treatment relationship (e.g. laboratories)
  5. By a health plan using the information for TPO
  6. By a clearinghouse using the information for TPO
Consent Format:
  1. The consent document can be a brief written statement in general terms.
  2. It must be written in plain language.
  3. It must inform the individual that information may be used and disclosed for TPO.
  4. It must indicate the patient's rights to review the provider's privacy notice.
  5. It must indicate the patient's right to request restrictions and to revoke consent.
  6. It must be signed and dated by the individual, or the appropriate representative.
Patient Rights Regarding Consent Forms:
  1. An individual may revoke consent in writing, except to the extent that the covered entity has taken action in reliance on the consent.
  2. An individual can restrict which information is used for TPO, and to whom it is disclosed.
Provider Requirements Regarding Consent Forms:
  1. Provider must give patients notice of the provider's privacy practices before the patient signs a consent form.
  2. Providers must keep the consent for six years from the last day the consent was in effect.
  3. If consent and an authorization are obtained to disclose protected health information, the provider is bound to the most restrictive document unless clarification is documented with the patient.
  4. If the patient refuses to consent to use or disclosure of their protected health information for purposes of TPO, the provider can refuse to treat the patient.
  5. Although health plans and clearinghouses are not required to obtain consent for TPO, they can request consent that observes the standard requirements.
Authorization
An authorization allows use and disclosure of PHI for lawful purposes, other than treatment, payment, and health care operations.  Authorization may be required for non-routine disclosures of PHI.

What is Required On An Authorization?
  • It must specify the information to be disclosed
  • It must specify who will receive the information
  • It must specify when the authorization will expire
  • If the authorization is for the use of PHI by the covered entity, the authorization must include a description of the extent to which it will not use or disclose the PHI it obtains in connection with the research protocol for purposes that are permitted without individual authorization.
When Is an Authorization Not Required?
Some examples of when a covered entity is not required to obtain an authorization to disclose PHI are for purposes of:

  • Public health activities such as prevention and control of disease
  • Health oversight activities authorized by law, including audits and civil and criminal investigations
  • Research, when the protocol has been reviewed and approved by an Institutional Review Board (IRB), or a "privacy board"
  • Judicial or administrative proceedings in response to a court order, subpoena, or other lawful process
Psychotherapy Notes
Psychotherapy notes are treated differently from other PHI. Disclosure of psychotherapy notes is subject to stricter requirements, and for information to be considered psychotherapy notes, the notes must be kept separate from the rest of the individual's medical record. Generally, psychotherapy notes can be disclosed only with specific authorization; however, there are exceptions such as:

  • The originator of the notes can use them for purposes of treatment
  • The covered entity can use or disclose the notes to defend a legal action or other proceeding brought by the individual.
Limitations Regarding Psychotherapy Notes
  • Health plans may not condition enrollment or eligibility for benefits on the patient's providing an authorization for the use and disclosure of psychotherapy notes.
  • Health plans may not request authorization to use or disclose psychotherapy notes for determination of benefits, underwriting, issuing insurance, or payment of claims.
  • Authorizations for psychotherapy notes may not be combined with any other authorization or consent.
Accounting of Disclosures
Individuals have the right to request a summary of entities that were given their PHI for the previous six years.  This does not include shared information for the purpose of treatment, payment, and health care operations.

  • The request must be fulfilled within 60 days, with only one 30-day extension allowed.
  • One request must be honored for free in every 12-month period.
    1. Additional requests may be charged a reasonable, cost-based fee
    2. Individuals must be given an opportunity to withdraw or revise their request if a fee is charged.
  • You must retain a copy of the report, along with the name and title of employees that received and processed the request/report.
The report must contain:
  • Date of each disclosure
  • Name and address, if known, of the person or organization receiving the PHI
  • Brief description of the information disclosed
  • Purpose of the disclosure, or a copy of the individual's authorization or request for disclosure.
The report does not have to include disclosures:
  1. Made to carry out treatment, payment, or health care operations
  2. To facility directories
  3. Made to individuals or persons involved in the individual's care
  4. To national security or intelligence
  5. To correctional institutions or law enforcement officials
  6. Made prior to the compliance date of the Privacy Rule
Access to Information
Individuals have a right to see and copy their own health information.  Specifically, they have a right to access their PHI as it is maintained in the "designated record set."  A designated record set is defined as the PHI maintained by either the covered entity or their business associates, and used in whole or in part to make a decision on an individual.

If you are a ... the minimum designated record set to be made available within 30 days is:
  • Health Care Provider:  medical records; billing records
  • Health Plan:  enrollment information; payment information; claims adjudication; case records; medical records
  • Clearinghouse:  any or all of the above, depending on the clearinghouse's function
What Are Your Rights and Timeframes to Provide This Information?
Covered entities:

  • May require the access request be in writing
  • May take an additional 30 days to respond if the health information is not maintained or available on-site
  • May extend access request response time an additional 30 days beyond the preceding timeframes
  • May charge a fee for copying or summarizing the individual's record (NOTE: you may not charge a record retrieval fee even if state law allows for one).
  • May deny the request in certain circumstances (e.g., access is reasonably likely to endanger the life or physical safety of the individual or another person).
Minors
PHI is controlled by the person who has the legal right to control the health care itself.  In the case of minors, this is usually the parent, "personal representative" or guardian.  In some instances this may not be the case.  Following are some examples of when a parent may not have authority over a minor's PHI:
  • When state or other law does not require consent of a parent or other person before a minor can obtain a particular health care service and the minor consents to the health care service.
  • When a parent agrees to a confidential relationship between the minor and the physician, then the parent does not have access to the health information related to that conversation or relationship.
  • When a covered entity reasonably believes in his or her professional judgment that the child has been or may be subjected to abuse or neglect, or that treating the parent as the child's personal representative could endanger the child.
Amendment of Health Information
Individuals have a right to amend any of the PHI maintained in a designated record set as long as it is maintained by the covered entity.  The request to amend may be denied if:

  • The covered entity did not create the PHI or record in question. (NOTE:  if it is believed that the original creator of the record or PHI is no longer available to act on the request, then the covered entity must address the request as though it were the creator.)
  • The PHI is not part of the designated record set
  • The information is determined to be accurate and complete.
If the amendment request is denied, the denial must be in writing and include:
  • The basis of the denial
  • How the individual may file a written statement disagreeing with the denial
  • How the individual may file a complaint with the covered entity and the Department of Health and Human Services.
Enforcement of the Privacy Rule
The Office for Civil Rights (OCR) has been given the authority by the Secretary of the Department of Health and Human Services (DHHS) to enforce the Privacy Rule.  Civil monetary and criminal penalties can be imposed against covered entities that fail to comply and wrongfully disclose PHI.  Any person, not just the subject of the health information, can file a complaint.

Civil Fines
Civil Fines fall into the category of a general penalty for failure to comply with the requirements in the Privacy Rule.
  • Each violation: $100
  • Maximum penalty for all violations of an identical requirement may not exceed $25,000 per year.
Criminal Penalties
  • Wrongful disclosure offense:  $50,000 and/or imprisonment of not more than one year
  • Offense under false pretenses:  $100,000 and/or imprisonment of not more than 5 years
  • Offense with intent to sell information for personal gain:  $250,000 and/or imprisonment of not more than 10 years
Oral Communications
This requirement boils down to a practical, "common-sense" business practice. It is necessary to speak with other healthcare professionals to administer treatment, without second-guessing what should or should not be said. The important factors are to:

  1. Know who you are speaking with, and whether they need the information for TPO purposes.
  2. Be aware of your environment.  Who is around who should not be privy to the protected health information that you are sharing or requesting?
  3. Determine the risks to protected health information and restructure administrative processes to a reasonable extent for improved confidentiality.  It is not required that you restructure your building, such as creating soundproof rooms.
A guarantee of privacy is not required.  What is required is a standard of practice that strives to hold in confidence all protected health information, as is reasonable for the business operations that support your health care delivery.  The "need to know" principle implied here extends to coworkers: protected health information should not be shared with employees who do not require it as part of their job functions.
Minimum Necessary
It is important to note that the Minimum Necessary requirement does not apply to treatment.  The heart of this requirement is to enact reasonable efforts that limit the amount of shared information to what is necessary for accomplishing a specific task, but not to impede provision of health care.

Minimum Necessary requirements do not apply to:
  1. Disclosures to, or requests by, a healthcare provider for treatment purposes
  2. Disclosures to the individual who is the subject of the information
  3. Uses or disclosures made pursuant to an authorization requested by the individual
  4. Uses or disclosures required for compliance with the standardized HIPAA transactions
  5. Disclosures to the Department of Health and Human Services when disclosure of information is required under the rule for enforcement purposes.
  6. Uses or disclosures that are required by other law
Provider Requirements:
  1. Policies and practices must be developed to incorporate minimum necessary provisions into business practices and workflow.  For example, someone in accounting may not need access to a patient's treatment plan.
  2. A standard policy or practice can be established for routine or recurring requests and disclosures, which adheres to the Minimum Necessary requirements.
  3. Non-routine requests and disclosures must be reviewed on an individual basis to identify the minimum necessary protected health information and determine what should be released.