
HIPAA Privacy and Security

  • Privacy - an individual’s rights to control access and disclosure of their protected or individually identifiable healthcare information (IIHI)
      ◦ Establish authorization requirements
      ◦ Establish administration requirements
      ◦ Establish individual rights
      ◦ Establish regulations for use or disclosure of Protected Health Information ("PHI")
  • Security - an organization’s responsibility to control the means by which such information remains confidential
      ◦ Administrative Procedures
      ◦ Physical Safeguards
      ◦ Technical Security Services
      ◦ Technical Security Mechanisms

Relationship between Privacy and Security
There is a direct relationship between privacy and security:

  • Security is the ‘how’; privacy is the ‘what’ and often the ‘why’
  • Security is the structure established to protect IIHI
  • One of the implementation barriers to privacy is the security infrastructure of the Covered Entity
  • Security awareness and education addresses ‘what’ is being protected

Protected Health Information (PHI) versus Individually Identifiable Health Information (IIHI):

  • Two distinct areas of information
  • PHI is IIHI that is or has been stored electronically
  • IIHI is information that is created by or received from a covered entity that can be reasonably assumed to identify the individual

Intersections - Required Safeguards
While the proposed security regulations create a technology-based verification system, the privacy regulations rely on oral statements and written documentation. This:

  • Could result in duplication of electronic and written documentation
  • Leaves it unclear whether compliance with the security standards will be treated as compliance with the privacy regulations

Minimum Necessary Vs. Need to Know

  • The Privacy regulations require covered entities to make reasonable efforts to use and disclose only the "minimum necessary" PHI to accomplish the stated purpose
  • The Security regulations require "need-to-know" procedures which can be technologically implemented (role based access controls)
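The two requirements above can be enforced as two separate checks: a role-based check answers "may this role access PHI for this purpose at all?" (need-to-know), while a purpose-based field filter answers "which fields does that purpose actually require?" (minimum necessary). The following is an added illustration, not code from the original page; the roles, purposes, field sets and the sample record are constructed assumptions, and the disclosure log stands in for the accounting of disclosures that the Privacy Rule grants individuals a right to.

```python
"""Need-to-know (role based access control) layered with minimum necessary.
Constructed example: roles, purposes, field sets and the record are assumptions."""
from dataclasses import dataclass, field

# Need-to-know: which purposes each role is permitted to act on (RBAC).
ROLE_PERMISSIONS = {
    "physician": {"treatment"},
    "billing_clerk": {"payment"},
    "quality_analyst": {"healthcare_operations"},
}

# Minimum necessary: the PHI fields each stated purpose actually requires.
MINIMUM_NECESSARY = {
    "treatment": {"name", "dob", "diagnosis", "medications"},
    "payment": {"name", "dob", "procedure_codes", "insurance_id"},
    "healthcare_operations": {"diagnosis", "procedure_codes"},
}

@dataclass
class DisclosureLog:
    """Accumulates who received which fields for which purpose (accounting of disclosures)."""
    entries: list = field(default_factory=list)

def is_denied(role: str, purpose: str) -> bool:
    """Need-to-know check: True when the role is not permitted to act for this purpose."""
    return purpose not in ROLE_PERMISSIONS.get(role, set())

def access_phi(record: dict, role: str, purpose: str, log: DisclosureLog) -> dict:
    """Apply the RBAC gate, then return only the minimum-necessary fields and log the disclosure."""
    if is_denied(role, purpose):
        raise PermissionError(f"role {role!r} has no need-to-know for purpose {purpose!r}")
    allowed = MINIMUM_NECESSARY[purpose]
    disclosed = {k: v for k, v in record.items() if k in allowed}
    log.entries.append({"role": role, "purpose": purpose, "fields": sorted(disclosed)})
    return disclosed

# Constructed sample record; no real PHI.
SAMPLE_RECORD = {
    "name": "Jane Example", "dob": "1970-01-01", "ssn": "000-00-0000",
    "diagnosis": "J45.909", "medications": ["albuterol"],
    "procedure_codes": ["99213"], "insurance_id": "EX123",
}

if __name__ == "__main__":
    log = DisclosureLog()
    print(access_phi(SAMPLE_RECORD, "billing_clerk", "payment", log))
    print(log.entries)
```

Note that the SSN is never released for any of the three purposes, and the billing clerk never sees the diagnosis, even though both live in the same record.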

The Key Security Provisions
While most health care organizations have security programs and are exercising "due diligence", HIPAA requires specific administrative and technology-related security practices and procedures with the express goal of providing for the security and availability of protected health care information. The security requirements are very comprehensive and extend far beyond the information technology environment. Most of the proposed rule’s security standards impact administrative areas and cannot be solved by technology alone.

The Security Rule provides for compliance actions structured within the following basic categories:

  1. Administrative Procedures - formal practices to manage security and personnel
  2. Physical Safeguards - protection of computer systems
  3. Technical Security Services - safeguards to control and monitor information access (data-at-rest)
  4. Technical Security Mechanisms - includes technology to secure data-in-transit
  5. Electronic Signatures - optional at this time; however, if used they must be digital signatures

What is the Privacy Final Rule?
The Health Insurance Portability and Accountability Act of 1996 included regulatory requirements to establish a comprehensive federal law for the protection of individually identifiable health care information. HIPAA established a deadline of August 21, 1999 for Congress to act on this provision; otherwise it mandated that the Secretary of Health and Human Services (HHS) must issue the privacy regulations. HHS ultimately published the Privacy NPRM on November 3, 1999 and received some 52,000 comments during the public comment period that followed.

The final Privacy Rule published on December 20, 2000 extended privacy coverage to personal medical records in all forms. This includes paper records and oral communications. While the initial proposed rule simply applied to electronic records and to any paper records that had at some point existed in electronic form, the final regulation provides protection for paper, oral and electronic information, creating a privacy system that covers all personal health information created or held by covered entities.

The Key Privacy Provisions
While the confidentiality of health care records was once maintained by family doctors, who kept records of care sealed away in file cabinets, today the use and disclosure of this information is widely distributed and protected only by a myriad of state laws. This has led to large gaps in the protection of patients' privacy and confidentiality. The Privacy regulations of HIPAA are established to meet the pressing need for national standards to control the flow of sensitive patient information and to establish real penalties for the misuse or disclosure of this information.

Privacy General Rules

  • Use and disclosure for treatment, payment, and healthcare operations
  • Minimum necessary use and disclosure
  • Right to restrict uses and disclosures
  • Creation of de-identified information
  • Application to business partners
  • Application to information about deceased persons
  • Adherence to the notice of information practices
  • Application to covered entities that are components of organizations that are not covered entities

Privacy Establishes Rights of Individuals

  • Rights and procedures for a written notice of information practices
  • Rights and procedures for access for inspection and copying
  • Rights and procedures with respect to an accounting of disclosures
  • Rights and procedures for amendment and correction

Administrative Requirements

  • Designation of privacy official
  • Training
  • Safeguards
  • Internal complaint process
  • Sanctions
  • Duty to mitigate

Uses and Disclosures with Individual Authorization

  • Requirements when the individual has initiated the authorization
  • Requirements when the covered entity initiates the authorization
  • Model forms
  • Plain language requirement
  • Prohibition on conditioning treatment or payment
  • Inclusion in the accounting and disclosures
  • Revocation of an authorization by the individual
  • Expired, deficient, or false authorization

** This information is for Education and Awareness Use Only. While all information in these documents is believed to be correct at the time of the writing, these documents are for educational purposes only and do not purport to provide legal advice. If you require legal advice, you should consult with an attorney. The information provided here is for reference use only and does not constitute the rendering of legal, financial, or other professional advice or recommendations by SHARP or individual members.

The listing of an organization does not imply any sort of endorsement and SHARP takes no responsibility for the products, tools, and Internet sites listed. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by SHARP, or any of the individual Workgroup members.