Privacy and Safeguards in the Health Care Industry: HIPAA and HITECH*

The Health Insurance Portability and Accountability Act (HIPAA) sets forth federal information security requirements and personal information privacy rights related to individually identifiable health information, including patient records and medical files. 

HIPAA’s “Privacy Rule” regulates the use and the potential disclosure of “protected health information.” Information protected under HIPAA’s Privacy Rule includes any data pertaining to 1) an individual’s medical status, 2) the provision of medical services, or 3) payment for health care services. The Privacy Rule applies to those health care organizations that are “covered entities” under HIPAA, and it requires covered entities to maintain appropriate administrative, technical and physical safeguards to protect the privacy of individually identifiable health information, strictly governing the terms of allowable disclosure. HIPAA requires that authorization for any disclosure of health information not permitted by the rule be given in writing. Covered entities must also give patients written notice of their privacy practices, which, as a patient, you will have seen health care providers in the United States do (or should do) before providing any health care services.

Individual and group health care plans that provide or pay for medical services, providers of billing or information services related to health care, and other entities that facilitate the transmission of information between health care providers and a third party are all covered entities. If these covered entities share medical information with business associates such as vendors, those parties are also considered covered entities subject to the Privacy Rule.

Working in conjunction with the Privacy Rule, HIPAA’s “Security Rule” requires the U.S. Department of Health and Human Services to establish a set of national standards for the security of health care information. HIPAA requires technical security measures to protect against unauthorized access to protected health information transmitted over any electronic communications network. Covered entities must also maintain physical safeguards relating to property access, employee workstation security, storage media and other technical devices.

The Health Information Technology for Economic and Clinical Health (HITECH) Act was passed as part of the American Recovery and Reinvestment Act of 2009 and requires covered entities and their business associates to provide notice of any breach in data security that involves “unsecured protected health information” and/or “unsecured personal health record information.” As long as covered entities and their business associates apply methods and technologies to secure protected health information as specified in guidelines promulgated by the Department of Health and Human Services (DHHS), the HITECH Act does not require them to give notice of a data security breach to individuals, DHHS or the media, as would otherwise be required.

Failure to comply with HIPAA can result in civil and criminal penalties. Most businesses in or assisting the health care field understand that HIPAA-compliant information management practices must be in place. In light of the increasing prevalence of memory-based data storage in digital copiers and multi-function printers, covered entities also need to ensure that their HIPAA compliance practices are continually monitored with regard to all patient records, wherever those records are stored, to avoid a violation.

*The usual disclaimer: HIPAA and HITECH involve much more detail than this brief overview provides, and this post does not set forth legal advice or opinion to any extent. Please contact an attorney familiar with privacy and data security requirements for an analysis of your specific compliance issues.