HIPAA Privacy & Security
The Health Law Partners, P.C., assists health care providers, suppliers, plans, and organizations with their HIPAA compliance needs. For example, our HIPAA attorneys can assist with:
- Developing and updating billing compliance policies;
- Developing training programs and presenting compliance in-service and education sessions regarding billing, HIPAA privacy, and HIPAA security;
- Undertaking compliance investigations and responding to identified problems;
- Directing auditing and monitoring;
- Reviewing contracts and relationships for compliance with the Stark and Anti-Kickback laws;
- Drafting compliant contracts;
- Counseling providers regarding sensitive refund and disclosure issues;
- Drafting and updating HIPAA privacy and security programs and policies; and,
- Reimbursement matters.
The HIPAA privacy rule (45 CFR Part 164) addresses the use and disclosure of “protected health information” (PHI) by covered entities (i.e., providers, health plans, and clearinghouses). It also addresses standards for privacy rights that must be afforded individuals. According to the government, a major goal of the HIPAA privacy rule is to make sure that covered entities appropriately protect health information while allowing the flow of health information needed to provide and promote high-quality health care. Given the diverse entities covered by HIPAA, the privacy rule is flexible to cover the variety of uses and disclosures that need to be addressed.
Regulations released in January of 2013 add to the privacy and security protections for health information. The regulations may require substantial changes for many health care professionals and organizations, and business associates subject to these conditions, and make access to a qualified, knowledgeable HIPAA attorney important for providers.
In summary, the HIPAA Privacy Rule:
- Restricts uses and disclosures of PHI. The privacy rule sets forth the instances in which protected patient information can be used or disclosed to outside parties;
- Creates individual patient rights to inspect and copy their records, to amend erroneous information, to request certain restrictions on the use and disclosure of their information, to file written complaints, and to receive a notice of the entities’ privacy practices;
- Requires covered entities to include certain privacy language in contracts with “Business Associates” regarding safeguarding patient information;
- Requires a covered entity to appoint a HIPAA Privacy Officer;
- Requires implementation of privacy policies and procedures;
- Requires certain notifications if breaches of PHI occur;
- Requires the designation of a contact person or office responsible for receiving privacy complaints and who can provide information about the entity’s privacy policies and procedures; and,
- Requires covered entities to provide HIPAA privacy education to all employees.
The HIPAA security rule (45 CFR part 164) addresses the integrity, confidentiality, and availability of electronically protected health information (EPHI). EPHI means any protected health information maintained or transmitted in an electronic medium.
The security rule sets forth certain general requirements. The general requirements mandate that covered entities:
- Ensure the confidentiality, integrity, and availability of all electronically protected health information that the covered entity creates, receives, maintains, or transmits;
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
- Protect against any reasonably anticipated uses or disclosures of such information not permitted or required by the Privacy Rule; and,
- Ensure workforce compliance.
To achieve the general requirements set forth above, covered entities must meet 18 standards. To meet each of these standards, the Security Rule sets forth “implementation specifications” that serve as the “instructions” for compliance with each standard. Some implementation specifications are “required” while others are “addressable.” The standards and their related “implementation specifications” are broken down into three broad categories: administrative safeguards, physical safeguards, and technical safeguards.