HIPAA Privacy Rule
The HIPAA Privacy Rule was first published in 2002 with the goal of protecting the confidentiality of patients and their healthcare information, while enabling the flow of patient healthcare information when it is needed. Also known as the “Standards for Privacy of Individually Identifiable Health Information”, the HIPAA Privacy Rule regulates who can have access to Protected Health Information (PHI), the circumstances in which it can be used, and who it can be disclosed to.
The HIPAA Privacy Rule not only applies to healthcare organizations. It applies to other entities with access to personal information about a patient that – if it were disclosed to a third party – could present a risk of harm to the patient's finances or reputation, or be used by the third party to fraudulently obtain health care. Therefore “covered entities” include health insurers, healthcare clearing houses, employer-sponsored health plans and third party service providers to covered entities – generally known as “Business Associates”.
What Information is Protected by the HIPAA Privacy Rule?
The “Individually Identifiable Health Information” protected by the HIPAA Privacy Rule is extensive. Furthermore, as PHI is often accessed by insurance providers and clearing houses for billing information, individually identifiable health information not only includes such items as names, addresses, date of birth and Social Security numbers, but also credit card information, vehicle registration plate numbers and even electronically-stored examples of a patient's handwriting.
The HIPAA Privacy Rule not only applies to information in written format. Videos and images containing any individually identifiable health information are also protected by the HIPAA Privacy Rule, as is PHI stored electronically. This means that if a healthcare provider has taken a photograph of a patient's wound – and the identity of the patient can be determined by any distinguishing feature – the image is also protected by the HIPAA Privacy Rule and the guidelines for use and disclosure.
HIPAA Privacy Standards
The Standards for Privacy of Individually Identifiable Health Information – more often referred to as the HIPAA Privacy Standards – are found in Subpart E of the Administrative Simplification Rule (45 CFR § 164.500 – 164.534). These stipulate the allowable uses and disclosures of PHI and when it is necessary to obtain an authorization from a patient for using or disclosing PHI in any other circumstances. The HIPAA Privacy Standards also explain a patient's right to withdraw their authorization, access their PHI, and request amendments when PHI is incorrect or incomplete.
Possibly the most important of the HIPAA Privacy Standards is 45 CFR § 164.530 – the Administrative Requirements of the Privacy Rule. These require Covered Entities to designate a Privacy Officer, train members of the workforce on policies and procedures, implement safeguards to protect the privacy of PHI, and develop a process for patient complaints. This section of the HIPAA Privacy Standards also includes employee sanctions for noncompliance, how to publicize changes to privacy practices, and the standards for documentation and document retention.
PHI and the Minimum Necessary Rule
In addition to establishing what constitutes Protected Health Information, the HIPAA Privacy Rule also determines when and how it should be disclosed. With the exception of disclosures for the purpose of treatment, payment or healthcare operations, any PHI relating to a patient's past, present or future physical or mental health, the provision of healthcare, or payment for healthcare can only be disclosed without authorization from the patient (or the patient's legal representative, or the representative of a decedent) in the following circumstances:
- When the disclosure is required by law.
- When it is in the patient's or the public's interest.
- To another HIPAA covered entity when a relationship exists between the other covered entity and the patient.
Irrespective of the circumstances, covered entities must abide by the “Minimum Necessary Rule”. This rule stipulates that the disclosure of PHI must be limited to the minimum necessary for the stated purpose. Exceptions to the rule exist in a healthcare environment – where it may be necessary for a healthcare provider to access a patient's complete medical history – but non-routine disclosure requests must be reviewed on a case-by-case basis, even when the patient has given their authorization for their medical records to be made available for research, marketing, or fundraising purposes.
Threats to the Integrity of PHI
Threats to the integrity of PHI are both internal and external. Internal threats are often attributable to the use of personal mobile devices in the workplace. BYOD policies have created environments in which up to 80 percent of healthcare providers use a smartphone or laptop to support their workflows. According to a survey conducted by the Health Information Trust Alliance, 41 percent of PHI breaches are attributable to the theft of an employee's mobile device or portable media.
External threats are more sinister. Cybercriminals attempt to extract PHI by using phishing campaigns to fool unsuspecting employees into downloading malware or disclosing login credentials. The most dangerous types of downloads are ransomware, which locks up computer systems through rogue encryption, and surveillance malware – which records keystrokes to report usernames and passwords back to the party responsible for creating the malware. Cyberattacks are now responsible for more than half of the PHI breaches reported to the Department of Health and Human Services Office for Civil Rights.
HIPAA Privacy Rules Summary
- The HIPAA Privacy Rule was first enacted in 2002 with the goal of protecting the confidentiality of patient healthcare information.
- The HIPAA Privacy Rule not only applies to healthcare organizations, but also healthcare plans, healthcare clearinghouses, and Business Associates with access to Protected Health Information.
- Protected Health Information consists of health information containing any of eighteen types of “Individually Identifiable Health Information” which, individually or together, could reveal the identity of a patient, their medical history or payment history.
- The HIPAA Privacy Rule not only applies to data in written format. Videos and images containing any individually identifiable health information are also protected by the HIPAA Privacy Rule.
- PHI can only be disclosed to a third party with the authorization of the patient, unless the disclosure is related to healthcare treatment, payment for healthcare or healthcare-related operations.
- Even when these conditions are met, and irrespective of the circumstances, Covered Entities and Business Associates must abide by the “Minimum Necessary Rule”.
- There are many different types of threats to the integrity of PHI. Measures that can be taken to mitigate both internal and external threats to PHI are discussed below.
How Secure Messaging Protects against Internal Threats
Secure messaging is a system of communication that maintains all messages containing PHI within a covered entity's private communications network. Healthcare providers – and others authorized to access PHI – can download secure messaging apps onto their personal mobile devices and desktop computers, and use them in the same way as commercially available messaging apps to communicate with each other, and access patient data for healthcare reasons and billing information.
The secure messaging solution has mechanisms in place to prevent PHI being transmitted outside of the covered entity's private communications network, copied and pasted, or saved to an external hard drive. System administrators have the ability to assign message lifespans to communications so that they delete after a pre-determined period of time, or remotely wipe messages received on the secure messaging app if a smartphone or laptop is lost or stolen.
In addition to helping healthcare organizations comply with the HIPAA Privacy Rule, secure messaging solutions also comply with the HIPAA Security Rule and the Health Information Technology for Economic and Clinical Health (HITECH) Act. All messages in transit are encrypted so that they are unreadable in the event they are intercepted on a public 3G or WiFi service, and security features exist to comply with the rules for ID authentication, automatic logoff and message accountability.
How Web Filtering Protects against External Threats
The concept of a web filter is very simple. Whenever a request to visit a website is made, the web filter checks the request against its parameters and allows or denies the request depending on the filters that have been applied. System administrators are not expected to know what websites harbor malware, so web filter vendors maintain a list of known “unsafe” websites – known as a blacklist. The web filter will, by default, deny any request to visit a website that appears on the blacklist.
Web filters also have category and keyword filters that can be configured to refuse access to non-work related websites most likely to harbor malware. Typically these include pornographic websites, P2P file sharing websites and non-subscription video streaming websites. Importantly for compliance with the HIPAA Privacy Rule, web filters can be configured to refuse access to websites that are hosted behind a proxy server in order to hide their true identity, and to block the downloading of specific file types.
This is important because much of the malware that is downloaded onto healthcare IT systems comes from websites that employees have been directed to by phishing campaigns. If access to the bogus websites is denied, or the attempted downloading of malware is blocked, it is less likely that cybersecurity defenses will be breached and PHI exposed to an unauthorized party.
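The evaluation order described above (blacklist, then category, then keyword, then file type), as an added example that is not part of the original article or any vendor's product. The domain lists, categories, keywords and extensions are constructed placeholders, not real indicators.

```python
"""Web-filter request evaluation: blacklist -> category -> keyword -> file type."""
from __future__ import annotations
from urllib.parse import urlparse
import posixpath

# Constructed sample policy (placeholder domains under .test, not real indicators)
BLACKLIST = {"malware-example.test", "phish-example.test"}
CATEGORY_OF_DOMAIN = {
    "videos-example.test": "streaming",
    "torrents-example.test": "p2p",
    "webproxy-example.test": "anonymizer",
}
BLOCKED_CATEGORIES = {"adult", "p2p", "streaming", "anonymizer"}
BLOCKED_KEYWORDS = ("torrent", "proxy")
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".vbs", ".hta"}


def _domain_matches(host: str, listed: str) -> bool:
    """True when host is the listed domain or a subdomain of it, so that
    a look-alike such as notphish-example.test does not match."""
    return host == listed or host.endswith("." + listed)


def evaluate_request(url: str) -> tuple[str, str]:
    """Return ("allow" | "deny", reason) for a requested URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host:
        return "deny", "unparseable-url"
    for bad in BLACKLIST:
        if _domain_matches(host, bad):
            return "deny", f"blacklist:{bad}"
    for listed, category in CATEGORY_OF_DOMAIN.items():
        if _domain_matches(host, listed) and category in BLOCKED_CATEGORIES:
            return "deny", f"category:{category}"
    haystack = (host + parsed.path).lower()
    for kw in BLOCKED_KEYWORDS:
        if kw in haystack:
            return "deny", f"keyword:{kw}"
    # The extension is taken from the path only, so "?file=x.exe" in the
    # query string is not mistaken for a download of that file type.
    ext = posixpath.splitext(parsed.path)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return "deny", f"filetype:{ext}"
    return "allow", "no-rule-matched"
```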
HIPAA Privacy Rule FAQs
What are the eighteen identifiers that determine whether health information should be protected?
All health information, patient histories, test results, and billing information should be protected by a Covered Entity or Business Associate when it includes one of the following identifiers:
- Dates, except year
- Telephone numbers
- Geographic data
- FAX numbers
- Social Security numbers
- Email addresses
- Medical record numbers
- Account numbers
- Health plan beneficiary numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers including license plates
- Web URLs
- Device identifiers and serial numbers
- Internet protocol addresses
- Full face photos and comparable images
- Biometric identifiers (e.g., retinal scans, fingerprints)
- Any unique identifying number or code
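A check for the machine-detectable identifiers in the list above (Social Security numbers, telephone and fax numbers, email addresses, IP addresses, URLs, and dates other than a bare year), as an added example that is not part of the original article. Names, geographic data, photos and biometrics need other methods, so a clean result here is necessary but not sufficient evidence of de-identification. The sample record and the regular expressions are constructed for the example.

```python
"""Flag or redact Safe Harbor identifiers found in free-text records."""
from __future__ import annotations
import re

# Deliberately simple patterns; tune them to the formats in your own records.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    # Full or partial dates; a year on its own is permitted by Safe Harbor.
    "date": re.compile(
        r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2}|"
        r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\.? \d{1,2}(?:, \d{4})?)\b",
        re.IGNORECASE,
    ),
}


def find_identifiers(text: str) -> dict[str, list[str]]:
    """Return each identifier type found in text and the matching substrings."""
    found: dict[str, list[str]] = {}
    for name, pattern in IDENTIFIER_PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            found[name] = hits
    return found


def redact(text: str) -> str:
    """Replace every detected identifier with a [TYPE] token."""
    for name, pattern in IDENTIFIER_PATTERNS.items():
        text = pattern.sub(f"[{name.upper()}]", text)
    return text


# Constructed sample record; every value is fictitious.
SAMPLE = ("Visit on 03/14/2023. Patient SSN 123-45-6789, phone (555) 123-4567, "
          "portal user jdoe@example.test from 10.0.0.25. Discharged in 2023.")
```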
Is there any difference between Protected Health Information (PHI), Personally Identifiable Information (PII), and Individually Identifiable Health Information (IIHI)?
If Personally Identifiable Information does not contain health information, patient history, test results, or billing information (e.g., just a name and telephone number), it does not qualify as Protected Health Information. Individually Identifiable Health Information only becomes Protected Health Information when it is created, used, stored, or disclosed by a Covered Entity or Business Associate.
How does the HIPAA Privacy Rule differ from the HIPAA Security Rule?
The Privacy Rule applies to all Protected Health Information regardless of how it is created, used, stored, or disclosed. The Security Rule applies to Protected Health Information that is created, used, stored, or disclosed electronically. Effectively, the Security Rule is a subset of the Privacy Rule.
Who enforces the HIPAA Privacy Rule?
The HIPAA Privacy Rule is enforced by the U.S. Department of Health and Human Services' Office for Civil Rights (OCR). OCR officers are most often made aware of Privacy Rule violations via public complaints, HIPAA audits, and Covered Entities complying with their obligation to notify OCR of data breaches. OCR also enforces the HIPAA Security Rule and Breach Notification Rule.
Are there specific technologies that are HIPAA compliant?
No technology is HIPAA-compliant because it is how the technology is configured and used that determines compliance, not the capabilities of the technology itself. However, the technologies referenced above can help Covered Entities achieve compliance with the Privacy Rule by eliminating threats to the availability, confidentiality, and integrity of Protected Health Information.
Further Information about the HIPAA Privacy Rule
The HIPAA Privacy Rule fills more than 400 pages of the Federal Register and it is therefore not possible to cover every element of the rule in a single article. However, our “HIPAA Compliance Guide” expands on many of the points raised in this article, and you are invited to download and read the guide for further information about the HIPAA Privacy Rule. Our guide also elaborates on the Minimum Necessary Rule, the HIPAA Security Rule, and HITECH.
Also included in the HIPAA Compliance Guide is further information about secure messaging solutions – how they work, their security features and the proven benefits of secure messaging. The content is supported by case studies from a number of healthcare organizations that have implemented secure messaging solutions in order to comply with the HIPAA Privacy Rule and to prevent reputation-damaging and potentially costly breaches of Protected Health Information.