HIPAA Privacy and Security Rules.


Health care professionals and businesses are required by federal law to protect individually identifiable health information under the Health Insurance Portability and Accountability Act (HIPAA). This law carries a complicated regulatory structure that baffles even the savviest health professionals. G2Z Law Group, PLLC is here to help your organization understand and comply with HIPAA, and particularly with its Privacy and Security Rules. Our knowledge and experience will help you create and maintain privacy practices and procedures that comply with HIPAA, and our attorneys can represent you in state or federal investigations involving HIPAA violations.

HIPAA Overview.


Congress passed HIPAA in 1996. Its Administrative Simplification provisions directed the Department of Health and Human Services (HHS) to adopt national standards for the privacy, security, and electronic transmission of health information. Any health care provider that transmits health information electronically in connection with a standard transaction, such as submitting insurance claims electronically, is subject to HIPAA. HIPAA has since been amended, most significantly by the HITECH Act of 2009 (implemented by HHS through the 2013 Omnibus Rule) and by the Affordable Care Act, with changes in the areas of portability, privacy, security, breach notification, and enforcement.

HIPAA requires particular privacy standards when “covered entities” and “business associates” handle protected health information (PHI). It also imposes administrative, physical, and technical security requirements for PHI held in electronic form, notification requirements in the event of a breach of unsecured PHI, and standardized formats for processing health care claims and related transactions.

Is Your Business Required to Comply with HIPAA?


HIPAA requires “covered entities” and their “business associates” to implement privacy protections for individually identifiable health information. Covered entities and business associates under HIPAA include:

  • Health care providers that transmit health information electronically in connection with a HIPAA standard transaction (for example, submitting claims electronically);

  • Health plans;

  • Health care clearinghouses; and

  • Business associates: vendors and other third parties that create, receive, maintain, or transmit PHI on behalf of a covered entity. A business associate must sign a written business associate agreement with the covered entity before it uses or stores the covered entity’s PHI, and is directly liable for complying with the Security Rule and the applicable provisions of the Privacy Rule.

Health care providers include most hospitals, clinics, doctors, therapists, chiropractors, nursing homes, dentists, and pharmacists. Health plans typically include employer-sponsored group health plans, health insurance companies, health maintenance organizations (HMOs), and government-sponsored health care programs (such as Medicare and Medicaid). Health care clearinghouses are companies, such as billing services and repricing companies, that convert nonstandard health information into HIPAA standard electronic formats, or standard formats back into nonstandard ones.

Entities that are generally not subject to HIPAA include employers (in their capacity as employers), workers’ compensation carriers, life and disability insurers, schools, state agencies that are not themselves health plans or providers, and law enforcement agencies. These entities may nonetheless be bound by HIPAA indirectly, for example when an employer sponsors a group health plan or when an organization acts as a business associate of a covered entity.

What Information Is Subject to HIPAA?


Under HIPAA, PHI is individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits, in any form: spoken, on paper, or electronic. PHI that is stored or transmitted electronically is called electronic PHI (ePHI) and is additionally subject to the Security Rule.

Information is “individually identifiable health information” if it:

  • Is created or received by a health care provider, health plan, employer, or health care clearinghouse;

  • Relates to:

    • A person’s physical or mental health condition, whether past, present, or future;

    • The provision of health care to the individual; or

    • The payment, whether past, present, or future, for the individual’s health care; and

  • Identifies the individual, or provides a reasonable basis to believe it could be used to identify the individual.

What Are the Privacy and Security Requirements Under HIPAA?


HIPAA Privacy Rule

The HIPAA Privacy Rule governs the use and disclosure of protected health information (PHI) in any form. A covered entity may use or disclose PHI without the individual’s authorization for its own treatment, payment, and health care operations, and in a limited set of other circumstances that the rule specifically permits or requires, such as disclosures required by law, for public health activities, or in response to a court order in judicial or administrative proceedings. Any other use or disclosure requires the individual’s written authorization.

All covered entities are required to adhere to additional privacy guidelines, which include:

  • The appointment of a HIPAA Privacy officer to monitor compliance;

  • The maintenance of organizational HIPAA policies and procedures;

  • Training employees on HIPAA policies and procedures; and

  • Maintaining business associate agreements with any vendor or other third party that handles PHI on behalf of the covered entity.

HIPAA Security Rule

The HIPAA Security Rule sets the federal information security standards that covered entities and business associates must implement to protect PHI they create, receive, maintain, or transmit in electronic form, known as electronic PHI or ePHI. ePHI is found throughout electronic health record systems, billing systems, and laboratory information systems.

The Security Rule requires administrative, physical, and technical safeguards for ePHI, protecting its confidentiality, integrity, and availability. All covered entities and business associates are required to adhere to security requirements, which include:

  • The appointment of a HIPAA Security Officer responsible for developing and implementing security policies and procedures (HIPAA does not prohibit one person from serving as both Security Officer and Privacy Officer, and small organizations often combine the roles);

  • The maintenance of HIPAA security policies and procedures;

  • Training employees on HIPAA security policies and procedures;

  • Completion of a security risk analysis that identifies risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, followed by a risk management process that reduces those risks to a reasonable and appropriate level; and

  • Implementation of administrative, physical, and technical safeguards for ePHI, such as workforce access management, facility and device controls, access controls, audit logging, authentication, and transmission security.

Do Patients Have Rights Under HIPAA?


HIPAA guarantees patients’ rights relating to their PHI. Specifically, individuals are given the right to:

  • Access and obtain a copy of the PHI in their designated record set (their medical and billing records);

  • Request amendment of PHI that is incorrect or incomplete;

  • Receive an accounting of certain disclosures of their PHI made by the covered entity or its business associates;

  • Request confidential communications of their PHI by a particular means or at a particular location;

  • Request restrictions on uses and disclosures of their PHI; and

  • Receive a Notice of Privacy Practices describing how the covered entity uses and discloses PHI.

What Are the Penalties for Violating HIPAA?


Federal regulations provide steep penalties and demanding remedies for violations of HIPAA. The HHS Office for Civil Rights (OCR) enforces the Privacy, Security, and Breach Notification Rules and may impose civil money penalties, tiered by the level of culpability; knowing misuse of PHI can also be prosecuted criminally by the Department of Justice. OCR enforcement has resulted in costly litigation, corrective action plans, and high-profile settlements.

Some of the common HIPAA compliance violations that have resulted in penalties include:

  • Business associates using and disclosing PHI before a business associate agreement is in place;

  • Unsecured network or remote-access points to systems holding PHI;

  • Covered entities:

    • Failing to conduct an accurate and thorough, enterprise-wide risk analysis;

    • Failing to protect PHI against loss or theft of devices and media;

    • Failing to follow the breach notification requirements;

    • Failing to revoke or adjust access to PHI when employees’ roles change or their employment is terminated;

    • Failing to securely dispose of PHI and the media that hold it; and

    • Failing to limit uses and disclosures of PHI to the minimum necessary information.

What Can G2Z Law Group, PLLC Do for My Health Care Business?


Our firm is prepared to assess your business’s compliance with HIPAA’s privacy, security, and breach notification requirements. Whether as a preventive measure or as a response to an ongoing investigation by HHS, our firm knows how to assess, reduce, and control HIPAA risks. It is challenging to constantly grapple with changing HIPAA requirements, but G2Z Law Group is prepared to develop a risk management plan, implement mitigation procedures, review and revise HIPAA policies and procedures, establish evaluation and training materials, and develop best practices regarding the access, storage, and disposal of PHI.

Our attorneys can also defend you in investigations of HIPAA privacy and/or security violations before state agencies, such as state health professional boards, and in federal investigations, such as those conducted by the HHS Office for Civil Rights (OCR).

Contact us.

Please review the disclaimer below before sending us an email.

info@g2zlaw.com
(202) 656-8387

1250 Connecticut Ave. NW, Suite 700
Washington, DC 20036


Disclaimer: Completing and submitting the above electronic form does not establish an attorney-client relationship with us. Our Law Firm cannot agree to represent you until we determine there would be no conflict of interest and notify you that you are a client. Any information sent to the Law Firm via this website before we have agreed to represent you will not be treated as confidential. Information submitted to the Law Firm before we agree to represent you will not bar the Law Firm from representing or continuing to represent someone whose interests are adverse to yours in connection with your case.


Copyright 2020, G2Z Law Group, PLLC