Integrating Privacy & Security Into Your Practice
Understanding Patients’ Individual Rights and Provider Responsibilities
The HIPAA Privacy Rule establishes a set of national standards for the use and disclosure of individually identifiable health information – often called protected health information (PHI) – by covered entities, as well as standards for providing individuals with health information privacy rights and helping individuals understand and control how their health information is used.
In general, HIPAA Privacy Rule requirements:
- Apply to most health care providers;
- Set a federal floor for protecting individually identifiable health information across all mediums (electronic, paper, and oral);
- Limit how covered entities may use and disclose individually identifiable health information they receive or create;
- Give individuals rights with respect to their PHI, including a right to examine and obtain a copy of information in their medical records and the right to ask covered entities (that’s you!) to amend their medical record if information is inaccurate or incomplete;
- Impose administrative requirements for covered entities; and
- Establish civil penalties.
How to Keep Your Patients’ ePHI Secure
An EHR alters the mix of security needed to keep patient health information secure, and it brings new responsibilities for safeguarding your patients’ health information in an electronic form.
The HIPAA Security Rule establishes national standards to protect individuals’ electronic protected health information (ePHI) that is created, received, used, or maintained by a HIPAA covered entity. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI.
These safeguards, when applied well, can help you avoid some of the common security gaps that lead to cyber attack or data loss. They can protect the people, information, technology, and facilities that you may depend on to carry out your primary mission: helping your patients.
The HIPAA Security Rule requires covered providers to implement security measures, which help protect patients’ privacy by creating the conditions for patient health information to be available but not be improperly used or disclosed.
What to do in Case of a Breach of Unsecured PHI
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.
The Breach Notification Rule requires covered providers to promptly notify affected individuals and the Secretary of HHS of the loss, theft, or certain other impermissible uses or disclosures of unsecured PHI. Health care providers must also promptly notify the Secretary of HHS of any breach of unsecured protected health information that affects 500 or more individuals, and must notify the media if the breach affects more than 500 individuals in a State or jurisdiction.
Your Practice & the HIPAA Rules
Failure to comply with the HIPAA Rules can result in civil and criminal penalties.
- The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) is responsible for administering and enforcing the HIPAA Privacy and Security Rules and conducts associated complaint investigations, compliance reviews, and audits. OCR may impose fines on covered providers for failure to comply with the HIPAA Rules.
- State Attorneys General may also enforce provisions of the HIPAA Rules.
- The U.S. Department of Justice (DOJ) may enforce criminal penalties for HIPAA violations.
For more information about integrating privacy and security into your medical practice, download Chapter Four of the Guide to Privacy and Security of Health Information [PDF - 1.3 MB].