In this article I will break down the HIPAA privacy regulations and explain what a medical practice is required to do to protect patient health information. Regardless of whether patient information is electronic or on paper, covered entities are responsible for safeguarding it.
What is a covered entity?
Covered entities (CEs) are defined as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. Note that not everyone who touches health information is a covered entity: a vendor that handles protected health information on a covered entity's behalf is a business associate, which has its own obligations under a business associate agreement and under the Security and Breach Notification rules. Covered entities must comply with HIPAA's Privacy, Security, and Breach Notification rules.
What is the Privacy Rule?
The HIPAA Privacy Rule protects individually identifiable health information held or transmitted by a covered entity or its business associates, which the rule calls protected health information (PHI). Any record that identifies a patient, or could reasonably be used to identify one, may be used or disclosed only as the rule permits or requires. This includes medical records, laboratory reports, and billing records, whether on paper, electronic, or oral.
The Privacy Rule was established to protect people from being discriminated against on the basis of their health information. Among the cases cited when the rule was adopted: a banker who sat on a county health board gained access to patient information, identified people with cancer, and called their mortgages. In another instance, a surgeon who was diagnosed with AIDS at the hospital where he practiced was no longer allowed to perform surgery afterwards. The Privacy Rule is intended to prevent such misuse of health information.
What is the Security Rule?
All covered entities must also adhere to the HIPAA Security Rule. The Security Rule requires every covered entity, including State Medicaid agencies, private health plans, health care providers, and health care clearinghouses, to ensure the confidentiality, integrity, and availability of the electronic protected health information (ePHI) it creates, receives, maintains, or transmits, and to protect it against reasonably anticipated threats and impermissible uses or disclosures. It does this through required administrative, physical, and technical safeguards, such as risk analysis, workforce training, facility and device controls, access control, audit logging, and transmission security. ePHI that is stored or transmitted without appropriate safeguards can be read or altered by unauthorized parties, which constitutes a security incident and potentially a reportable breach.
What is the Breach Notification Rule?
HIPAA's Breach Notification Rule requires covered entities to provide notification following a breach of unsecured protected health information. A breach is defined as an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of protected health information held by covered entities or their business associates; a business associate that discovers a breach must notify the covered entity. Following a breach, covered entities must notify the affected individuals without unreasonable delay and no later than 60 days after discovery, and must notify the Secretary of the U.S. Department of Health & Human Services (within 60 days for larger breaches, or annually for breaches affecting fewer than 500 individuals). Furthermore, if the breach affects more than 500 residents of a state or jurisdiction, the covered entity must also notify prominent media outlets serving that area.
What is the penalty for a violation?
The Privacy, Security, and Breach Notification rules are codified in 45 CFR Subtitle A, Parts 160 and 164. Under those regulations the Secretary of Health and Human Services (not the Secretary of State) may conduct compliance reviews at any time, and a covered entity must permit access to its facilities, books, records, and other sources of information during normal business hours, or at other times without notice if the Secretary determines that exigent circumstances exist. If a violation is found, a civil money penalty ranging from $100 to $50,000 per violation may be imposed, up to a maximum of $1.5 million per calendar year for violations of an identical provision; the tier depends on the covered entity's level of culpability, from lack of knowledge through willful neglect. What's more, knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA is a federal crime, punishable by fines and imprisonment of up to ten years when the offense is committed with intent to sell the information or to use it for commercial advantage, personal gain, or malicious harm.