Neglecting the three HIPAA rules can lead to large fines, loss of face, and for an employee worker – loss of job. Businesses can lose up to $1.5 million dollars as fines. So, if you are covered under HIPAA, you must comply with the three HIPAA rules.
The three HIPAA rules
The Health Insurance Portability and Accountability Act (HIPAA) lays out three rules for protecting patient health information.
- The Privacy Rule
- Thee Security Rule
- The Breach Notification Rule
These three rules set national standards for the purpose. These standards address the issue of protecting the health information, which could be used for identifying a person.
1. The Privacy Rule
The standards set by the Privacy rule address subjects such as:
- Which organizations must follow the HIPAA standards
- What is protected health information (PHI)
- How organizations can share and use PHI
- Permitted usage and disclosure of PHI
- Patient’s rights over their health information
Healthcare entities covered by HIPAA include:
- Health plans
- Health care clearinghouses
- Health care providers
HIPAA also applies to business associates, who conduct healthcare transactions for covered entities.
Usage and disclosure limitations
The privacy rule restricts the usage of health information, which could identify a person (PHI). Covered entities cannot use or disclose PHI unless:
- It’s permitted under the Privacy rule, or
- The individual has authorized it in writing.
The Privacy rule does not restrict de-identified health information.
2. The Security Rule
The security rule sets the standards for the protection of PHI in electronic format (ePHI).
The Security rule standards cover:
- Which organizations must follow the security rule
- What health information is protected under the security rule
- What safeguards must in place for the purpose
The security rule covers all healthcare providers who use ePHI. It also covers business associates of such providers.
All the covered entities must protect all ePHI that they create, receive, store, or send. They must:
- Ensure the confidentiality, integrity and availability of the PHI
- Protect the ePHI against all threats to its security and integrity
- Protect it against impermissible use or disclosure
- Train employees, and ensure compliance with the security rule
- Adapt suitable policies and procedures
The covered entities are also required to perform risk analysis, and create a risk management plan to mitigate the risk to ePHI.
The risk analysis process should at least include the following steps.
- Identify potential risks to patient health information
- Create a risk management plan
- Put in place administrative, physical, and technical safeguards
- Conduct HIPAA training, and train workers to follow HIPAA policies and procedures
- Document their risk analysis process
- Conduct risk analysis yearly to identify and mitigate new risks
3. The breach notification rule
HIPAA considers all PHI usage or disclosures that aren’t permitted under the Privacy rule as a breach.
The breach notification rule requires covered entities to send alerts upon discovery of a breach. Once a covered entity becomes aware of a breach, the alerts have to be sent within next 60 days.
Covered entities are required to alert:
- Affected individuals
- Health and Human Services (HHS)
- Media, if necessary
Business associates of a covered entity need to alert their covered entity too.
If the breach affects more than 500 people, the HHS must be notified immediately. The HHS would post it on their website. The covered entity would also need to post the message on their website.
Organizations may also choose not to send alerts, but only if they can prove that there is low probability of the PHI being compromised.
Reportable Breaches and Exceptions
Organizations should consider all impermissible uses and disclosures as a breach of PHI. But, they need to send alerts only for unsecured PHI. Besides this, the breach notification rule is flexible under three more circumstances.
- If it was unintentional or done in good faith, and was within the scope of the authority.
- If it was done unintentionally between two people permitted to access the PHI.
- It the organization has a good faith belief that the person to whom the disclosure was made would not be able to retain the PHI.
Under any case, the organization should ensure that such incidents don’t reoccur.
Breach alerts are required only for unsecured PHI. If you secured it as specified by this guidance, then you don’t need to send the alerts.
The HHS Office for Civil Rights enforces the three HIPAA rules. Violations of the HIPAA rules may result in fines and penalties. In some cases, criminal penalties may also apply.
If you want to know more about the three HIPAA rules, you may visit the HHS website.