
HIPAA (Health Insurance Portability and Accountability Act)

Passed in 1996. Enacted to protect health information through:
  transaction standards for the exchange of health information
  security standards
  privacy standards

Protects protected health information (PHI)

PHI means individually identifiable health information that is: (i) transmitted by electronic media; (ii) maintained in electronic media; or (iii) transmitted or maintained in any other form or medium.
There are certain exclusions, such as education records and employment records held by a covered entity in its role as employer.

Applies to covered entities

Covered entity means (1) a health plan, (2) a health care clearinghouse, or (3) a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.

Health information means any information, whether oral or recorded in any form or medium, that: (1) is created or received by a health care provider, . . . employer, . . . and (2) relates to the past, present, OR future physical or mental health or condition of an individual; the provision of health care to an individual; OR the past, present, or future payment for the provision of health care to an individual.

Also applies to the business associates of covered entities

Business associate means, broadly, a person who performs, or assists in the performance of . . . a function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing.

Broadly, this means that if you use or receive PHI, then you are either a covered entity or a business associate

HITECH (Health Information Technology for Economic and Clinical Health)

Signed into law on February 17, 2009. Provides for the adoption of electronic health records. Also adds new breach provisions, defining a breach as:
"the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information"

HITECH Breach

Who is under Obligations?
  Covered Entity
  Business Associate
  Subcontractor

Requirements: investigate, give notice, reprimand, record/notify the Secretary of Health and Human Services. If over 500 individuals are affected, then the breach must be reported to the Secretary.

What are an entity's Obligations?


As of September 26, 2011, 330 reports (several organizations more than once), impacting more than 11 million records

Getting out of Breach Notification

Only provide the required notification if the breach involved unsecured protected health information

Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance

Getting out of Breach Notification

Guidance available:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html (and is to be updated annually)
  Data at Rest: NIST
  Data in Motion:
