
Health Insurance Portability and Accountability Act of 1996

The Security Rule

11/02/2021 1
CONSTITUTIONAL PRIVACY RIGHTS
Individual privacy rights, in general, are not specifically mentioned in the U.S. Constitution. They are more or less implied from the First, Third, Fourth, Fifth and Ninth Amendments.

PRIVACY RIGHTS VIA STATE LEGISLATION
On the State level, individual privacy rights are specifically expressed within the constitutions of individual States. For example, Article 1, Section 1 of the current California state constitution, adopted in 1879, reads as follows:

All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy.

PRIVACY & TORT LAW
Torts are defined as “the wrongful conduct of one party that causes injury to another party”.

As part of Tort law, an Invasion of Privacy is classified as an “Intentional Tort against Persons”.

A more comprehensive legal definition of Invasion of Privacy would be “the publishing or otherwise making known or using information relating to a person’s private life and affairs, with which the public has no legitimate concern, without the person’s permission or approval”.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was passed by Congress to establish a standardized set of general requirements and security guidelines to protect the privacy of patients.

HIPAA created guidelines to promote consistency in the procedures utilized by health care providers, health plan administrators, and health care clearinghouses to protect patient-related information from unauthorized access as well as to ensure its integrity.

The American Health Information Management Association (AHIMA) has observed that an average of 150 people, "from nursing staff to x-ray technicians, to billing clerks", have access to a patient's medical records during the course of a typical hospitalization.

PATIENT DATA FLOWCHART

THE SECURITY RULE
The Security Rule outlines specific implementation guidelines for the protection and transmission of individually identifiable health information in an electronic format or media, also known as “electronic protected health information” (EPHI).

HIPAA SECURITY STANDARDS
The HIPAA Security Rule component consists of three major categories of specified operational standards that have to be fully implemented to process and transmit EPHI. They are listed as follows:
1) Administrative Safeguards
2) Physical Safeguards
3) Technical Safeguards

ADMINISTRATIVE SAFEGUARDS
Administrative safeguards involve the supervision and assignment of system security responsibility to individuals within the organization, in addition to developing and deploying security procedures and training.

PHYSICAL SAFEGUARDS
Physical safeguards are mechanisms required to protect electronic systems, equipment and the data they hold from threats, environmental hazards and unauthorized intrusion.

TECHNICAL SAFEGUARDS
Technical safeguards are defined as the automated processes used to protect data and control access to data.

PENALTIES FOR INDIVIDUAL VIOLATORS
Featured Health Business Daily Story, June 23, 2008
UCLA Health System Facilities Are Cited by State for Patient Privacy Breaches; Former Employee Is Charged Under HIPAA

The feds indicted Lawanda Jackson, a former administrative specialist at UCLA Medical Center, on April 29. They allege that she accessed celebrity patients' records and sold information to a national media outlet for about $4,600. She faces 10 years in prison if convicted, according to the U.S. Attorney's Office for the Central District of California.

PENALTIES FOR HEALTHCARE PROVIDER VIOLATORS
Kaiser fined for patient-privacy breach
Rebecca Vesely, STAFF WRITER - Oakland Tribune – 06/21/05

Kaiser Foundation Health Plan was fined $200,000 by the state for posting patient information on an unprotected Web site for as long as four years and not telling regulatory officials about it, the state Department of Managed Health Care said Monday.

Kaiser's information technology staff created the Web pages containing the information of about 150 patients in 1999 as a test portal. The site contained names, addresses, phone numbers and lab results for the patients, according to a state investigation.

The site wasn't protected from public viewing without prior consent of the patients -- a violation of state law and Kaiser privacy policies.
CALIFORNIA ENACTS ADDITIONAL LAWS TO PENALIZE VIOLATORS
In an effort to strengthen privacy and security enforcement of protected and electronic protected health information standards among healthcare providers and their employees, the State of California enacted two bills, AB 211 and SB 541. These were signed by Governor Schwarzenegger in September 2008 in response to the recent security breach described below:

Laws bolster penalties for privacy breaches in California
In the wake of multiple high-profile cases of snooping, the state cracks down on unauthorized looks at medical files.
By Pamela Lewis Dolan, AMNews staff. Dec. 1, 2008.

About the same time the California governor signed the two patient privacy bills into law, a report published by the California Health Dept. found snooping incidents at the UCLA Medical Center were much worse than initially thought. The study found that since 2003, hospital workers inappropriately accessed the electronic medical records of 1,041 patients, including those of California first lady Maria Shriver. Some of those employees were feeding celebrity information to the media, the report said.

SUMMARY OF NEW CALIFORNIA PRIVACY BREACH LEGISLATION
Jones’ Assembly Bill 211 would authorize the newly-created Office of Health Information Integrity in the Department of Public Health to fine individuals involved in medical data breaches depending on the severity of the breach. The maximum amount of a fine from the new office would be $250,000. The bill also would forward relevant breach information to the relevant licensing authority (California Medical Board, etc.) for possible further action.

AB 211 is part of a two-bill package on medical privacy and serious medical errors. The partner bill is SB 541, authored by Senator Elaine Alquist (D-Silicon Valley). Both bills are sponsored by the Schwarzenegger administration. The Alquist bill authorizes fines on providers and facilities for patient privacy breaches and also increases penalties on so-called “immediate jeopardy” violations where a health care facility’s actions caused death or serious injury to a patient.
