HIPAA: PRIVACY AND SECURITY OF PROTECTED HEALTH INFORMATION (PHI)
Our HIPAA Legal Team counsels clients on federal and state law confidentiality, privacy and security healthcare needs. Our legal services include:
- Customizing HIPAA Policies and Procedures For Your Practice or Enterprise
- Determining Whether HIPAA Applies To Your Practice
- Developing HIPAA Policies and Procedures for Mobile Apps or Telemedicine
- Drafting Business Associate Agreements
- Responding to HIPAA Complaints
- Reviewing Arrangements for HIPAA Violations
Contact our HIPAA attorneys for questions regarding your HIPAA privacy and security obligations, or to discuss compliance in the event of a HIPAA breach that could result in federal and state enforcement and significant penalties. Or find out more about online HIPAA compliance training.
Our HIPAA lawyers have expertise counseling clients to update their HIPAA compliance efforts — including updating and implementing privacy and security policies, procedures, and forms — both in a preventative capacity, and to mitigate following an unanticipated data breach.
Let us know whenever HIPAA issues arise, whether you are a technology startup (and possibly a business associate under HIPAA), an established medical group or practice, or a consultant or vendor involved in telemedicine or a mobile application through which protected health information (PHI) is transmitted.
HIPAA and HITECH
Under federal law, the Health Insurance Portability and Accountability Act (“HIPAA”) regulates electronic data exchange of health care information. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic healthcare transactions and national identifiers for providers, health insurance plans, and employers. The Administrative Simplification provisions also address the security and privacy of health data.
Under Title II of HIPAA, HHS has promulgated five sets of implementing regulations, which are variously known as the Privacy Rule; the Security Rule; the Unique Identifiers Rule (National Provider Identification (“NPI”)); the Transactions and Code Sets Rule; and the Enforcement Rule. But our clients are primarily concerned with the Privacy Rule and the Security Rule, both of which address protecting the confidentiality and privacy of patients’ healthcare information.
Portions of HIPAA have been amended by a subsequent federal statute, the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, enacted as part of the American Recovery and Reinvestment Act of 2009.
HIPAA establishes civil money penalties and criminal penalties for violations. HHS enforces the civil money penalty provision, while the U.S. Department of Justice enforces the criminal penalties. HIPAA’s civil money penalty provision authorizes a civil penalty of up to $100 per violation, up to $25,000 per year. HIPAA authorizes criminal penalties according to the level of culpability, up to $1.5 million.
State Privacy and Confidentiality Laws
States also have their own privacy and confidentiality laws, portions of which apply notwithstanding HIPAA’s pre-emption provisions. In addition, providers who do not fall under HIPAA will nonetheless be bound by state laws and regulations.
For example, in California:
- California privacy standards are contained in the Confidentiality of Medical Information Act (“CMIA”).
- The Health & Safety Code (sections 123100 et seq.) governs patient access to health records. (Among other things, special considerations apply to psychotherapy notes and mental health records.)
- California law also establishes a State Office of Health Information Integrity, dedicated to informing about rights and responsibilities relevant to health information, as well as the role of electronic health information exchanges (“HIEs”) in transmitting patients’ health information.
- California’s Department of Health Care Services also has a Privacy Office, which sits within the Department’s Office of HIPAA Compliance, and works to protect PHI, including investigating privacy breaches and complaints involving unauthorized access or disclosure of PHI.
- California further has an Office of Privacy Protection which provides information on privacy topics for individuals and consumers.
HIPAA applies to “Covered Entities” and to their “Business Associates.”
Covered entities include:
(1) Health Plans, including health insurance companies, HMOs, company health plans, and certain government programs that pay for health care, such as Medicare and Medicaid.
(2) Most Health Care Providers — who transmit any health care information in electronic form to health insurance companies. Such health care providers can include doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists, or any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.
(3) Health Care Clearinghouses — entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
A Business Associate is a person not in the workforce of a Covered Entity who uses individually identifiable health information for functions such as claims processing or administration, or data analysis, processing or administration.
The U.S. Department of Health and Human Services (HHS) summarizes the major administrative procedures a Covered Entity must have under HIPAA as follows:
- Privacy Policies and Procedures. A Covered Entity must develop and implement written privacy policies and procedures that are consistent with HIPAA.
- Privacy Personnel. A Covered Entity must designate a privacy official responsible for developing and implementing its privacy policies and procedures, and a contact person or contact office responsible for receiving complaints and providing individuals with information on the Covered Entity’s privacy practices.
- Workforce Training and Management. Workforce members include employees, volunteers, trainees, and may also include other persons whose conduct is under the direct control of the entity (whether or not they are paid by the entity). A Covered Entity must train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their functions; and must have and apply appropriate sanctions against workforce members who violate its privacy policies and procedures or HIPAA.
- Mitigation. A Covered Entity must mitigate, to the extent practicable, any harmful effect it learns was caused by use or disclosure of protected health information by its workforce or its business associates in violation of its privacy policies and procedures or HIPAA.
- Data Safeguards. A Covered Entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure. For example, such safeguards might include shredding documents containing protected health information before discarding them, securing medical records with lock and key or pass code, and limiting access to keys or pass codes.
- Complaints. A Covered Entity must have procedures for individuals to complain about its compliance with its privacy policies and procedures and the Privacy Rule. The Covered Entity must explain those procedures in its privacy practices notice. Among other things, the Covered Entity must identify to whom individuals can submit complaints at the Covered Entity and advise that complaints also can be submitted to the Secretary of HHS.
- No Retaliation and Waiver. A Covered Entity may not retaliate against a person for exercising rights provided by the Privacy Rule, for assisting in an investigation by HHS or another appropriate authority, or for opposing an act or practice that the person believes in good faith violates the Privacy Rule. A Covered Entity may not require an individual to waive any right under the Privacy Rule as a condition for obtaining treatment, payment, and enrollment or benefits eligibility.
- Documentation and Record Retention. A Covered Entity must maintain, until six years after the later of the date of their creation or last effective date, its privacy policies and procedures, its privacy practices notices, disposition of complaints, and other actions, activities, and designations that the Privacy Rule requires to be documented.
Contact our HIPAA Legal Team for legal advice related to patient privacy, confidentiality, and data security.