BREACH NOTIFICATION
The requirement, enacted by the HITECH Act, that covered entities and business associates notify patients when there has been an impermissible use or disclosure of protected health information that poses a significant risk of financial, reputational, or other harm to the affected individual. Breach notification can be triggered simply by losing control of protected health information (PHI) or electronic protected health information (ePHI), or by temporarily allowing others to have access to the PHI or ePHI.
BUSINESS ASSOCIATE
Any person or company that is not a covered entity and that has access to ePHI. Examples of business associates that might come into contact with ePHI are: an IT company that supports computers that hold ePHI; a document destruction company; a Software as a Service (SaaS) provider that deals with ePHI; or an accountant or lawyer who comes into contact with ePHI. Business associates are required by HIPAA to comply with the administrative, physical and technical safeguards required by the HIPAA Security Rule and are also required to comply with certain aspects of the HIPAA Privacy Rule and the HIPAA Breach Notification Rule.
BUSINESS ASSOCIATE AGREEMENT
The agreement between a covered entity and a business associate, or between two business associates, that clearly defines the roles and responsibilities of each of the parties to the agreement regarding the protection of ePHI. Covered entities are required to execute business associate agreements with anyone who may come into contact with ePHI who is not directly employed by the covered entity and who does not otherwise have the right to access the ePHI in accordance with the HIPAA Privacy Rule. In addition, anyone who is a business associate is required by HIPAA to execute a business associate agreement with anyone else who might come into contact with the ePHI due to their relationship with the business associate.
COVERED ENTITY (CE)
A covered entity under HIPAA is a Health Care Provider, Health Care Plan or Health Care Clearinghouse.
ELECTRONIC PROTECTED HEALTH INFORMATION (EPHI)
Protected Health Information (PHI) that is created, maintained or transmitted electronically.
Protected Health Information (PHI) is any information that identifies an individual (usually a patient) and relates to at least one of the following:
- The individual’s past, present or future physical or mental health
- The provision of health care to the individual
- Past, present, or future payment for health care
Information that can identify an individual includes either the individual’s name or any other information that could enable someone to determine the individual’s identity.
Data are “individually identifiable” if they include any one of 18 types of identifiers for an individual or for the individual’s employer or family member, or if the provider or researcher is aware that the information could be used, either alone or in combination with other information, to identify an individual.
These 18 types of identifiers are:
- Names
- Telephone numbers
- Fax numbers
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Any vehicle or other device serial number
- Device identifiers or serial numbers
- Web URL
- IP address
- Finger or voice prints
- Photographic images
- Any other characteristic that could uniquely identify the individual
- Address (all geographic subdivisions smaller than state, including street address, city, county, or ZIP code)
- All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89)
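The identifier list above maps directly onto a de-identification check. The Python below is an added example, not code from OnRamp or from this glossary: it scrubs a constructed patient record by redacting direct identifiers, reducing date fields to the year, collapsing any age over 89 into a single "90+" bucket, and scanning free text for embedded phone numbers, SSNs and email addresses. The field names, the field-to-category mapping and the regexes are assumptions for this sample schema.

```python
import re
from datetime import date
# Constructed sample record with fictional values (not real patient data).
RECORD = {
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "zip": "78701",
    "state": "TX",
    "birth_date": "1921-04-17",
    "admission_date": "2013-03-26",
    "diagnosis": "hypertension",
    "notes": "Call patient at 512-555-0142 or jane@example.com before discharge.",
}
# Assumed mapping from this schema's field names to the page's identifier categories.
DIRECT = {"name", "phone", "fax", "email", "ssn", "mrn", "account", "ip", "url", "zip"}
DATES = {"birth_date", "discharge_date", "admission_date", "death_date"}
# Patterns for identifiers that hide inside free-text fields.
PATTERNS = {
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}
def deidentify(record, today):
    """Return (scrubbed_copy, findings); findings names every identifier category found."""
    out, findings = {}, []
    for key, value in record.items():
        out[key] = value
        if key in DIRECT:
            findings.append(key)
            out[key] = "[REDACTED]"
        elif key in DATES:
            findings.append(key)
            out[key] = str(date.fromisoformat(value).year)  # the year alone is permitted
        elif isinstance(value, str):
            for cat, pat in PATTERNS.items():
                if pat.search(value):
                    findings.append(f"{cat} (in {key})")
                    value = pat.sub("[REDACTED]", value)
            out[key] = value
    # An exact age over 89 is itself an identifier: derive it from the birth date
    # and collapse everything over 89 into a single "90+" bucket.
    if "birth_date" in record:
        born = date.fromisoformat(record["birth_date"])
        age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
        out["age"] = "90+" if age > 89 else age
    return out, findings
def run_sample():
    return deidentify(RECORD, date(2013, 9, 23))
```

The findings list is the audit trail: if it is empty the record already met the identifier test, otherwise it names exactly which categories made the record PHI.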
FIPS (FEDERAL INFORMATION PROCESSING STANDARDS)
FIPS refers to the publicly announced standards developed by NIST for use in computer systems by non-military government agencies and government contractors. FIPS provides requirements for cryptographic modules and guidelines for media sanitization that are required by HIPAA to render unsecured PHI unusable, unreadable, or indecipherable to unauthorized individuals.
A federal standard for cryptographic modules that specifies which type of encryption ciphers and key storage systems are appropriate for protecting data at rest and data in motion.
HEALTHCARE CLEARINGHOUSE
Anyone that processes, or facilitates the processing of, ePHI received from another covered entity in a nonstandard format into a standard format. An example of a healthcare clearinghouse would be a billing company that converts medical entries into a standard billing format for processing.
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
A federal law created in 1996 to ensure the portability of health insurance when employees change employers. HIPAA gives the Department of Health and Human Services the authority to mandate the use of standards for the interchange of patient health information and to mandate the steps entities must take to provide for the security and privacy of patient health information.
HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH (HITECH)
An update to HIPAA passed in 2009 that increases the civil penalties related to HIPAA non-compliance, adds criminal penalties for some violations, requires business associates to comply with specific administrative, physical and technical requirements and adds a requirement for covered entities and business associates to notify patients in the event of a security breach of the patient’s ePHI.
HHS (THE U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES)
HHS is the government agency responsible for providing essential health services to Americans. HHS has several divisions, including ONC and OCR, which enforce HIPAA compliance and oversee the adoption of information technology in the healthcare setting and its impact on the privacy and security of protected health information.
INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION
Information that is a subset of health information, including demographic information collected from an individual, and:
(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
(i) That identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
NIST (NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY)
NIST is a federal technology agency that works with industry to develop and apply technology, measurements and standards. NIST security standards and guidelines, including FIPS and the Special Publication 800 series, can be used to support the requirements of both HIPAA and FISMA to select, specify, employ and evaluate the security controls in information systems.
OCR (THE OFFICE FOR CIVIL RIGHTS)
OCR is a division of HHS that enforces federal laws that prohibit discrimination by health care and human services providers that receive funds from HHS. With regard to HIPAA, OCR has the ability to levy civil and criminal penalties upon covered entities and/or business associates that fail to comply with this stringent set of requirements.
OMNIBUS RULE
On March 26, 2013 the long-awaited Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule went into effect, giving HIPAA Covered Entities and HIPAA Business Associates until September 23, 2013 to achieve compliance under its new provisions.
ONC (THE OFFICE OF THE NATIONAL COORDINATOR FOR HEALTH INFORMATION TECHNOLOGY)
ONC is a division of HHS that provides counsel to the Secretary of HHS and departmental leadership for the development and nationwide implementation of an interoperable health information technology infrastructure. ONC’s work on health IT is authorized by the HITECH Act.
PRIVACY RULE
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
PROTECTED HEALTH INFORMATION
Any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient’s medical record or payment history.
SECURITY RULE
The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
TEXAS HOUSE BILL 300 (H.B. 300)
On September 1, 2012, the Texas Legislature passed House Bill 300 (H.B. 300) in an effort to enhance the safeguards for Protected Health Information (PHI). This law increases the number of entities that are required to be HIPAA compliant, expands the guidelines they must follow, and increases the penalties if they are found not to be in compliance.