Brigham Young University–Hawaii Office of Compliance and Audit Research Memo · 3/5/2020

Brigham Young University–Hawaii

Office of Compliance & Ethics Research Memo

Health Insurance Portability and Accountability Act (HIPAA)

Law/Act: Health Insurance Portability and Accountability Act

Public Law Citation: Pub. L. No. 104-191, 110 Stat. 1936 (1996)

U.S. Code Citation: 29 U.S.C. §§ 1167, 1181-1191c; 42 U.S.C. §§ 201, 300gg to 300gg-95, 1320a-7 to 1320a-7e, 1320d to 1320d-9.

Code of Federal Regulations Citation: 45 C.F.R. pts. 160, 162, 164

Responsible Regulator: U.S. Department of Health and Human Services, Office for Civil Rights

BYU–Hawaii Responsible Officer: Student Life Vice President; HIPAA Compliance Officer

Updated Apr. 2013 TDS

Version 1.0 Effective Date: 7/1/1997

PURPOSE

The Health Insurance Portability and Accountability Act1 (HIPAA) was enacted to make health insurance more available for individuals who change jobs, combat abuses in the health care system, and simplify the administration of health insurance.2 The act also aims to protect privacy by creating requirements for how personal medical information may be used and disclosed, increasing the security and confidentiality of stored health information, and establishing uniform standards for transmitting health information electronically.3

HISTORY

HIPAA was passed in 1996,4 and rules enforcing HIPAA’s provisions were released thereafter.5 The first regulations came out in 2000, instituting the Privacy Rule (concerning appropriate uses and disclosures of health information).6 The Privacy Rule was amended in 2002.7 The second set of regulations, issued in 2003, established the Security Rule, which introduced measures for maintaining the confidentiality, integrity, and availability of electronic health information. HIPAA was amended in 2009 by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which extended the requirement to implement security standards to business associates and established new provisions for notification of security breaches.8 In 2013, modified HIPAA rules were released—largely in response to the Genetic Information Nondiscrimination Act of 2008 (GINA) and the HITECH Act.9

1 Pub. L. No. 104-191, 110 Stat. 1936 (1996).
2 Id.; FAQs about Portability of Health Coverage and HIPAA, U.S. DEP’T OF LABOR, http://www.dol.gov/ebsa/faqs/faq_consumer_hipaa.html (last visited Mar. 7, 2013).
3 42 U.S.C. § 1320d-2(c); The Privacy Rule, U.S. DEP’T OF HEALTH & HUM. SERVICES, http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html (last visited Mar. 7, 2013); The Security Rule, U.S. DEP’T OF HEALTH & HUM. SERVICES, http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/ (last visited Mar. 7, 2013).
4 Pub. L. No. 104-191, 110 Stat. 1936 (1996).
5 See, e.g., Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,462 (Dec. 28, 2000); Health Insurance Reform: Security Standards, 68 Fed. Reg. 8,334 (Feb. 20, 2003).
6 Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,462 (Dec. 28, 2000).
7 Standards for Privacy of Individually Identifiable Health Information, 67 Fed. Reg. 53,182 (Aug. 14, 2002).
8 Pub. L. No. 111-5, 123 Stat. 226 (2009). The HITECH Act is part of the American Recovery and Reinvestment Act of 2009. Id.
9 Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules, 78 Fed. Reg. 5,565 (Jan. 25, 2013).


APPLICABILITY TO BYU–HAWAII

The requirements of HIPAA apply to all “covered entities” and their business associates.10 A covered entity is defined as (1) a health plan, (2) a health care clearinghouse, or (3) a health care provider that transmits health information electronically to carry out financial or administrative activities related to health care.11 A business associate is a person who is not part of the covered entity’s workforce, who provides services to a covered entity, and who deals with the covered entity’s protected health information.12 In hybrid entities (single legal entities whose activities include both covered and non-covered functions), only the components that perform covered-entity or business-associate functions are subject to HIPAA requirements.13

HIPAA applies to BYU–Hawaii because its Health Services is a provider of medical or health services and transmits health information electronically to carry out financial or administrative activities related to health care. The BYU–Hawaii Student Medical Benefit is also covered by HIPAA. For BYU–Hawaii to be treated as a hybrid entity, the university must designate Health Services and any other components of the university that fall under HIPAA as its health care component, and keep a written record of this designation.14 Only the designated components need to comply with HIPAA rules, but they are also prohibited from sharing protected health information with components of the university that are outside the health care component.15

REQUIREMENTS

Title I of HIPAA imposes requirements regarding health insurance coverage and access.16 Title II, known as the administrative simplification provisions, imposes requirements related to the privacy and security of protected health information.17

Preexisting Conditions

10 45 C.F.R. §§ 160.102, 160.300. A covered entity can be legally responsible for its business associates’ actions if the associate is acting as the covered entity’s agent. 42 U.S.C. § 1320a-7a(l); 45 C.F.R. § 160.402(c)(1).
11 42 U.S.C. § 17921(3); 45 C.F.R. § 160.103. A health care provider is defined as a person or organization that is paid for or provides health care as a regular part of its business. 45 C.F.R. § 160.103. Transactions that make a health care provider a covered entity are usually electronic transactions of information about health insurance claims, payments, and eligibility. Id. A health plan can be a group health plan, an HMO, or a health insurance issuer. Id.
12 42 U.S.C. § 17921(2); 45 C.F.R. § 160.103. Health information organizations, persons who offer personal health records to others on behalf of a covered entity, and subcontractors who deal with PHI on behalf of other business associates are specifically listed as qualifying as business associates. Id. Health care providers, in the capacity of receiving PHI for the treatment of a patient, plan sponsors of group health plans, and government agencies which determine individuals’ eligibility for government health plans are not considered business associates. Id.
13 45 C.F.R. § 164.105(a)(1).
14 45 C.F.R. § 164.105(a)(2)(iii)(D), (c)(1).
15 Id. § 164.105(a)(2)(ii)(A). A definition of PHI and examples of what qualifies as PHI are included below under “Health Information Security.”
16 Pub. L. No. 104-191, 110 Stat. 1936 (1996).
17 Id.


Under HIPAA, a group health plan may not exclude someone from health insurance coverage due to a preexisting condition if the person seeking coverage received no diagnosis or treatment for that condition in the six months before enrolling in a new health plan.18 This limitation on preexisting condition exclusions has been amended and enhanced by the Affordable Care Act, which prohibits any exclusion from coverage due to preexisting conditions for both individual and group health plans.19

Transmission of Electronic Health Information

HIPAA establishes uniform standards for transmitting health care information electronically.20 When conducting certain transactions, covered entities must use data code sets, which are codes for encoding data elements like medical diagnoses and procedures.21 Covered entities and business associates are required to use the standard code sets to send and receive information in the following transactions:

Health claims, attachments to health claims, and the status of health claims;

Enrolling in or withdrawing from a health plan;

Transactions regarding eligibility for a health plan;

Advice on health care payment and remittance;

Payments for health plan premiums and any other electronic funds transfers;

The first report of an injury; and

Referral certifications and authorizations.22

Covered entities have the option of either sending the data according to the standards or using the services of a health care clearinghouse to encode and send the data in the standard code sets.23

Health Information Security

HIPAA requires covered entities and business associates to implement certain security measures to protect the confidentiality, integrity, and availability of electronic protected health information (PHI) and to guard it against reasonably anticipated threats and unauthorized uses or disclosures.24 Covered entities must also include a requirement to comply with

18 29 U.S.C. § 1181(a)(1). If the individual did have a preexisting condition in the six months before enrolling in the health plan, he or she can only be excluded from receiving coverage for twelve months after enrolling, or for eighteen months if the individual enrolled late. Id. § 1181(a)(2).
19 See Patient Protection and Affordable Care Act, Pub. L. No. 111-148, 124 Stat. 119 (2010); Patient Protection and Affordable Care Act: Preexisting Condition Exclusions, Lifetime and Annual Limits, Rescissions, and Patient Protections, 75 Fed. Reg. 37,188, 37,190 (June 28, 2010).
20 42 U.S.C. § 1320d-2(a).
21 Id. § 1320d(1); 45 C.F.R. § 162.1000.
22 42 U.S.C. §§ 1320d-4(a)(1)(A)-(C), 1320d-2(a)(2)(A)-(J); see also 45 C.F.R. §§ 162.1101-162.1802.
23 42 U.S.C. § 1320d-4(a)(2)(A)-(B).
24 Id. § 1320d-2(d)(1)-(2); 45 C.F.R. § 164.306(a)(1)-(3); see also 42 U.S.C. § 17931(a) (applying security rules to business associates). A table of these standards is provided in Appendix A of this document.


the security rules in any business associate agreements.25 Those subject to HIPAA must also ensure their employees comply with the security rules.26

PHI is any health information created or received by a covered entity that identifies (or reasonably could identify) an individual;27 PHI may include the following information:

Demographic information (such as name, address, birthdate, and social security number),

Information regarding an individual’s past, present, or future physical or mental health condition,

Information about health care provided to the individual, and

Information about health care payments.28

Importantly, PHI does not include education records covered by FERPA, employment records held by the covered entity in its role as employer, or student medical records used only in connection with treatment.29 Additionally, PHI is protected for only fifty years after an individual’s death.30

Some of the security measures outlined in HIPAA’s Security Rule are “addressable” rather than “required.” An addressable specification is not optional: the entity must assess whether implementing it is reasonable and appropriate in its environment, taking into account its size, needs, and capabilities (see Appendix A).31 If the entity decides not to implement an addressable specification, it must document why implementation was not reasonable and appropriate and must implement an equivalent alternative measure, if one is reasonable and appropriate.32

Personnel Designations and Training

Covered entities and business associates must designate a privacy official and a security official, who are responsible for developing and implementing policies and procedures related to the security and privacy of PHI.33 Additionally, HIPAA requires an entity to train all members of its workforce on its policies and procedures regarding PHI within a reasonable time after hiring and within a reasonable time after implementing material changes to its policies and procedures.34

Recordkeeping

25 45 C.F.R. § 164.314(a)(2)(i)-(iii).
26 42 U.S.C. § 1320d-2(d)(2)(C); 45 C.F.R. § 164.306(a)(4). Specifically, a covered entity or business associate must impose appropriate sanctions against workforce members who violate its security policies and procedures. See 45 C.F.R. §§ 164.308, 164.530(e)(1).
27 45 C.F.R. § 160.103.
28 Id.; 42 U.S.C. § 1320d(6)(A)-(B).
29 See 45 C.F.R. § 160.103.
30 Id. §§ 160.103, 164.502(f).
31 Id. § 164.306(b)(1)-(2), (d)(1).
32 Id. § 164.306(d)(3)(i)-(ii).
33 Id. §§ 164.308(a)(2), 164.530(a)(1)(i).
34 Id. §§ 164.308(a)(5)(i), 164.530(b)(1). Such training must be documented. Id. § 164.530(b)(2)(ii).


Entities subject to HIPAA must keep records showing their compliance and make those records available for review by the U.S. Department of Health and Human Services (HHS) if requested.35 Both covered entities and their business associates must document the policies and procedures they use in order to comply with HIPAA requirements and must retain written records of those policies and procedures, as well as of compliance activities, for at least six years from the date of each document’s creation or the date it was last in effect, whichever is later.36

Permitted Disclosures of PHI

A covered entity may use or disclose PHI for treatment, payment, or health care operations, or for other purposes with proper authorization from the individual.37 A business associate may use or disclose PHI only as outlined in its business associate agreement or as required by law.38 Both covered entities and business associates are required to disclose information to individuals or to HHS when requested.39 Any use or disclosure of PHI must be limited to the minimum amount of data necessary, shared with the minimum number of people necessary.40 To be valid, a patient authorization to disclose PHI must include at least the following elements:

A description of the information to be disclosed;

The name(s) of the people authorizing the disclosure and to whom the information may be disclosed;

The purpose of the disclosure;

An expiration date/event on the authorized disclosure;

The signature of the individual or their representative and date;

Notice that the individual may revoke the authorization in writing;

Notice that the information disclosed may potentially be re-disclosed by the recipient, and

A statement describing if the covered entity may condition treatment, payment, enrollment, or benefit eligibility on whether the individual signs the authorization and the consequences of not signing.41

Written authorization is generally required when PHI is disclosed in the form of psychotherapy notes or marketing communications sent by the covered entity and when PHI is sold.42 In contrast, written authorization is not required for disclosures of PHI made for the following purposes:

Disclosures required by law;

Public health activities;

35 42 U.S.C. § 1320d-2(h)(2); 45 C.F.R. § 160.310(a)-(c).
36 45 C.F.R. § 164.316(a)-(b).
37 Id. § 164.502(a)(1)(i)-(vi).
38 Id. § 164.502(a)(3).
39 Id. § 164.502(a)(2)(i)-(ii), (a)(4)(i)-(ii).
40 Id. § 164.502(b)(1).
41 Id. § 164.508(c)(1)-(2). Authorizations that have conditions may be combined in the same form as those without conditions as long as the two parts are clearly distinguished from each other. Id. § 164.508(b)(3)(i).
42 See id. § 164.508(a)(2)-(4). When a covered entity sells PHI, and if a covered entity will receive money from a third party in exchange for sending a marketing communication, this fact must be stated in the authorization. Id. § 164.508(a)(3)(ii), (a)(4)(ii).


Reports of child abuse, neglect, or domestic violence;

Health oversight activities;

Judicial and administrative proceedings;

Law enforcement;

Information needed about a deceased person;

Organ or tissue donation;

Research (if waiver of consent is approved by institutional review board or other appropriate body);

Aversion of a serious threat to health or safety;

Specialized government functions; or

Workers’ compensation.43

Under the exception for public health activities, student immunization records can be disclosed directly from covered entities to schools in a state where proof of immunization is required for enrollment, so long as agreement for the disclosure—which can be oral—is obtained and documented.44 Additionally, covered entities may disclose PHI without the patient’s agreement in some emergency situations when the patient cannot agree and disclosure is in the patient’s best interest.45 When the individual becomes able to object, the health care provider must inform the individual of the disclosure and give him or her an opportunity to object.46 Other disclosures of PHI without the individual’s authorization may be made to family members or close friends who are involved in the individual’s care or in payment for that care.47

A covered entity may disclose PHI to its business associates.48 However, the covered entity must have arrangements with the business associate to protect PHI.49 An appropriate arrangement could be a contract or other agreement.50 A covered entity may use some limited parts of an individual’s PHI to contact the individual for fundraising purposes.51 Each fundraising communication must include an opportunity to easily opt out of receiving further fundraising communications.52

Prohibited Disclosures of PHI

43 Id. § 164.512(a)-(l).
44 Id. § 164.512(b)(1)(vi) (stating that agreement must be from either the individual or, in the case of a minor, a parent or guardian).
45 Id. § 164.510(a)(3)(i).
46 Id. § 164.510(a)(3)(i)(B)(ii).
47 Id. § 164.510(b)(1)(i). Disclosures may also be made to find family members or other representatives of a patient and notify such persons of a patient’s location, condition, or death. See id. § 164.510(b)(1)(ii).
48 Id. § 164.308(b)(1).
49 42 U.S.C. § 17938; 45 C.F.R. § 164.308(b)(1). Covered entities do not need assurances that the subcontractors of their business associates will keep PHI secure, but business associates do need satisfactory assurances from their subcontractors. 45 C.F.R. § 164.308(b)(1)-(2).
50 Id. § 164.314(a)(2)(i)-(ii). Business associates are subject to the HIPAA Privacy Rule regarding covered entities’ PHI and, like covered entities, are required to take any security measures which are necessary and appropriate to maintain the confidentiality of PHI. 42 U.S.C. § 17931(a); 45 C.F.R. §§ 164.306(a)(1), 164.500(c).
51 45 C.F.R. § 164.514(f)(1).
52 42 U.S.C. § 17936(b); 45 C.F.R. § 164.514(f)(2)(ii).


Regardless of whether it receives authorization, a covered entity or business associate may not disclose genetic information to a health plan for underwriting purposes.53 Genetic information is defined as an individual’s genetic tests, the individual’s family members’ genetic tests, the manifestation of a disease in the individual or his or her family, as well as requests for genetic services or participation in research which includes genetic services.54

Accountability to Patients for PHI

If requested, a covered entity must provide individuals with a written accounting of disclosures of their PHI made in the six years before the request, other than disclosures to carry out treatment, payment, and health care operations, disclosures to the individual, and disclosures made pursuant to the individual’s authorization (among other exceptions).55 The written accounting must include the date of disclosure, name of recipient, description of information disclosed, and the purpose.56 Under the HITECH Act, an entity that maintains an electronic health record need only account for the three years preceding the request, but that accounting must include disclosures made to carry out treatment, payment, and health care operations;57 the regulations implementing this provision had not been finalized as of this memo.

Covered entities must make appropriate amendments to PHI and other records if an individual requests amendment.58 However, if the information was not created by the covered entity, is not part of the designated record set, is not normally available to the patient for inspection, or is determined to already be accurate and complete, the covered entity may deny the individual’s request.59 If a request to amend the record is refused, the individual must be allowed to add a statement of disagreement to the record.60 Additionally, covered entities must grant an individual’s request to restrict disclosure of PHI to a health plan if the disclosure would be for payment or health care operations and the PHI pertains to a service or item for which the individual has paid the entity in full.61

When individuals request access to their PHI, the covered entity must provide it to them in the form and format the individual requests, if readily producible, or else in a readable hard copy.62 However, if an electronic form is requested which cannot be readily produced, the alternative form must also be electronic.63 Individuals may request, in a signed writing, that their PHI be transmitted electronically to another person they designate.64

53 42 U.S.C. § 1320d-9(a)(1)-(2); 45 C.F.R. § 164.502(a)(5)(i).
54 45 C.F.R. § 160.103. A genetic test is one that detects genotypes, mutations, or chromosomal changes and does not include HIV tests, complete blood counts, cholesterol tests, liver function tests, or drug and alcohol tests. 78 Fed. Reg. 5,565, 5,662 (Jan. 25, 2013).
55 45 C.F.R. § 164.528(a)(1)(i)-(ix) (listing other exceptions, including disclosures made for national security or law enforcement purposes).
56 See id. § 164.528(b)(2).
57 42 U.S.C. § 17935(c)(1)(B).
58 45 C.F.R. § 164.526(a)(1).
59 Id. § 164.526(a)(2)(i)-(iv).
60 Id. § 164.526(d)(2). The covered entity may also add its own statement of rebuttal explaining why it did not make the requested change. Id. § 164.526(d)(3).
61 42 U.S.C. § 17935(a)(1)-(2); 45 C.F.R. § 164.522(a)(1)(vi).
62 42 U.S.C. § 17935(e)(1); 45 C.F.R. § 164.524(c)(2)(i).
63 45 C.F.R. § 164.524(c)(2)(ii).
64 42 U.S.C. § 17935(e)(1); 45 C.F.R. § 164.524(c)(3)(ii).


All requests for access to PHI must be acted on within thirty days of receiving the request.65 If it is not possible to respond to a request within thirty days, a one-time extension of up to thirty days is possible as long as the covered entity gives a timely written explanation of the delay and a date when the request will be fulfilled.66

Notice of Privacy Practices

A covered entity must provide individuals with a written notice of privacy practices (NPP) that describes how it uses and discloses PHI.67 The notice is required to contain the following header: “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”68 Additionally, the notice must contain the following information:

Sufficiently detailed description and at least one example of the situations in which the covered entity can disclose PHI for treatment, payment, and health care operations;

Sufficiently detailed description of when the covered entity can disclose PHI without authorization;

Description of disclosures requiring authorization (psychotherapy notes, marketing, sale of PHI);

Statement that other uses and disclosures will be made only with written authorization;

Statement that the individual may revoke an authorization;

Statement of individual’s right to request restrictions on uses and disclosures of PHI, including a statement that the covered entity is not required to agree to the restriction unless the PHI relates to health care the individual paid for completely out of pocket;

Statement of individual’s right to receive confidential communications of PHI, inspect and copy PHI, amend PHI, receive an accounting of disclosures of PHI, and receive a paper copy of the notice;

Statement that the covered entity is required by law to maintain the privacy of PHI, provide individuals with notice of its legal duties and privacy practices, and notify individuals following a breach of PHI;

Statement that the covered entity is required to abide by the terms of the notice currently in effect;

Statement that individuals may complain, without the risk of retaliation, if they believe their rights have been violated and a description of how to file a complaint;

Contact information of a person to contact for more information; and

Effective date of the notice.69

A covered entity that engages in fundraising, discloses PHI to a health plan sponsor, or uses PHI for underwriting purposes must inform individuals about and describe those activities in the privacy

65 45 C.F.R. § 164.524(b)(2)(i).
66 Id. § 164.524(b)(2)(ii).
67 Id. § 164.520(b)(1).
68 Id. § 164.520(b)(1)(i).
69 Id. § 164.520(b)(1)(ii), (iv)-(viii).


notice.70 For covered entities that contact individuals for fundraising purposes, the notice must state that individuals may opt out of receiving fundraising communications.71 Health plans must also include in the notice a statement that genetic information about an individual cannot be used for underwriting purposes.72

The NPP must be provided to any person upon request and, if a covered entity has a website, be prominently posted on that website.73 Health plans are required to provide their NPP to new enrollees and to notify covered individuals how to obtain the NPP at least every three years.74 Health care providers that have a direct treatment relationship with patients must post the NPP in a prominent place at the site where health care is delivered.75 A summary of the NPP can be posted instead if it is accompanied by the full NPP in a place where individuals can take a copy without having to ask a receptionist or other employee.76 Health care providers are also required to provide a copy of the NPP to new patients.77 In all cases except emergency treatment, the health care provider must make a good faith attempt to obtain written acknowledgment from the patient that he or she received the NPP.78 If this acknowledgment is not obtained, the covered entity must document the efforts made to obtain it and the reason it was not obtained.79 When an NPP is materially revised, a health plan must prominently post the change on its website and distribute information in its next annual mailing.80 Likewise, a health care provider must promptly post the revised NPP at its physical service site and have the notice available for patients.81

Breach Notification

A breach is defined as the acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI.82 Any such acquisition, access, use, or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates—through a risk assessment that considers at least four factors—that there is a low probability that the PHI has been compromised.83 Breaches must be reported to affected individuals without unreasonable delay and

70 Id. § 164.520(b)(1)(iii). 71 Id. § 164.520(b)(iii)(A). 72 Id. § 164.520(b)(iii)(C). 73 Id. § 164.520(c), (c)(3)(i). 74 Id. § 164.520(c)(1). 75 Id. § 164.520(c)(2)(iii)(B). 76 78 Fed. Reg. 5,565, 5,625 (Jan. 25, 2013). 77 45 C.F.R. § 164.520(c)(2)(i)(A). 78 Id. § 164.520(c)(2)(ii). 79 Id. 80 Id. § 164.520(c)(1)(v) (requiring a health plan that does not post its NPP on a website to provide the revised notice or information about how to obtain it within sixty days of the material revision). 81 Id. § 164.520(c)(2)(iv). 82 42 U.S.C. § 17921(1)(A); 45 C.F.R. § 164.402. 83 45 C.F.R. § 164.402(2). The factors required to be considered in a risk assessment are (1) the nature and extent of the PHI involved, (2) the person who received the PHI, (3) whether the PHI was acquired or viewed, and (4) risk mitigation. Id. § 164.402(2)(i)-(iv).

Page 10: Brigham Young University Hawaii Office of Compliance ...€¦ · 3/5/2020  · Brigham Young University–Hawaii Office of Compliance and Audit Research Memo Health Insurance Portability

Brigham Young University–Hawaii

Office of Compliance and Audit

Research Memo

Health Insurance Portability and Accountability Act (HIPAA)

10

within sixty calendar days of the breach’s discovery.84 Breach notifications must include the following information:

A description of what happened;

The date of the breach;

The date the breach was discovered;

A description of the types of information involved;

What the individual should do to protect himself or herself;

What the covered entity is doing to investigate the breach, mitigate harm, and prevent future breaches; and

Contact information individuals can use to ask questions about the breach.85

If a breach involves more than 500 individuals, it must also be reported to HHS contemporaneously with the notification to individuals, and to prominent media outlets serving the state within sixty days.86 Breaches involving fewer than 500 individuals must be recorded in a log, and HHS must be notified of them annually, within sixty days after the end of the calendar year in which they were discovered.87 Covered entities and business associates must be able to demonstrate that all required notifications were made.88 Breach notifications may be delayed if a law enforcement official states that notification would interfere with a criminal investigation or damage national security.89 If that statement is made orally, the delay may last no more than thirty days.90 Notifications may be delayed longer than thirty days if the law enforcement official provides a written statement specifying the length of the required delay.91

Enforcement

HIPAA establishes a tiered system of monetary penalties for violations; the penalties increase with the nature and extent of the violation and the harm caused.92 The least serious tier is "did not know": the covered entity did not know of the violation and would not have learned of it by exercising reasonable diligence.93 The next tier is "reasonable cause," which covers acts or omissions that the covered entity knew, or would have known with reasonable diligence, violated the rules, but that did not rise to willful neglect.94

84 42 U.S.C. § 17932(d)(1); 45 C.F.R. § 164.404(a)-(b). Business associates are required to report any breaches to the covered entity within the same time period. 42 U.S.C. § 17932(b), (d)(1); 45 C.F.R. § 164.410(a)(1).
85 42 U.S.C. § 17932(f)(1)-(5); 45 C.F.R. § 164.404(c)(A)-(E).
86 42 U.S.C. § 17932(e)(3); 45 C.F.R. §§ 164.406(a)-(b), 164.408(a)-(b).
87 42 U.S.C. § 17932(e)(3); 45 C.F.R. § 164.408(c).
88 42 U.S.C. § 17932(d)(2); 45 C.F.R. § 164.414(b).
89 42 U.S.C. § 17932(g); 45 C.F.R. § 164.412.
90 45 C.F.R. § 164.412.
91 Id.
92 42 U.S.C. § 1320d-5.
93 Id. § 1320d-5(a)(1)(A); 45 C.F.R. § 160.404(b)(2)(i).
94 42 U.S.C. § 1320d-5(a)(1)(B); 45 C.F.R. § 160.401.


The third level is “willful neglect,” which is an intentional failure to follow or reckless indifference to the rules.95

Categories of Violations and Penalty Amounts96

Violation category              Penalty per violation    All identical violations in a calendar year
Did Not Know                    $100-$50,000             $1,500,000
Reasonable Cause                $1,000-$50,000           $1,500,000
Willful Neglect—Corrected       $10,000-$50,000          $1,500,000
Willful Neglect—Not Corrected   $50,000                  $1,500,000

In all cases except willful neglect, the penalty will be waived if the violation is corrected within thirty days of the date the person legally responsible for the violation learned of the failure to comply.97 For violations due to willful neglect, the minimum penalty is reduced if the problem is corrected within thirty days.98 In determining the amount of a penalty, the Secretary of HHS will consider a number of factors.99

COMPLIANCE CALENDAR

Health plans are required to notify covered individuals how to obtain the NPP at least every three years.100 In the case of a breach of PHI, a covered entity must notify individuals, HHS, and the media according to the deadlines set forth in the section above entitled "Breach Notification."

STAYING UP-TO-DATE

The following websites provide valuable information regarding this law and its applicability.

95 42 U.S.C. § 1320d-5(a)(1)(C); 45 C.F.R. § 160.401.
96 See 42 U.S.C. § 1320d-5(a). These penalty amounts apply to violations occurring on or after February 18, 2009. 45 C.F.R. § 160.404(b)(2).
97 42 U.S.C. § 1320d-5(b)(2)(A); 45 C.F.R. § 160.410(c). The thirty-day period may also begin on the date the person would have learned of the violation by exercising due diligence. 42 U.S.C. § 1320d-5(b)(2)(A); 45 C.F.R. § 160.410(c).
98 42 U.S.C. § 1320d-5(a)(1)(C)(i)-(ii); 45 C.F.R. § 160.404(b)(2)(iii).
99 45 C.F.R. § 160.408(a)-(d). These factors include the nature and extent of the violation, the covered entity's history of compliance, and the financial condition of the covered entity. Id.
100 Id. § 164.520(c)(1).

DOCUMENT/REFERENCE DESCRIPTION

Understanding Health Information Privacy (http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html)

A webpage by HHS introducing resources for patients and covered entities to understand HIPAA better.

Ten Steps to HIPAA Security Compliance (http://www.aafp.org/fpm/2005/0400/p43.html)

An article from Family Practice Management, a journal of the American Academy of Family Physicians, offering guidance on how health care providers can comply with the HIPAA Security Rule.

HIPAA News.org (http://www.hipaanews.org/)

A collection of news stories about HIPAA and its new regulations.


APPENDIX A—SECURITY STANDARDS UNDER THE HIPAA SECURITY RULE

Section (45 C.F.R.)     R/A   Implementation specification (R = Required, A = Addressable)

Administrative Safeguards
164.308(a)(1)(ii)(A)    R     Conduct a risk analysis
164.308(a)(1)(ii)(B)    R     Implement security measures to reduce identified risks
164.308(a)(1)(ii)(C)    R     Establish a sanction policy for employees who do not follow security procedures
164.308(a)(1)(ii)(D)    R     Regularly review records of information system activity, such as audit logs
164.308(a)(2)           R     Identify a security official responsible for developing and implementing security policies and procedures
164.308(a)(3)(ii)(A)    A     Implement procedures to authorize and supervise employees who access PHI
164.308(a)(3)(ii)(B)    A     Establish procedures to determine whether an employee's access to PHI is appropriate
164.308(a)(3)(ii)(C)    A     Establish procedures to terminate an employee's access to PHI when employment ends or access is no longer appropriate
164.308(a)(4)(ii)(A)    R     Isolate functions that access PHI from the larger organization (for health care clearinghouses that are part of a larger organization)
164.308(a)(4)(ii)(B)    A     Implement procedures for granting access to PHI
164.308(a)(4)(ii)(C)    A     Implement procedures for documenting, reviewing, and modifying access to PHI as necessary
164.308(a)(5)(ii)(A)    A     Issue periodic security reminders
164.308(a)(5)(ii)(B)    A     Establish procedures for guarding against, detecting, and reporting malicious software
164.308(a)(5)(ii)(C)    A     Establish procedures to monitor log-in attempts and report discrepancies
164.308(a)(5)(ii)(D)    A     Establish procedures for creating, changing, and safeguarding passwords
164.308(a)(6)(ii)       R     Identify, respond to, and document security incidents
164.308(a)(7)(ii)(A)    R     Create and maintain retrievable exact copies of PHI
164.308(a)(7)(ii)(B)    R     Establish procedures to restore any loss of data
164.308(a)(7)(ii)(C)    R     Establish procedures to continue protecting PHI while operating in emergency mode
164.308(a)(7)(ii)(D)    A     Implement procedures for periodically testing and revising contingency plans
164.308(a)(7)(ii)(E)    A     Assess the relative criticality of specific applications and data in support of contingency planning
164.308(a)(8)           R     Periodically evaluate how well established policies and procedures comply with the above requirements
164.308(b)(1)           R     Permit a business associate access to PHI only after obtaining assurance that the business associate will appropriately safeguard the information

Physical Safeguards
164.310(a)(2)(i)        A     Establish procedures that allow facility access in support of restoring lost data in the event of a disaster or emergency
164.310(a)(2)(ii)       A     Implement procedures to protect facilities and equipment from unauthorized physical access, tampering, and theft
164.310(a)(2)(iii)      A     Establish procedures to validate a person's authority to access facilities (including visitor control)
164.310(a)(2)(iv)       A     Document repairs and modifications to facilities that are related to security
164.310(b)              R     Specify the proper functions to be performed, and the physical attributes of the surroundings, of workstations that access PHI
164.310(c)              R     Implement physical safeguards for workstations that access PHI
164.310(d)(2)(i)        R     Establish procedures for the final disposal of PHI and the hardware or electronic media on which it is stored
164.310(d)(2)(ii)       R     Remove PHI from electronic media before the media are re-used
164.310(d)(2)(iii)      A     Maintain a record of the movements of hardware and electronic media and the persons responsible for them
164.310(d)(2)(iv)       A     Create a retrievable exact copy of PHI, when needed, before moving equipment

Technical Safeguards
164.312(a)(2)(i)        R     Assign each user a unique name or number for identifying and tracking user identity
164.312(a)(2)(ii)       R     Establish procedures for obtaining necessary PHI during an emergency
164.312(a)(2)(iii)      A     Implement procedures that terminate an electronic session after a predetermined period of inactivity
164.312(a)(2)(iv)       A     Implement a mechanism to encrypt and decrypt PHI
164.312(b)              R     Implement mechanisms that record and examine activity in information systems that contain or use PHI
164.312(c)(2)           A     Implement mechanisms to corroborate that PHI has not been altered or destroyed in an unauthorized manner
164.312(d)              R     Implement procedures to verify that a person or entity seeking access to PHI is the one claimed
164.312(e)(2)(i)        A     Implement security measures to ensure that electronically transmitted PHI is not improperly modified without detection
164.312(e)(2)(ii)       A     Implement a mechanism to encrypt PHI whenever deemed appropriate

Adapted from the Security Standards Matrix provided in Appendix A to Subpart C of Part 164.