The phrase “HIPAA Regulations” can mean different things depending on context. At its broadest, it refers to all of the requirements of the Health Insurance Portability and Accountability Act (HIPAA) of 1996, together with the “new HIPAA regulations” as extended by the Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR).
It’s important to remember that the HIPAA rules and regulations only apply to Protected Health Information (PHI), which is defined in the HIPAA compliance regulations as any combination of:
Personally Identifiable Information
And information on:
Past, Present, or Future Health Care
Sometimes the phrase “Individually Identifiable Health Information” is used, but PHI is the more precise term. PHI is more than just medical records: eyeglass prescriptions, pharmacy receipts, and even face photos (if taken by a dentist) are also PHI. Read on to learn what the HIPAA regulations are, what HIPAA requires, and what can happen after a HIPAA violation.
What are the HIPAA Regulations?
The question “What are the HIPAA regulations?” can be answered in a few ways. In summary, there are three individual HIPAA rules:
The HIPAA Privacy Rule governs the uses and disclosures of PHI.
The HIPAA Security Rule governs the security of PHI.
The HIPAA Breach Notification Rule governs what happens after a HIPAA violation, such as letters to affected patients.
All three of these rules require organizations to have an individual accountable for their implementation. This role can be called the “Privacy Officer”, “Security Officer”, “HIPAA Officer” or other titles.
HIPAA Privacy Regulations
The HIPAA Privacy Rule governs the uses and disclosures of PHI. It goes into detail on who can use which PHI, and for what purposes. Two important concepts of the Privacy Rule are:
Minimum Necessary: The use or disclosure of PHI must be the minimum necessary to accomplish the purpose (and the purpose itself must be one the Privacy Rule allows). Similarly, anyone’s routine access to PHI must be limited to the minimum that person needs to do their job.
Authorization: Some uses and disclosures of PHI must be specifically authorized by the patient. Use of PHI for fundraising is a prime example. Other uses and disclosures do not need the patient’s authorization, such as for Treatment, Payment, and Health Care Operations (TPO, in the industry acronym). And for some uses and disclosures the patient must have an opportunity to object, but an authorization is not required, such as for a hospital directory.
The Privacy Rule has about 75 total safeguards that cover more than this. The Privacy Rule also addresses such topics as de-identification of health data, accounting of disclosures of health information, and amendment of protected health information. It also includes HIPAA regulations for medical records storage (death is no escape; records must be secured for 50 years after a patient’s death). Two items that sometimes trip up organizations:
51% of a face photo is personally identifiable: Dentists often take “before and after” photos of their patients, but need to be careful that they don’t photograph so much of the face that it becomes identifiable (which can be a majority of the face, or a small photo that includes any distinctive feature).
Over 90 years of age is considered an identifier: Once you celebrate your 90th birthday, your caregivers have to be careful; instead of saying “a 92-year-old”, which is distinct enough to be unique, they must refer to “a 90-100-year-old”.
HIPAA Security Regulations
The HIPAA Security Rule applies only to electronic protected health information (ePHI), that is, PHI stored, used, or transmitted in electronic form such as email or hard drives. The Security Rule lists 54 specific administrative, technical, and physical safeguards that must be in place to protect ePHI. It also requires a security risk assessment, to cover risks that the explicitly listed safeguards do not address.
The administrative safeguards are items like access reviews, business associate agreements, and backup plans. The security risk assessment, and the risk management plan to address the risks it identifies, are also administrative safeguards.
The technical safeguards are items like passwords, screen time-outs, and encryption.
The physical safeguards are easily remembered by the phrase “guards, gates, and guns”, although firearms are not a HIPAA requirement. The privacy screens you often find on monitors are an example of a physical safeguard.
The HIPAA Security Rule was passed in 1996, which is a lifetime ago in computing terms. One of the safeguards where it is really showing its age is “Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.” For our younger readers, we should say that 1996 was a different time, when the cutting-edge laptop cost $6600 adjusted for inflation and had 72 megabytes of storage (yes, megabytes). Fortunately, that phrase “when needed” gives us an escape route.
HIPAA Breach Notification Regulations
The HIPAA Breach Notification Rule comes into effect when there is a HIPAA violation, whether of the Privacy Rule or of the Security Rule.
If protected health information was used or disclosed in violation of the rules, then the affected patient(s) must be notified; and if more than 500 patients were affected, then the local media must be notified as well.
The Office for Civil Rights (OCR) must also be notified. This notice must be given within 60 days. This was a well-intentioned regulation, but so many breaches have happened that many people we speak with are getting overwhelmed by the volume of breach notifications they receive. The technical term for this effect is “alarm fatigue”. The volume shows no sign of slowing down, however.
Obscure HIPAA Regulations
As can be expected of any law, there are many edge cases and obscure corners of the HIPAA Regulations, where there has been a ruling that is unexpected, counter-intuitive, or just plain odd.
While none of these rules are “fun”, strictly speaking, they are slightly less dreary than the other HIPAA regulations in a “well, isn’t that something” kind of way:
HIPAA applies for 50 years after death: As mentioned above, stating “He’s dead, Jim” does not repeal the requirements of HIPAA; information on a dead patient is still protected.
HIPAA only applies where insurance is used: If you are an all-cash plastic surgeon in Beverly Hills, CA, strictly speaking you are not required to follow the HIPAA laws and regulations, which only apply when insurance transactions are present.
Self-medication is not Protected Health Information: If you have too many martinis with your steak dinner, and take aspirin the next morning for your hangover, the fact that you purchased aspirin is not protected health information. If your physician prescribes you aspirin for your heart health, the fact that you purchased aspirin is protected health information. Regardless, that martini should be made with gin, and include a twist of lemon, not olives.
The mosaic theory isn’t just for spies and police: Information that is “officially” de-identified according to the HIPAA Privacy Rule can be considered identifiable, if the information can be used to uniquely identify someone.
This is the general case of the “90 years rule” mentioned above. A colleague of Techumen’s is the only six-foot-four white male in his zip code with Type 1 diabetes. Normally this collection of data points is not considered PHI, since none of the values is unique on its own, but this particular combination can be used to identify one individual and is therefore considered PHI.
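The “90 years rule” above and the mosaic theory described here come down to the same check: does a combination of released attributes single out one person? The following Python script is an added example, not Techumen’s code and not part of the original post. It generalizes age the way the post describes and then flags every record whose quasi-identifier combination is unique in the data set, which is the mosaic case; the record fields, the constructed sample rows, the zip code value and the “90+” label are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Tuple


@dataclass(frozen=True)
class Record:
    """One row of a data set being prepared for release. Field names are
    assumptions for this example, chosen to match the attributes in the post."""
    zip: str
    sex: str
    race: str
    height_in: int
    age: int
    diagnosis: str


# Attributes that are not direct identifiers on their own but can single
# someone out in combination. "age_band" is the generalized form of "age";
# putting "age" in the list instead would release exact ages.
QUASI_IDENTIFIERS: Tuple[str, ...] = (
    "zip", "sex", "race", "height_in", "age_band", "diagnosis",
)


def age_band(age: int) -> str:
    """Collapse ages 90 and over into a single category, as the post
    describes ("a 90-100 year old" rather than "a 92 year old").
    Younger ages are released as exact years."""
    return "90+" if age >= 90 else str(age)


def quasi_id_key(rec: Record, fields: Sequence[str]) -> tuple:
    """The tuple of released attribute values for one record."""
    return tuple(
        age_band(rec.age) if f == "age_band" else getattr(rec, f)
        for f in fields
    )


def equivalence_classes(records: Iterable[Record],
                        fields: Sequence[str] = QUASI_IDENTIFIERS) -> Counter:
    """Count how many records share each quasi-identifier combination."""
    return Counter(quasi_id_key(r, fields) for r in records)


def reidentifiable(records: Sequence[Record],
                   fields: Sequence[str] = QUASI_IDENTIFIERS,
                   k: int = 2) -> List[int]:
    """Indices of records whose released combination is shared by fewer than
    k records. With k=2 this flags exactly the unique combinations (the
    mosaic case the post describes); a larger k demands a bigger crowd."""
    sizes = equivalence_classes(records, fields)
    return [i for i, r in enumerate(records)
            if sizes[quasi_id_key(r, fields)] < k]


def suppress(fields: Sequence[str], *drop: str) -> Tuple[str, ...]:
    """Remove attributes from the release so the remaining ones blend in."""
    return tuple(f for f in fields if f not in drop)


# Constructed sample records (not real people). Record 0 plays the role of
# the post's "only six-foot-four white male in his zip code with Type 1
# diabetes"; the zip code is a placeholder.
SAMPLE: List[Record] = [
    Record("12345", "M", "White", 76, 45, "Type 1 diabetes"),
    Record("12345", "M", "White", 70, 45, "Type 1 diabetes"),
    Record("12345", "M", "White", 70, 45, "Type 1 diabetes"),
    Record("12345", "F", "White", 64, 92, "none"),
    Record("12345", "F", "White", 64, 95, "none"),
    Record("12345", "M", "Black", 76, 45, "none"),
    Record("12345", "M", "Black", 76, 45, "none"),
]


if __name__ == "__main__":
    exact_age = suppress(QUASI_IDENTIFIERS, "age_band") + ("age",)
    print("unique with exact ages:", reidentifiable(SAMPLE, exact_age))
    print("unique after age banding:", reidentifiable(SAMPLE))
    print("unique after also dropping height:",
          reidentifiable(SAMPLE, suppress(QUASI_IDENTIFIERS, "height_in")))
```

Releasing exact ages leaves the two patients over 90 unique; banding them as “90+” merges them into one class of two, but record 0 is still the only match for its combination. Suppressing height from the release is one way to make that record blend in with the two other white males with Type 1 diabetes in the same zip code. The k parameter is the k-anonymity threshold: each released combination must be shared by at least k records before the set is considered safe to release.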