The patient data of every US citizen is protected and secured under the Health Insurance Portability and Accountability Act (HIPAA). All HHS regulations governing the creation and maintenance of the privacy and security protocols apply automatically to all relevant parties, irrespective of the state.
In addition to privacy and security, the laws also ensure that relevant patient parties are duly notified in case of healthcare breaches. Now, let’s take a look at some of the most important concepts which all covered entities and their business associates should be familiar with.
Protected Health Information (PHI)
The Privacy Rule, as defined by the HHS, classifies all patient data that can be identified with or related to an individual as Protected Health Information (PHI). Therefore, any entity with direct or indirect access to individually identifiable patient data must handle it under HIPAA-compliant policies. Failure to do so can lead to civil or even criminal penalties for the violating individual or institution. Examples of PHI include, but are not limited to, information regarding a patient’s previous, current or predicted:
- Physical/mental condition
- Medical provisions, diagnostics, meds, prescriptions, treatment procedures, etc.
- Mode or sum of payment(s) made to avail the medical provisions
De-Identified Health Information (DHI)
All De-Identified Health Information is exempt from the HIPAA privacy rules, as it cannot be traced back to the source/patient. DHI is created by removing the specific identifying elements which could in any way be traced back to the original patient party. The term patient party here includes not just the patient, but also their family members, relatives and employers. However, the de-identified information must also be verified and confirmed by a statistician with the necessary qualifications.
The Security Rule
The Security Rule is by far the simplest to decipher, as it is based largely on common sense. However, it is also the hardest to implement, since it requires all covered entities and their business associates to:
- Maintain the confidentiality, integrity, and availability of the PHI records they transmit or hold under their care
- Take reasonable protective measures against common and reasonably anticipated threats (data loss, manipulation, theft, etc.) to the medical data they are responsible for
- Take adequate measures against uses and disclosures that violate the PHI Security Standards
- Train and monitor employees, so that violations are committed neither wilfully nor through ignorance
Only two parties hold the right to make PHI disclosure mandatory, and they are:
- The patient, or their official guardian/legal representative(s) can request PHI disclosure as their right.
- The HHS can ask for any specific PHI, if they are investigating a noncompliance complaint.
Incidental Uses and Disclosures
Incidental Use and Disclosure is a complicated concept to define, so we will break it down into a few crucial points. A covered entity or their business associate is allowed to use and/or disclose protected health information under the Incidental Uses and Disclosures provision if:
- It is an unavoidable secondary effect of a required and permitted use or disclosure of PHI
- The level of use and disclosure is kept to the minimum necessary
- Reasonable safeguards were in place to prevent incidental disclosures
Breach Notification Requirements
On failing to secure and protect patient data from a healthcare breach, the covered entity must notify the following parties of the breach:
- Any affected patient parties and other associated individuals
- The Secretary of HHS
- The mass media, under specific circumstances concerning massive PHI breaches
If the breach occurs on the business associate’s side, the business associate has the responsibility and legal obligation to inform the covered entity they were working with. The repercussions can be quite severe, but they can be mitigated with a breach management plan.