HIPAA, the Health Insurance Portability and Accountability Act, was enacted in 1996 and includes several rules and standards that aim to protect individuals’ medical records and personal health information through the creation of national standards and policies. Title II of HIPAA includes the National Provider Identifier Standard, the Transactions and Code Sets Standards, the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Enforcement Rule. The National Provider Identifier Standard requires organizations to obtain a unique 10-digit National Provider Identifier (NPI). The Transactions and Code Sets Standards require organizations to handle insurance claims through a standardized electronic interchange. The Privacy Rule, officially known as the Standards for Privacy of Individually Identifiable Health Information, creates protections for personal health information. The Security Rule establishes data security requirements, while the Enforcement Rule outlines violation investigation procedures.
In 2013, the HIPAA Omnibus Rule was adopted. This rule strengthened privacy and security protections, established more objective standards to assess an organization’s liability after a breach, extended regulations to cover business associates, modified limitations on what information can be used for marketing purposes, and increased penalties for violations. The changes also included a prohibition on the sale of an individual’s medical and health data without their consent. Under HIPAA, a business associate is “any organization or person working in association with or providing services to a covered entity who handles or discloses Personal Health Information or Personal Health Records.”
Protected Health Information under HIPAA includes individually identifiable health information that relates to past, present, or future physical or mental health, health care services, or payment details for past, present, or future health care services. Employment records are not included.
HIPAA’s breach notification obligations apply only to unsecured protected health information. Unsecured information is protected health information that has not been rendered “unusable, unreadable, or indecipherable to unauthorized persons.” If the breach only accesses secured protected health information, covered entities and business associates are not required to provide notification under HIPAA.
HIPAA’s Breach Notification Rule applies to covered entities, which include health care professionals and health care organizations. Business associates of these entities are also required to comply with HIPAA and the Breach Notification Rule. This rule requires that notification be provided to impacted individuals in the event of a data breach. Business associates are not responsible for notifying individuals; however, they are required to notify the related covered entity of any breach. The Federal Trade Commission applies similar notification requirements to vendors of personal health records and any third-party service providers.
Under HIPAA, a breach is defined as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.” Any impermissible use or disclosure is presumed to be a breach unless the entity shows there is a low risk that the information has been compromised. This determination is based on four factors: (i) the nature and extent of the health information involved, (ii) the unauthorized person who used the protected information or to whom the disclosure was made, (iii) whether the information was actually acquired or viewed, and (iv) the extent to which the risk to the protected information has been mitigated. Unless an entity demonstrates there is a low risk that the protected health information has been compromised, the entity is required to provide notifications to impacted individuals under HIPAA.
There are three exceptions under the Breach Notification Rule that allow an entity to avoid having to provide notification of a breach. The first applies if the information was unintentionally accessed or used by an entity’s employee or agent; this unintentional access or use must have been done in good faith and within the scope of authority. The second exception covers the inadvertent disclosure of information from one party or entity authorized to access the information to another authorized party or entity. Under this exception, notification is not required; however, further use of the information is prohibited. The third exception covers the disclosure of information by a covered entity or business associate to an unauthorized party when the covered entity or business associate had a good faith belief that the unauthorized party had no ability to retain the information. If a breach fits any of the three exceptions, the covered entity or business associate is not required to provide notification under HIPAA.
In the event a covered entity is required to provide notification under HIPAA, the covered entity must provide notice to the impacted individuals and to the Secretary of the United States Department of Health and Human Services. Notices to individuals should be provided through first-class mail. Email is an acceptable method of notification if the individual has agreed to that method. Notifications to individuals must be made within 60 days of discovery of the breach. Notifications should include a description of the breach, the information involved, any steps the individual should take to help mitigate harm from the breach, and what the covered entity is doing to investigate and mitigate the breach, including preventive measures the covered entity is establishing to avoid future breaches. There are additional requirements if a covered entity does not have up-to-date contact information for more than ten impacted individuals. Notifications to the Secretary should be made using the electronic breach report form on the HHS website.
In limited situations, a covered entity may be required to provide notification to media outlets as well. Covered entities are required to provide notice to prominent media outlets in a state when a breach affects more than 500 residents of a single state. Required notification to media outlets must be made within 60 days.
In the event that the breach occurs at or by a business associate, the business associate must notify the covered entity within 60 days of discovering the breach. If possible, the business associate should provide information on impacted individuals and other relevant information.
HIPAA permits covered entities to disclose protected information without consent in several situations. Information may be disclosed to the patient themselves. Information may be disclosed and used internally by the covered entity for payment, health care operations, and treatment. Information may be disclosed or used in any situation where the individual has consented or would have consented (when the individual is incapacitated or in an emergency situation). Incidental uses or disclosures are not required to be eliminated. Disclosures for public interest reasons are permitted, including compliance with relevant laws, health oversight, law enforcement, judicial proceedings, research, and other public interest reasons. Information may also be included in data sets as long as certain specified identifiers are removed. Under any of these situations, a covered entity must make reasonable efforts to use and disclose only the minimum necessary information.