If you determined that you and/or your client are business associates subject to the Health Insurance Portability and Accountability Act (HIPAA) under the final rules, here are ten things you must know about HIPAA.
- What does HIPAA protect? HIPAA controls uses and disclosures of protected health information (PHI) by covered entities and business associates. A covered entity includes health care clearinghouses, health plans (including employer-sponsored health plans), and health care providers that electronically transmit health information in connection with certain transactions, including billing. PHI is health information that (a) is created or received by a health care provider, health plan, employer, or health care clearinghouse; (b) relates to an individual’s physical or mental health or condition or the provision of or payment for health care; and (c) identifies or may identify an individual. There are exclusions, including workers’ compensation records, records covered by FERPA, and employment records held in a covered entity’s role as an employer.
- How does HIPAA impact health information that I receive in a lawsuit? Just because a lawyer receives patient information pursuant to a subpoena or patient authorization does not necessarily subject the lawyer to HIPAA. Lawyers become HIPAA business associates by receiving PHI from covered entity clients to provide legal services.
- Am I subject to everything in HIPAA? No. Business associates are directly liable under HIPAA for failing to comply with the Security Rule and certain portions of the Privacy Rule (including impermissible uses, breaches, and disclosures of PHI). They are not directly obligated to do everything in the Privacy Rule, including having a Notice of Privacy Practices and a Privacy Officer. While business associates may not be directly required to have policies and procedures and to train their workforce on the Privacy Rule, they may need to do so under contract or as a practical matter to prevent impermissible uses and disclosures.
- What is the HIPAA Security Rule? The Security Rule establishes standards to protect electronic PHI (e-PHI) that is created, received, used, or maintained by a covered entity and, now, a business associate. These entities must ensure the confidentiality, integrity, and availability of e-PHI; identify and protect against reasonably anticipated threats to the security or integrity of the information; protect against reasonably anticipated impermissible uses or disclosures; and ensure compliance by their workforce. Among other requirements, an entity must have a Security Officer, adopt policies and procedures, and conduct a thorough assessment of the risks and vulnerabilities of its e-PHI.
- What is the HIPAA Privacy Rule? The Privacy Rule sets limits on the uses and disclosures of PHI with and without patient authorization and gives patients rights over their PHI (e.g., to be informed about a covered entity’s uses of PHI, to have access to, and request corrections of, health information, to get their own information, and to request an accounting of the disclosures of PHI by covered entities or business associates).
- What do I do if PHI is used or disclosed improperly? If there is a “breach” of “unsecured” (i.e., unencrypted or not destroyed) PHI, covered entities must notify individuals and the government (and the media if the breach is large enough). If a breach occurs at the business associate level, business associates must notify affected covered entities. With certain exceptions, a breach is an unauthorized use or disclosure of PHI in a manner that compromises its security or privacy. Under recently revised rules effective this September, a breach is presumed unless an entity demonstrates a low probability that the PHI has been compromised through a risk assessment.
- Is HIPAA a one-size-fits-all rule? No. HIPAA recognizes the great variability among covered entities and business associates. The Security Rule has several “addressable” specifications with which compliance is unnecessary if an entity documents why implementation is not reasonable and appropriate. (In such cases, the entity can adopt alternative measures.) Entities also can consider factors, including size, complexity, capabilities, and resources, in determining which security measures are appropriate to satisfy Security Rule obligations. The government also recognizes that size is a factor in the Privacy Rule.
- What goes into a Business Associate Agreement (BAA) and where can I find one? HIPAA regulations set forth the required elements of BAAs. For example, a BAA must establish the business associate’s permitted and required uses and disclosures of PHI, and must provide that the business associate will not use or further disclose PHI other than as permitted or required by the contract or by law. Business associates can create their own BAAs, but the government has provided sample language at www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html.
- What are the penalties for violating HIPAA? The government can impose civil monetary penalties ranging from $100 to $50,000 per violation, depending upon culpability, with a cap of $1.5 million for identical violations during a calendar year. Penalties cannot be imposed for violations not due to willful neglect that are corrected within 30 days. Criminal penalties can be assessed for knowingly obtaining, disclosing, or selling PHI in violation of HIPAA.
- Although I may have many obligations, what should be my first steps? Business associates should assess their weaknesses in storing, transmitting, and using PHI. Lost laptops and briefcases and poor electronic security pose the biggest risks. Although encryption is not required, we recommend encrypting all portable electronic devices, including laptops, computers, and phones. Start with the required risk analysis and add training and common sense.
Peter Parvis, Thora Johnson, and Molly Ferraioli are attorneys at Venable who routinely counsel clients on HIPAA privacy matters.