Safety net provider organizations, not EHR vendors, bear responsibility for protecting the confidentiality, integrity, and availability of electronic health information in an EHR. The following are key concepts to understand as you address protection of health information.
Privacy. The HIPAA Privacy Rule protects the privacy of individually identifiable health information. Officially known as the “Standards for Privacy of Individually Identifiable Health Information,” HIPAA is designed to allow for disclosure of health information pertinent to patient care while safeguarding against unauthorized uses.
Security. The HIPAA Security Rule focuses specifically on electronic protected health information (ePHI). Its purpose is to set administrative, technical, and physical standards to protect electronic health information.
Enforcement. The HIPAA rules apply to health care providers, health plans, health care clearinghouses (which process health information received from another entity), and business associates (service providers to health care providers that use health information in their work). The Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) administers and enforces the HIPAA Privacy and Security Rules. Safety net providers must include requirements for compliance with the HIPAA rules in their contracts with business associates. Failure to comply with the HIPAA rules on privacy and security can result in civil and criminal penalties.
Expansion of HIPAA. In 2009, the HITECH Act expanded the scope of privacy and security provisions of HIPAA by:
- Adding “business associates” (organizations such as claims processors, utilization reviewers, and others who provide services to health care providers using EHR data) to the list of those responsible for protecting health information
- Imposing a requirement to notify individuals in the event of a breach of identifiable personal health information
- Creating stricter disclosure requirements
- Strengthening enforcement procedures and penalties
Protected health information. Protected health information (PHI), or ePHI when in electronic form, refers to individually identifiable health information that relates to:
- Past, present, or future physical or mental health or condition
- Health care received
- Payment for health care
Patient notification. The Privacy Rule requires that you provide patients with a Notice of Privacy Practices that informs them of your legal duties regarding the use and disclosure of their protected health information and of their legal rights concerning that information. You may need to update this notice when implementing your EHR. Your State may have additional requirements. You can obtain help or guidance from a local Health Center Controlled Network, Regional Extension Center, or your State Health IT Coordinator’s office. They often have templates available that address HIPAA and State requirements.
Information that can be disclosed without authorization. In a few instances a provider can use or disclose PHI without authorization, specifically:
- To the individual, his or her health care providers, and others who use EHR data to perform their related services (e.g., billing department staff)
- For purposes of research, public health, or health care operations or for HHS compliance investigations and enforcement actions
HIPAA rules do not apply to disclosure of health information that does not identify an individual. This type of information is called “de-identified.” As summarized in the HHS Office for Civil Rights diagram referenced on this page, the Privacy Rule provides two methods by which health information can be designated as de-identified.
View these resources for additional information:
- HIPAA Privacy Rule
- Personal Health Records and the HIPAA Privacy Rule
- HIPAA Security Rule
- Guidance Regarding Methods for De-identification of Protected Health Information
Source: U.S. Department of Health & Human Services, “Laws Requiring Protection of Health Information.” http://www.hrsa.gov website. Accessed December 2, 2015. http://www.hrsa.gov/healthit/toolbox/healthitimplementation/implementationtopics/ensureprivacysecurity/ensureprivacysecurity_2.html
© Copyright 2016. All rights reserved. This content is strictly for informational purposes and although experts have prepared it, the reader should not substitute this information for professional insurance advice. If you have any questions, please consult your insurance professional before acting on any information presented.