Oak Creek Insurance Agency


July 30, 2014 By Julian

Laws Requiring Protection Of Health Information

Safety net provider organizations, not EHR vendors, bear responsibility for protecting the confidentiality, integrity, and availability of electronic health information in an EHR. The following are key concepts to understand as you address protection of health information.

Privacy. The HIPAA Privacy Rule protects the privacy of individually identifiable health information. Officially known as the “Standards for Privacy of Individually Identifiable Health Information,” HIPAA is designed to allow for disclosure of health information pertinent to patient care while safeguarding against unauthorized uses.

Security. The HIPAA Security Rule focuses specifically on electronic protected health information (ePHI). Its purpose is to set administrative, technical, and physical standards to protect electronic health information.

Enforcement. The HIPAA rules apply to health care providers, health plans, health care clearinghouses (which process health information received from another entity), and business associates (service providers to health care providers that use health information in their work). The Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) administers and enforces the HIPAA Privacy and Security Rules. Safety net providers must include requirements for compliance with the HIPAA rules in their contracts with business associates. Failure to comply with the HIPAA rules on privacy and security can result in civil and criminal penalties.

Expansion of HIPAA. In 2009, the HITECH Act expanded the scope of privacy and security provisions of HIPAA by:

  • Adding “business associates” (organizations such as claims processors, utilization reviewers, and others who provide services to health care providers using EHR data) to the list of those responsible for protecting health information
  • Imposing a requirement to notify individuals in the event of a breach of identifiable personal health information
  • Creating stricter disclosure requirements
  • Strengthening enforcement procedures and penalties

Protected health information. Protected health information (PHI), or ePHI when in electronic form, refers to individually identifiable health information that relates to:

  • Past, present, or future physical or mental health or condition
  • Health care received
  • Payment for health care

Patient notification. The Privacy Rule requires that you provide patients with a Notice of Privacy Practices that informs them of your legal duties regarding use and disclosure of their protected health information and of their legal rights concerning that information. You may need to update this notice when implementing your EHR. Your State may have additional requirements. You can obtain help or guidance from a local Health Center Controlled Network, Regional Extension Center, or your State Health IT Coordinator’s office. They often have templates available that address HIPAA and State requirements.

Information that can be disclosed without authorization. In a few instances a provider can use or disclose PHI without authorization, specifically:

  • To the individual, his or her health care providers, and others who use EHR data to perform their related services (e.g., billing department staff)
  • For purposes of research, public health, or health care operations, or for HHS compliance investigations and enforcement actions

HIPAA rules do not apply to disclosure of health information that does not identify an individual. This type of information is called “de-identified.” As summarized in a diagram from the HHS Office for Civil Rights, the Privacy Rule provides two methods by which health information can be designated as de-identified: Expert Determination and Safe Harbor.

View these resources for additional information:

  • HIPAA Privacy Rule
  • Personal Health Records and the HIPAA Privacy Rule
  • HIPAA Security Rule
  • Guidance Regarding Methods for De-identification of Protected Health Information


Source: U.S. Department of Health & Human Services, “Laws Requiring Protection of Health Information.” http://www.hrsa.gov website. Accessed December 2, 2015. http://www.hrsa.gov/healthit/toolbox/healthitimplementation/implementationtopics/ensureprivacysecurity/ensureprivacysecurity_2.html

© Copyright 2016. All rights reserved. This content is strictly for informational purposes and although experts have prepared it, the reader should not substitute this information for professional insurance advice. If you have any questions, please consult your insurance professional before acting on any information presented.

Filed Under: Benchmarking, Commercial, Compliance, Health & Benefits, Theme 64

July 30, 2014 By Julian

Definition Of Risks

The privacy and security risks associated with EHRs include:

  • Inappropriate access. Occurs when an unauthorized user gains access to EHR data or an authorized user violates appropriate use conditions. For example, a passerby may accidentally view data on a screen or purposely manipulate it, a hacker may breach network security, or a staff member may access the records of an acquaintance.
  • Record tampering. Includes occurrences such as back dating, fraudulent entries, or erasures to EHR data. Those known to tamper with health records often are authorized users of the EHR or do so by having access to a server account.
  • Catastrophic record loss. Includes events such as natural disasters, hardware breakage, and software issues.
  • Record degradation. Can occur during system failures such as tape breakage or scratching of optical media. In these events, data can be permanently lost.
  • Obsolescence. Occurs when upgrades and replacement parts for outdated EHR systems become unavailable as newer ones emerge.

Related terms used in health IT include:

  • Vulnerability. A flaw or weakness in systems or controls that is accidentally triggered or intentionally exploited.
  • Threat. The potential to trigger or exploit a vulnerability.

Source: U.S. Department of Health & Human Services, “Definition of Risks.” http://www.hrsa.gov website. Accessed December 2, 2015. http://www.hrsa.gov/healthit/toolbox/healthitimplementation/implementationtopics/ensureprivacysecurity/ensureprivacysecurity_1.html



July 30, 2014 By Julian

Unauthorized Disclosures Of Information

Ensure Privacy & Security

Your organization must notify people if a breach (or potential breach) of privacy or security of protected health information occurs. A breach is defined as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.”

Following a breach, covered entities must notify affected individuals, the Secretary of Health and Human Services, and, in some cases, the media.

In addition, if a business associate experiences an unallowable release of protected health information, it is required to notify the health care provider organization that transmitted the information about the disclosure. The provider, in turn, must make the required notification to the Government and media, as appropriate.

There are three exceptions to the definition of breach. Disclosure under these circumstances is not considered a breach:

  • By a workforce member acting under the authority of a covered entity or business associate.
  • From a person authorized to access protected health information to another person authorized to access protected health information. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.
  • When there is a reasonable expectation that the recipient would not have been able to retain the information.

Read more about breach notification.

Source: U.S. Department of Health & Human Services, “Unauthorized Disclosures of Information.” http://www.hrsa.gov website. Accessed December 2, 2015. http://www.hrsa.gov/healthit/toolbox/healthitimplementation/implementationtopics/ensureprivacysecurity/ensureprivacysecurity_3.html



July 30, 2014 By Julian Aston

IN: Best Practice Tips For HIPAA Compliance

Dear Valued Customer,

In this issue of the “——————“ we focus on establishing best practices for implementing and upholding HIPAA privacy policies in your practice.

Are you concerned about what would happen if the computer hard disk storing your patients’ medical information failed? The Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) established a set of national standards for the protection of certain health information.

Read on to learn about the Privacy Rule’s protection of the privacy of individually identifiable health information, which entities must comply with the Privacy Rule, the Privacy Rule’s requirements, and guidance available to help covered entities implement and maintain compliance with these requirements, and more.

We appreciate your continued business and look forward to serving you.

Kind regards,


Copyright © 2023 · Oak Creek Insurance Agency. All Rights Reserved. Oak Creek Insurance Agency a division of Landscape Contractors Insurance Services, Inc.
1835 N. Fine Ave | Fresno CA 93727 | Tel 800.628.8735 | Fax 559.650.3558 CA LIC # 0755906 Site design by INTOUCH.