
By Jim Venuto, March 23, 2024
Introduction:
Securing sensitive health information is non-negotiable in an era where digital data breaches are increasingly common. Consider the potential fallout from unauthorized exposure of your medical records—anything from a chronic condition to details of a recent surgery. The impact on patients can range from discrimination to identity theft. To combat these risks, the Health Insurance Portability and Accountability Act (HIPAA), enacted by Congress in 1996 and reinforced by the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, establishes rigorous standards for protecting electronic health information. This blog delves into HIPAA’s core principles, who must comply, and baseline compliance strategies, and highlights recent breaches that illustrate the critical, ongoing need for stringent security measures to safeguard personal health information.
Recent PHI Data Breaches: A Wake-Up Call
- Philips Respironics (Breach occurred on May 31, 2023; reported to OCR recently): A zero-day vulnerability in Progress Software’s MOVEit Transfer software resulted in a breach affecting 1,125 individuals. Philips Respironics’ clients Forward Healthcare LLC and Rotech Healthcare confirmed that the unauthorized access compromised patient names, contact details, dates of birth, and medical information.
- R1 RCM (Reported on November 23, 2023): A breach impacted 16,121 individuals associated with Dignity Health’s St. Rose Dominican Hospital de Lima. An unauthorized party obtained sensitive information, including names, contact details, Social Security numbers, and clinical data. R1 RCM notified affected individuals and offered two years of complimentary credit monitoring and identity theft protection services.
- St. Mary’s Healthcare System for Children, Inc. (Identified around November 9, 2023; Notifications sent on March 20, 2024): Unauthorized network activity led to the extraction of files containing personal information of 5,650 individuals, predominantly employees, with 254 patients’ PHI potentially compromised. Those affected received 12 months of complimentary credit monitoring services.
- California Correctional Health Care Services (Impermissible disclosure identified around February 26, 2024): An email containing PHI, including last names, CDCR numbers, and medical information, was mistakenly sent to an unauthorized recipient. The recipient did not open the email and deleted the attachment, and the employee responsible underwent additional privacy and security training.
Who is Subject to HIPAA?
HIPAA applies to covered entities and their business associates.
Covered entities include:
- Health care clearinghouses.
- Health plans (e.g., HMOs, insurance companies, Medicare, Medicaid).
- Certain health care providers that transmit electronic health information.
Business associates, such as IT providers, billing companies, or legal services, are service providers that handle protected health information on behalf of covered entities.
Understanding Protected Health Information (PHI):
PHI encompasses any information created or received by a covered entity that relates to an individual’s past, present, or future physical or mental health condition, the provision of health care, or payment for health care. This information can be in electronic, paper, or oral form and includes medical records, X-rays, claims, and billing records. However, employment records, records covered under the Family Educational Rights and Privacy Act (FERPA), and de-identified health information are not considered PHI.
The Privacy Rule:
The HIPAA Privacy Rule defines and limits the circumstances in which covered entities may use or disclose an individual’s PHI. Generally, a covered entity can only use PHI if permitted by the Privacy Rule or authorized by the individual in writing. The most common permitted uses are for payment, treatment, or health care operations. The Privacy Rule also grants individuals certain rights, such as the right to notice, the right to access and amend their PHI, and the right to request restrictions on its use or disclosure.
The Minimum Necessary Rule:
When using or disclosing PHI, covered entities must make reasonable efforts to limit the information to the minimum necessary to accomplish the intended purpose. This rule helps minimize risks in the event of a security breach. However, there are exceptions, such as disclosures for treatment purposes or as required by law.
The Security Rule:
The HIPAA Security Rule establishes national standards for electronic PHI (ePHI) security. Covered entities must ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit. They must also identify and protect against reasonably anticipated threats to the security of the information. The Security Rule requires covered entities to implement administrative, physical, and technical safeguards to protect ePHI.
Responsibilities of Key Players:
Covered Entity:
- Designate a HIPAA privacy officer.
- Train workforce on HIPAA policies and procedures.
- Implement appropriate safeguards to protect PHI.
- Ensure HIPAA compliance within the organization.
- Enter into Business Associate Agreements (BAAs) with third-party service providers handling PHI.
Business Associate:
- Carefully review and understand the terms of the BAA.
- Implement robust security measures.
- Promptly notify the covered entity of any potential security incidents.
Doctor’s Office:
- Conduct staff training: train all staff members on HIPAA policies and procedures.
- Regularly update policies and procedures.
- Implement physical, technical, and administrative safeguards to protect PHI.
- Establish a clear protocol for responding to patient requests to access or amend their PHI.
Patient:
- Be cautious about sharing PHI.
- Be aware of rights under HIPAA (e.g., the right to receive a Notice of Privacy Practices, access medical records, and request restrictions on PHI use or disclosure).
- Carefully review the Notice of Privacy Practices.
- Promptly report suspected privacy violations to the covered entity or the Department of Health and Human Services (HHS) at https://www.hhs.gov/hipaa/filing-a-complaint/index.html.
Provider Security Best Practices:
- Storing patient information securely.
- Discussing patient information in private.
- Avoiding unnecessary discussions of patient information.
- Reviewing possible restrictions before making disclosures.
- Confirming recipients’ credentials.
- Properly shredding documents containing PHI.
- Logging off or locking computers when away.
- Using secure passwords.
- Avoiding sending PHI via unsecured email.
- Being aware of phishing scams and email security threats.
Glossary:
- Covered Entity: A health plan, health care clearinghouse, or health care provider that transmits electronic health information.
- Business Associate: An entity that provides services to or on behalf of a covered entity involving the use or disclosure of PHI.
- PHI: Protected Health Information is any information created or received by a covered entity that relates to an individual’s health condition, health care, or payment for health care.
- ePHI: Electronic Protected Health Information, meaning PHI that is stored, transmitted, or processed electronically.
Handling Security Breaches:
In the event of a security breach, stay calm and immediately contact your HIPAA privacy officer. They are trained to handle such situations and will guide you through the necessary steps, including notifying affected individuals, providing credit monitoring services, and implementing additional security measures to prevent future breaches.
References:
HIPAA Journal. (n.d.). R1 RCM Data Breach Impacts 16,000 Patients. Retrieved March 23, 2024, from https://www.hipaajournal.com/r1-rcm-data-breach-impacts-16000-patients/
U.S. Department of Health & Human Services. (n.d.). Filing a Complaint. Retrieved March 23, 2024, from https://www.hhs.gov/hipaa/filing-a-complaint/index.html