HIPAA, Privacy & Security
The Health Law Partners, P.C. assists health care providers, suppliers, plans and organizations with their HIPAA compliance needs. For example, our HIPAA attorneys can assist with:
- Developing and updating billing compliance policies
- Developing training programs and presenting compliance in-service and education sessions with regard to billing, HIPAA privacy and HIPAA security
- Undertaking compliance investigations and responding to identified problems
- Directing auditing and monitoring
- Reviewing contracts and relationships for compliance with the Stark and Anti-kickback laws
- Drafting compliant contracts
- Counseling providers with regard to sensitive refund and disclosure issues
- Drafting and updating HIPAA privacy and security programs and policies
- Reimbursement matters
The HIPAA privacy rule (45 CFR Part 164) addresses the use and disclosure of health information (“protected health information” or “PHI”) by covered entities (i.e., providers, health plans and clearinghouses). It also sets standards for the privacy rights that must be afforded to individuals. According to the government, a major goal of the HIPAA privacy rule is to make sure that covered entities appropriately protect health information while allowing the flow of health information needed to provide and promote high quality health care. Given the diversity in the types and sizes of entities covered by HIPAA, the privacy rule is designed to be flexible enough to cover the variety of uses and disclosures that need to be addressed.
Regulations released in January of 2013 add to the privacy and security protections for health information. The regulations may require substantial changes for many health care professionals and organizations, as well as for business associates that are subject to these conditions, and make access to a qualified, knowledgeable HIPAA attorney all the more important for providers.
In summary, the HIPAA privacy rule:
- Provides restrictions on uses and disclosures of PHI. The privacy rule sets forth the instances in which protected patient information can be used or disclosed to outside parties;
- Creates individual patient rights to inspect and copy their records, to amend erroneous information, to request certain restrictions on the use and disclosure of their information, to file written complaints, and to receive a notice of the entity’s privacy practices;
- Requires covered entities to include certain privacy language in contracts with “Business Associates” regarding safeguarding patient information;
- Requires a covered entity to appoint a HIPAA Privacy Officer;
- Requires implementation of privacy policies and procedures;
- Requires certain notification in the event of breaches of PHI;
- Requires the designation of a contact person or office that is responsible for receiving privacy complaints and that can provide information about the entity’s privacy policies and procedures; and
- Requires covered entities to provide HIPAA privacy education to all employees.
The HIPAA security rule (45 CFR Part 164) addresses the integrity, confidentiality, and availability of electronic protected health information (“EPHI”). EPHI means any protected health information that is maintained or transmitted in an electronic medium.
The security rule sets forth certain general requirements. The general requirements mandate that covered entities do the following:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information that the covered entity creates, receives, maintains or transmits;
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule; and
- Ensure workforce compliance.
In order to achieve the general requirements set forth above, covered entities are required to meet 18 standards. In order to meet each of these standards, the Security Rule sets forth “implementation specifications” that serve as the “instructions” for compliance with each standard. Some implementation specifications are “required” while others are “addressable.” The standards and their related “implementation specifications” are broken down into three broad categories: administrative safeguards, physical safeguards, and technical safeguards.