HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) included a series of requirements for the protection of personal health information (PHI) to ensure the integrity and confidentiality of patient data. Covered entities who must be “HIPAA compliant” are health plans, healthcare clearinghouses, healthcare providers, and, per the HITECH Act of 2009, business associates who have access to PHI.
-
Require covered entities to put in place safeguards to protect health information from unauthorized access, use, or disclosure
Describe the circumstances under which covered entities are permitted to use or disclose an individual’s health information
Give individuals specific rights to their health information, including the right to access their medical information, to change inaccurate or incomplete information, and to know the way their information might be disclosed and for what purpose.
-
The Security Rule requires all covered entities to put in place administrative, physical, and technical safeguards to maintain the security of ePHI– electronic personal health information.
-Administrative safeguards are the policies, procedures, and employee training implemented to protect ePHI
-Physical safeguards are the literal physical barriers preventing unauthorized access to ePHI or the computer systems used to store it
-Technical safeguards are the electronic means of maintaining the security of ePHI
HIPAA’s security requirements are not rigid—they allow for flexibility based on the size and resources of the covered entities. However, cost alone is not a sufficient basis for not adopting a standard. There is a tiered system of requirements, starting with base-level standards that all entities must meet. All covered entities must conduct a risk assessment.
The HHS Office for Civil Rights enforces the Privacy and Security Rules and has established civil penalties (in the form of fines) for failure to implement privacy and security standards and criminal penalties for instances of wrongful disclosure of health information.
-
Though HIPAA does not include specific telehealth provisions, telehealth practitioners must maintain the same privacy and security standards as in-person providers. Telehealth practitioners must perform a thorough risk assessment, with a particular eye toward business associates.
-
Business associates are any individual or organization that works with a covered entity and has access to ePHI. These associates may include software providers, tech support, or consultants. To ensure that ePHI is protected appropriately, a covered entity and the business associate must sign a Business Associate Agreement. A Sample BAA can be found on the HHS website.
Business Associates Agreement:
-A written agreement that specifies the responsibilities of the covered entity and the business associate
-Must describe the permitted and required use of ePHI
-State that the business associate “will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law”
-
Though certain telehealth technology and equipment may include security features such as encryption, this does not automatically ensure “HIPAA compliance.” As stated above, HIPAA standards require policies, procedures, and employee training, not just technical and physical measure to protect ePHI. A risk assessment is needed in every instance.