The Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) establishes a set of national standards for the protection of patients' rights and certain health information.
Its standards address the use and disclosure of individuals' health information, known as protected health information or PHI by organizations subject to the Privacy Rule, as well as standards for an individual's rights to understand and control how their health data is used.
A major goal of the Privacy Rule is to ensure PHI is properly protected while allowing the flow of health information needed to provide and promote high quality health care, and to protect the public's health and well being.
In short, the rule attempts to strike a balance between confidentiality, integrity and availability of health care data. This means the rule is designed to be flexible, while remaining comprehensive enough to cover the variety of uses and disclosures it needs to address.
What is the background on the HIPAA Privacy Rule?
The HIPAA Privacy Rule is one part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which was signed into federal law by President Bill Clinton on 21 August 1996. The Act itself consists of five titles:
- Title I: Protects health insurance coverage for workers and their families when they change or lose their jobs.
- Title II: Establishes national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.
- Title III: Sets guidelines for pre-tax medical spending accounts.
- Title IV: Sets guidelines for group health plans.
- Title V: Governs company-owned life insurance policies.
Under HIPAA, the Secretary of HHS was required to publicize standards for the electronic exchange, privacy and security of health information, collectively known as the Administrative Simplification provisions.
Other important HIPAA rules include the HIPAA Security Rule, HIPAA Breach Notification Rule, and HIPAA Omnibus Rule. Additionally, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) made changes to the Security Rule and Breach Notification Rule.
HIPAA required the Secretary to issue privacy regulations governing personal health information if Congress did not enact privacy legislation within three years of the passage of HIPAA. As Congress failed to enact such legislation, HHS developed a proposed rule and released it for public comment on November 3, 1999. Over 52,000 comments were received, and the final regulation, known as the Privacy Rule, was published on December 28, 2000.
The Privacy Rule was later modified on August 14, 2002.
What is the purpose of the HIPAA Privacy Rule?
A major purpose of the Privacy Rule is to define and limit the circumstances in which an individual's protected health information may be used or disclosed by covered entities.
Covered entities cannot use or disclose PHI unless:
- The Privacy Rule permits or requires it; or
- The subject of the information (or a representative) provides written authorization.
There are only two situations when PHI must be disclosed:
- When an individual or their representative requests access to it, or an accounting of disclosures.
- When HHS is undertaking a compliance investigation, review or enforcement action.
Why is the HIPAA Privacy Rule important?
The HIPAA Privacy Rule is important because it seeks to protect the confidentiality of medical records and PHI.
In 2017, the Health Care Industry Cybersecurity Task Force convened by the US Department of Health and Human Services (HHS) concluded that health care cybersecurity was in critical condition.
The truth is that health care providers are lagging far behind other industries when it comes to information security. And unlike other industries, poor health care security can result in injury or death.
Like many industries, the health care industry is increasingly reliant on Internet-connected devices: from sharing patient records and lab results to medical devices and elevators.
This is generally a good thing for patients: patient information can be transferred quickly, patient engagement is higher and there is better clinical support. However, this same technology can contain exploitable vulnerabilities, cause data leaks or be infected with malware.
The attack targeted a zero-day vulnerability called EternalBlue. EternalBlue exploited the SMB protocol in older Microsoft Windows operating systems to spread, encrypting data and holding the computer systems for ransom.
The reason the health care sector is such an attractive target for cybercriminals is largely the valuable information that electronic health records hold, namely protected health information (PHI) and personally identifiable information (PII).
This health information is highly private data and its unauthorized disclosure can result in personal embarrassment, identity theft and financial harm.
Who must comply with the HIPAA Privacy Rule?
The Privacy Rule applies to:
- Health plans
- Health care providers
- Health care clearinghouses
- Business associates
Health plans are individual or group plans that provide or pay the cost of medical care. This includes dental, vision, prescription drug, and health insurers, health maintenance organizations, Medicare, Medicaid, Medicare+Choice and Medicare supplement insurers, employer-sponsored group health plans, government and church-sponsored health plans, and multi-employer health plans, and long-term care insurers (excluding nursing home fixed-indemnity policies).
There are exceptions:
- Group health plans with fewer than 50 participants administered solely by the employer who established and maintains the plan
- Government-funded programs whose:
  - Principal purpose is not providing or paying the cost of health care, e.g. food stamps
  - Principal activity is directly providing health care, e.g. a community health center, or the making of grants to fund the direct provision of health care
- Certain types of insurance entities that provide only workers' compensation, automobile insurance, and property and casualty insurance
Health care providers
Every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions is a covered entity.
These transactions include:
- Eligibility inquiries
- Referral authorization requests
- Other transactions as established under the HIPAA Transactions Rule
It's important to note that the use of electronic technology, e.g. email, does not by itself make a health care provider a covered entity. The transmission must be connected with one of the transactions outlined above.
Additionally, it's important to note that whether the electronic transmission is made directly by the health care provider or by a third-party vendor, it must still be adequately protected.
This is why vendor risk management has become increasingly important in the health care industry.
Health care clearinghouses
Health care clearinghouses are entities that process nonstandard information they receive from another entity into a standard format or vice versa.
Generally, this means receiving individually identifiable health information when providing health care services to a health plan or health care provider as a business associate. In such cases, only certain provisions of the Privacy Rule are applicable to the clearinghouse's use and disclosure of PHI.
Examples include billing services, repricing companies, community health management information systems, and value-added networks.
A business associate is a person, service provider or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of PHI. A covered entity can be the business associate of another covered entity.
When a covered entity outsources to a business associate, they must contractually impose specific safeguards to protect PHI in a business associate agreement. Moreover, a covered entity cannot authorize a business associate to make any use or disclosure of PHI that would violate the Privacy Rule.
Common business associate products and services include:
- Claims processing
- Data analysis
- Utilization review
- Data Aggregation
- Financial services
Note: If a person or organization does not use or disclose PHI, they are not a business associate.
What information is protected by the HIPAA Privacy Rule?
The Privacy Rule protects all individually identifiable health information held or transmitted by a covered entity or business associate, whether in paper, oral or electronic form. This information is known as protected health information (PHI) or electronic protected health information (ePHI).
PHI includes information, including demographic data, that relates to:
- An individual's past, present or future physical or mental health or condition
- The provision of health care to the individual
- The past, present or future payment for the provision of health care to the individual
and that can be used to identify the individual, or for which there is a reasonable basis to believe it can be used to identify the individual.
Individually identifiable health information includes many common identifiers (e.g. name, address, birth date, Social Security Number).
However, PHI excludes employment records that a covered entity maintains in its capacity as an employer and education and other records subject to or defined in the Family Educational Rights and Privacy Act.
Additionally, there are no restrictions on the use or disclosure of de-identified health information that has been either:
- Formally determined to be de-identified by a qualified statistician; or
- Stripped of the specified identifiers of the individual and of the individual's relatives, household members, and employers, where required.
What are examples of PHI?
HIPAA outlines 18 identifiers that must be treated with special care:
- All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the U.S. Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people are changed to 000
- Dates (other than year) directly related to an individual
- Phone Numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Uniform Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger, retinal and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
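The zip-code and date items above are the only ones in the list that describe an actual transformation rather than simple removal, and they are easy to get wrong. The following is an added example, not code from the original article or from UpGuard, that applies those rules to a constructed patient record: direct identifiers are dropped, dates are reduced to the year, a zip code is reduced to its three-digit prefix only when the Census population for that prefix exceeds 20,000 (otherwise "000"), and free-text fields are scanned for identifiers that survived. The population table, record field names and the sample record are all constructed stand-ins; a real implementation would load the current Census three-digit ZIP figures the rule refers to.

```python
"""Safe Harbor style de-identification of a record (added illustration).

The population table below is a constructed stand-in for the U.S. Census
three-digit ZIP data the Privacy Rule refers to; it is NOT real Census data.
"""
import re
from datetime import date

# Constructed sample: residents per three-digit ZIP prefix (not real figures).
SAMPLE_ZIP3_POPULATION = {
    "021": 750_000,  # more than 20,000 people -> prefix may be kept
    "036": 12_000,   # 20,000 or fewer -> prefix must become "000"
    "891": 20_000,   # exactly 20,000 counts as "20,000 or fewer" -> "000"
}

# Assumed field names for identifiers that are removed outright.
DIRECT_IDENTIFIER_FIELDS = {"name", "phone", "fax", "email", "ssn", "mrn", "ip", "url"}
# Assumed field names for dates directly related to the individual.
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}

# Patterns for identifiers that commonly leak through free text.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
}


def generalize_zip(zip_code, population=SAMPLE_ZIP3_POPULATION):
    """Return the three-digit prefix only if its Census unit exceeds 20,000 people.

    Prefixes absent from the table are treated as small (fail closed -> "000").
    """
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return "000"
    prefix = digits[:3]
    return prefix if population.get(prefix, 0) > 20_000 else "000"


def generalize_date(value):
    """Keep only the year from a date object or a 'YYYY-MM-DD' style string."""
    if isinstance(value, date):
        return str(value.year)
    match = re.match(r"^\s*(\d{4})", value or "")
    return match.group(1) if match else None


def find_residual_identifiers(text):
    """Return the sorted names of identifier patterns found in free text."""
    return sorted(name for name, pat in RESIDUAL_PATTERNS.items() if pat.search(text or ""))


def deidentify(record, population=SAMPLE_ZIP3_POPULATION):
    """Apply the removal and generalization rules to one record (a dict)."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue  # removed entirely
        if field == "zip":
            out["zip3"] = generalize_zip(value, population)
        elif field in DATE_FIELDS:
            out[field + "_year"] = generalize_date(value)
        else:
            out[field] = value
    return out


# Constructed sample record; every value here is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "zip": "03601",
    "dob": "1975-04-12",
    "admit_date": "2019-11-03",
    "diagnosis_code": "J18.9",
    "notes": "Follow-up call at 555-123-4567.",
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD)
    print(cleaned)
    # The notes field still carries a phone number, so it needs manual review.
    print("residual identifiers in notes:", find_residual_identifiers(cleaned["notes"]))
```

The residual scan matters in practice: structured fields are easy to strip, but the 18th item in the list ("any other unique identifying number, characteristic, or code") is most often violated by free-text clinical notes, so a de-identification pipeline should flag such fields for review rather than assume the field-level rules were enough.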
When is a HIPAA covered entity permitted to use or disclose PHI?
A covered entity is permitted, but not required, to use and disclose PHI without an individual's authorization for the following purposes or situations:
- To the individual: Covered entities can disclose PHI to the individual who is subject to the information.
- Treatment, payment and health care operations: Covered entities may use and disclose PHI for their own treatment, payment, and health care operations. Additionally, they may disclose PHI to another covered entity for treatment activities, payment activities, or any quality or competency assurance activities, fraud and abuse detection, and compliance activities, as long as both covered entities have or had a relationship with the individual and the information pertains to that relationship.
- Opportunity to agree or object: Informal permission may be obtained by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, acquiesce, or object. If the individual is incapacitated, in an emergency situation, or not available, covered entities may use professional judgement to determine the best interests of the individual.
- Incident to an otherwise permitted use and disclosure: Incidental use or disclosure of PHI is permitted as long as the covered entity has adopted reasonable safeguards as required by the Privacy Rule and the information shared was limited to the minimum necessary.
- Public interest and benefit activities: PHI can be disclosed without an individual's authorization or permission for 12 national priority purposes, e.g. required for law enforcement purposes.
- Limited data set for research, public health or health care operations: A limited data set is PHI from which certain specified direct identifiers of individuals and their relatives, household members, and employers have been removed.
How to comply with the HIPAA Privacy Rule?
HHS recognizes covered entities range from small providers to large, multi-state health plans. Therefore, there is flexibility and scalability in the Privacy Rule to allow entities to analyze their own needs and implement solutions appropriate for their environment, size, resources and business.
However, it's important to note that the Privacy Rule is only one part of HIPAA compliance.
That said, there are some requirements:
- Privacy policies and procedures: Covered entities must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule.
- Privacy personnel: Covered entities must designate a privacy official responsible for developing and implementing its privacy policies and procedures, and a contact person or contact office responsible for receiving complaints and providing information about privacy practices.
- Workforce training and management: All workforce members must be trained on the covered entity's privacy policies and procedures, as necessary and appropriate for them to carry out their functions.
- Mitigation: Covered entities must attempt to mitigate any harmful effect they learn was caused by a use or disclosure of PHI by their workforce or business associates in violation of their privacy policies and procedures or the Privacy Rule.
- Data Safeguards: Covered entities must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosures of PHI.
- Complaints: Covered entities must have procedures for individuals to complain about its compliance with its privacy policies and procedures and the Privacy Rule. Among other things, entities must identify where individuals can submit complaints and advise complainants that they can submit their complaints to the Secretary of HHS.
- Retaliation and waiver: Covered entities cannot retaliate against a person for exercising rights provided by the Privacy Rule, for assisting an HHS investigation or other appropriate authority, or for opposing an act or practice that the person believes violates the Privacy Rule.
- Documentation and record retention: Covered entities must maintain, until six years after the later of the date of creation or last effective date, its privacy policies and procedures, its privacy practice notices, disposition of complaints, and other actions, activities, and designations that the Privacy Rule requires to be documented.
What are the penalties for not complying with the HIPAA Privacy Rule?
The Department of Health and Human Services, Office for Civil Rights (OCR) is responsible for administering and enforcing these standards and may conduct complaint investigations and compliance reviews.
Covered entities that fail to comply voluntarily with the standards may be subject to civil money penalties. In addition, certain violations of the Privacy Rule may be subject to criminal prosecution.
Before a civil penalty is imposed, OCR will notify the covered entity and provide them with an opportunity to provide written evidence that could reduce or bar them from the penalty. This must be submitted to OCR within 30 days of receipt of the notice.
Additionally, if OCR intends to impose a penalty, a covered entity has the right to request an administrative hearing to appeal.
The civil penalties range from $100 to $50,000+ per violation, with a calendar-year cap of $1,500,000.
Civil penalties will not be imposed in some situations if:
- The failure to comply was not due to willful neglect and was corrected within 30 days of the entity knowing, or having reason to know, that the failure to comply had occurred.
- The Department of Justice has imposed a criminal penalty for failure to comply.
In addition, OCR may choose to reduce a penalty if the failure to comply was due to a reasonable cause and the penalty would be excessive, given the nature and extent of the noncompliance.
If a person knowingly obtains or discloses PHI they may face a criminal penalty of up to $50,000 and one-year imprisonment. This can increase to $100,000 and up to five years imprisonment for wrongful conduct under false pretenses and $250,000 and up to 10 years imprisonment for wrongful conduct involving the intent to sell, transfer or use PHI for commercial advantage, personal gain or malicious harm.
How UpGuard can help protect PHI
Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA use UpGuard's security ratings to protect their data, prevent data breaches and assess their security posture.
UpGuard Vendor Risk can minimize the amount of time your organization spends assessing related and third-party information security controls by automating vendor questionnaires and providing vendor questionnaire templates.
We can help you continuously monitor your vendors' external security controls and provide an unbiased security rating.
We base our ratings on the analysis of 70+ vectors including:
- Susceptibility to man-in-the-middle attacks
- Insecure SSL/TLS certificates
- SPF, DKIM and DMARC settings
- HTTP Strict Transport Security (HSTS)
- Email spoofing and phishing risk
- Malware susceptibility
- Unnecessary open administration, database, app, email and file sharing ports
- Exposure to known data breaches and data leaks
- Vulnerable software
- HTTP accessibility
- Secure cookie configuration
- Results of intelligent security questionnaires
We can also help you instantly benchmark your current and potential vendors against their industry, so you can see how they stack up.
For the assessment of your own information security controls, UpGuard BreachSight can monitor your organization across 70+ security controls, providing a simple, easy-to-understand cyber security rating, and automatically detect leaked credentials and data exposures in S3 buckets, Rsync servers, GitHub repos and more.
You can read more about what our customers are saying on Gartner reviews.
If you'd like to see your organization's security rating, click here to request your free Cyber Security Rating.