Comply with HIPAA
The Health Insurance Portability and Accountability Act of 1996 forms the primary federal regulation for patient privacy in the healthcare sector in the U.S. HIPAA's Privacy and Security Rules, alongside the Enforcement Rule, form a tapestry of comprehensive regulation for the sector and can make compliance a complicated issue for privacy professionals.
OneTrust DataGuidance's analysts work with an external network of contributors to provide you with Same Day Support in order to stay on top of all relevant HIPAA developments in the U.S. The HIPAA Portal provides easy access to all OneTrust DataGuidance content on HIPAA, including:
- comprehensive guidance on its rules and their application;
- tracking of all HIPAA-related enforcement actions and data breaches;
- access to key guidance and templates issued by the Department of Health and Human Services; and
- insights on HIPAA and the ever-changing landscape in the U.S. to stay ahead.
Authors: Elizabeth Litten - [email protected]; Michael Kline - [email protected]
The Health Insurance Portability and Accountability Act of 1996 ('HIPAA'), which has spawned a myriad of rules, regulations, guidelines, and court decisions, is a piece of legislation familiar to most people, but when and how it applies often confounds healthcare professionals, business executives, and attorneys alike, let alone the general public. Over the course of almost a quarter century of HIPAA's existence, this confusion persists and has even intensified in an age in which there is instantaneous and continuous global reporting of the struggle of large retail companies, sophisticated financial institutions, healthcare providers large and small, and government agencies to deal with data security breaches. Recent news stories about new and creative malware, ransomware, and phishing attacks and the proliferation of multiple laws governing data collection, use, and disclosure raise questions as to when and if HIPAA protects health information.
Because a HIPAA misstep can have serious legal, financial, and reputational consequences, understanding what HIPAA protects and requires is critical for any person or business that touches health information. The COVID-19 ('Coronavirus') pandemic has greatly increased the risk of HIPAA breaches, violations, and overall uncertainty related to HIPAA compliance. During the pandemic, we have seen a rapid global increase in the use of telemedicine, remote working and learning (often by individuals who lack education and experience in compliance with HIPAA), the conversion of in-person meetings to virtual meetings, and the furloughing and termination of skilled IT technicians and trainers. In addition, the proliferation of health apps and devices and patient expectations make compliance with HIPAA's individual access rights requirement more challenging. This article is not intended to detail each and every HIPAA requirement and nuance, but rather to list a sequence of basic questions whose answers can be used as fundamental building blocks for HIPAA compliance.1
2. DOES HIPAA APPLY?
HIPAA does not protect all information.2 HIPAA does not even protect all health information. To qualify for HIPAA protection, and to subject those that use or disclose it to HIPAA's requirements, the information must fit within the very specific definitions set forth in the HIPAA regulations, located in Part 160 and Part 164 of Title 45 of the Code of Federal Regulations ('45 CFR')3. Only protected health information qualifies for HIPAA protection, so understanding the components of this definition is critical to understanding whether HIPAA applies in the first place. Notably, HIPAA only applies to health information that is individually identifiable and that is created, received, maintained, or transmitted by covered entities or business associates, and their subcontractors (as such terms are defined under HIPAA).
2.1. Key definitions
Protected health information ('PHI'): 'individually identifiable health information' (defined below) that is transmitted or maintained in electronic media or in any other form or medium, but does not include information:
- in education records covered by the federal Family Educational Rights and Privacy Act of 1974 ('FERPA');
- in certain secondary school records held by healthcare providers4;
- in employment records held by a 'covered entity' (defined below) in its role as employer; and
- regarding a person who has been deceased for more than 50 years.
Individually identifiable health information ('IIHI'): information that is a subset of 'health information' (defined below), including demographic information such as an address, Social Security Number, and birth date, collected from an individual, that:
- is created or received by a 'health care provider,' 'health plan,' 'employer,' or 'health care clearinghouse' (as each of these terms is defined in 45 CFR §160.103); and
- relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual; and
- identifies the individual; or
- with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Health information: any information, including 'genetic information', a term also specifically defined at 45 CFR §160.103, whether oral or recorded in any form or medium, that:
- is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse; and
- relates to the past, present, or future physical or mental health condition of an individual; the provision of healthcare to an individual; or the past, present or future payment for the provision of healthcare to an individual.
Covered entity: a 'health plan', a 'health care clearinghouse', and/or a 'health care provider' that transmits any 'health information' in electronic form in connection with a 'transaction'. A transaction is the transmission of information between two parties to carry out financial or administrative activities related to healthcare, and specifically includes transmissions involving eligibility for a health plan and health plan premium payments, in addition to transmissions involving health care claims, coordination of benefits, referrals and authorisations for healthcare, and other types of transmissions associated with healthcare provider activities. The definition of 'health plan' excludes, among other things, plans that provide coverage for accident or disability income; coverage issued as a supplement to liability insurance; liability insurance, including general liability insurance and automobile liability insurance; workers' compensation insurance; automobile medical payment insurance; and other insurance coverage specified in the regulations under which benefits for medical care are secondary or incidental to other insurance benefits.
Finally, the HIPAA regulations make it clear that a 'business associate' is subject to many of the same HIPAA responsibilities as a 'covered entity'. A business associate is a person who, on behalf of a covered entity, but other than in the capacity of a member of the workforce of such covered entity, creates, receives, maintains, or transmits PHI for a function or activity regulated by HIPAA. A business associate that subcontracts with another person to provide services to the business associate that require the creation, receipt, maintenance, or transmission of PHI ('subcontractor') is subject to the same HIPAA responsibilities as the business associate. Accordingly, covered entities, business associates and subcontractors are each individually responsible for HIPAA compliance and risk both contract and federal government sanctions for failures to adequately protect the privacy and security of PHI as required by HIPAA.
2.2. Non-HIPAA data
When the definitions set forth above are put together, it becomes clear that certain information that is 'health information', even when it is IIHI, is not protected by HIPAA ('non-HIPAA data'). Similarly, those using and disclosing this non-HIPAA data are not subject to HIPAA's requirements with respect to such non-PHI.
Examples of non-PHI include:
- IIHI disclosed by individuals about themselves on websites and health apps (other than those developed and/or used by a covered entity, business associate, or subcontractor5 on behalf of a covered entity or business associate), to friends or family, or to anyone other than a healthcare provider, health plan, employer, or healthcare clearinghouse; such IIHI can be redisclosed by the recipient without violating HIPAA; or
- information that would be IIHI, but does not fall within the definition of 'health information' because it is not created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse.
Examples of information that is technically PHI, but which may be mistaken as non-HIPAA data, include:
- IIHI held in employment records by an employer that is not a covered entity (i.e. a healthcare provider, health plan, or health care clearinghouse); or
- health information that does not include a patient's name or other identifiers, but that can be combined with other information to identify the individual, such as 'redacted' medical records that include a date of service, or de-identified health information that can be re-identified when combined with aggregated data from another source.
2.3. When does HIPAA apply?
For HIPAA to apply and actually 'protect' the PHI under HIPAA's privacy and security requirements, the PHI must be created, received, maintained, or transmitted by a covered entity, business associate, or subcontractor. In this sense, the term 'protected health information' is, itself, misleading, since an employer can create PHI, but that PHI will not be subject to HIPAA protections unless a covered entity, business associate, or subcontractor is involved.
The following hypothetical examples of PHI and non-PHI based upon recent publicity of information about patients illustrate the ways in which PHI and non-PHI can be confused.
Examples of IIHI generally subject to HIPAA protection:
IIHI that has been:
- created, received, maintained or transmitted by a hospital, physician, nurse, technician or other healthcare provider that is treating a patient;
- created, received, maintained or transmitted by a health app or medical device worn by an individual to a healthcare provider or treating facility6;
- created, received, maintained or transmitted by a health app to a health plan by a health plan member;
- created, received, maintained or transmitted by a quality management company in connection with analysis of health outcomes for a healthcare provider or health plan;
- obtained from patient records by a 'snooping' employee in the workforce of a treating health care facility;
- created, received, or maintained by an electronic health records company and sold to a data aggregator;
- collected from an employee wellness program about an employee and maintained by the employer's health plan; and
- maintained by a cloud service provider, even if the IIHI has been encrypted and the cloud service provider has no access to the decryption key7.
Examples of IIHI that are not generally subject to HIPAA protection:
- information disclosed by an individual about his or her own identity, address, diagnosis, health condition, or prognosis by way of a health app or wearable device not made available to the individual or recommended by the individual's healthcare provider or health plan;
- information disclosed by an individual on social media about his or her health status or condition;
- information disclosed by a healthcare provider to family members, friends or neighbours of a patient about the patient's identity, address, diagnosis, or health conditions;8
- publication by a newspaper, television news program or other internet or media outlet about the identity, address, diagnosis, health condition or prognosis of an individual being treated for a health condition;
- confirmation by family members, friends or neighbours of suspected Ebola patients about their identity, address, diagnosis, health condition or prognosis; and
- discussion by a healthcare professional, who has not treated or consulted with a suspected patient or another healthcare professional of the suspected patient, on television or through other media about the identity, location, diagnosis, health condition or prognosis of such patient.
3. WHAT ARE THE PERMITTED USES AND DISCLOSURES OF PHI?
Covered entities, business associates and subcontractors may only use or disclose PHI as permitted by the HIPAA Regulations.9
There are differences between the PHI uses and disclosures permitted for covered entities, on one hand, and business associates and subcontractors, on the other. Whereas a covered entity may use or disclose PHI to the individual, for 'treatment', 'payment', or 'healthcare operations' (as these terms are defined at 45 CFR §164.501), pursuant to a valid authorisation, and for specified other purposes10, a business associate and/or subcontractor may only use or disclose PHI as permitted or required under its business associate agreement or subcontractor agreement, as required by law, and (but only if expressly permitted under its business associate agreement or subcontractor agreement) for its own management and administration or to provide data aggregation services relating to the healthcare operations of the covered entity.11 In other words, a business associate's or subcontractor's rights to use and disclose PHI are generated by and limited to the rights set forth in the contract that gives it access to the PHI in the first place (though the business associate's and subcontractor's obligations to meet applicable HIPAA privacy and security requirements are independent of, and may exceed, their express contractual obligations). In addition, a covered entity that is required under the HIPAA regulations to have a notice of privacy practices ('NPP') may only use or disclose PHI as described in its NPP.
Detailing each and every permitted use or disclosure of PHI is beyond the scope of this Guidance Note, but certain uses and disclosures are more likely than others to trip up covered entities, business associates, and subcontractors, either because the use or disclosure seems as though it should be permitted under HIPAA (but is not, or is only permitted under limited and specific circumstances), or because the parties using or disclosing the PHI misunderstand their HIPAA-defined roles. In some cases, a party who is acting as a business associate under HIPAA refuses to sign a business associate agreement under the mistaken belief that its services do not involve creation, receipt, maintenance, or transmission of PHI. In other cases, a covered entity may require every third party with which it contracts and that receives or accesses (or might receive or access) PHI to sign a business associate agreement, regardless of whether the third party is providing or is likely to provide a service on behalf of the covered entity. In some of these instances (where, for example, a hospital system seeks a business associate agreement from a physician group that will be accessing its electronic health records in connection with the treatment of mutual patients), a data use agreement would be the appropriate contract.
Covered entities should also be aware of the requirement to provide individuals with access to the individual's PHI that is contained in a Designated Record Set ('DRS'). A DRS is a group of records maintained by or for a covered entity that is either the medical records and billing records about individuals maintained by or for a covered healthcare provider, or is used, in whole or in part, by or for the covered entity to make decisions about individuals.12 Individuals have the right to inspect the PHI and/or receive a copy of it, or may direct that it be sent to a designated person or entity of the individual's choice. Individuals have the right to access this information regardless of whether it is maintained on paper or in an electronic system, and regardless of whether it is maintained on-site or remotely. There are only two types of PHI in a DRS that are excluded from the individual access right:
- psychotherapy notes (i.e. personal notes of a mental healthcare provider documenting or analysing a counselling session that are maintained separate from the rest of the medical record); and
- information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
There are very limited circumstances under which an individual's request for access can be denied or unduly delayed, such as where a licensed healthcare professional determines in the exercise of professional judgment that access is reasonably likely to endanger the life or physical safety of the individual or another person. General concerns about psychological or emotional harm associated with disclosure, or concerns with the individual's ability to understand the information, are insufficient grounds for denying or failing to respond timely to an access request.
An access request must be responded to within 30 days after receipt of the request, either by providing the requested PHI or by explaining why a delay (of up to another 30 days maximum) is necessary to fulfil the request.
The covered entity or business associate, as applicable, may apply a reasonable, cost-based fee for the DRS, including the costs of only certain enumerated items or services, when an individual requests a copy of their PHI or a summary or explanation of that information.13 An issue arises when a covered entity engages the services of a business associate to fulfil the request for access to PHI, and the business associate charges more than HIPAA permits. The United States Department of Health and Human Services Office for Civil Rights ('OCR') is unable to take enforcement action against a business associate that charges an unreasonable fee because the Health Information Technology for Economic and Clinical Health ('HITECH') Act, a law that expanded the scope of HIPAA protections by increasing potential liability for non-compliance and outlining more stringent enforcement, does not apply the fee limitation provision to business associates. In the past, the OCR has stated that it would hold the covered entity responsible for amounts charged by a business associate that exceed what could be charged by the covered entity.
On 23 January 2020, a U.S. federal court invalidated certain language in the regulation that limits the fees that can be charged in connection with an individual's request that the information be transmitted to a third party. However, fee limitations continue to apply with respect to an individual's request that the information be transmitted to the individual.14
3.1. Examples of impermissible use or disclosure of PHI
- Covered entity, business associate or subcontractor contracts with a software vendor that refuses to sign a business associate or subcontractor agreement, despite the fact the software vendor may access PHI when performing software updates or remediation of computer glitches.
- More PHI than that which is minimally necessary to accomplish the intended purpose of the use or disclosure is used or disclosed.
- PHI is used or disclosed in a manner not consistent with and described in the covered entity's NPP.
- A business associate de-identifies PHI, not on behalf of the covered entity or for its own management and administration, but in order to sell it to a data aggregator.
- PHI is disclosed pursuant to a subpoena, discovery request, or other 'lawful process', but the individual whose PHI is disclosed has not authorised the disclosure and no reasonable efforts (as described in the HIPAA regulations16) have been made to ensure the individual has been given notice of the request and/or to secure a qualified protective order.
3.2. Examples of permissible use or disclosure of PHI
- Provision of PHI by a hospital to a healthcare provider involved in treatment of the patient even though such healthcare provider has not signed a business associate agreement with the hospital.
- Release of PHI to a law enforcement official by a covered entity without the individual's consent where the individual is or is suspected to be a victim of a crime, under specified circumstances.17
- Release of PHI by a physician to avert a serious threat to health or safety when the use or disclosure is consistent with applicable law and standards of ethical conduct, and the physician, in good faith, believes the use or disclosure is necessary to prevent or lessen an imminent threat to the health or safety of a person or the public and is made to a person reasonably able to prevent or lessen the threat.18
4. WHAT ARE THE CONSEQUENCES OF NON-COMPLIANCE?
An acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA regulations protecting the privacy of the PHI19 is generally deemed to be a breach, triggering various notification and reporting requirements20 and potentially leading to federal and/or state government enforcement actions and civil monetary or criminal penalties. However, there is no right provided by HIPAA for an individual to sue under HIPAA for alleged damages to such individual stemming from a breach of HIPAA. It may be possible, however, for an individual to sue for damages resulting from a HIPAA breach under a tort such as negligence, invasion of privacy, or defamation, where HIPAA requirements may be used as a standard for 'best practices' in support of the tort case.21 For example, the Connecticut Supreme Court has recognised that the unauthorised disclosure of confidential information obtained in the course of treatment gives rise to a tort cause of action.22 The defendant in the case was a healthcare provider who mailed a patient's medical records to a court in response to a subpoena, despite the patient's request to keep the records confidential.23 The patient sued under tort theories of negligence and negligent infliction of emotional distress.24 The court held that a duty of confidentiality arises from the physician-patient relationship and therefore gives rise to a cause of action.25
The covered entity, business associate or subcontractor, as applicable, may determine that an impermissible disclosure of PHI is not a breach if it demonstrates there is a low probability the PHI was compromised, based on a risk assessment of at least the following four factors:
- the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- the unauthorised person who used the PHI or to whom the disclosure was made;
- whether the PHI was actually acquired or viewed;
- the extent to which the risk to the PHI has been mitigated.26
As discussed above, a business associate or subcontractor is only permitted to use or disclose PHI as set forth in its business associate or subcontractor agreement (or as is required by law), so a use or disclosure that might be permitted by a covered entity, but that is not expressly granted in the business associate or subcontractor agreement would likely constitute a breach. By way of example, imagine a business associate that provides data analysis for a covered entity, healthcare provider, or health plan and is prohibited under its business associate agreement from using or disclosing the covered entity's PHI outside the United States (presumably to reduce the risk of a HIPAA breach that would be beyond the reach of HIPAA enforcement). The business associate hires a subcontractor to analyse a subset of the data, but fails to include a contractual provision prohibiting the subcontractor from using or disclosing the data outside the United States. The subcontractor has an office in Dubai, and individuals working in that office access the data for purposes of performing the necessary data analysis. The business associate would be directly liable for a HIPAA breach (and potentially subject to government action and contractual damages), even if there was no access to the PHI by third parties as a result of the work performed by the Dubai office.
The above example of the use of offshore services poses additional issues. The HIPAA rules do not impose specific requirements for the protection of PHI processed at or stored by a business associate or subcontractor outside of the United States, and covered entities and business associates typically have freedom to choose whether to utilise offshore services.27 However, the outsourcing of storage or other services related to PHI may increase the risks or vulnerabilities to PHI. For example, other countries may have less stringent privacy protections than HIPAA or an offshore vendor may not follow proper procedures to ensure HIPAA compliance. Additionally, whether the OCR has enforcement authority over an entity that is outside of the United States is uncertain because HIPAA does not explicitly provide for extraterritorial jurisdiction.28 Covered entities and business associates may consider these risks when implementing compliance programs and conducting risk assessments.29 To avoid these risks, some covered entities contractually impose stricter policies on business associates that utilise offshore services. Other covered entities choose to prohibit business associates from utilising any offshore services altogether. A contractual obligation limiting or prohibiting the use of offshore services may further benefit the covered entity because the covered entity may hold the business associate liable for breach of contract if the business associate or their offshore vendor does not comply with the obligations.
The OCR is not the only entity authorised to bring enforcement actions. The HITECH Act gives State Attorneys General ('AGs') the authority to bring civil actions on behalf of state residents for violations of HIPAA, in order to obtain damages on behalf of state residents or to enjoin further violations of HIPAA.30 One recent case provides an example. In 2018, twelve Attorneys General joined together to bring a multi-state lawsuit against Medical Informatics Engineering, Inc. ('MIE'), an electronic medical records company, after MIE was subject to a cyberattack that compromised the electronic PHI of 3.9 million people.31 The crux of the lawsuit was MIE's failure to correct known vulnerabilities in its security systems and its inadequate and ineffective responses to the breach.32 The case resulted in a $900,000 financial penalty and a settlement for $100,000.
The current trend weighs toward criminal prosecution of covered entities for HIPAA violations33 and multi-million dollar civil monetary penalty awards in extreme cases. In a record-breaking year for HIPAA enforcement for noncompliance, the OCR settled ten enforcement action cases totalling $28.7 million in 2018, including the largest-ever individual HIPAA settlement of $16 million with Anthem, Inc.34 The increase in enforcement actions should trigger renewed focus on HIPAA compliance by a wide array of businesses in the coming years. The OCR has made it clear that the adversities being experienced by covered entities and business associates in the Coronavirus pandemic do not exempt covered entities and business associates from enforcement of HIPAA. For example, on 5 May 2020, the OCR issued guidance reminding covered entity healthcare providers that patients must sign a valid HIPAA authorisation before the provider allows the media to access patient PHI.35
Additionally, the OCR has been actively investigating allegations that covered entities have violated individuals' right to timely access of their records. Last year, the OCR launched the Right of Access Initiative, which called for greater access to individuals (or their personal representatives) requesting their health information.36 As of November 2020, the OCR has settled 11 cases with various providers that received complaints from patients (or their personal representatives) stating that they were not provided with their requested medical records in a timely manner. The HIPAA Privacy Rule requires covered entities to respond to the request within 30 days37, although the OCR has stated that the 30-day window is an 'outer limit' and providers should strive to respond to the request as quickly as possible. If the provider cannot provide the medical records within the 30-day window, then it must still respond to the request within the allotted timeframe and provide a reason for non-compliance.
In addition to the 30-day window, the Office of the National Coordinator for Health Information Technology ('ONC') enacted a ten-day response window for cases in which it is infeasible to respond to a request for medical records due to an uncontrollable event, such as a public health emergency or labour strike, or in which the information cannot be made available under law.
In the most recent settlements, a complaint from a single patient (or their representative) has been enough to launch an investigation by the OCR, which can result in fines or 'Resolution Amounts' ranging from $3,500 to $160,000. In addition to large Resolution Amounts, the OCR has implemented Corrective Action Plans ('CAPs') for every provider found to be in violation of the HIPAA Privacy Rule as it relates to the Right of Access Initiative. Under the CAPs, the providers are required to implement new HIPAA compliance policies and procedures relating to the right of access, send reports to the Department of Health and Human Services, and provide additional training to their staff members. Thus, the provider will accrue further compliance costs on top of the Resolution Amounts.
Moving forward, the OCR Director does not plan to halt its enforcement under the Right of Access Initiative. In one of the more recent press releases involving a Right of Access Initiative settlement, the OCR Director delivered some warning remarks by stating that "It shouldn't take a federal investigation to secure access to patient medical records, but too often that's what it takes when health care providers don't take their HIPAA obligations seriously. OCR has many right of access investigations open across the [United States], and will continue to vigorously enforce this right to better empower patients38." Thus, all providers must be aware of the HIPAA Right of Access Initiative, given the serious economic consequences that can stem from a single patient or personal representative's request for their medical records.
5. WHAT OTHER PENALTIES MAY ARISE FROM A VIOLATION OF HIPAA?
A violation of HIPAA may lead to staggering penalties from OCR enforcement actions and actions by State AGs.39 On top of this, covered entities and business associates may face additional penalties if the incident that constitutes a HIPAA violation also constitutes a violation of a stricter State law.
HIPAA pre-empts any State law that is contrary to HIPAA or provides individuals with lesser rights to access their PHI40. However, HIPAA does not pre-empt any State law that provides greater protection or rights than HIPAA41. This means that the same action may violate both HIPAA and the stricter State law. One example is the fees charged for a DRS, as mentioned above. States may authorise fees for records requests if the fees are for the same types of costs permitted under HIPAA and are reasonable. Consider Massachusetts law, which defines a 'reasonable fee' for a DRS as a base charge of no more than $15.00 plus a small per-page fee42. If a covered entity or its business associate were to charge a greater fee than the fee authorised under the State law, it could be in violation of both HIPAA and the State law.
6. WHAT ARE OTHER CURRENT ISSUES RELATED TO HIPAA?
How HIPAA applies to a covered entity's transfer of electronic PHI ('ePHI') to an application or other software ('app') can be puzzling because the applicability of HIPAA depends on the relationship between the covered entity and the app. If the app was developed for, or provided by or on behalf of the covered entity, and thus creates, receives, maintains or transmits ePHI on behalf of the covered entity, the covered entity could be liable under the HIPAA rules for a subsequent impermissible disclosure because a business associate relationship exists between the covered entity and the app developer43. However, if an individual chose an app to receive the individual's ePHI and the covered entity did not provide the app, the app is neither a covered entity nor a business associate and therefore HIPAA no longer protects the ePHI44.
The United States opioid epidemic45 presents a unique and evolving situation under HIPAA. HIPAA allows health professionals to share PHI with a patient's loved ones without the patient's consent in some emergent or dangerous situations46. For example, a healthcare provider may share a patient's PHI with the individual's family member or close friend that cares for the patient if the patient is incapacitated or unconscious, the provider determines that doing so is in the best interest of the individual, and the disclosed information is directly related to the patient's care or payment for the individual's care47. Healthcare providers may also share PHI with persons in a position to prevent or lessen a serious or imminent threat to a person's health or safety.48 In the context of the opioid epidemic, these permitted disclosures arise, for example, when a provider must speak with a patient's family about an overdose or when a provider determines the disclosure is necessary because the patient's continued opioid abuse poses a serious or imminent threat to the individual's health or safety.49
However, decision-making incapacity may be temporary and situational. If a patient does have capacity or regains capacity, a healthcare provider must give the patient the opportunity to agree or object to sharing the PHI.
Out of necessity, this article can only scratch the surface of even the relatively limited set of questions regarding HIPAA addressed here. It can serve as an introduction to the terminology and structure of HIPAA and its regulatory scheme. However, the challenges and deepening complexity of the issues confronting businesses affected by HIPAA, as it approaches a quarter century of regulation, and by the broader data privacy and security universe suggest that the assistance of competent professionals should be sought, even for matters that may at first blush appear relatively simple.
1. This article addresses the requirements of HIPAA, as amended by the Health Information Technology for Economic and Clinical Health Act, and implementing regulations at 45 CFR Part 160, Subparts A through E, and 45 CFR Part 164, Subparts A, C (referred to as the 'Security Rule'), and E (referred to as the 'Privacy Rule') as amended by the 'Omnibus Rule' (45 CFR Part 160, Subparts A, B, C and D and Part 164, Subparts A and C). The authors wish to express their deep appreciation to Jeffrey Jarel Johnson, a Corporate Department Associate in the Fox Rothschild LLP Chester County, PA office for his contributions to the 2020 updates to this article and to Anahita Anvari for her contributions to this article during her service as a Law Clerk with Fox Rothschild LLP in its Philadelphia office.
2. Note that HIPAA standards, requirements or implementation specifications that are 'contrary to' state law generally pre-empt state law (45 CFR 160.203), but state laws that relate to the privacy of individually identifiable health information and are determined by the Secretary of the Department of Health and Human Services to be 'more stringent' (as described at 45 CFR 160.202) than HIPAA are among those not pre-empted by HIPAA. This article does not address specific state laws that are not pre-empted by HIPAA, and a separate review of state laws pertaining to privacy and security of individually identifiable health information is necessary to ensure compliance with applicable state laws.
3. 45 C.F.R. § 160.103.
4. See 20 U.S.C. § 1232g(a)(4)(B)(iv) for complete description.
5. HHS Office of Civil Rights, Health App Use Scenarios & HIPAA (Feb. 2016), available at https://hipaaqsportal.hhs.gov/community-library/accounts/92/925889/Public/OCR-health-app-developer-scenarios-2-2016.pdf .
7. HHS Office of Civil Rights, Guidance on HIPAA & Cloud Computing (Jun. 16, 2017), available at https://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html.
8. HHS Office of Civil Rights, How HIPAA Allows Doctors to Respond to the Opioid Crisis (last visited Jun. 21, 2019), available at https://www.hhs.gov/sites/default/files/hipaa-opioid-crisis.pdf.
9. 45 C.F.R. § 164.502.
10. 45 C.F.R. § 164.502(a)(1).
11. 45 C.F.R. §§ 164.502(a)(3) and (4).
12. 45 C.F.R. § 164.501.
13. 45 C.F.R. § 164.524(c).
14. See HHS Office of Civil Rights, Individuals' Right under HIPAA to Access their Health Information 45 C.F.R. 164.524, available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html (This guidance remains in effect only to the extent that it is consistent with the court’s order in Ciox Health, LLC v. Azar, No. 18-cv-0040 (D.D.C. January 23, 2020), which may be found at https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2018cv0040-51. More information about the order is available at https://www.hhs.gov/hipaa/court-order-right-of-access/index.html. Any provision within this guidance that has been vacated by the Ciox Health decision is rescinded.)
16. 45 C.F.R. § 164.512(e).
17. 45 C.F.R. § 164.512(f)(3).
18. 45 C.F.R. § 164.512(j).
19. 45 C.F.R. § 164.500 et seq.
20. 45 C.F.R. §§ 164.404, 164.406, 164.408, 164.410.
21. Xtelligent Healthcare Media, CT Supreme Court Rules Patients Can Sue Over PHI Disclosure.
26. 45 C.F.R. § 164.402.
27. U.S. Department of Health and Human Services, Do the HIPAA Rules allow a covered entity or business associate to use a CSP that stores ePHI on servers outside of the United States? (Oct. 6, 2016), available at https://www.hhs.gov/hipaa/for-professionals/faq/2083/do-the-hipaa-rules-allow-a-covered-entity-or-business-associate-to-use-a-csp-that-stores-ephi-on-servers-outside-of-the-united-states/index.html.
28. Deven McGraw, et al., Business Associate Compliance With HIPAA: Findings From a Survey of Covered Entities and Business Associates.
29. HHS Office of Inspector General, Memorandum Report: Offshore Outsourcing of Administrative Functions by State Medicaid Agencies, OEI-09-12-00539 (Apr. 11, 2014) available at https://oig.hhs.gov/oei/reports/oei-09-12-00530.pdf.
30. The American Recovery and Reinvestment Act of 2009 (ARRA), Pub. L. 111-5, 123 Stat 115 §13410(e) (February 17, 2009).
31. State of Indiana et al. v. Medical Informatics Engineering, Inc. et al. (3:18-cv-009696).
32. Multi-state Action Results in $900,000 Financial Penalty for Medical Informatics Engineering, HIPAA Journal (May 28, 2019), available at https://www.hipaajournal.com/multi-state-action-results-in-900000-financial-penalty-for-medical-informatics-engineering/.
33. United States Attorney's Office, District of Massachusetts, Springfield Doctor Convicted by Jury of Illegally Sharing Patient Medical Files (Apr 30, 2018), available at https://www.justice.gov/usao-ma/pr/springfield-doctor-convicted-jury-illegally-sharing-patient-medical-files.
34. U.S. Department of Health and Human Services, OCR Concludes All-Time Record Year for HIPAA Enforcement with $3 Million Cottage Health Settlement (Feb. 7, 2019), available at https://www.hhs.gov/about/news/2019/02/07/ocr-concludes-all-time-record-year-for-hipaa-enforcement-with-3-million-cottage-health-settlement.html.
35. OCR Issues Guidance on Covered Health Care Providers and Restrictions to Media Access to Protected Health Information about Individuals in Their Facilities, May 5, 2020 available at https://www.hhs.gov/about/news/2020/05/05/ocr-issues-guidance-covered-health-care-poviders-restrictions-media-access-protected-health-information-individuals-facilities.html.
36. OCR Settles First Case in HIPAA Right of Access Initiative, September 9, 2019 available at https://www.hhs.gov/about/news/2019/09/09/ocr-settles-first-case-hipaa-right-access-initiative.html
37. 45 C.F.R. § 164.524(b)(2).
38. OCR Settles Eighth Investigation in HIPAA Right of Access Initiative, October 7, 2020, available at https://www.hhs.gov/about/news/2020/10/07/ocr-settles-eighth-investigation-hipaa-right-access-initiative.html
39. U.S. Department of Health and Human Services, State Attorneys General (Dec. 21, 2017), available at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/state-attorneys-general/index.html (“The Health Information Technology for Clinical and Economic Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, gave State Attorneys General the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules. The HITECH Act permits State Attorneys General to obtain damages on behalf of state residents or to enjoin further violations of the HIPAA Privacy and Security Rules.”).
40. 45 C.F.R. § 160.203.
42. Massachusetts General Law Part I, Title XVI, Chapter 111 §70.
43. U.S. Department of Health and Human Services, Health Information Technology (last visited July 26, 2019), available at https://www.hhs.gov/hipaa/for-professionals/faq/health-information-technology/index.html.
45. U.S. Department of Health and Human Services, What is the U.S. Opioid Epidemic? (Jan. 22, 2019), available at https://www.hhs.gov/opioids/about-the-epidemic/index.html.
46. 45 C.F.R. § 164.510(b)(3).
48. 45 C.F.R. § 164.512(j).
49. HHS Office of Civil Rights, How HIPAA Allows Doctors to Respond to the Opioid Crisis (last visited July 26, 2019), available at https://www.hhs.gov/sites/default/files/hipaa-opioid-crisis.pd
1.1. Issuing body
The U.S. Department of Health and Human Services ('HHS') is an executive department of the U.S. federal government, seeking to enhance and protect the health and well-being of American citizens by providing for effective health and human services and fostering advances in medicine, public health, and social services.
This Guidance Note provides an overview of the Health Insurance Portability and Accountability Act of 1996 Privacy and Security Rules ('the Privacy and Security Rules').
1.2. Foundations and purpose
HHS issued the Privacy Rule in 2000 and the Security Rule in 2003, seeking to complement HIPAA by setting national standards for the protection of individually identifiable health information and for the protection of the confidentiality, integrity, and availability of electronic protected health information ('EPHI'), respectively.
The Privacy Rule addresses the use and disclosure of protected health information ('PHI') by covered entities, as well as standards for individuals' privacy rights to understand and control how their health information is used. The Privacy Rule is enforced by the Office for Civil Rights ('OCR') through voluntary compliance activities and civil money penalties. According to the OCR, the Privacy Rule assures that PHI is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well-being. The Privacy Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing.
The Security Rule was established to create a national set of security standards for PHI that is held or transferred in electronic form. Furthermore, the Security Rule operationalises the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that covered entities must put in place to secure individuals' EPHI. Similar to the Privacy Rule, the OCR is responsible for enforcing the Security Rule with voluntary compliance activities and civil money penalties. According to the OCR, a major goal of the Security Rule is to protect the privacy of PHI while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care.
1.3. Compliance benefits
Compliance with the Privacy and Security Rules is mandatory, not voluntary, and any failure to comply may result in enforcement action by HHS. As originally promulgated, HHS could impose civil money penalties on a covered entity of $100 per failure to comply with a Privacy or Security Rule requirement, capped at $25,000 per calendar year for multiple violations of the identical requirement. The HITECH Act later replaced this with a tiered penalty structure carrying substantially higher per-violation and annual maximums, so the original figures should not be relied on as current limits. HHS may not impose a civil money penalty in specific circumstances, such as when a violation is due to reasonable cause, did not involve wilful neglect, and the covered entity corrected the violation within 30 days of when it knew or should have known of the violation.
1.4. Related legislation, frameworks, standards, and supplemental resources
In addition to the Privacy and Security Rules, the following form part of the HIPAA framework:
- the Health Information Technology for Economic and Clinical Health Act ('the HITECH Act'), enacted by Congress as part of the American Recovery and Reinvestment Act of 2009, which expands the scope of HIPAA protections by increasing potential liability for non-compliance and providing for more stringent enforcement;
- the Omnibus HIPAA Rulemaking, issued by HHS in 2013, which implements a number of provisions of the HITECH Act to strengthen the privacy and security protections for health information established under HIPAA; and
- the Breach Notification Rule, issued by HHS, which requires covered entities and their business associates to provide notification following a breach of unsecured protected health information.
2. SCOPE OF APPLICATION
The Privacy Rule applies to health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA. The Privacy Rule protects PHI, which is all individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. PHI excludes employment records that a covered entity maintains in its capacity as an employer, as well as education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act of 1974.
One of the purposes of the Privacy Rule is to define and limit the circumstances in which an individual's PHI may be used or disclosed by covered entities. As a result, under the Privacy Rule a covered entity may not use or disclose protected health information, except either:
- as the Privacy Rule permits or requires; or
- where the individual who is the subject of the information (or the individual's personal representative) authorises in writing.
A covered entity must disclose PHI in only two situations:
- to individuals (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information; and
- to HHS when it is undertaking a compliance investigation or review or enforcement action.
Like the Privacy Rule, the Security Rule applies to covered entities (covered health care providers, health plans, health care clearinghouses and Medicare Prescription Drug Card Sponsors) and, since the HITECH Act, directly to their business associates. The Security Rule sets the standards for ensuring that only those who should have access to ePHI actually have it, and differs from the Privacy Rule in that it covers only PHI in electronic form, whether created, received, maintained or transmitted. As expected, the Security Rule provides far more comprehensive security requirements and a level of detail not found in the Privacy Rule.
According to the Security Rule, security standards are divided into the categories of administrative, physical, and technical safeguards. In addition to such safeguards, the Security Rule contains various standards and implementation specifications that address organisational requirements, as well as policies and procedures and documentation requirements.
3. KEY DEFINITIONS | BASIC CONCEPTS
Access: the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.
Administrative safeguards: administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's or business associate's workforce in relation to the protection of that information.
Authentication: the corroboration that a person is the one claimed.
Confidentiality: the property that data or information is not made available or disclosed to unauthorized persons or processes.
Covered entity: A health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.
Encryption: the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.
Health care: care, services, or supplies related to the health of an individual.
Health care clearinghouse: a public or private entity, including a billing service, repricing company, community health management information system or community health information system, and 'value-added' networks and switches, that does either of the following functions: (1) processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction; (2) receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.
Health care provider: a provider of services, a provider of medical or health services and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.
Health information: any information, including genetic information, whether oral or recorded in any form or medium, that: (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
Health plan: an individual or group plan that provides, or pays the cost of, medical care.
Information system: an interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.
Physical safeguards: physical measures, policies, and procedures to protect a covered entity's or business associate's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.
Protected health information: individually identifiable health information, that is: (i) transmitted by electronic media; (ii) maintained in electronic media; or (iii) transmitted or maintained in any other form or medium.
Security or Security measures: encompass all of the administrative, physical, and technical safeguards in an information system.
Security incident: the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
Standard: means a rule, condition, or requirement: (1) describing the following information for products, systems, services, or practices: (i) classification of components; (ii) specification of materials, performance, or operations; or (iii) delineation of procedures; or (2) with respect to the privacy of protected health information.
Technical safeguards: the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.
User: a person or entity with authorized access.
Workstation: an electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment.
4. DATA PROCESSING
Under the Privacy Rule, a covered entity is permitted, but not required, to use and disclose PHI, without an individual’s authorisation, for the following purposes or situations:
- to the individual: a covered entity may disclose protected health information to the individual who is the subject of the information (disclosure is mandatory, not merely permitted, where the individual exercises the right of access or the right to an accounting of disclosures);
- for treatment, payment, and health care operations: a covered entity may use and disclose protected health information for its own treatment, payment, and health care operations activities. A covered entity also may disclose PHI for the treatment activities of any health care provider, the payment activities of another covered entity and of any health care provider, or the health care operations of another covered entity involving either quality or competency assurance activities or fraud and abuse detection and compliance activities, if both covered entities have or had a relationship with the individual and the PHI pertains to the relationship;
- for uses and disclosures with opportunity to agree or object: Informal permission may be obtained by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, acquiesce, or object. Where the individual is incapacitated, in an emergency situation, or not available, covered entities generally may make such uses and disclosures, if in the exercise of their professional judgment, the use or disclosure is determined to be in the best interests of the individual;
- incident to an otherwise permitted use and disclosure: the Privacy Rule does not require that every risk of an incidental use or disclosure of PHI be eliminated. A use or disclosure that occurs as a result of, or as 'incident to', an otherwise permitted use or disclosure is permitted as long as the covered entity has adopted reasonable safeguards as required by the Privacy Rule and the information shared was limited to the 'minimum necessary';
- in the name of public interest and benefit activities: use and disclosure of PHI is permitted without an individual's authorisation for 12 national priority purposes. These disclosures are permitted, although not required, by the Privacy Rule in recognition of the important uses made of health information outside of the health care context. Specific conditions or limitations apply to each public interest purpose, striking the balance between the individual privacy interest and the public interest need for this information; and
- under a limited data set: A limited data set is PHI from which certain specified direct identifiers of individuals and their relatives, household members, and employers have been removed. A limited data set may be used and disclosed for research, health care operations, and public health purposes, provided the recipient enters into a data use agreement promising specified safeguards for the PHI within the limited data set.
In addition, covered entities must obtain the individual's written authorisation for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule. A covered entity may not condition treatment, payment, enrolment, or benefits eligibility on an individual granting an authorisation, except in limited circumstances. Such an authorisation must be written in specific terms, which may allow use and disclosure of PHI by the covered entity seeking the authorisation, or by a third-party and must be in plain language, and contain specific information regarding the information to be disclosed or used, the persons disclosing and receiving the information, expiration, right to revoke in writing, and other data.
Authorisations and exceptions for marketing activities
For marketing-related activities, a covered entity must obtain an authorisation to use or disclose PHI, except for face-to-face marketing communications between a covered entity and an individual, and for a covered entity’s provision of promotional gifts of nominal value. No authorisation is needed, however, to make a communication that falls within one of the exceptions to the marketing definition, such as communications to describe health-related products or services, or payment for them, provided by or included in a benefit plan of the covered entity making the communication or communications for the treatment of individuals. An authorisation for marketing that involves the covered entity’s receipt of direct or indirect remuneration from a third party must reveal that fact.
Furthermore, in relation to data minimisation, covered entities must make reasonable efforts to use, disclose, and request only the minimum amount of PHI needed to accomplish the intended purpose of the use, disclosure, or request. A covered entity must develop and implement policies and procedures that reasonably limit uses and disclosures to the minimum necessary and, for information used internally, that restrict access to and use of PHI based on the specific roles of the members of its workforce.
Finally, covered entities must provide a privacy notice of their practices which must include certain elements:
- describe the ways in which the covered entity may use and disclose protected health information;
- state the covered entity's duties to protect privacy, provide a notice of privacy practices, and abide by the terms of the current notice;
- describe individuals' rights, including the right to complain to HHS and to the covered entity if they believe their privacy rights have been violated; and
- include a point of contact for further information and for making complaints to the covered entity.
Under the Security Rule, covered entities and business associates must:
- ensure the confidentiality, integrity, and availability of all EPHI the covered entity or business associate creates, receives, maintains, or transmits;
- protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
- protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required; and
- ensure compliance with requirements by its workforce.
5. MANAGEMENT SYSTEM
Policies and procedures
Covered entities must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule. Such policies and procedures must be reasonably designed, taking into account the size of the covered entity and the type of activities relating to PHI it undertakes, to ensure compliance, and must be changed as necessary to comply with changes in law and implementation specifications. Whenever a change in law necessitates a change to the covered entity's policies or procedures, the covered entity must promptly document and implement the revised policy or procedure.
Roles and responsibilities
A covered entity must also designate a privacy official responsible for the development and implementation of its policies and procedures, as well as a contact person or office responsible for receiving complaints and able to provide further information about matters covered by the notice of privacy practices for PHI.
Awareness and training
Covered entities must also train all members of their workforce on the policies and procedures with respect to PHI, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.
Under the Security Rule, security standards that must be implemented by covered entities are divided into the categories of administrative, physical, and technical safeguards.
The administrative safeguards are functions that should be implemented to meet the security standards and include assignment or delegation of security responsibility to an individual and security training requirements. According to the administrative standards, covered entities must have in place processes to prevent, detect, contain, and correct security violations, as well as follow these necessary steps:
- risk analysis, by conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate;
- risk management, by implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level;
- sanction policy, by applying appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate; and
- information system activity review, by implementing procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
Other relevant processes under the administrative safeguards include implementation of procedures for the authorisation and/or supervision of workforce members who work with EPHI or in locations where it might be accessed, isolating health care clearinghouse functions and establishing (and implementing as needed) policies and procedures for responding to an emergency or other occurrence.
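The information system activity review required by the administrative safeguards, shown as an added example that is not part of this guidance note: it parses a constructed ePHI access audit trail and applies three assumed review rules (access to a patient outside the user's care-team roster, access outside an assumed 07:00 to 19:00 working window, and many distinct patients touched within five minutes, which is what a bulk export or a snooping run looks like). The log format, the roster, the window and the thresholds are all assumptions for illustration, not requirements of the Security Rule.

```python
"""
Added example, not part of the guidance note: an information-system
activity review run over constructed ePHI access audit records. The log
format, care-team roster, working-hours window and review rules are
assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail: timestamp,user,role,patient_id,action
SAMPLE_LOG = """\
2024-03-04T09:12:03,dr.patel,physician,P1001,view
2024-03-04T09:14:40,dr.patel,physician,P1001,update
2024-03-04T10:02:11,nurse.kim,nurse,P1002,view
2024-03-04T23:41:07,nurse.kim,nurse,P1001,view
2024-03-05T08:00:01,clerk.ross,billing,P1003,view
2024-03-05T08:00:05,clerk.ross,billing,P1004,view
2024-03-05T08:00:09,clerk.ross,billing,P1005,view
2024-03-05T08:00:12,clerk.ross,billing,P1006,view
2024-03-05T08:00:15,clerk.ross,billing,P1007,view
2024-03-05T08:00:19,clerk.ross,billing,P1008,view
2024-03-05T11:30:00,dr.patel,physician,P1009,view
"""

# Constructed roster: patients each workforce member currently has a
# treatment, payment or operations relationship with.
CARE_TEAM = {
    "dr.patel": {"P1001", "P1002"},
    "nurse.kim": {"P1001", "P1002"},
    "clerk.ross": {"P1003", "P1004", "P1005"},
}


def parse_log(text):
    """Parse the constructed CSV audit format into dicts with datetime stamps."""
    records = []
    for line in text.strip().splitlines():
        ts, user, role, patient, action = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "role": role, "patient": patient, "action": action})
    return records


def review_activity(records, care_team, workday=(7, 19),
                    bulk_window=timedelta(minutes=5), bulk_threshold=5):
    """Return review findings; each names the rule, the user and the evidence."""
    findings = []
    by_user = defaultdict(list)
    for r in records:
        # Rule 1: access to a patient outside the user's roster.
        if r["patient"] not in care_team.get(r["user"], set()):
            findings.append({"rule": "no_treatment_relationship", "user": r["user"],
                             "patient": r["patient"], "ts": r["ts"].isoformat()})
        # Rule 2: access outside the assumed working-hours window.
        if not workday[0] <= r["ts"].hour < workday[1]:
            findings.append({"rule": "after_hours", "user": r["user"],
                             "patient": r["patient"], "ts": r["ts"].isoformat()})
        by_user[r["user"]].append(r)
    # Rule 3: many distinct patients touched in a short window (possible bulk export).
    for user, recs in by_user.items():
        recs.sort(key=lambda x: x["ts"])
        for i, start in enumerate(recs):
            window = [x for x in recs[i:] if x["ts"] - start["ts"] <= bulk_window]
            touched = {x["patient"] for x in window}
            if len(touched) >= bulk_threshold:
                findings.append({"rule": "bulk_access", "user": user,
                                 "count": len(touched), "ts": start["ts"].isoformat()})
                break  # one bulk finding per user per review run is enough
    return findings


if __name__ == "__main__":
    for finding in review_activity(parse_log(SAMPLE_LOG), CARE_TEAM):
        print(finding)
```

Each finding is a record to be triaged, not a conclusion: a roster miss may be a legitimate covering physician, and the review procedure should document how such findings are closed, since the closed findings are themselves part of the activity-review record the Rule expects to be retained.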
6. DATA SECURITY
For more information on safeguards please refer to section 5.
Under their physical safeguards obligations, covered entities must:
- implement policies and procedures to limit physical access to their electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorised access is allowed;
- specify the proper functions to be performed by electronic computing devices as inappropriate use of computer workstations can expose a covered entity to risks, such as virus attacks, compromises of information systems and breaches of confidentiality;
- implement physical safeguards for all workstations that access EPHI, to restrict access to authorised users; and
- implement policies and procedures that govern the receipt and removal of hardware and electronic media containing EPHI into and out of a facility, and the movement of these items within the facility, as well as the removal of EPHI from electronic media before the media are made available for re-use.
Finally, in order to reduce risks to EPHI, covered entities must implement the following technical safeguards:
- access control, by establishing technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights;
- audit controls, by establishing hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use EPHI;
- integrity, by creating policies and procedures to protect electronic protected health information from improper alteration or destruction;
- person or entity authentication, by having procedures to verify that a person or entity seeking access to EPHI is the one claimed; and
- transmission security, by technical security measures to guard against unauthorised access to electronic protected health information that is being transmitted over an electronic communications network.
7. ACCOUNTABILITY AND RECORDKEEPING
A covered entity must maintain, until six years after the later of the date of their creation or last effective date:
- its privacy policies and procedures;
- its privacy practices notices;
- its personnel designations;
- all complaints it received, and their disposition, if any; and
- any sanctions against members of its workforce who fail to comply with the privacy policies and procedures.
In addition, the Privacy Rule provides individuals with a right to an accounting, under which they may request and receive an accounting of disclosures of PHI made by a covered entity in the six years prior to the date on which the accounting is requested. Certain exemptions apply to this right, including when the disclosures were:
- for treatment, payment, or health care operations;
- to the individual or the individual's personal representative;
- for notification of or to persons involved in an individual's health care or payment for health care, for disaster relief, or for facility directories;
- pursuant to an authorisation;
- for a limited data set;
- for national security or intelligence purposes;
- to correctional institutions or law enforcement officials for certain purposes regarding inmates or individuals in lawful custody; or
- incident to otherwise permitted or required uses or disclosures.
Under the Security Rule, covered entities must have contracts or other arrangements with business associates that will have access to a covered entity's EPHI. Such contracts must provide that the business associate will:
- implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the EPHI that it creates, receives, maintains, or transmits on behalf of the covered entity;
- ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it;
- report to the covered entity any security incident of which it becomes aware; and
- authorise termination of the contract by the covered entity if the covered entity determines that the business associate has violated a material term of the contract.
Furthermore, a group health plan is required to ensure that its plan documents require the plan sponsor to reasonably and appropriately safeguard EPHI that it creates, receives, maintains or transmits on behalf of the group health plan.
Under the documentation standard, covered entities are required to:
- maintain the policies and procedures implemented to comply with the Security Rule; and
- if an action, activity or assessment is required to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.
Such documentation must be:
- retained for six years from the date of its creation or the date when it last was in effect, whichever is later;
- made available to those persons responsible for implementing the procedures to which the documentation pertains; and
- reviewed periodically, and updated as needed, in response to environmental or operational changes affecting the security of the EPHI.
8. DATA SUBJECT RIGHTS
Individuals have the following rights under the Privacy Rule:
- the right to be provided by covered entities with a privacy notice;
- the right to review and obtain a copy of their PHI in a covered entity’s designated record set (right of access);
- the right to have covered entities amend their protected health information in a designated record set when that information is inaccurate or incomplete (right to amendment);
- the right to an accounting of the disclosures of their PHI by a covered entity or the covered entity’s business associates (right to disclosure accounting); and
- the right to request that a covered entity restrict use or disclosure of protected health information for treatment, payment or health care operations, disclosure to persons involved in the individual’s health care or payment for health care, or disclosure to notify family members or others about the individual's general condition, location, or death (right to restriction request).
9. CROSS-BORDER DATA TRANSFERS AND LOCALISATION
For more information on disclosure of information, please refer to section 4.
10. VENDOR MANAGEMENT
When a covered entity uses a contractor or other non-workforce member to perform business associate services or activities, the Privacy Rule requires that the covered entity include certain protections for the information in a business associate agreement (in certain circumstances governmental entities may use alternative means to achieve the same protections). In the business associate contract, a covered entity must impose specified written safeguards on the individually identifiable health information used or disclosed by its business associates. Moreover, a covered entity may not contractually authorise its business associate to make any use or disclosure of protected health information that would violate the Privacy Rule.
A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances that the business associate will appropriately safeguard the information. In addition, a business associate may permit another business associate that is a subcontractor to create, receive, maintain, or transmit EPHI on its behalf only if the business associate obtains satisfactory assurances that the subcontractor will appropriately safeguard the information.
The contract between a covered entity and a business associate must provide that the business associate will:
- ensure that any subcontractors that create, receive, maintain, or transmit EPHI on behalf of the business associate agree to comply with the applicable requirements; and
- report to the covered entity any security incident of which it becomes aware, including breaches of unsecured PHI.
11. INCIDENT AND BREACH
The Privacy and Security Rules do not provide details on incident and breach notification requirements. For general HIPAA-related requirements and more information on the Breach Enforcement Rule, please refer to OneTrust DataGuidance's Scope of HIPAA Guidance Note.
12. PRIVACY BY DESIGN
13. ADDITIONAL REQUIREMENTS
The Health Insurance Portability and Accountability Act of 1996 ('HIPAA') regulates the use of personal health information at a federal level in the US. The U.S. Department of Health & Human Services' Office for Civil Rights ('HHS OCR') has issued various rules under HIPAA, including the Privacy Rule, the Security Rule and the Enforcement Rule, all codified under Parts 160, 162 and 164 of Title 45 of the Code of Federal Regulations ('45 CFR'). This Guidance Note provides an overview of the Enforcement Rule, which is found under 45 CFR Part 160, Subparts C, D, and E.
HIPAA provides covered entities ('CE') and business associates ('BA') with significant benefits when adhering to its compulsory requirements; these include increasing patient trust, following best practices as provided by the U.S. Department of Health and Human Services ('HHS'), and creating a more proactive data protection environment in the organisation.
A violation of HIPAA may lead to potentially significant penalties from OCR enforcement actions as well as actions by state Attorneys General ('AGs'), as highlighted under HHS, State Attorneys General (12 December 2017). Moreover, the OCR works in conjunction with the U.S. Department of Justice in cases where there might be possible criminal violations of HIPAA, as per the OCR Enforcement Process. On top of this, CEs and BAs may face additional penalties if the incident that constitutes a HIPAA violation also constitutes a violation of a stricter state law.
Please note that this section constitutes a short summary of the scope of HIPAA and its Rules. For more detailed information, please refer to OneTrust DataGuidance's Scope of HIPAA and HIPAA Privacy and Security Rules Guidance Notes.
HIPAA regulates information that must fit within very specific definitions set forth in the HIPAA Rules before it qualifies for HIPAA protection and subjects those that use or disclose it to HIPAA's requirements. Consequently, only protected health information ('PHI') qualifies for HIPAA protection, so understanding the elements of this definition is key to understanding if HIPAA applies. HIPAA's protections apply to health information that is individually identifiable and that is created, received, maintained, or transmitted by a CE or BA and their subcontractors, including protected health information that is created or received by or on behalf of the health care component of the CE (45 CFR 164.105(2)(C)).
A CE refers to a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction covered under HIPAA (45 CFR 160.103).
A BA, by contrast, refers to one of the following (45 CFR 160.103):
- a health information organisation, e-prescribing gateway, or other person that provides data transmission services with respect to PHI to a CE and that requires access on a routine basis to such protected health information;
- a person that offers a personal health record to one or more individuals on behalf of a CE; or
- a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.
HIPAA preempts any state law that is contrary to its provisions or provides individuals with fewer rights to access their PHI. However, HIPAA does not preempt any state law that provides greater protection or rights than HIPAA (45 CFR 160.203). This means that the same action may violate both HIPAA and the stricter state law.
Under 45 CFR 160.310, both CEs and BAs are required to:
- provide records and compliance reports;
- cooperate with complaint investigations and compliance reviews; and
- permit access to information.
3. SUPERVISORY AUTHORITY
The OCR is the main entity that is authorised to bring enforcement actions under HIPAA. The Health Information Technology for Economic and Clinical Health Act ('HITECH Act') was enacted in 2009 as a means to expand the scope of HIPAA protections by increasing potential liability for non-compliance and to expand the use of health information technology, specifically the use of electronic health records by healthcare providers. As a result, HITECH gives state AGs the authority to bring civil actions on behalf of state residents for violations of HIPAA, in order to obtain damages on behalf of state residents or to enjoin further violations of HIPAA.
If a CE or BA (including a subcontractor BA) violates a direct regulatory requirement, then it may be subject to civil penalties and, in some cases, criminal penalties. The OCR may impose civil monetary penalties, with minimum and maximum amounts varying based on the level of knowledge and culpability (45 CFR 160.404):
- $119 to $59,522 - the CE or BA did not know and by exercising reasonable diligence, would not have known of the violation ('no knowledge');
- $1,191 to $59,522 - the violation was due to reasonable cause and not to wilful neglect ('reasonable cause');
- $11,904 to $59,522 - the violation was due to wilful neglect and was corrected during the 30-day period beginning on the first date the entity knew, or, by exercising reasonable diligence, would have known that the violation occurred ('wilful neglect - corrected'); or
- $59,522 to $1,785,651 - the violation was due to wilful neglect and was not corrected during the 30-day period beginning on the first date the CE or BA knew, or by exercising reasonable diligence, would have known that the violation occurred ('wilful neglect - not corrected').
The value of these fines is adjusted annually in accordance with the Federal Civil Penalties Inflation Adjustment Act of 1990 (as amended in 2015) (Section 701 of Pub. L. 114-74). The updated amounts are published annually at 45 CFR Part 102.
45 CFR 160.402(a) notes that, subject to the defences under 45 CFR 160.410, the Secretary of HHS ('the Secretary') will impose a civil money penalty upon a CE or BA if the Secretary determines that the CE or BA has violated an administrative simplification provision.
45 CFR 160.402(c)(1) and (2) highlight that a CE or BA is liable, in accordance with the Federal common law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the CE or BA, including a workforce member or subcontractor, acting within the scope of the agency.
In addition to the powers of the OCR, CEs and BAs may face additional penalties if the incident that constitutes a HIPAA violation also constitutes a violation of a stricter state law.
4. DATA BREACH NOTIFICATION AND DISCLOSURE
Please note that this section provides a short summary on data breach notification under HIPAA; for further information, please see OneTrust DataGuidance's USA - HIPAA - Data Breach Notification Guidance Note.
An acquisition, access, use, or disclosure of PHI that the HIPAA Rules prohibit is generally deemed to be a breach, triggering various notification and reporting requirements (45 CFR 164.404, 164.406, 164.408, 164.410) and potentially leading to federal and/or state government enforcement actions and civil monetary or criminal penalties. However, HIPAA provides no right for an individual to sue under HIPAA for alleged damages stemming from a breach of HIPAA. It may be possible, however, for an individual to sue for damages resulting from a HIPAA breach under a tort theory such as negligence, invasion of privacy, or defamation, where HIPAA requirements may be used as a standard for 'best practices' in support of the tort case (Byrne v. Avery Center for Obstetrics & Gynecology, P.C. (SC 19873)).
The CE, BA or subcontractor, as applicable, may determine that an impermissible disclosure of PHI is not a breach if it demonstrates there is a low probability the PHI was compromised, based on a risk assessment of at least the following four factors (45 CFR 164.402):
- the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- the unauthorised person who used the PHI or to whom the disclosure was made;
- whether the PHI was actually acquired or viewed; and
- the extent to which the risk to the PHI has been mitigated.
As discussed above, a BA or subcontractor is only permitted to use or disclose PHI as set forth in its business associate or subcontractor agreement (or as is required by law), so a use or disclosure that might be permitted by a CE, but that is not expressly granted in the BA or subcontractor agreement would likely constitute a breach.
A person who believes a CE is not complying with a requirement of the Privacy Rule may file with OCR a written complaint, either on paper or electronically. This complaint must be filed within 180 days of when the complainant knew or should have known that the act had occurred. The Secretary may waive this 180-day time limit if good cause is shown (45 CFR 160.306 and 164.534).
Finally, individuals have a right to file a complaint directly with the CE. Moreover, HHS notes that individuals should refer to the CE's notice of privacy practices for more information about how to file a complaint with the CE.