While most people know HIPAA for compliance, those standards were derived as part of the HIPAA Privacy Rule. This rule was designed to protect the medical records and other personal health information of individuals.
Who does the privacy rule apply to?
This rule applies to anyone handling and transmitting healthcare information. That includes healthcare clearinghouses, health plans, healthcare providers, individuals, organizations, institutions, research facilities and government agencies. In 2013, the Omnibus Rule extended this to business associates, including IT contractors, accountants, attorneys and cloud service providers.
If the rules are broken, what happens?
Any covered entity must have physical, technical and administrative policies in place for protected health information (PH). Extensive fines come with breaking those rules. For noncriminal violations, it could range from $100 to $50,000 per violation “of the same provision.” Civil penalties may also result, as well as criminal.
What are the mandated provisions of the rule?
All technology and policies associated with the use of that technology in protecting ePHI, control and access to it. This includes access (reading, writing, modifying and communicating data). These controls must have unique identifiers for users, automatic logoffs and procedures for emergencies. How the system records and examines the epHI, and all policies and procedures for protecting the data for altering or destroying the data in a manner that is unauthorized.
This relates to any physical policies, procedures and physical measures for protecting electronic information systems and all equipment and buildings from natural hazards and unauthorized intrusion. This includes access control of the facility; what occurs at employee workstations; and the removal of hardware and electronic media that contains ePHI in and out of the facility.
Any administrative policies, procedures and actions that help manage the selection, implementation, development and maintenance in protecting the ePHI and employee conduct. This includes all security management processes; responsibility and assigned security; and workforce security; contingency plans; and incident procedures.