The Four HIPAA Compliance Rules
There are four HIPAA security rules that further define how covered entities and business associates safeguard protected health information (PHI). The four rules are:
- HIPAA Privacy Rule
- HIPAA Security Rule
- HIPAA Enforcement Rule
- HIPAA Breach Notification Rule
In the normal course of business operations, only the first three rules apply to covered entities and their associates who have signed business associate agreements. The last rule comes into play only when HIPAA violations occur or websites are breached and there's a risk that PHI has been compromised.
HIPAA solutions come in many shapes and sizes. From a simple online pharmacy to a complex doctor-patient portal to a mobile application, they all need to act in a HIPAA-compliant manner regarding PHI.
1. Privacy Rule Considerations
In addition to all of the privacy protection mentioned above, care providers must consider other patient PHI privacy concerns. For instance, they can share information with authorized individuals such as family members in certain circumstances, for example when the patient is mentally incapacitated or is a minor.
Generally, the rules that make sure a website is HIPAA compliant prevent healthcare providers from sharing or exposing confidential information in electronic, written, and oral forms. This means that those in the healthcare industry have a duty of confidentiality even when discussing health records over the phone, where they could be overheard by unauthorized people.
In some cases, outside service providers may need access to information to provide medical services, so these cases are exempted from privacy restrictions. The Privacy Rule applies to computer information about patients, conversations between doctors and medical staff, billing information, medical charts, and prescription information.
2. Security Rule Considerations
National standards of security protect the information in healthcare organization databases, eCommerce customer lists where medical records are part of the database, medical clearinghouses, pharmacies, health insurance companies, and other care providers and business associates.
The HIPAA Security Rule has three components: technical safeguards, administrative safeguards, and physical safeguards. Some of the major points to cover when working through a HIPAA Security Rule checklist include, but aren't limited to, the following:
- Performing periodic risk analysis to determine physical and digital vulnerabilities of PHI.
- Reducing risks to acceptable levels.
- Regularly reviewing system activities, digital logs, and audit trails.
- Authorizing and supervising the employees who have access to PHI.
- Protecting PHI from unauthorized parent companies, subcontractors, and partner organizations.
- Sending regular updates to staff members about security issues and training employees to recognize malware and other virtual and real-world threats.
- Implementing a system of access controls.
- Providing encryption and decryption tools, especially when you transmit PHI.
- Facilitating safeguards like automatic logoffs.
- Establishing mandatory policies for using workstations and mobile devices.
3. Enforcement Rule Considerations
The HIPAA Enforcement Rule mostly concerns penalties and investigations when companies are found to be non-compliant, but eCommerce companies do have some enforcement responsibilities through the administrative section of the Security Rule. These include getting authorization forms for disclosing information to third-party sources, providing customers with a Notice of Privacy Practices, and getting partners to sign a business associate agreement (BAA) to acknowledge their responsibilities under HIPAA.
4. Breach Notification Rule Considerations
Breaches occur when unauthorized people gain access to protected health information in some manner that's not permitted under the HIPAA Privacy Rule. These breaches include unauthorized access to physical areas, inadvertent disclosures, stolen or misplaced documents, and digital hacks. If the HIPAA Breach Notification Rule is violated, covered entities must:
- Determine if PHI is compromised.
- Assess the type and amount of data involved.
- Find out who used the PHI illegally or to whom information was disclosed.
- Chronicle steps taken to mitigate the breach.
- Ascertain if the breach was closed or information returned before being used.
- Determine whether the breach occurred inadvertently under a covered entity's or business associate's authority.
- Send notices of breach incidents to each patient's last known address by First Class mail or email if electronic notifications are authorized.
- If the Breach Notification Rule is broken, write notices in easy-to-understand language and include a summary of how the situation occurred, the date of exposure, and other relevant details.