Health Insurance Portability and Accountability Act (HIPAA)
- Lawfulness, Fairness, and Non-Discrimination
- Transparency and Free Access
- Purpose Specification, Use Limitation, and Suitability
- Data Minimization, Storage Limitation and Accuracy
- Security and Prevention
- Accountability and Record Keeping
- Data Protection Officer
- Data Subject Rights
- Vendor Management
- Incident and Breach
The Health Information Technology for Economic and Clinical Health (HITECH) Act, was signed into law on February 17, 2009. HITCH builds on the privacy and security provisions of HIPAA by strengthening the civil and criminal enforcement of the HIPAA rules and mandating certain breach notification requirements.
Who is covered by the Privacy and Security Rules?
The Privacy Rule, and Security Rule, apply to health plans, health care clearinghouses, and to any health care provider (including business associates) who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”).
What information is covered?
Privacy Rule: Protected Health Information (PHI) — all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
Security Rule: Electronic Protected Health Information (e-PHI) applies to all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form. The Security Rules does not apply to PHI transmitted orally or in writing.
The Standards for Privacy of Individually Identifiable Health Information (HIPAA Privacy Rule, 45 C.F.R. Parts 160 and 164)
The Security Standards for the Protection of Electronic Protected Health Information (HIPAA Security Rule, 45 C.F.R. 160 and 164
Lawfulness, Fairness, and Non-Discrimination
Under the Privacy Rule a covered entity may not use or disclose protected health information, except either: (1) as the Privacy Rule permits or requires; or (2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.
Transparency and Free Access
Each covered entity, with certain exceptions, must provide a notice of its privacy practices. The Privacy Rule requires that the notice contain certain elements. The notice must describe the ways in which the covered entity may use and disclose protected health information. The notice must state the covered entity’s duties to protect privacy, provide a notice of privacy practices, and abide by the terms of the current notice. The notice must describe individuals’ rights, including the right to complain to HHS and to the covered entity if they believe their privacy rights have been violated. The notice must include a point of contact for further information and for making complaints to the covered entity.
Purpose Specification, Use Limitation, and Suitability
A covered entity is permitted, but not required, to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations:
- To the Individual (unless required for access or accounting of disclosures);
- Treatment, Payment, and Health Care Operations;
- Opportunity to Agree or Object;
- Incident to an otherwise permitted use and disclosure;
- Public Interest and Benefit Activities; and
- Limited Data Set for the purposes of research, public health or health care operations.
Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make.
Data Minimization, Storage Limitation and Accuracy
A central aspect of the Privacy Rule is the principle of “minimum necessary” use and disclosure. A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request. A covered entity must develop and implement policies and procedures to reasonably limit uses and disclosures to the minimum necessary. When the minimum necessary standard applies to a use or disclosure, a covered entity may not use, disclose, or request the entire medical record for a particular purpose, unless it can specifically justify the whole record as the amount reasonably needed for the purpose.
Security and Prevention
A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule and Security Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure.
Accountability and Record Keeping
Under the Privacy Rule, a covered entity must maintain, until six years after the later of the date of their creation or last effective date, its privacy policies and procedures, its privacy practices notices, disposition of complaints, and other actions, activities, and designations that the Privacy Rule requires to be documented.
Under the Security Rule, A covered entity must adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule. A covered entity must maintain, until six years after the later of the date of their creation or last effective date, written security policies and procedures and written records of required actions, activities or assessments.
Data Protection Officer
Under the Privacy Rule, a covered entity must designate a privacy official responsible for developing and implementing its privacy policies and procedures, and a contact person or contact office responsible for receiving complaints and providing individuals with information on the covered entity’s privacy practices. Under the Security Rule, a covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.
Data Subject Rights
A covered entity must have procedures for individuals to exercise an individual’s rights or complain about the covered entities compliance with the covered entity’s privacy policies and procedures under the Privacy Rule.
Under the HIPAA, individuals have the following rights:
- Right to be informed
- Right of access
- Right to rectification
- Right to restriction
- Right to data portability
- Right to object
When a covered entity uses a contractor or other non-workforce member to perform “business associate” services or activities, the Rule requires that the covered entity include certain protections for the information in a business associate agreement (in certain circumstances governmental entities may use alternative means to achieve the same protections). In the business associate contract, a covered entity must impose specified written safeguards on the individually identifiable health information used or disclosed by its business associates. Moreover, a covered entity may not contractually authorize its business associate to make any use or disclosure of protected health information that would violate the Privacy Rule.
Incident and Breach
The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.
What is a “breach”?
A breach is, generally (subject to certain exceptions), an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of certain factors. Covered entities and business associates must only provide the required notifications if the breach involved unsecured protected health information.
Notice to HHS and the Media
In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the Secretary of breaches of unsecured protected health information. Covered entities will notify the Secretary by submitting an online form on the HHS wesbite.
- If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following a breach.
- If, however, a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis.
Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction.
Notice to Affected Individuals
Covered entities must notify affected individuals following the discovery of a breach of unsecured protected health information. These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible:
- a brief description of the breach,
- a description of the types of information that were involved in the breach,
- the steps affected individuals should take to protect themselves from potential harm,
- a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and
- prevent further breaches, as well as contact information for the covered entity (or business associate, as applicable).
In the U.S., the federal HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Depending on whether the breach affects more than 500 individuals, the covered entities may have the obligation to notify the breaches to the individuals, media and the Secretary. On the other hand, a business associate generally has the obligation to notify any discovered breaches of protected health information to the covered entities.
Is it Mandatory to Notify Individuals?
Is it Mandatory to Notify Regulator?
Yes, if the breach involves more than 500 individuals.
Without unreasonable delay and in no case later than 60 days following the discovery of a breach.
Secretary for the U.S. Department of Health and Human Services
200 Independence Avenue, S.W.
Washington, D.C. 20201
Phone: US toll-free: (800) 368-1019, TDD toll-free: (800) 537-7697
E-mail: ocrpr[email protected]
Breach Notification Format
Covered entities will notify the Secretary by visiting the HHS web site and filling out and electronically submitting a breach report form. If a breach of unsecured protected health information affects fewer than 500 individuals, a covered entity must notify the Secretary of the breach within 60 days of the end of the calendar year in which the breach was discovered – all of the breaches affecting fewer than 500 individuals can be reported by the covered entity on one date, but a separate notice must be completed for each breach incident.
Health Insurance Portability and Accountability Act (HIPAA)
42 U.S.C. §1301 et seq.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted on August 21, 1996. HIPAA requires the Secretary of the U.S. Department of Health and Human Services (HHS) to develop and publicize standards for the electronic, exchange, privacy, and security of health information.
Last Updated: July 30, 2019
OneTrust is the #1 most widely used privacy, security and third-party risk technology platform trusted by more than 3,000 companies to comply with the CCPA, GDPR, ISO27001 and hundreds of the world’s privacy and security laws. OneTrust's three primary offerings include OneTrust Privacy Management Software, OneTrust PreferenceChoice™ consent and preference management software, and OneTrust Vendorpedia™ third-party risk management software and vendor risk exchange. To learn more, visit OneTrust.com or connect on LinkedIn, Twitter and Facebook.