For this project, I have to complete a research on HIPAA privacy and security rules

Subject: Health Science

For this project, I have to complete a research on HIPAA privacy and security rules. In my research I must include the specific legislation (state and/or federal) of HIPAA. I must conduct any other professional and academic as necessary. Based on my research findings, I must scope, the depth of the intended presentation, and determine what key areas I plan to discuss.


Answer Preview

The Health Insurance Portability and Accountability Act of 1996 required the Secretary of the U.S. Department of Health and Human Services to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. The Health Insurance Portability and Accountability Act (HIPAA) established several rules that covered entities and business associates must follow in order to be compliant.

HIPAA Privacy Rule

The HIPAA Privacy Rule created regulations on how protected health information (PHI) can be used and disclosed. This safeguards PHI to ensure that only authorized individuals have access. It also requires the disclosure of PHI to a patient upon request.

The HIPAA Privacy Rule establishes standards to protect PHI held by these entities and their business associates:

Health plans

Health care clearinghouses

Health care providers that conduct certain health care transactions electronically.

The Privacy Rule gives individuals important rights with respect to their protected PHI, including rights to examine and obtain a copy of their health records in the form and manner they request, and to ask for corrections to their information. Also, the Privacy Rule permits the use and disclosure of health information needed for patient care and other important purposes.

PHI

The Privacy Rule protects PHI held or transmitted by a covered entity or its business associate, in any form, whether electronic, paper, or verbal. PHI includes information that relates to all of the following:

The individual's past, present, or future physical or mental health condition.

The provision of healthcare to the individual.

The past, present, or future payment for the provision of health care to the individual.

PHI includes many common identifiers, such as name, address, birth date and social security number.

The identifying PHI to meet HIPAA Privacy Rule requirements.

Individual's right to access health information.

Permitted use and disclosures of PHI.

HIPAA Security Rule

The HIPAA Security Rule is meant to protect electronic PHI (ePHI). It establishes a national standard on how ePHI is created, received, used, or maintained. The HIPAA Security Rule specifies safeguards that covered entities and their business associates must implement to protect ePHI confidentiality, integrity, and availability. Covered entities and business associates must develop and implement reasonable and appropriate security measures through policies and procedures to protect the security of ePHI they create, receive, maintain, or transmit. Each entity must analyze the risks to ePHI in its environment and create solutions appropriate for its own situation. What is reasonable and appropriate depends on the nature of the entity's business as well as its size, complexity, and resources. Specifically, covered entities must:

Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit.

Identify and protect against reasonably anticipated threats to the security or integrity of the ePHI.

Protect against reasonably anticipated, impermissible uses or disclosures.

Ensure compliance by their workforce.

When developing and implementing Security Rule compliant safeguards, covered entities and their business associates may consider all of the following:

Size, complexity, and capabilities.

Technical, hardware, and software infrastructure.

The cost of security measures.

The likelihood and possible impact of risk to ePHI.

Covered entities must review and modify security measures to continue protecting ePHI in a changing environment.

Administrative, physical, and technical safeguards.

Cyber security.

Remote and mobile use of ePHI.

Risk Analysis and Management

The Administrative Safeguard provisions in the Security Rule require covered entities to perform risk analysis as part of their security management processes. Security measures are reasonable and appropriate for a particular covered entity; risk analysis affects the implementation of all of the safeguards contained in the Security Rule.

Evaluate the likelihood and impact of potential risks to ePHI.

Implement appropriate security measures to address the risks identified in the risk analysis.

Document the chosen security measures and, where required, the rationale for adopting those measures, and maintain continuous, reasonable, and appropriate security protections. Risk analysis should be an ongoing process in which a covered entity regularly reviews its records to track access to ePHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates risks to ePHI.

Administrative safeguards

Security management process: A covered entity must identify and analyze potential risks to ePHI, and it must include security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.

Security personnel: A covered entity must designate a security official responsible for developing and implementing its security policies and procedures.

Information access management: Consistent with the Privacy Rule standard limiting uses and disclosures of PHI to the minimum necessary, the Security Rule requires a covered entity to implement policies and procedures for authorizing access to ePHI only when such access is appropriate based on the user's or recipient's role.

Workforce training and management

A covered entity must provide for appropriate authorization and supervision of workforce members who work with ePHI. A covered entity must train all workforce members regarding its policies and procedures.

Evaluation

A covered entity must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule.

Physical safeguards

Facility access and control.

Workstation and Device security.

Technical safeguards

Access control: A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information.

Audit controls: A covered entity must implement hardware, software, and procedural mechanisms to record and examine access and other activity in information systems that contain.

Integrity controls

Transmission Security

Who must comply with HIPAA Rules

Covered entities and business associates, as applicable, must follow HIPAA rules. If any entity does not meet the definition of covered entity or business associate, it does not have to comply with the HIPAA rules.

Covered Entities

Covered health care provider: Any provider of medical or other healthcare services or supplies who transmits any health information in electronic form in connection with transactions for which HHS has adopted a standard, such as chiropractors, clinics, dentists, doctors, nursing homes, pharmacies, and psychologists.

Health plan: Any individual or group plan that provides or pays the cost of health care, such as company health plans; government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans healthcare programs; health insurance companies; and health maintenance organizations.

Healthcare clearinghouse: A public or private entity that processes another entity's health care transactions from a standard format to a non-standard format, or vice versa, such as billing services, community health management information systems, repricing companies, and value-added networks.

Business associates

A business associate is a person or organization, other than a workforce member of a covered entity, that performs certain functions on behalf of, or provides certain services to, a covered entity that involve access to PHI. A business associate can also be a subcontractor responsible for creating, receiving, maintaining, or transmitting PHI on behalf of another business associate.

Business associates provide services to covered entities that include:

Accreditation, Billing, Claims processing, Consulting, Data analysis, financial services, legal services, Management administration, utilization review.

 

Enforcement

The HHS Office for Civil Rights enforces the HIPAA Privacy, Security, and Breach Notification Rules. Violations may result in civil monetary penalties. In some cases, criminal penalties enforced by the U.S. Department of Justice may apply.

Common violations include:

Impermissible PHI use and disclosure.

Use or disclosure of more than the minimum necessary PHI.

Lack of PHI safeguards.

Lack of administrative, technical, or physical ePHI safeguards.

Lack of individuals' access to their PHI.