Technology-Related Healthcare Privacy

The Health Insurance Portability and Accountability Act (HIPAA) mandates privacy protection for individually identifiable health information. Later, the Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted to create new privacy provisions and expand certain existing ones under HIPAA where information technology is used for any health service. The statutes have given regulatory rule-making authority to the Department of Health and Human Services (HHS) for providing supplemental guidance. We cover areas where privacy law and technology intersect.

Below is a very basic outline of Healthcare Privacy. Please contact us by email or phone to set up an appointment to discuss your needs in this area further.

HIPAA Privacy rule

This privacy rule provides the minimum threshold requirement under federal law. The states can always require more in terms of privacy for Protected Health Information (PHI) under state law. There are three types of Covered Entities (CE) that come under the HIPAA Privacy rule. They are:

“(1) A health plan: [Individual or group plan that provides, or pays the cost of, medical care.]

(2) A health care clearinghouse: [A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and value-added networks and switches, that does either of the following functions:
(1) Processes or facilitates the processing of health information…
(2) Receives a standard transaction…]

(3) A health care provider who transmits any health information in electronic form in connection with a transaction….” 45 C.F.R. § 160.103.

Business Associate (BA): “[It] means, with respect to a covered entity, a person who:

(i) On behalf of such covered entity …creates, receives, maintains, or transmits protected health information for a function…, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, and repricing.

(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation…, management, administrative, accreditation, or financial services to or for such covered entity….” 45 C.F.R. § 160.103.

Therefore, HIPAA privacy is also applicable to Business Associates, who provide certain services to Covered Entities (CE). Third-party contractors who provide services to a Business Associate (BA) and handle Protected Health Information (PHI) also come under this rule.

Business Associate Agreement (BAA): Covered Entities (CE) make an agreement with a Business Associate setting out the nature and boundaries of the use of PHI. A Covered Entity is not responsible for a Business Associate hiring a third-party contractor to complete its services. The Business Associate needs to have a contract with its third-party contractors reflecting the guidelines of its agreement with the CE.

Consent for use or disclosure: “A covered entity may obtain consent of the individual to use or disclose protected health information to carry out treatment, payment, or health care operations.” 45 CFR § 164.506(b)(1). “A covered entity may use or disclose protected health information for its own treatment, payment, or health care operations.”  45 CFR § 164.506(c)(1).

 

Minimum Necessary requirement: “…When using or disclosing protected health information or when requesting protected health information from another covered entity or business associate, a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.” 45 CFR § 164.502(b).

Right to amend PHI: “An individual has the right to have a covered entity amend protected health information or a record about the individual in a designated record set….” 45 CFR § 164.526(a)(1). “The covered entity may require individuals to make requests for amendment in writing and to provide a reason to support a requested amendment, provided that it informs individuals in advance of such requirements.” 45 CFR § 164.526(b)(1).

Notice of Privacy practices: “[A]n individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual’s rights and the covered entity’s legal duties with respect to protected health information.” 45 CFR § 164.520(a)(1).

There are separate requirements for the content of notice, additional disclosure for each separate use, header statement, individual rights, and Covered Entity (CE) duties.

Administrative requirements: “Safeguards: A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.” 45 CFR § 164.530(c)(1). We will further discuss the various technical and physical safeguards under the HIPAA Security rule.

Personnel designations: Covered Entities need to have dedicated personnel for privacy and contact purposes. Sometimes, depending on the size of the CE, one person can perform both roles. The statute below states in part:

“(i) A covered entity must designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity.

(ii) A covered entity must designate a contact person or office who is responsible for receiving complaints….” 45 CFR § 164.530(a)(1). 

Training: “A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information… as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.” 45 CFR § 164.530(b)(1).

 

HIPAA Security rule

The HIPAA Security rule applies to Electronic Protected Health Information (EPHI). A Covered Entity (CE) and Business Associate (BA) must comply with the applicable standards and any implementation specifications. 45 CFR § 164.302. Examples of entities that need to follow the HIPAA Security rule, irrespective of size, include insurance companies, hospitals (small, medium, and large), and the workforce employed by these entities.

Purpose: Covered entities and business associates must:

“(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.

(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information….” 45 CFR § 164.306(a).

Flexibility in implementation:

“(1) Covered entities and business associates may use any security measures that allow the covered entity or business associate to reasonably and appropriately implement the standards and implementation specifications …

(2) In deciding which security measures to use, a covered entity or business associate must take into account the following factors:

           (i) The size, complexity, and capabilities of the covered entity or business associate.

          (ii) The covered entity’s or the business associate’s technical infrastructure, hardware, and software security capabilities.

          (iii) The costs of security measures.

          (iv) The probability and criticality of potential risks to electronic protected health information.” 45 CFR § 164.306(b).

There are three safeguards that need to be implemented for HIPAA privacy rule by CEs and BAs. They include:

1. Administrative safeguards; 2. Technical safeguards; 3. Physical safeguards.

The statute below addresses the “implementation specification” requirement.

“Implementation specifications are required or addressable: If an implementation specification is required, the word ‘Required’ appears in parentheses after the title of the implementation specification. If an implementation specification is addressable, the word ‘Addressable’ appears in parentheses after the title of the implementation specification.” 45 CFR § 164.306(d).

As noted in the above statute, some of the “implementation specifications” within the various “standards” under the three safeguards are required, whereas others are addressable.

1. Administrative safeguards (45 CFR § 164.308): Below are the various “standards” under this safeguard. I did not list the “implementation specifications” under each of these standards, for space reasons.

      a. Security Management Process.
      b. Assigned Security Responsibility.
      c. Workforce Security.
      d. Information Access Management.
      e. Security Awareness and Training.
      f. Security Incident Procedures.
      g. Contingency Plan.
      h. Evaluation.
      i. Business Associate Contracts and Other Arrangements.

2. Technical safeguards (45 CFR § 164.312): Below are the various “standards” under this safeguard. I did not list the “implementation specifications” under each of these standards, for space reasons.

     a. Access Control.
     b. Audit Controls.
     c. Integrity.
     d. Person or Entity Authentication.
     e. Transmission Security.

3. Physical safeguards (45 CFR § 164.310): Below are the various “standards” under this safeguard. I did not list the “implementation specifications” under each of these standards, for space reasons.

     a. Facility Access Controls.
     b. Workstation Use.
     c. Workstation Security.
     d. Device and Media Controls.

 

HITECH Act

The HITECH Act introduces some additional provisions that modify certain requirements applicable to Business Associates (BA), along with breach notification requirements. The primary changes include the following:

1. Certain privacy requirements that are applicable to Covered Entities (CE) are also applicable to BAs.

2. HIPAA’s security rule involving administrative, physical, and technical safeguards is now additionally applicable to BAs along with CEs.

3. CEs, who are responsible to customers, must give notice of breaches of unsecured PHI.

Cloud Computing of PHI & NIST Cybersecurity Framework

Maintaining Information Technology (I.T.) infrastructure to manage healthcare services is a big cost. Covered Entities (CE), like any other business, want to optimize revenue in the best way possible depending on the size and revenue of the entity. Some CEs doing business in billions of dollars may manage to maintain their own dedicated I.T. team for providing services. However, for many CEs, there are alternative options available in the form of cloud computing.

Cloud computing provides on-demand network access to various shared computing resources, such as networks, storage, servers, applications, and services, that can be managed with little effort compared to the traditional method of providing I.T. service, along with no additional effort from the cloud service provider. There are various deployment and service models depending on the needs of your entity. The following are the four deployment models. They include:

(i) Private cloud.

(ii) Public cloud.

(iii) Hybrid cloud.

(iv) Community cloud.

The following are the three service models. They include:

(i) Infrastructure as a Service (IaaS).

(ii) Platform as a Service (PaaS).

(iii) Software as a Service (SaaS).

Even if you choose SaaS as a service model, you may need to have some dedicated I.T. team to manage privacy and security within the CE’s own network. Also, CEs access SaaS through their own network. Whenever CEs move PHI to the cloud, there needs to be an understanding in the cloud agreement that privacy and security matters are paramount to the CE. Any steps taken by the cloud provider to secure the content on its cloud should also be noted in the agreement.

CEs need to have a good understanding of the terms of the cloud Service Level Agreement (SLA), including the metrics for measuring any of the following:

(i) Disaster recovery plan.

(ii) Auditing rights of protocols.

(iii) Privacy and Security.

(iv) Geographical restrictions in server location.

(v) Up-time.

(vi) Access requirements including system response time.

(vii) Data updating only at desired times.

(viii) Response time to issues.

NIST Cybersecurity Framework: The National Institute of Standards and Technology (NIST) issued a cybersecurity framework in response to the executive order issued by the President. Each department, including HHS, issued guidelines by working with NIST for better cybersecurity standards. This cybersecurity framework is advisory only. As long as entities comply with the HIPAA privacy and security rules along with the HITECH Act, they are in compliance. However, it is better to align with the cybersecurity framework issued by NIST to make sure that they are not vulnerable to hackers etc. NIST provided “mappings” between the HIPAA Security rule, for each of the administrative, technical, and physical safeguards, and the cybersecurity framework. These mappings are useful in assessing whether your entity is meeting the voluntary guidelines to assess risk for PHI in case of cyber threats etc.