This lesson is all about learning some important definitions to better help you understand HIPAA terminology. There will, of course, be a little repetition.

HIPAA

Health Insurance Portability and Accountability Act of 1996.

HITECH

Health Information Technology for Economic and Clinical Health Act of 2009.

Pro Tip #1: The goal of HITECH is to promote the adoption and meaningful use of health information technology and significantly expand the HIPAA privacy rule and security standards as new requirements concerning privacy and security of PHI are enacted.

PHI

Protected Health Information (patients’ personal and medical information).

ePHI

Electronic Protected Health Information.

This includes all personal health information that is stored, and/or transmitted, electronically. Common examples of ePHI include:

  • Faxes
  • Emails
  • Data backup
  • Cloud providers
  • Patient portals
  • Removable media
  • Secure texting

Whether the health information is being stored or transmitted, it must be encrypted first.

Business Associate

Any person or organization that supports the healthcare industry in some fashion and performs functions and activities in support of a covered entity.

Business Associate Requirements

Per HITECH regulations, business associates are now legally required to be compliant with the HITECH Act. This includes assuming financial liability for any and all data breaches caused by their organization or employees.

All business associates are required to have:

  • A risk assessment
  • Proper training
  • A Book of Evidence

Risk Assessment

A set of government mandated questions to help organizations identify gaps in risk, to their organization and to the covered entities they serve. This includes a risk report with a road map to resolving any potential problems.

There are three sections on a risk assessment along with three types of questions.

Sections on Risk Assessment

  1. Administrative
  2. Technical
  3. Physical

Types of Risk Assessment Questions

  1. Standard
  2. Required
  3. Addressable

Standard questions measure a covered entity to ensure confidentiality, integrity, and availability of ePHI, while in the custody and care of covered entities and/or business associates.

Pro Tip #2: Covered entities and business associates must comply with the applicable standards provided in the Security Rule with respect to all ePHI.

Required questions are those that must be implemented by covered entities and/or business associates.

Addressable questions, while not optional, do provide covered entities some additional flexibility with respect to compliance with the security standard.

All organizations must determine their level of risk to PHI. If a risk is deemed reasonable, appropriate security measures will need to be applied.

Book of Evidence

The Book of Evidence is a customized book of policies and procedures that all organizations are required to create. The Book of Evidence illustrates how that organization handles all PHI and ePHI. This includes:

  • Data breach notifications
  • Disaster recovery policies
  • Privacy and patient policies

Privacy Policy

A privacy policy explains how covered entities and business associates handle PHI. All covered entities are required by law to provide patients with a copy of their privacy policy upon request.

Business associates must also be able to provide their privacy policies to both internal employees and external companies – also known as downstream suppliers – and for government audits.

A Word About the Disposal of PHI

The disposal of all protected health information (PHI) comes with its own set of requirements set forth by the HIPAA Privacy and Security Rules. These are steps that covered entities take when they dispose of PHI.

  1. Shred all hard copies containing PHI when the copies are no longer needed.
  2. Place hardcopies to be recycled in locked recycle bins if available.
  3. Delete all soft copy files containing PHI from all computers and from the server when the information is no longer needed within the record retention requirements.
  4. Destroy all disks, CDs, and other pieces of hardware that contained PHI before disposing of them.
  5. Do not reuse disks and/or CDs that contained PHI without thoroughly sanitizing them first.
  6. Contact the IT department for the proper procedures before transporting or transferring equipment and sanitizing hard drives and other media.
  7. Return the PHI (medical records) to the patient, if this requirement is stipulated in any contractual agreements. Many states impose requirements on covered entities to retain this information and make it available for a limited time, as is appropriate.

Health and Human Services encourages all covered entities to consider the steps that other prudent healthcare organizations and health information professionals are taking to protect patient privacy in connection with record disposal.