In the first part of this series, we addressed why HIPAA was so important, where it came from, and the punitive measures it incorporated as a means to ensure compliance. More importantly, we discussed the general requirements of HIPAA. Today we’re going to take a deeper look at those requirements, starting with the most important and most demanding part of HIPAA: the Privacy Rule.
The Privacy Rule is the set of standards that came out of HIPAA to define how health data must be handled, and it is where the expectations placed on data providers are spelled out. While HIPAA oversaw major reforms in insurance coverage and portability, data providers should be far more concerned with the Privacy Rule, because this group of standards is the chief governing text when it comes to data.
Let’s take a look at this rule, and everything it entails.
What is the Privacy Rule?
In its simplest form, the Privacy Rule, officially titled the “Standards for Privacy of Individually Identifiable Health Information”, is the first set of national standards in the United States for the protection of medical and health data. Before it, data of this nature was covered by a patchwork of state laws and general privacy protections. That patchwork proved inadequate: it left patients exposed to misuse of their records, including identity theft, and it made providers reluctant to transfer records to one another for fear of being snared in a complex and inconsistent web of law.
When it drafted the Privacy Rule, the U.S. Department of Health and Human Services (HHS) was working to a single mandate: HIPAA required privacy standards for health information, and when Congress did not pass a separate privacy law within the three years the statute allowed, HHS was obliged to issue them by regulation. In doing so, HHS set out rules covering not only privacy rights but also the disclosure, to the people the data describes, of how that data is used and to whom it is given (in other words, it established that patients have the right to know where their data is and what it is being used for).
This data was given a specific name, “protected health information” (PHI). The individual retains rights over it, while the organizations that hold it, the “covered entities”, carry the obligations. While the Privacy Rule is first and foremost about protecting the individual, a good portion of it is dedicated to making sure that medical information can still flow from provider to provider where it is needed for treatment, payment, and the health of the public at large.
Because of this, the “Privacy Rule” is very much a balance between protection and usage.
It should be said that what the Privacy Rule covers are organizations rather than technical systems: health plans (including insurers), health care providers that transmit health information electronically, and health care clearinghouses. That said, there is a specific classification for businesses that interact with medical data but are not themselves medical organizations. The Privacy Rule calls these organizations “business associates” and defines one as “a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity […]”.
While many have argued that this definition is overly broad, it was meant to be. The takeaway is that any company handling medical data in any form on behalf of a covered entity is subject to the Privacy Rule, and since the HITECH Act of 2009 and the 2013 Omnibus Rule, business associates are directly liable for their own violations rather than merely bound by contract. Because of this, data providers are in the unusual position of having to adhere to conceptually complex regulation written for an industry they are not part of, but do business with. More on these specific regulatory concerns later.
Now that we know who is covered, what is covered? The protected information under the Privacy Rule is all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form (electronic, paper, or oral), that identifies the individual or could reasonably be used to do so. That includes information about:
• the individual’s past, present, or future physical or mental health or condition;
• the health care provided to the individual, and how it was delivered; and
• the past, present, or future payment for that care.
What makes this a complex issue is that a data provider often has no idea what data they are handling, especially if that data is encrypted. If a destruction provider receives full-disk-encrypted hard drives, all it can see is ciphertext: there is no way to tell whether a given hospital drive came from a janitor’s or security guard’s workstation or from the billing department.
With this in mind, providers should always treat incoming media as if it holds the most sensitive data they could possibly process. In practice that means sanitizing every drive to the same standard regardless of its supposed origin; HHS guidance on rendering PHI unusable points to NIST SP 800-88 for clearing, purging, or destroying media, and applying that standard uniformly is the simplest way to meet it. In the worst case you have been overly careful, but the data was still handled properly and legally. In the best case, you have protected yourself and handled the data appropriately. Either way, you have done right by the law and by the people whose data it was.
A major provision of the Privacy Rule is the safeguards standard. For data providers it is arguably the second most important piece of the HIPAA framework, after the Security Rule, which is a separate rule that builds on it for electronic PHI (more on that in the next part). Under the safeguards standard, a covered entity, and the business associates acting on its behalf, must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent any use or disclosure of PHI that the Privacy Rule does not permit.
While this section was obviously written with healthcare providers in mind, it has serious implications for data providers. It might be tempting to say “that’s their problem, not mine”, but these provisions cover business associates as well.
When handling medical data, regardless of form, the material must be physically secured, behind lock and key or an equivalent control. The data must be encrypted or protected by some other technical means. There must be written security policies, along with handling procedures and a documented chain of custody. Note that the Privacy Rule sets the standard (“reasonable and appropriate”) rather than the mechanism; the specific technical measures, encryption among them, are spelled out in the Security Rule.
All of this must be done at every stage of data handling, including the transmission and destruction stages that data providers are most often engaged for. The requirement does not lapse simply because you are not a medical company. In fact, given how easily these controls can be implemented, failing to adopt them could readily be judged willful neglect, which sits in a higher penalty tier than a violation you did not know about or had reasonable cause for.
This has been a brief summary of the Privacy Rule and the expectations it sets for all data providers, medical or otherwise. These rules are demanding, and the requirements only get more specific from here. In the next piece in this series we will tackle the Security Rule and what it means for data providers and destruction specialists.
While this might seem like a lot to remember, consider the type of data you are handling. This data is, quite literally, someone’s life. Exposing even a fragment of it, accidentally or otherwise, can cause serious personal and financial harm to patients, and serious repercussions for the provider responsible.
The easiest way to think about the Privacy Rule is the old “Golden Rule”: do unto others as you would have them do unto you. Think of your own private data: would you want it handled any differently? Secure others’ data as you would your own, and follow these common-sense procedures.