Overview of HIPAA Privacy and Security Implementation

In 1996, Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) (Public Law 104-191). HIPAA was intended to improve health care efficiency and to protect individuals’ private health information by requiring the Secretary of the Department of Health and Human Services to establish three kinds of standards for handling such information:
The uniform transaction standards enable health care providers, insurers and health care clearinghouses to exchange medical, billing, and other information and to process transactions quickly and efficiently. Congress recognized, however, that the increasing standardization of electronic data interchange for health care transactions also increased the potential for broader, inappropriate access to people’s medical information. HIPAA’s Privacy and Security Rules are intended to decrease that risk. The HIPAA Privacy Rule has been in effect since 2003; the HIPAA Security Rule went into effect in April 2005. Each of these rules is discussed in some detail below. The transaction requirements are not covered by this overview because they are technical in nature. If you have questions about them, please contact OGC.

HIPAA imposes civil monetary penalties and, in some cases, criminal penalties for violations of the Rules. A violation of one of the Privacy or Security standards can result in a $100 penalty per violation, up to $25,000 in a calendar year for repeated violations of the same standard. The wrongful disclosure of protected health information with the intent to sell the information or otherwise use it for commercial purposes can result in a fine of up to $250,000, imprisonment for up to 10 years, or both.

HIPAA Implementation at Yale

HIPAA applies only to health care providers, health plans and health care clearinghouses. Under HIPAA, a large entity such as the University may designate those of its constituent parts that perform those functions (called “covered components”) to be covered by HIPAA. Yale has done so, and accordingly the following parts of the University are subject to HIPAA:
HIPAA is a complex statute that affects various functions of these schools and other components, including research, clinical operations, information technology management, contracting, and managing relationships with long-standing partners in health care delivery and training, such as Yale-New Haven Hospital.

In compliance with HIPAA, the University has designated a Chief Privacy Officer, who is responsible for ongoing compliance with the HIPAA Privacy Rule. Each covered school and component has also designated a Deputy Privacy Officer, responsible for day-to-day HIPAA compliance matters. The University’s Chief Information Officer is the official responsible for compliance with the HIPAA Security Rule. The Chief Information Officer oversees the efforts of the Information Security Offices on both the central campus (at Information Technology Services, or ITS) and at the School of Medicine (at ITS-Med). The Chief Privacy Officer and the Chief Information Officer coordinate their HIPAA compliance efforts, since security and privacy initiatives are often interrelated.

Yale has both created new policies and procedures and revised existing ones in order to implement the HIPAA Privacy and Security Rules. These can be found through the University’s main HIPAA website, http://hipaa.yale.edu/, or directly at http://mire.med.yale.edu/hipaapolicies/. HIPAA training is required for all faculty, staff, trainees, and students working or studying in a covered component. On-line training is offered at www.yale.edu/training/. In-person training may also be arranged; the Chief Privacy Officer and the Chief Information Officer can assist with such requests.

HIPAA Privacy Requirements

HIPAA requires Yale’s covered components to implement appropriate administrative, technical, and physical safeguards to protect the confidentiality and integrity of protected health information.
Under HIPAA, “Protected Health Information” or “PHI” means information that identifies an individual and relates to that individual’s physical or mental health, the provision of health care to that individual, or payment for health care. The covered components are further required to develop specific policies and practices in order to comply with a host of standards relating to the privacy of protected health information. HIPAA establishes civil monetary and criminal penalties for a knowing use or disclosure of such information in violation of HIPAA. Even before HIPAA was enacted, the University’s practices were largely consistent with what HIPAA now requires, but HIPAA has resulted in more extensive documentation of those practices and a broader awareness of privacy concerns.

A. Rules Concerning the Use and Disclosure of Protected Health Information. HIPAA contains detailed requirements concerning the use and disclosure of protected health information. Covered entities may use and disclose PHI only as permitted by HIPAA or by more protective state rules. Each covered component must make reasonable efforts to ensure that it uses, discloses, or requests only the minimum necessary health information (a key HIPAA concept) to accomplish the task at hand. An important exception to that rule is that treating clinicians are not limited to using and disclosing only the minimum necessary information, because such a constraint could seriously impair the quality of care provided.

B. Patient Rights Regarding Health Information. HIPAA gives individuals a number of rights relating to their own protected health information. These include an individual’s right to:
C. Research Using Health Information. In order for protected health information to be used for research purposes, HIPAA requires either a written patient authorization or a waiver of the authorization requirement. Yale’s Human Investigations Committee and its other Institutional Review Boards will determine whether the authorization can be waived in a given research study, or will assist in preparing an appropriate authorization if the requirement cannot be waived. HIPAA also imposes requirements on researchers who seek access to health information for a review preparatory to research. Such researchers must give certain assurances to the covered entity relating to the purpose and limited use of the information. HIPAA does not apply to research that uses only “de-identified” data. HIPAA treats data as de-identified when 18 specific identifiers have been removed (the “safe harbor” method) or when a qualified expert has determined that the risk of re-identifying an individual from the data is very small. If a researcher uses health information from which “direct identifiers” have been removed but which retains elements such as dates and ZIP codes (a “limited data set”), the researcher is not required to obtain the patient’s authorization even though the information is not completely de-identified. However, the researcher must enter into a data use agreement with the covered entity that holds the records in order to access the data.

D. Business Associates Using Health Information. Contractors that handle protected health information while providing certain functions or activities for a covered component at Yale must agree to use appropriate privacy and security safeguards to prevent use or disclosure of the information other than as permitted by the contract. These obligations must be set forth in a business associate agreement (also known as a “BA Agreement”). The University may be held responsible for the actions of its business associates if (1) it knew of a pattern of activity or practice of the business associate that violated the contract and (2) it failed to take reasonable steps to correct the problem.
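Section C above distinguishes “de-identified” data (the 18 safe-harbor identifiers removed, HIPAA no longer applies) from a “limited data set” (direct identifiers removed, dates and location retained, data use agreement required). The following Python is an added example for this overview; it is not Yale’s code and not part of the University’s HIPAA materials. It applies both sets of rules to a constructed patient record. The field names, the ISO date format, the sample values and the list of restricted three-digit ZIP prefixes (taken from HHS guidance based on 2000 Census data) are this example’s own assumptions.

```python
"""Safe-harbor de-identification versus a limited data set (45 CFR 164.514).

Added example for the HIPAA overview; not Yale's code. Field names and
sample records are assumptions of this example.
"""
import re

# The 16 direct identifiers that must be removed for BOTH a limited data set
# (164.514(e)(2)) and safe-harbor de-identification (164.514(b)(2)), keyed by
# the field names this example assumes for its records.
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
})

# Three-digit ZIP prefixes whose area held 20,000 or fewer people according
# to the 2000 Census list in HHS guidance; safe harbor replaces them with 000.
# Assumption: verify this list against current guidance before relying on it.
RESTRICTED_ZIP3 = frozenset({
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
})

ISO_DATE = re.compile(r"^(\d{4})-\d{2}-\d{2}$")  # sample records use YYYY-MM-DD


def limited_data_set(record: dict) -> dict:
    """Strip the 16 direct identifiers; dates, city/state/ZIP and ages stay.

    The result is still PHI: releasing it requires a data use agreement.
    """
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def safe_harbor(record: dict) -> dict:
    """Apply the remaining safe-harbor rules on top of the direct-identifier strip."""
    over_89 = isinstance(record.get("age"), int) and record["age"] > 89
    out = {}
    for key, value in limited_data_set(record).items():
        if key == "city":
            continue  # geographic units smaller than a state are removed
        if key == "zip":
            prefix = str(value)[:3]  # only the first three digits may remain
            out[key] = "000" if prefix in RESTRICTED_ZIP3 else prefix
        elif key.endswith("_date"):
            if over_89 and key == "birth_date":
                continue  # even the birth year would reveal an age over 89
            match = ISO_DATE.match(str(value))
            if not match:
                raise ValueError(f"{key}: expected YYYY-MM-DD, got {value!r}")
            out[key] = match.group(1)  # year only; month and day are removed
        elif key == "age":
            out[key] = "90+" if over_89 else value  # ages over 89 are aggregated
        else:
            out[key] = value  # clinical content such as a diagnosis is kept
    return out


def classify(record: dict) -> str:
    """Label a record as 'phi', 'limited data set' or 'de-identified'."""
    if any(k in DIRECT_IDENTIFIERS for k in record):
        return "phi"
    quasi_identifiers_present = (
        "city" in record
        or len(str(record.get("zip", ""))) > 3
        or any(k.endswith("_date") and ISO_DATE.match(str(v))
               for k, v in record.items())
        or (isinstance(record.get("age"), int) and record["age"] > 89)
    )
    return "limited data set" if quasi_identifiers_present else "de-identified"


# Constructed sample records: fictitious people and values.
PATIENT = {
    "name": "Jane Example", "street_address": "12 Example St",
    "city": "New Haven", "state": "CT", "zip": "06510",
    "birth_date": "1912-05-14", "admission_date": "2005-04-20", "age": 92,
    "phone": "203-555-0100", "email": "jane@example.org",
    "ssn": "000-00-0000", "mrn": "MRN0001234",
    "diagnosis": "essential hypertension",
}
RURAL_PATIENT = {  # ZIP prefix 036 is on the restricted list
    "name": "John Example", "state": "NH", "zip": "03601",
    "birth_date": "1960-01-02", "age": 45, "mrn": "MRN0005678",
    "diagnosis": "type 2 diabetes",
}

if __name__ == "__main__":
    for rec in (PATIENT, RURAL_PATIENT):
        print(classify(rec), "->", classify(limited_data_set(rec)),
              "->", classify(safe_harbor(rec)))
        print(safe_harbor(rec))
```

Two points the code makes that the prose does not: a limited data set is not an end state but a halfway point that still carries dates and location and therefore still needs a data use agreement, and safe harbor is more than deleting fields, since dates are truncated to the year, ZIP codes to three digits (or 000), and an age over 89 causes the birth year to be dropped as well.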
The Procurement Office maintains a database of all third parties with which the University has a business associate relationship in place. The Deputy Privacy Officers can assist in determining whether a business associate agreement is required. If it is, a business associate tracking form should be completed and submitted to the Procurement Office to initiate the process. The tracking form and further instructions are available at www.yale.edu/procurement.

E. Administrative Requirements. HIPAA imposes a number of administrative requirements on the University, including the following:
The University’s measures in these areas are described in detail on its HIPAA website.

Security Requirements

A. ePHI. Unlike the HIPAA Privacy Rule, which applies to individually identifiable health information in any medium (oral, written, electronic), the HIPAA Security Rule applies only to electronic health information. Under the Security Rule, the covered components must implement reasonable and appropriate technical, administrative and physical safeguards to protect the confidentiality, integrity and availability of electronic protected health information, or ePHI. These safeguards run the gamut from developing contingency plans that include disaster recovery and emergency mode operations to establishing procedures to properly grant, terminate and restrict access to ePHI.

B. Safeguards. Examples of technical safeguards addressed in the HIPAA Security Rule include access controls (unique user IDs, emergency access procedures, automatic logoff, and encryption and decryption), audit controls, integrity controls, person or entity authentication, and transmission security. The Rule’s administrative safeguards include risk analysis and risk management, the development of policies and procedures, and security awareness and training programs. Finally, the physical safeguards contemplated by the Rule include facility access controls for locations where ePHI is housed, workstation security, and proper disposal and re-use of media containing ePHI.

C. Basic and Above-Threshold Systems. Because the HIPAA Security Rule applies to any system or device that creates, accesses, transmits or receives any ePHI within a covered component, it is a challenge to apply the Rule in an effective and efficient way at Yale. The approach taken by the University is to draw a distinction between (1) systems that do not contain primary source ePHI and are used only by a single person, and (2) systems that contain primary source ePHI (such as an electronic medical record or a medical billing system) or are used by multiple people.
This distinction is based on a risk analysis that determined that systems in the second category (called Above-Threshold Systems) require more rigorous protection than those in the first category (called Basic Systems). For example, a laptop computer used by a single person that contains ePHI, but not primary source ePHI, does not require a full-scale contingency plan with a disaster recovery plan and an emergency mode operation plan. Those safeguards are essential, however, for a system that contains or creates primary source clinical or billing data. Note that a Basic System is still subject to the Security Rule: the exemption is from the Above-Threshold procedures, not from safeguards such as access control, encryption of ePHI and secure disposal of media.

D. Responsibility for System Compliance. The lead individual who determines the use of and access to a system, called the System Owner, bears primary responsibility for HIPAA Security compliance. For Above-Threshold Systems, the System Owner works with System Administrators, data owners and business managers to ensure that the system complies with University security requirements. Responsibility for a Basic System rests with its individual System Owner. Technical assistance with HIPAA Security compliance is available through a variety of resources identified on the Yale HIPAA Security website, including assistance from specialists at ITS and ITS-Med. An overview of the University’s implementation of the HIPAA Security Rule, as well as detailed definitions, policies and procedures, is available at http://hipaa.yale.edu/security/.