Privacy Officer Desk
Did You Know?
The Health Insurance Portability and Accountability Act (“HIPAA”), as amended, sets forth standards and requirements for both privacy and security of Protected Health Information (“PHI”). There are many nuances to protecting PHI, including specific privacy and security standards. And while the official HIPAA regulation contains the phrase “Administrative Simplification”, those rules and regulations can be anything but simple!
How does all of this work with privacy and security? Isn’t there a difference between the two concepts that requires them to be separately addressed? Yes and no. HIPAA does, in fact, separate the two concepts with the Privacy Rule and the Security Rule, each with individual mandates and requirements. However, the concepts of privacy and security should never be addressed so separately that one is given more weight than the other, or one is ignored in order to meet requirements of the other. The Privacy and Security Rules of HIPAA are intended to work together to protect the rights of individuals and to secure their PHI.
Many laws and regulations address either data security or individual privacy, but few address both as HIPAA does. The requirements for privacy and security under HIPAA are not mutually exclusive. Covered entities and business associates must comply with both the Privacy and Security Rules equally, addressing both concepts at the same time. HIPAA mandates that covered entities and business associates have both a Privacy Officer and a Security Officer, and while many organizations keep these functions very separate and distinct, the officials who serve in those roles should always be in contact and work together in order to provide a comprehensive plan for both privacy and security. An organization’s privacy policies and plans should complement the organization’s security policies and efforts, and vice versa. Compliance under the Privacy Rule does not allow for a “pass” under the Security Rule; both privacy and security must be accounted for under HIPAA.
The specifications under HIPAA are generally tagged as either “required” or “addressable.” A required specification means that a covered entity or business associate MUST implement that specification. An addressable specification means that a covered entity or business associate must assess if the specification is appropriate and reasonable for its environment and thus determine if implementation is achievable. If the specification as written is deemed to be inappropriate or unreasonable, a party must implement an equivalent alternative measure that satisfies the intent and requirement of the written specification. “Addressable” does NOT mean that the specification may be completely ignored.
Robust security programs must include all three categories of safeguards set forth under HIPAA, each with its own specific standards and requirements: technical, physical and administrative. Access and audit controls fall under technical safeguards and are required to protect electronic PHI, or ePHI. Performing a risk analysis and having risk management reviews and procedures in place fall under administrative safeguards and are required to identify and reduce organizational risks that may jeopardize the security of PHI. Workstation security protocols and data back-up and storage procedures fall under physical safeguards and are implemented to provide a safe and secure work environment when accessing ePHI. There are many other safeguards and standards set forth under HIPAA with which all covered entities and business associates must comply, and it is important to stay vigilant with these requirements in order to protect and secure PHI in all forms. Utilizing artificial intelligence, or AI, to address some of these mandatory safeguards can mitigate risk, including reducing the risk of an inappropriate use or disclosure of PHI.
Many states have data security, data protection, and/or breach notification laws, but only 5 states have specific privacy-centered laws:
The laws are in various stages of finalization and roll-out, but all are based upon consumer protection concepts for individuals. These state laws codify protections for individuals who share personal information with businesses, or whose personal information is collected, used, and disclosed by businesses, often through website activity.
While the protections under these laws are not geared specifically to health information, all individuals who interact with businesses will have rights, and in some instances remedies, under these state laws. The privacy laws are loosely based on the European Union’s GDPR, and may provide stand-alone consumer protections, or provide additional protections in conjunction with other data security regulations.
There are 12 additional states considering specific consumer privacy regulations, but those efforts are either on-hold or adjourned at this time.