The HIPAA Privacy and Security Rules protect the privacy and security of individually identifiable health information. HIPAA Rules have detailed requirements regarding both privacy and security.
- The HIPAA Privacy Rule covers protected health information (PHI) in any medium, while the
- The HIPAA Security Rule covers electronic protected health information (ePHI).
In addition to HIPAA, you must comply with all other applicable federal, state, and local laws.
Guide to Privacy and Security of Electronic Health Information
Need help implementing the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules in your health care practice? Check out the Guide to Privacy and Security of Electronic Health Information [PDF - 1.27 MB].
The Office of the National Coordinator for Health Information Technology (ONC), in coordination with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), created the Guide to help you integrate privacy and security into your practice. The Guide covers a variety of topics highlighted below. Download a pdf of the full Guide [PDF - 1.27 MB] to learn more.
HIPAA Basics
The HIPAA Rules provide federal protections for patient health information held by Covered Entities (CEs) and Business Associates (BAs). HIPAA gives patients many rights with respect to their health information.
The Guide (especially Chapter 2) [PDF - 493 KB] provides details on the HIPAA Privacy, Security, and Breach Notification Rules, such as:
- What types of information HIPAA protects
- Who must comply with HIPAA
- How patient information can be used and disclosed under the HIPAA Privacy Rule
Patient Health Information Rights
Under the HIPAA Privacy Rule, you have responsibilities to patients, which include:
- Providing a Notice of Privacy Practices (NPP)
- Responding to patients’ requests for:
- Access to their Protected Health Information (PHI)
- Amendments to their PHI
- Accounting of disclosures
- Restrictions on uses and disclosures of their health information
- Confidential communications
Visit Chapter 3 of the Guide [PDF - 248 KB] to learn more about these areas of responsibility.
Electronic Health Records (EHRs) and Cybersecurity
Electronic PHI (ePHI) may exist in your practice in a variety of systems, including Electronic Health Records (EHRs). Because all electronic systems are vulnerable to cyber-attacks, you must consider all of your practice’s systems and technologies when conducting security efforts.
While a discussion of ePHI security goes far beyond EHRs, visit Chapter 4 of the Guide [PDF - 275 KB] to learn more about EHR security and cybersecurity.
Privacy and Security in Meaningful Use
You may be familiar with the Medicare and Medicaid EHR Incentive Programs (also called “Meaningful Use” Programs). The Meaningful Use Programs set staged requirements for providers. Providers receive incentive payments as they demonstrate progressively integrated EHR use.
Some of the Meaningful Use requirements relate to your practice’s obligations under the HIPAA Privacy and Security Rules. Visit Chapter 5 of the Guide [PDF - 254 KB] to learn more about the Stage 1 and Stage 2 Meaningful Use core objectives that address privacy and security.
Sample Seven-Step Approach for Implementing a Security Management Process
Chapter 6 [PDF - 561 KB] describes a sample seven-step approach that can help you implement a security management process in your organization. The approach includes help for addressing security-related requirements of Meaningful Use.
Breach Notification and HIPAA Enforcement
You have responsibilities to report breaches of unsecured PHI. To learn more about these requirements and HIPAA enforcement,< visit Chapter 7 of the Guide [PDF - 323 KB]. CEs and BAs that fail to comply with the HIPAA Rules could face civil and criminal penalties.
Disclaimer
This Guide is not intended to serve as legal advice or as recommendations based on a provider or professional’s specific circumstances. We encourage providers and professionals to seek expert advice when evaluating the use of this Guide.