HIPAA & HITECH
Privacy & Security
The privacy and security of patient health information is a top priority for PathHub. Federal laws require persons and organizations, including business associates, handling health information to have policies and security safeguards in place to protect patient health information. PathHub is committed to ensuring it, and its business associates, comply with HIPAA and HITECH in regards to the protection and confidential handling of protected health information.
PathHub meets its obligations by periodically reviewing its Compliance Policy and conducting audits for:
- Security Risk Assessment
- Privacy Assessment
- Administrative Assessment
What is HIPAA?
HIPAA is the acronym for the Health Insurance Portability and Accountability Act that was passed by Congress in 1996. HIPAA:
- Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs;
- Reduces health care fraud and abuse;
- Mandates industry-wide standards for health care information on electronic billing and other processes; and
- Requires the protection and confidential handling of protected health information
Protection & Confidential Handling of Health Information
The HIPAA Privacy regulations require health care providers and organizations, as well as their business associates, to develop and follow procedures that ensure the confidentiality and security of protected health information (PHI) when it is transferred, received, handled, or shared. This applies to all forms of PHI, including paper, oral, and electronic, etc. Furthermore, only the minimum health information necessary to conduct business is to be used or shared.
The 18 HIPAA Identifiers
The HIPAA privacy rule sets forth policies to protect all individually identifiable health information that is held or transmitted. These are the 18 HIPAA Identifiers which are considered personally identifiable information. This information can be used to identify, contact, or locate a single person or can be used with other sources to identify a single individual. When personally identifiable information is used in conjunction with one’s physical or mental health or condition, health care, or one’s payment for such health care, it becomes Protected Health Information (PHI).
If a communication contains any of these identifiers, or parts of the identifier, such as initials, the data is to be considered “identified”. To be considered “de-identified”, ALL of the 18 HIPAA Identifiers must be removed from the data set. This includes all dates, such as surgery dates, all voice recordings, and all photographic images.
Decedent Research
HIPAA Privacy rule protects individually identifiable health information of deceased individuals for 50 years following the date of death. If the research will include any identifiers linked to living persons or involves accessing death records maintained by the State Registrar, local registrars, or county recorders, the project must be approved in advance.
HITECH Act Definition
The HITECH Act – or Health Information Technology for Economic and Clinical Health Act – is part of an economic stimulus package introduced during the Obama administration: The American Recovery and Reinvestment Act of 2009 (ARRA). The Act was signed into law by President Barack Obama on February 17, 2009.
What are the Goals of the HITECH Act?
The HITECH Act was created to promote and expand the adoption of health information technology, specifically, the use of electronic health records (EHRs) by healthcare providers.
The Act also removed loopholes in the Health Information Portability and Accountability Act of 1996 (HIPAA) by tightening up the language of HIPAA. This helped to ensure business associates of HIPAA covered entities were complying with HIPAA Rules and notifications were sent to affected individuals when health information was compromised.
Tougher penalties for HIPAA compliance failures were also introduced to add an extra incentive for healthcare organizations and their business associates to comply with the HIPAA Privacy and Security Rules.
HITECH and HIPAA, are separate and unrelated laws, but they do reinforce each other in certain ways. For example, HITECH stipulates that technologies and technology standards created under HITECH will not compromise HIPAA privacy and security laws.
HITECH also requires any physician or hospital attesting to meaningful use must have performed a HIPAA security risk assessment as outlined in the Omnibus Rule, or the 2013 digital update to the original 1996 law.
Another example: HITECH established data breach notification rules; HIPAA's Omnibus update echoes those rules and adds details, such as holding healthcare providers' business associates accountable to the same liability of data breaches as the providers themselves.
Business Associates & Business Associate Agreements (BAA)
The HITECH Act requires business associates to comply with the HIPAA Security Rule with regards to ePHI and to report PHI breaches. Business associates must also comply with HIPAA Privacy Rule requirements that apply to covered entities when the associates act on the behalf of those entities.