The attorneys at DiRuzzo & Company represents health care providers regarding their obligations under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as modified by the Health Information Technology for Economic and Clinical Health Act (“HITECH”). Our representation includes disclosures to the U.S. Department of Health & Human Services (“HHS”) Office for Civil Rights, and litigation against the federal and state governments seeking to enforce HIPAA.

HIPAA has three main components: (1) the “Privacy Rule,” which sets national standards for when protected health information (“PHI”) may be used and disclosed, (2) the “Security Rule,” which specifies safeguards that covered entities and their business associates must implement to protect the confidentiality, integrity, and availability of electronic protected health information (“ePHI”), and (3) the “Breach Notification Rule,” which requires covered entities to notify affected individuals, U.S. Department of Health & Human Services (“HHS”), and in some cases, the media of a breach of unsecured PHI.

The HIPAA Privacy Rule, found at 45 C.F.R. Parts 160 and 164, Subparts A and E, establishes standards for the protection of PHI held by health care providers (and their business associates/agents) that conduct health care transactions electronically. Health care providers include doctors, chiropractors, dentist, psychologists, medical clinics, nursing homes, and pharmacies; business associates/agents include accreditation, billing, claims processing, consulting, data analysis, financial services, legal services, management administration, and utilization review. The Privacy Rule gives patients important rights with respect to their health information, including rights to examine and obtain a copy of their health records in the form and manner they request, and to ask for corrections to their information. Also, the Privacy Rule permits the use and disclosure of health information needed for patient care and other important purposes.

The Privacy Rule protects PHI, held or transmitted by health care providers, in any form, whether electronic, paper, or verbal. PHI includes information that relates to all of the following: (1) the patient’s past, present, or future physical or mental health or condition, (2) the provision of health care to the patient, and (3) the past, present, or future payment for the provision of health care to the patient. PHI includes many common identifiers, such as name, address, birth date, and Social Security number.

The Security Rule, found at 45 C.F.R. Parts 160 and 164, Subparts A and C, specifies safeguards that health care providers must implement to protect the confidentiality, integrity, and availability of ePHI. Health care providers are required develop and implement policies and procedures to protect the security of ePHI they create, receive, maintain, or transmit. Each health care practice must analyze the risks to ePHI in its environment and create solutions appropriate for size. Specifically, the Security Rule requires that health care providers (1) ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit, (2) identify and protect against reasonably anticipated threats to the security or integrity of the ePHI, (3) protect against reasonably anticipated, impermissible uses or disclosures, and (4) ensure compliance by their workforce.

The Breach Notification Rule, found at 45 C.F.R. § 164.408, requires health care providers to notify affected individuals, and HHS of a breach of unsecured PHI. Most notifications must be provided without unreasonable delay and no later than 60 days following the discovery of a breach. Notifications of smaller breaches affecting fewer than 500 individuals may be submitted to HHS annually. The Breach Notification Rule also requires business associates/agents of health care providers to notify the health care provider of breaches at or by the business associate/agent.

The HHS Office for Civil Rights enforces the HIPAA Privacy, Security, and Breach Notification Rules. Violations may result in civil monetary penalties (ranging up to $1.5M per violation). In some cases, criminal penalties enforced by the U.S. Department of Justice may apply. Common noncompliance issues include impermissible PHI uses and disclosures, lack of PHI safeguards, lack of patients’ access to their PHI, use or disclosure of more than the minimum necessary PHI, lack of administrative ePHI safeguards. Importantly, HITECH gave State Attorneys General the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules. The HITECH Act permits State Attorneys General to obtain damages on behalf of state residents or to enjoin further violations of the HIPAA Privacy and Security Rules.