The HIPAA Security Rule established national standards to protect electronically stored individual personal health information that was created, received, used, or maintained by Covered Entities. Covered Entities include all health care providers that bill or transmit health information electronically (meaning that most health care providers are Covered Entities). The HIPAA Security Rule sets the minimum levels of administrative, physical and technological safeguards required to ensure the confidentiality, integrity, and security of electronic protected health information (PHI). The provisions of the HIPAA Security Rules are enforced by the HHS Office of Civil Rights through audits and administrative enforcement actions.
The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.
Covered Entities, as well as Business Associates of covered entities, must handle and secure patient medical information in compliance with Health Insurance Portability and Accountability Act (HIPAA) requirements, as well as applicable state privacy laws, which may be stricter than the HIPAA requirements. HIPAA is a complex, and sometimes counter-intuitive, regulatory scheme with many requirements that must be met. Compliance with HIPAA security requirements is essential for three primary reasons: 1) failure to comply with the rules can result in the imposition of large administrative penalties (up to $1.5 million per violation type); 2) the remediation of preventable data breaches can result in significant costs to the entity, as well as loss of reputation and standing in the community; and 3) negligent or reckless breaches can lead to costly civil actions by patients whose information was disclosed.
HIPAA Security Rule issues impact health care providers in a multitude of ways:
1) Providing notices to, and obtaining required releases for disclosure from, patients;
2) Handling and securing protected health information in the required manner, including :
-having the necessary physical and technical security measures in place;
-implementing policies and procedures regarding security of PHI; and
-ensuring that personnel have access to the minimum amount of information necessary.
3) Conducting the required HIPAA Security Risk Assessment;
4) Having Business Associates Agreements and ensuring that Business Associates are complying with their obligations;
5) Responding to data breaches; and
6) Defending against audits and enforcement actions brought by the HHS Office of Civil Rights.
The attorneys at Nicholson & Eastin, LLP, along with our technology consultants, assist Covered Entities and their Business Associates understand and implement required security measures, as well as conduct HIPAA Security Risk Assessments. The attorneys at Nicholson & Eastin, LLP also assist Covered Entities and their Business Associates respond to data breaches by conducting the necessary internal investigations to determine the cause of the breach and the disclosure remediation necessary. In the event of an audit or enforcement action by the HHS Office of Civil Rights, we can defend the entity against the imposition of administrative penalties.
Because of the technical and complex nature of the HIPAA and Florida security rules, it is important for Covered Entities and Business Associates to consult with attorneys and technology consultants that are truly familiar with the security rules. If you have a HIPAA security rule question, need a security risk assessment performed, are dealing with a data breach, or receive a notice of audit or complaint from the HHS Office of Civil Rights, please do not hesitate to contact us for a consultation.