Full-time and Part-time Food Service employees must enroll!
If you do not enroll, your benefits will terminate on:
December 31, 2023
The Health Insurance Portability and Accountability Act (HIPAA), sets the standard for protecting sensitive patient data. It provides privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals and other health care providers. Any company that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed.
The HIPAA Privacy Rule
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other protected health information (PHI) and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
The HIPAA Security Rule
The provisions of the Security Rule apply to electronic protected health information (ePHI). It sets the standards for ensuring that only those who should have access to EPHI will actually have access. The security standards are divided into the categories of administrative, physical, and technical safeguards. Regulatory definitions of the safeguards can be found in the Security Rule at 45 CFR § 164.304.
- Administrative safeguards: In general, these are the administrative functions that should be implemented to meet the security standards. These include assignment or delegation of security responsibility to an individual and security training requirements. (For more information, see 45 CFR § 164.308 and paper 2 of this series titled “Security Standards – Administrative Safeguards”.)
- Physical safeguards: In general, these are the mechanisms required to protect electronic systems, equipment and the data they hold, from threats, environmental hazards and unauthorized intrusion. They include restricting access to EPHI and retaining off site computer backups. (For more information, see 45 CFR § 164.310 and paper 3 “Security Standards – Physical Safeguards”.)
- Technical safeguards: In general, these are primarily the automated processes used to protect data and control access to data. They include using authentication controls to verify that the person signing onto a computer is authorized to access that EPHI, or encrypting and decrypting data as it is being stored and/or transmitted. (For more information, see 45 CFR § 164.312 and paper 4 “Security Standards – Technical Safeguards”.)
HIPAA Breach Notification Rule
This rule is part of the Health Information Technology for Economic and Clinical Health (HITECH) Act. This Rule requires HIPAA-covered entities to notify the Secretary of the Department of Health and Human Services about any breach of protected health information within 60 days of its discovery. Affected patients are also sent notifications letters within 60 days of the breach discovery.
HIPAA Omnibus Rule
Introduced important changes to the HIPAA Privacy Rule, Security Rule and Breach Notification Rule. One important change is the requirement of HIPAA-covered entities business associates and subcontractors to implement ePHI protection as required by HIPAA Security Rule. Non-compliance will result in fines. Another important change is the allowing of covered entities not to report a breach provided they can prove it has no significant harm.
Tools and Resources
FAQ
What is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act of 1996 that specifies laws for the protection and use of Personal (or Protected) Health Information (PHI). It provides privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals and other health care providers. Developed by the Department of Health and Human Services, these standards provide patients with access to their medical records and more control over how their personal health information is used and disclosed.
What is protected health information (PHI)?
Protected health information (PHI) is individually identifiable health information that is held or transmitted by a covered entity (or its business associate) in any form or media, whether electronic, paper, or oral. Individually identifiable health information includes common identifiers such as name, address, social security number, date of birth, or any other information that can be used to identify the individual.
The HIPAA rules refer to “covered entities.” What are they?
A covered entity is any healthcare provider, including hospitals, physicians, pathology labs, radiation facilities, insurance companies, and data processors, that transmits any health information in electronic form for financial and administrative transactions.