What You Need To Know About HIPAA

HIPAA and Health IT

HIPAA is a federal law that protects the privacy of your personal health information. At the same time, it allows health care providers and certain related operations enough access to the information they need to do their jobs effectively. HIPAA includes several rules and provisions that set guidelines and requirements for the administration and enforcement of HIPAA.

The relevant ones for the implementation of health information technology and the exchange of protected health information in an electronic environment are the Privacy Rule and the Security Rule, as well as the HITECH Act which further enforced the two in 2009.

*State laws may have more stringent requirements than federal laws, however, in cases of conflict, federal
law supersedes state law.

Highlights Of The Privacy Rule, The Security Rule, and the HITECH Act

  1. The Privacy Rule, applies to protected health information (PHI) in any form whether paper, oral, electronic, etc. While it requires covered entities to put in place “administrative, physical, and technical safeguards” for protecting PHI, it differs from the Security Rule in that it discusses the cases in which PHI can be used, when authorization is required and what are patients’ rights with respect to their health information. (Page 8335 of the final Security Rule)
    Summary of Privacy Rule

 

  1. The Security Rule applies only to protected health information in electronic form (E-PHI) and builds on the Privacy Rule requirements of “administrative, physical, and technical safeguards.”Unlike the Privacy Rule which is more concerned about patients’ rights and how health information is used and released, the Security Rule sets standards on the processes and technical security measures that should be taken to keep PHI private.It discusses acceptable ways to “implement basic safeguards to protect E-PHI from unauthorized access, alteration, deletion, and transmission.” (Page 8335 of the final Security Rule)* Under the Security Rule, paper to-paper faxes, person-to-person telephone calls, video teleconferencing, or messages left on voice-mail do not count as E-PHI because they did not exist in electronic form before the transmission.

    Thus those activities are not covered by [the Security Rule]” (Page 8342 of the final Security Rule). In contrast, the Privacy Rule applies to all forms of PHI.

    In particular, it calls for attention to:

    • risk analysis and management

    • administrative, technical, and physical safeguards

    • organizational requirements

    • policies, procedures, and documentation requirements

    Security Rule Guidance Material

    The US Department of Health & Human Services (HHS) now also offers a Security Risk Assessment (SRA) tool to help organizations ensure they are compliant with HIPAA’s administrative, technical, and physical safeguards and to expose areas where their PHI may be at risk

    The figure below gives you an idea of the security measures covered by the Security Rule. (from the paper “Reassessing Your Security Practices in a Health IT Environment: A Guide for Small Health Care Practices”)

  2. The HITECH Act essentially added teeth to the HIPAA Privacy and Security Rules by specifying levels of violations and penalties for violations. It also requires periodic audits to ensure that covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification.

Who Is Required To Comply With HIPAA?

Not all operations that handle health-related information must follow HIPAA law (such as many schools, state agencies, law enforcement agencies, or municipal offices). Under HIPAA the 2 groups that must follow HIPAA rules are

  • covered entities – health care providers, health plans, and health clearing houses

  • business associates – a person or group providing certain functions or services for a covered entity which require access to identifiable health information, such as a CPA firm, an attorney, or an independent medical transcriptionist
    More business associate FAQs here

Fox Hill Telehealth would be considered the business associate of a covered entity that uses Fox Hill Telehealth to communicating private health information with a client.

HIPAA and VSee Video Conferencing

Is Fox Hill Telehealth video conferencing HIPAA compliant?

Fox Hill Telehealth video chat helps you to be HIPAA compliant in two ways:

1)  It protects data privacy in that all audio/video communication is securely encrypted and transmitted from point-to-point such that even Fox Hill Telehealth does not have access to any identifiable health information that may be communicated.

2)  Fox Hill Telehealth offers the HIPAA-required Business Associate Agreement where Fox Hill Telehealth agrees to be responsible for keeping all patient information secure and to immediately report any breach of personal health information.