HIPAA Privacy And Security Rules


You have to notify the prominent media if more than 500 individuals' information has been breached

When providers think of HIPAA, what they almost always have in mind is the Privacy Rule and the Security Rule. In CFR 164, all of the 164.300 sections are the HIPAA Security Rule and all of the 164.500 sections are the Privacy Rule. They plunked the Breach Notification Rule right down between the two of them, so all of the 164.400 sections in the HIPAA regulations are the Breach Notification Rule.

What is a HIPAA breach?

So here's where it gets interesting. In 164.400 they say that the breach notification is effective for breaches of unsecured PHI on or after September 23rd.

So, there may be a law that comes along and changes this or the Department of Health and Human Services may change the regulation but in the meantime, it's in there.

But the problem is that now you have to decide. If information has been breached, you have to decide whether this is a significant risk of harm situation, and you have to make sure you document that decision and everything that went into it, because if you decide wrong and somebody winds up being harmed, you'll look pretty bad.

What is unsecured?

There is some guidance on the HHS website. ARRA requires that guidance, and HHS has issued it. So, whenever you can encrypt your information, that's what you want to do. If you look at the guidance, it is based on the NIST guidance about how to secure various kinds of communications, data at rest, and so on.

What you are looking for, if you can find it, is not necessarily going to be posted; you're not necessarily going to find any stickers on the boxes. But you're looking for encryption that meets FIPS 140-2. FIPS 140-2 is one of the Federal Information Processing Standards, and it is a particular definition of how to encrypt things.

Healthcare Compliance Tip: The nice thing is, you don't have to worry about which algorithm or any of the other arcane questions people ask about encryption. If somebody tells you, "Our encryption is FIPS 140-2 compliant and it has been validated," then that means you're going to be okay.

You can make copies of that data, if it has been encrypted with FIPS 140-2 software, and hand out copies on the street corner until you're blue in the face, and that doesn't count as a breach, because it has been encrypted according to the proper standard.

Who, what and how to notify?

Let's just keep moving right along here, because there's a lot of stuff we can talk about. Who, what and how to notify? There are three slides on this because, obviously, there's a lot to it. Obviously, you have to notify the individual of the breach if there has been a violation of the HIPAA Privacy Rule. And again, you have the notion here that it must be a breach of unsecured information; once it has been secured, you don't have to worry about it. A breach is considered discovered on the first day it was known or should have been known. You have 60 days from then to notify people.

You have to notify without unreasonable delay, and no later than 60 days, for healthcare compliance. And the clock starts ticking on the day you should have known about it. If you don't have good security procedures and don't even know that a breach has taken place, the clock may expire before you have found out about the breach; you could be in violation and not even know it until somebody finds a problem on their credit card statement or their bank statement or something like that. And speaking as somebody who has had their accounts compromised in the past, it's not a fun thing. People get pretty cranky about that.

The clock also covers people who are working for you as your agents: you don't get to wait to start the clock until they tell you. If they're working as part of your organization, the day they discover the breach is when the clock starts.

And then in the notice you send to individuals, you have to say, "Well, what happened? Why was the information breached? When was it breached? What should they do to protect themselves? What are you doing about it?" You also have to give them some ways to get in touch with you. That seems like pretty straightforward stuff.

And how do you get this to the individuals? 164.404 is where they talk about how you get the information to the individuals. It's by mail, which is what they're looking for: a letter. Or, if the individual has already said they prefer email, you can send an email message.

Ask for that preference in advance for healthcare compliance, because if a lot of your patients agree to email, that is a lot cheaper than all those stamps and envelopes. Stamps and envelopes cost real dollars, okay.

And if the individual is known to be deceased, you can send the information to the next of kin. And if you have no contact information for more than ten individuals, then you have to put a notice on your website homepage for 90 days, or let the major media know and run ads in major newspapers and the like, with a toll-free number that stays active for 90 days. So if you have people whose information was breached but you can't track them down, you still have to try to reach out to them.

You can also contact people by phone if you want to let them know quickly: "Hey, listen, your information has been compromised. You need to put a stop on your bank account right away, because we know it was a debit card," or something like that.

Plus, 164.406 says that if more than 500 individuals' information has been breached in any one particular jurisdiction, then you have to notify the prominent media. You also have to let the Secretary of Health and Human Services know. If it's over 500 individuals, then when you notify the individuals, that's when you also have to notify the Secretary of Health and Human Services. And the Secretary of Health and Human Services will post it on their Wall of Shame on their website.

For the smaller breaches, you have to report to the Secretary all the breaches in a year on a regular basis, which is basically within 60 days after the end of the year.

For healthcare compliance, 164.412 also provides for a law enforcement delay: if the police or another law enforcement agency say you can't notify just yet, you keep quiet about it for the time they specify, and you have to listen to them.
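The notification steps above (discovery date including agents, the 60-day window, the over-500 media and HHS notices, the annual log for smaller breaches, substitute notice for unreachable individuals, the law enforcement hold, and the FIPS 140-2 safe harbor) worked through as a small deadline planner. This is an added example, not code from the original presentation or from HHS; the thresholds follow the text as stated here, and the handling of a law enforcement hold that outlasts the 60-day window is an assumption noted in the comments.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

NOTIFY_WINDOW = timedelta(days=60)  # no later than 60 days after discovery
LARGE_BREACH = 500                  # over 500: media notice per jurisdiction, HHS notice with the individuals
SUBSTITUTE_NOTICE_MIN = 10          # over 10 unreachable individuals: website or media substitute notice

@dataclass
class Breach:
    discovery_dates: list                  # ISO dates, one per party that knew or should have known; agents count
    affected_per_jurisdiction: dict        # e.g. {"TX": 620, "NM": 40}
    unreachable: int = 0                   # individuals with no usable contact information
    law_enforcement_hold_until: Optional[str] = None  # ISO date law enforcement asked you to hold until
    fips_140_2_encrypted: bool = False     # secured PHI: not a reportable breach

def discovery_date(b: Breach) -> date:
    """The clock starts on the earliest day anyone acting for the entity knew or should have known."""
    return min(date.fromisoformat(d) for d in b.discovery_dates)

def notification_plan(b: Breach) -> dict:
    if b.fips_140_2_encrypted:
        return {"required": False}
    disc = discovery_date(b)
    deadline = disc + NOTIFY_WINDOW
    if b.law_enforcement_hold_until and date.fromisoformat(b.law_enforcement_hold_until) > deadline:
        # assumption: a hold that outlasts the 60-day window moves the send date to the end of the hold
        deadline = date.fromisoformat(b.law_enforcement_hold_until)
    large = sum(b.affected_per_jurisdiction.values()) > LARGE_BREACH
    return {
        "required": True,
        "discovery": disc.isoformat(),
        "individual_notice_by": deadline.isoformat(),
        "media_notice_jurisdictions": [j for j, n in b.affected_per_jurisdiction.items() if n > LARGE_BREACH],
        "hhs_notice_by": deadline.isoformat() if large else None,
        # 500 or fewer: goes in the annual log, due within 60 days after the end of the calendar year
        "annual_log_due": None if large else (date(disc.year, 12, 31) + timedelta(days=60)).isoformat(),
        "substitute_notice": b.unreachable > SUBSTITUTE_NOTICE_MIN,
    }

if __name__ == "__main__":
    # constructed sample: an agent discovered the breach on 2024-03-01, the entity itself only on 2024-03-10
    sample = Breach(["2024-03-10", "2024-03-01"], {"TX": 620, "NM": 40}, unreachable=12)
    for key, value in notification_plan(sample).items():
        print(f"{key}: {value}")
```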

For expert HIPAA training sessions on the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Business Associates Rule, HIPAA Audits & Enforcement, and others, visit the HIPAA compliance page.