Within HIPAA, How Does Security Differ From Privacy?
Data privacy and security are extremely important in the modern age, but consumers are often left in the dark about what happens to their personal information stored by various companies they do business with. It is especially problematic with sensitive patient data stored by medical organizations that, if leaked, could have damaging and lasting repercussions for the compromised individual.
So, how are each patient's rights protected? Read on for an overview of the Health Insurance Portability and Accountability Act (HIPAA), with a main focus on how the HIPAA patient data privacy and patient data security rules differ (including provisions like the HIPAA minimum necessary rule).
What Is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that began as an effort to protect Americans from losing their health insurance when they change jobs. It quickly became the law that keeps private patient data from being sold, overshared, breached, or otherwise abused, whether by the medical organizations entrusted with keeping it or by criminals looking to steal it.
Today, HIPAA is a set of national standards for the physical and electronic safety and confidentiality of protected health information (PHI) within the health and human services (HHS) industry.
What Constitutes "Protected Health Information" (PHI) And Patient ePHI?
HIPAA identifies "protected health information" (PHI) to include the following points of individually identifiable health information:
- Name
- Social Security number
- Address
- Telephone number/fax number
- Email address
- Personal dates (hospital admission/discharge, date of birth/death, etc.)
- Health plan beneficiary number
- Account number
- Medical record number
- Vehicle operating license number
- Vehicle license plate, serial number, and other vehicle identifiers
- Device serial numbers/identifiers
- IP addresses and web URLs
- Biometric identifiers, such as retinal scans, fingerprints, voiceprints, etc.
- Handwriting and signature
- Full-face photos
- Any other special characteristics/codes/numbers by which a patient can be personally identified
In the modern world, most patient data is stored in digital form; in HIPAA terms, this is known as electronic protected health information (ePHI).
Who Must Abide By HIPAA Regulations?
HIPAA policies apply to two categories of healthcare organizations, agencies, and individuals, known as "covered entities" and their "business associates".
HIPAA's "Covered Entities"
A covered entity is one of the following healthcare spaces:
- Health Care Providers: These are medical clinics, doctors, psychologists, chiropractors, dentists, pharmacies, and nursing homes (HIPAA applies only if they transmit any data in electronic form in connection with a transaction for which a HIPAA standard exists).
- Health Plans: These are health insurance companies, HMOs, company health plans, and government programs that finance health care (Medicaid, Medicare, military/veteran health care programs).
- Health Care Clearinghouses: These are entities entrusted with processing nonstandard health information received from another entity into a standard format, and vice versa.
HIPAA's "Business Associates"
Within HIPAA vocabulary, a "business associate" is "a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity."
A business associate is usually involved with the covered entity in the following capacities:
- claims processing/administration
- data analysis/processing/administration
- quality assurance
- utilization review, benefit management, practice management
- billing
- pricing
As such, business associates come in a wide variety of authorized persons and companies, such as consultants, third-party administrators, healthcare clearinghouses, independent medical transcriptionists, as well as pharmacy managers and accounting firms whose functions involve accessing patients' protected health information.
HIPAA Compliance Enforcement
HIPAA is a federal law that applies to all eligible health care entities across the USA. HIPAA compliance enforcement is mainly the province of the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS), though other agencies have gotten involved in past cases, such as the US Food and Drug Administration (FDA) and the Centers for Medicare & Medicaid Services (CMS).
Differentiating Between HIPAA Privacy And Security Rules
HIPAA actually has more rules than the Privacy and Security Rules (there are also the Transactions and Code Sets Rule, the Unique Identifiers Rule, and the Enforcement Rule), but in this article we are focusing on the HIPAA Security and Privacy Rules: what they have in common and what sets them apart.
Privacy Vs. Security
Let's quickly define the difference between the notion of data "privacy" and data "security" in general.
Privacy has to do with control over one's own personal information, who sees it, and how it's used.
Security has to do with guarding personal information against malicious threats like data breaches.
When it comes to our personal space, we tend to seek privacy and confidentiality from the people we know and come in contact with -- while we set up physical security measures to stop strangers from stealing our possessions and doing us harm. Data protection works along the same logic.
HIPAA Privacy Rule
The HIPAA Privacy Rule is there to prevent improper uses and unauthorized disclosures of PHI. This set of rules serves to identify and limit:
- who can access PHI
- to whom PHI may be disclosed
- under what conditions PHI may be used
The Privacy Rule centers on each individual patient's right to control their PHI. The basic tenet of this rule is to make PHI available to authorized persons only when it directly benefits the patient's treatment or is used for payment; otherwise, PHI should remain confidential.
In a nutshell, the HIPAA Privacy Rule is there to safeguard PHI from internal carelessness, negligence, and other intentional or accidental abuse by the authorized health care employees who routinely handle PHI as part of their job.
HIPAA Security Rule
While the HIPAA Privacy Rule concerns itself with the human element involved in ensuring the confidentiality of sensitive information, the HIPAA Security Rule is all about physically locking up, digitally encrypting, and otherwise shielding patient data from unlawful intrusions and hacks.
The HIPAA Security Rule is a set of security management processes broken down into three types of safeguards: administrative, technical, and physical.
Technical Safeguards
Technical safeguards have to do with IT management within healthcare organizations. They involve:
- Controlling access to reading, modifying, and communicating PHI via data encryption, automatic logoffs, unique user identifiers, etc.
- Audit controls
- User authentication for each PHI access attempt
- "Information integrity" policies and procedures
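As an added illustration (not code from the original post, from EasyLlama, or from any HIPAA text) of how the four technical safeguards above fit together on a single ePHI access path: unique user identifiers tied to sessions that log off automatically when idle, a minimum-necessary mapping of roles to the PHI fields they may read, an audit entry for every access attempt whether it succeeds or not, and an integrity tag that detects silent modification of a record. The role-to-field mapping, record layout, idle limit, and key are constructed assumptions for the demo.

```python
import hashlib, hmac
from dataclasses import dataclass, field

# Constructed demo key for the integrity tag; real deployments keep this in a KMS or HSM.
INTEGRITY_KEY = b"demo-key-not-for-production"
IDLE_LIMIT = 900  # seconds of inactivity before automatic logoff

# Minimum-necessary mapping (constructed): each role sees only the PHI fields its job needs.
ROLE_FIELDS = {
    "physician": {"name", "dob", "diagnosis"},
    "billing": {"name", "account_number"},
}


def integrity_tag(record):
    """HMAC over a canonical rendering of the record, so silent edits are detectable."""
    canon = "|".join(f"{k}={record[k]}" for k in sorted(record))
    return hmac.new(INTEGRITY_KEY, canon.encode(), hashlib.sha256).hexdigest()


@dataclass
class EphiStore:
    records: dict                                   # mrn -> PHI record
    tags: dict = field(default_factory=dict)        # mrn -> integrity tag
    audit: list = field(default_factory=list)       # one entry per access attempt
    sessions: dict = field(default_factory=dict)    # unique user id -> (role, last activity)

    def __post_init__(self):
        self.tags = {mrn: integrity_tag(rec) for mrn, rec in self.records.items()}

    def login(self, user_id, role, now):
        self.sessions[user_id] = (role, now)

    def read(self, user_id, mrn, wanted, now):
        role, last = self.sessions.get(user_id, (None, 0))
        if role is None or now - last > IDLE_LIMIT:
            self.sessions.pop(user_id, None)        # automatic logoff on idle session
            return self._deny(user_id, mrn, wanted, now, "no active session")
        self.sessions[user_id] = (role, now)
        excess = set(wanted) - ROLE_FIELDS.get(role, set())
        if excess:
            return self._deny(user_id, mrn, wanted, now, f"fields not permitted: {sorted(excess)}")
        record = self.records[mrn]
        if not hmac.compare_digest(integrity_tag(record), self.tags[mrn]):
            return self._deny(user_id, mrn, wanted, now, "integrity check failed")
        self.audit.append((now, user_id, mrn, sorted(wanted), "granted"))
        return {f: record[f] for f in wanted}

    def _deny(self, user_id, mrn, wanted, now, reason):
        self.audit.append((now, user_id, mrn, sorted(wanted), "denied: " + reason))
        return None
```

The audit list is the piece an investigator would pull first: it records the denied attempts (wrong role, expired session, tampered record) as faithfully as the granted ones.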
Physical Safeguards
Physical safeguards are there for the protection of the hardware containing patient PHI. They involve:
- Strict control of facility access
- Protocols for device control and media use (including proper backup and disposal of PHI-containing hardware)
- Workstation security and surveillance against unauthorized access to workstations and the areas housing PHI-containing equipment
Administrative Safeguards
Administrative safeguards account for the general management of data security and involve:
- Assigning a security official to develop, implement, and oversee administrative security policies and procedures
- Determining security management policies and procedures for detecting and containing data breaches, as well as implementing preventative strategies including risk analysis
- Instituting policies and procedures for employee access to patient data, including formal authorization, supervision, proper clearance, and post-termination protocol
- Restricting unnecessary access to PHI
- Proper security training
- Contingency plans for backing up/recovering data
- Establishing a formal (written) understanding with each business associate about the sensitive treatment of patient PHI
- Evaluating the organization's existing security plans and its HIPAA compliance thus far
In a nutshell, the HIPAA Security Rule is there to protect PHI against external criminal attacks by dishonest parties that were never authorized to access this data in the first place.
Key Differences And Similarities Summed Up
As you can see, the differences between the HIPAA Privacy Rule and Security Rule come down to focusing on different aspects of achieving the same goal: keeping patient information safe. In a way, it is similar to keeping money in the bank: it takes a combination of trustworthy personnel committed to vigilance (privacy) and investment in the best vault, surveillance system, and armed guards (security).
The main technical difference between the HIPAA Privacy and Security Rules is that the Security Rule only applies to ePHI. Only electronic versions of identifiable personal information and health records fall under it: the moment they are printed out, they lose the protection of the HIPAA Security Rule (but keep the protection of the HIPAA Privacy Rule).
Also, the HIPAA Security Rule does not apply to oral forms of PHI such as voice recordings, even if they technically exist in electronic format. The Privacy Rule, on the other hand, applies to all PHI -- electronic, written, and oral/audio-recorded.
Ultimately, these two HIPAA rules are there to complement each other -- to close potential gaps and loopholes in patients' rights from multiple angles.
And the bottom line is that breaking these and other HIPAA rules is unlawful for a covered entity and its business associates, which can result in government fines as well as potential payouts in "damages" to patients seriously harmed by HIPAA violations.
HIPAA Training Is Mandatory: Pick The Best Program For Your Business!
Not only are medical facilities, private medical practitioners, and their various facilitators financially liable for HIPAA violations: their patients, their reputations, and other vital aspects of their business are all compromised by data/confidentiality breaches in profound ways.
It is, hence, truly best to prevent HIPAA violations from happening in the first place. As such, the above-mentioned covered entities and their business associates are federally required to be HIPAA-compliant, and this includes mandatory (immediate) HIPAA training for all employees within the healthcare industry who handle protected patient information in any capacity.
EasyLlama's Got Your Back With Its Excellent (And Super Easy) HIPAA Training
HIPAA training, as any other compliance training, may sound daunting but, with EasyLlama, it's simple, fast, and impactful.
Designed for today's mobile-reliant workforce, EasyLlama's training is easy and fun for employees to digest. The bite-sized, interactive, real-life scenario-driven modules build knowledge and understanding of the value of patient ePHI and the necessity of protecting it. As a result, employees become more mindful of and intentional about this dimension of their job.
Companies love how easy and effective EasyLlama's fully compliant e-learning programs are for organizations to implement and for employees to complete.
Choose EasyLlama for your HIPAA training needs and achieve HIPAA compliance success without breaking a sweat!
Written by: Maria Malyk