Clarifying the Confusion – Part II: Understanding HIPAA and Its Revisions
Enacted in 1996, HIPAA requires the HHS to create standards for the use and dissemination of health care information and addresses the security and privacy of health data. The HIPAA provisions were supplemented in 2009 by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The omnibus rule released in mid-January 2013 by the HHS Office for Civil Rights (OCR) finalizes the HITECH provisions and clarifies some elements of the original HIPAA legislation. The new rule became effective March 26, 2013, and the deadline for compliance is September 23, 2013.
A notable change between the original Act and the final omnibus rule is that a covered entity (CE) is now required to notify the OCR for any breach, unless the organization conducts a risk analysis and can demonstrate a low probability of compromise. Prior to the January update, notification was required only if a significant risk of harm existed.
The HIPAA Security Rule regulates the use of PHI by CEs. It specifies that CEs must ensure three types of safeguards to protect PHI: administrative, physical, and technical. Administrative safeguards include periodic risk assessments and staff training. Ensuring a locked location for network servers and shielding screens from non-approved viewers are examples of physical safeguards. Technical safeguards include data encryption and the use of secure passwords.
Contrary to what many health leaders have been led to believe, HIPAA provisions do not require the use or avoidance of any specific modes of communication. In fact, text messaging is permissible under HIPAA. The law simply stipulates that a CE must assess its risk related to PHI security; establish policies and procedures to manage that risk; and ensure execution of and provide staff training on the policies and procedures. These regulations apply to providers communicating PHI in any digital form.
Compliance with HIPAA provisions is not an attribute of a particular application or device but rather of a system of policies, processes and technology that support the HIPAA-compliant use of electronic communication.
As a result, there is no such thing as a “HIPAA-compliant app.” While HIPAA legislation does not address specific devices or modes of communication, it is especially relevant to technology that enables electronic communication precisely because of the widespread use of text messaging and the portability and vulnerability to theft of mobile devices.
In Part III of our security series, we’ll cover compliance issues and security breaches.