HIPAA & HITECH | Today's Health Data Privacy Laws in the USA - Part 1

HIPAA & HITECH are major regulations in the healthcare industry in the United States of America. HIPAA was enacted in 1996 and aimed to provide privacy protections related to individuals’ health information. HITECH, on the other hand, was actually part of a much larger piece of legislation (The American Recovery and Reinvestment Act of 2009) that was enacted to stimulate the American economy during the Great Recession. To do this, HITECH provided (and still provides) subsidies for companies that invest in new healthcare technologies that lead to improved patient outcomes. 

Notwithstanding its fiscal focus, HITECH did update some of the privacy protections of HIPAA, namely HIPAA’s:

• Notification requirements in the event of a breach
• Restrictions on disclosing and selling health information
• Rules related to marketing 

Because of this, any discussion of HIPAA is not complete without considering HITECH. Additionally, we want to ensure we provide a complete and accurate picture of these two legislations. As a result, this is our third of four articles in series on HIPAA & HITECH::

1. HIPAA | Foundations
2. HITECH | Foundations
3. HIPAA & HITECH | Today’s Health Data Privacy Laws in the USA (this article)
4. HIPAA & HITECH | Third-party Risk Management

In this series, we provide an overview of the HIPAA and HITECH, which constitute the bulk of health data laws in the United States. Our goal is to enable you to meaningfully contribute to healthcare privacy-related discussions at your organization. 

Rights of Individuals

Under HIPAA, individuals have the following rights:

• Right to opt-out of marketing communications
• Right to access PHI
  • Psychotherapy notes
  • Information compiled in reasonable anticipation of or for use in a civil, criminal, or administrative action/proceeding
  • PHI maintained by a covered entity that is
  • Subject to the Clinical Laboratory Improvement Amendments of 1988, to the extent that providing access of PHI to the individual would be prohibited by law
  • Exempt from the Clinical Laboratory Improvement Amendments of 1988
• Individuals may obtain a copy of their PHI for as long as PHI records are maintained, except for:
• Right to an accounting of disclosures of PHI
• Individuals may receive an accounting of disclosures of PHI made by a covered entity in the previous six years

Requirements

Security Requirements

Organizations are to:

• Ensure the confidentiality, integrity, and availability of all electronic PHI, including:
  • Protect against any unpermitted uses or disclosures that can be reasonably anticipated
  • Ensure compliance with this by the organization’s workforce
  • Flexibility on implementation is allowed depending on:
    • An organization’s size, complexity, and capabilities
    • Their technical infrastructure, hardware, and software security capabilities
    • The costs of the security measures
    • The probability and criticality of potential risks to electronic PHI
  • Implement policies & procedures:
    • To prevent, detect, contain, and correct security violations, including:
      • Risk analysis
      • Risk management
      • Sanction policy (against noncompliant workforce members)
      • Information system activity review

• • • Limiting physical access to electronic information systems and the facilities they’re housed in, including:
      • Contingency operations
      • Facility security plans
      • Access control and validation procedures
      • Maintain documentation of security-related repairs and modifications to facilities (e.g., hardware, doors, locks, etc.)
    • Which workstations can access electronic PHI
    • Governing identity & access management for systems containing electronic PHI, limiting access to appropriate persons and software programs, including:
      • Unique user identification
      • Emergency access procedures
      • Automatic logoff
      • Cryptography
    • To record and examine activity in systems containing/using electronic PHI
    • As needed to comply with the rest of this Regulation

Privacy Requirements

Covered entities are allowed to use or disclose PHI as follows:

• To the individual
• For treatment, payment, or health care operations
• Incident to a use or disclosure permitted/required by this part
• When required by the Secretary

Business associates are allowed to use or disclose PHI only as permitted in their contracts with covered entities (or as required by law). That said, associates must disclose PHI:

• When requested by an individual
• When required by the Secretary

Covered entities and business associates cannot sell PHI, except when disclosing PHI:

• For public health purposes
• For research purposes (where the only money received is a reasonable cost-based fee to cover the costs to prepare & transmit the PHI)
• For treatment and payment purposes
• For the sale, transfer, M&A, or consolidation of all (or part) of a covered entity and for related to due diligence
• To/by a business associate for activities it’s undertaken on behalf of a covered entity, and the only money received is given by the covered entity for the performance of the activities
• To an individual when requested
• Required by law
• For any other purpose permitted by and in accordance with the applicable requirements of this subpart, so long as the only compensation received is a reasonable, cost-based fee to cover the cost to prepare & transmit the PHI

Health plans may not disclose genetic information for underwriting purposes, except for:

• Determining eligibility for benefits under the plan, coverage, or policy
• Computing the premium or contribution amounts under the plan, coverage, or policy
• Applying any pre-existing condition exclusion under the plan, coverage, or policy
• Other activities related to creating, renewing, or replacing a health insurance/benefits contract
• Underwriting does not include determining medical appropriateness when an individual seeks a benefit under a plan, coverage, or policy

De-Identifying Health Information

How to de-identify health information

In order to make identifying an individual through health information (reasonably) impossible, organizations may choose to de-identify health information. Health information is deemed to be de-identified only if:

• A person with appropriate knowledge of and experience with generally accepted statistical/scientific principles and methods for rendering information not individually identifiable:
  • Applying such principles/methods determines that the risk is very small that the information could be used (alone or in combination with other reasonably available information) to identify an individual; and
  • Documents the methods and results of the analysis that justify such determination

The steps to de-identify health information are as follows:

• The following identifiers of the individual (or their relatives, employers, or household members) are removed:
  • The geographic unit formed by combining all zip codes within the same three initial digits contains more than 20,000 people; and
  • The initial three digits of a zip code for the areas containing 20,000 or fewer people is changed to 000
  • DOB
  • Admission date
  • Discharge date
  • Date of death
  • All ages over 89 and all elements of dates (including year) indicative of such age, unless such ages/elements may be aggregated into a single category of ‘age 90 or older’
• Names
• All geographic subdivisions smaller than a State (including street address, city, county/precinct, zip code (except for the first three digits) and other equivalent geocodes) if:
• All elements of dates (except for the year) directly related to an individual, including:
• Telephone numbers
• Fax numbers
• Email addresses
• SSNs
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• URLs
• IP address(es)
• Biometric identifiers, including finger and voice prints
• Full face photographic images and any comparable images
• Any other unique identifying number, characteristic, or code (except as permitted by paragraph (c) of this section)

How to re-identify health information

To enable de-identified information to be re-identified, a covered entity may assign a code (or something similar) to a record, so long as the code is not:

• •  Derived from or related to information about the individual
  • Capable of being translated to identify the individual
  • Used or disclosed for any other purpose

Audits

The Secretary of DHHS may audit covered entities and business associates to ensure they are complying with HITECH and HIPAA. Organizations must comply with these audits.