How to Comply with the HIPAA Privacy Rule

Use these links to jump to different sections:

• Who Is Covered by HIPAA?
• What Does HIPPA Protect?
• What Actions Must Covered Entities Take?
• New Jersey’s Encryption Mandate

Today most of us live our lives online. We are used to transmitting personal information via email and social media. But when it comes to certain protected health information (PHI), health care providers are bound by federal and state laws to ensure the security of such data and medical records.

Who Is Covered by HIPAA?

The Health Insurance Portability and Accountability Act of 1996—commonly known as HIPAA—is the main federal law governing data privacy and security in the healthcare field. HIPAA establishes a common set of rules that govern health care providers, health insurance companies, and any other entity that serves as a clearinghouse for PHI. In addition to these “covered entities,” HIPAA also applies to “business associates,” which are individuals and businesses that use PHI on behalf of a covered entity.

What Does HIPPA Protect?

Basically, HIPAA regulations protect anything involving an individual’s past, current, or expected future medical condition, whether related to their physical or mental health. This includes any information related to the individual’s medical treatment, health plans, and any payments for services rendered. HIPAA also covers any individually identifiable health information that may be used to identify a particular individual, such as their name, address, date of birth, and Social Security number.

What Actions Must Covered Entities Take?

It is critical to understand what the law actually requires of covered entities. Aside from maintaining the privacy of PHI, a covered entity or business associate must also take certain affirmative steps to ensure the security of any data in their possession. This includes:

• Making sure any PHI remains confidential (i.e. is not made available or disclosed to any unauthorized individuals or entities)
• Identifying and protecting against “reasonably anticipated threats” to the security of any PHI
• Ensuring all employees and contractors working for the covered entity or business associate complies with HIPAA’s security rules.

In short, all health care entities need to have a well-developed and properly executed plan of technical safeguards in place to ensure HIPAA compliance on an ongoing basis. “Periodic policy and related document review is a must,” says Jill T. Ojserkis, a health care attorney with Cooper Levenson in Atlantic City. “Provider documents must be compliant with HIPAA, applicable state law regarding privacy, and should consider certain hot areas of the Office of Civil Rights (OCR) and state law compliance and enforcement. Particular attention should be paid to the form Notice of Privacy Practice (NPP) that providers give to patients and oftentimes post. Providers need to periodically review required Business Associates Agreements (BAA) and ensure that all business associates not otherwise exempt have entered into these with the provider, as the covered entity, and ensure that the analysis on whether to obtain a BAA is part of the usual contracting process flow.” Being HIPAA compliant is not simply a checklist of security measures and risk assessments to be completed once a year. It requires creating a culture of compliance. Ojserkis says education on HIPAA is important not only for new hires, but something that should be undertaken annually. “Education and re-education on safeguards for PHI, how to address opt-out requests and self-pay requests, how to address requests for disclosures, and the like is essential,” she says.

New Jersey’s Encryption Mandate

Beyond HIPAA’s requirements, New Jersey has taken additional steps to ensure the security of PHI. In 2015, the state adopted legislation requiring the use of “data encryption software” on any electronic devices that may contain electronic health records and PHI. Although HIPAA requires covered entities to “address” encryption as part of their overall compliance planning, New Jersey’s law expressly mandates encryption. What this means in practice is New Jersey health care providers and insurance companies must ensure that any computer, smartphone, tablet, or external storage device that contains any kind of patient information must be encrypted by default. As noted above, this includes personal identifying information. So, if you are a doctor who keeps a patient contact list on your smartphone, you need to make sure that phone is encrypted. This extends to IT vendors as well. Before you enter into an agreement with a vendor, Ojserkis recommends performing security assessments and reference checks. The agreement itself should detail expectations for security and privacy, insurance requirements, “and contain clear language about breach responsibility, financial and otherwise, in the liability and indemnification sections. Most importantly, providers need to ensure that IT vendor agreements contain limitations on use and disclosure of PHI provided to or through them.” A qualified New Jersey health care attorney can provide you with more specific advice tailored to a health care organization’s need. “It is better to pay counsel and consultants for prevention than to pay fines or judgements or find that you are in breach of an agreement or not in compliance with your insurance policies or the law,” Ojserkis says. For more information on this area of law, see our overview of health care law.