HIPAA Privacy & Security Rule

The Health Insurance Portability and Accountability Act

Privacy Rule

The HIPAA Privacy Rule gives patients certains rights regarding personal health information that are collected by covered entities as defined by HIPAA. A covered entity may be a health care provider, a health plan, or a healthcare clearinghouse which transmit information electronically. The goal of the Privacy Rule is to protect the privacy of patients while allowing information to flow when needed to provide quality health care to the patients and the public. An individuals rights include access to records, accounting of disclosures, amendments of health information records, and request for restrictions of disclosure.

The Department of Health and Human Services (HHS), Ofifice of Civil Rights (OCR) administers and enforces compliance to the standards set forth by The Standards for Privacy of Individually Identifiable Health Information (Privacy Rule). A covered entity's failure to comply with the the standards may be subject to civil money penalites and/or criminal penalites depending on their knowledge of the violation.

Civil Money Penalties

	For violation occurring prior to 2/18/2009	For violations occuring on or after 2/18/2009
Penalty Amount	Upt to $100 per violation	$100 to $50,000 or more per violation.
Calendar Year Cap	$25,000	$1,500,000

Criminal Penalties

Knowingly obtain or disclose health information	If violation occurred under false pretenses	Intent to sell, transfer, or use health information for personal gain or to cause harm
Up to $50,000 and 1 year in prison	Up to $100,000 and 5 years in prison	Up to $250,000 and 10 years in prison

Security Rule

The HIPAA Security Rule established national standards to protect electronic health information that a covered entity creates, exchanges, and maintains. The Security Rule took effect on April 21, 2003 with a compliance date of April 21, 2005 for most covered entities and April 21, 2006 for "small plans". The Security Rule was enacted to specifically deal with Electronic Protected Health Information (e-PHI) and proposed appropriate procedures and measures to protect the confidentiality and security of patient information in an electronic environment. The Security Rule outlines three types of security safeguards required for compliance: administrative, physical, and technical.

Administrative Safeguards:

proper risk assessment associated with e-PHI and measures to reduce this risk, policies for access to e-PHI
policies and procedures for authorizing access to e-PHI
proper training, authorization and supervision of workers using e-PHI
periodic assessment of policies as they pertain to the Security Rule.

Phyical Safeguards:

limiting physical access to facilities while allowing authorized access
proper use and access of workstation or other electronic media
policies and procedures regarding the transfer, removal, disposal and re-use of electronic media

Technical Safeguards

technical policies and procedures to prevent unauthorized access to e-PHI
hardware, software, and /or procedural mechanisms to monitor e-PHI use
policies and procedures to prevent alteration or destruction of e-PHI
technical security measures to prevent unauthorized access to e-PHI when transmitting over a network

HITECH Act

The Health Information Technology for Economic and Clinical Health Act was signed to law in February 17, 2009 and extends the Privacy and Security Provisions of HIPAA to business associates of covered entities. It significantly increased penalties for violations with "a maximum penalty amount of $1.5 million for all violations of an identical provision". It also implemented new rules for the accounting of disclosures of patient information when using electronic health records (EHR) and proposed new measures and procedures specifically to ensure the privacy an security of EHR.

HIPAA Compliance

HIPAA required that covered entities demonstrate compliance to the Privacy Rule on April 14, 2003 and to the Security Rule on April 20, 2005. The Office for Civil Rights (OCR) was given the authority to enforce the Privacy and Security Rules under HIPAA and HITECH on July 27, 2009. Covered entities who fail to comply may be subject to civil or criminal penalties as outlined above.

For further reading visit these informative sites.

[+] [-]

Compliance

White Paper & Docs

DynaPass Features

Creation and distribution of One-Time-Passwords (OTP)
On-request distribution of OTP to mobile phones and other devices
Automatic enabling and disabling of user accounts
Secret individual part of password (prefix)
Customizable password length, characters, and login time
Out-of-band zero-footprint OTP authentication

See Full Features

Live Demo

News & Announcements

JULY 20, 2020

Watch Out: 99.9 Percent of Hacked Microsoft Accounts Don’t Use 2FA

Two-factor authentication (2FA) is the single most effective method of preventing unauthorized access to an online account. Still need convincing? Have a look at these jaw-dropping numbers from Microsoft.

Industry News

RSS Feed Widget

HIPAA standards for the health care industry addresses the concern of privacy and security for electronic protected health information.