Brigitte Volochinsky on HIPAA

Cybersecurity while travellingBrigitte Volochinsky, Esq., CHPC is a healthcare attorney licensed to practice law in New York and New Jersey. Brigitte currently serves as corporate counsel for CarePoint Health, a health care system located in Hudson County, New Jersey. Brigitte has extensive experience in Stark and Anti-Kickback law, healthcare compliance and healthcare privacy regulations, including HIPAA and HITECH. 

LIFARS: What is HIPAA?

Volochinsky, Esq., CHPC: HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. From a regulatory perspective, HIPAA was developed with three principal objectives:

1) to make health insurance portable under the Employee Retirement Income Security Act (ERISA);
2) to create a nationally standardized electronic billing platform; and
3) to prevent healthcare fraud, waste and abuse.

Although not delineated as one of the above principal objectives, individuals often think of HIPAA as a protector of their health care related information. This is also accurate — HIPAA privacy regulations require covered entities and their business associates to develop and follow procedures to ensure the confidentiality and security of its patient’s health information when it is transferred, received, handled or shared.

LIFARS: What type of health information is protected under HIPAA?

Volochinsky, Esq., CHPC: Not all health information is protected under HIPAA. It is important to look to the definition of health information and some of its subsets to fully understand what type of health information is protected.

The definition of health information is broad and includes any information, including genetic information, whether oral or recorded, that is created or received and relates to:

1) past, present or future physical or mental health or condition of an individual;
2) the provision of health care to an individual; or
3) past, present or future payment for the provision of health care to an individual.

Health information is not protected under HIPAA. A subset of health information is individually identifiable health information (IIHI), which is the same thing as health information, but goes one step further and also identifies the individual or there is a reasonable basis to believe the information can be used to identify the individual. IIHI, also, is not protected under HIPAA, an additional piece is required for HIPAA to apply.

The missing piece can be any of the following – if IIHI is transmitted by electronic media, maintained in electronic media or transmitted or maintained in any other form or medium, then IIHI becomes protected health information (PHI) and PHI is subject to the protections of HIPAA.

LIFARS: Who are Covered Entities and Business Associates?

Volochinsky, Esq., CHPC: A Covered Entity (CE) is defined under HIPAA as a health plan, a health care clearinghouse or a health care provider which electronically transmits any health information in an electronic form. Most individuals know that a health plan is the entity that pays for the cost of medical care and a health care provider is a provider of medical or health services. The lesser known type of CE is the health care clearinghouse, which is defined under HIPAA as any public or private entity that either processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction, or receive a standard transaction from another entity and processes or facilitates the processing of health information into a nonstandard format or nonstandard data content for the receiving entity. A simple example of the complexly defined health care clearinghouse, is a billing service company.

A Business Associate (BA) is defined under HIPAA as a person or entity who, on behalf of the CE, participates creates, receives, maintains or transmits PHI for a function or activity regulated by HIPAA or provides a service involving the disclosure of the CE’s PHI.

As a quick summary, the CE essentially owns the PHI and the BA is using, disclosing or manipulating the PHI, usually on behalf of the CE. The relationship between a CE and a BA can be complicated and CEs are mandated to get assurances for privacy and security standards from their BAs. The safest practice is to execute a Business Associate Agreement (BAA) between the CE and BA which uses a contract to spell out each party’s duties and obligations including any permitted uses and disclosures of PHI.

LIFARS: Who gets notified of a breach of PHI?

Volochinsky, Esq., CHPC: Following a breach of unsecured PHI, CEs have an obligation to notify the affected individuals, the Secretary of Health and Human Services (the Secretary) and, in certain circumstances, the media. For clarity, unsecured PHI includes PHI that is not secured through the use of a technology or methodology that renders PHI to be unusable, unreadable or indecipherable to any unauthorized person, such as encryption.

CEs are required to notify the affected individual of a breach of PHI without unreasonable delay and such notification must occur within 60 days from the date the breach is discovered. If the breach of PHI has affected more than 500 residents of a state or jurisdiction, in addition to notifying the affected individuals, notice must be provided to prominent media outlets serving that state or jurisdiction without unreasonable delay and in no event later than 60 days from the date of discovery.

CEs are also required to notify the Secretary of the breach. If the breach affects less than 500 individuals, the CE can provide notice to the Secretary on an annual basis. However, if the breach affects more than 500 individuals, the CE must notify the Secretary without unreasonable delay and in no case later than 60 days from the date of discovery.

Contact Brigitte Volochinsky, Esq., CHPC on Linkedin.