Data protection and privacy in healthcare settings are governed by the Health Insurance Portability and Accountability Act (HIPAA), which standardizes protocols regarding these issues. Most healthcare facilities and establishments store and work with patient data and protected health information. As such, the act requires these establishments to deploy security measures that protect the individuals covered under HIPAA.
HIPAA applies to covered entities, such as establishments that provide treatment or payment and operate within the healthcare industry, as well as to associated entities that have some degree of access to information about these patients and support the primary functions of covered entities.
Under the act, the following types of information are protected:
Biometric identifiers and other identifying data, among others.
The primary objectives of the act were to:
Inherently, the act places great emphasis on the value of individuals' rights and freedoms, specifically the empowerment of personal choice. Health information often carries intimate details about a person, encompassing mental and physical condition, social behavior and status, interpersonal relationships, and financial stature.
Individuals are understandably concerned about their privacy, especially since the factors mentioned above are closely tied to their way of life and identity. Strong protection of patient privacy therefore builds societal trust in healthcare institutions. Furthermore, it protects individuals from discrimination of a social and economic nature.
The Department of Health and Human Services established the Security Rule as a means to standardize the protection of health information by entities covered under HIPAA. The rule can be summarized according to categories of safeguards intended to protect patient data, with the following goals:
Security Management Process
Identification and analysis of potential risks, and implementation of appropriate security measures to reduce these risks to an appropriate level.
Assignment of a designated security official responsible for the development and implementation of these protocols.
Information Access Management
Limitation of disclosures to the “minimum necessary”. This item of the Security Rule requires covered entities to authorize access to protected information only in situations where such access is appropriate.
Workforce Training and Management
Deploying mechanisms for the authorization and supervision of workforce members who handle electronic protected health information (ePHI). This includes enforcing appropriate sanctions against those who violate protocols.
Periodic assessment of how well the covered entity meets the requirements of the Security Rule.
Facility Access and Control
Limiting physical access to facilities that contain protected health information to authorized persons.
Workstation and Device Security
Implementation of protocols that specify proper use of and access to protected information, as well as protocols covering the transfer, removal, disposal, and re-use of electronic media.
Implementation of technical controls that limit access to protected information to authorized persons only.
Implementation of hardware, software, and procedural mechanisms to record and examine access and activity in information systems that contain or use electronic protected health information.
Implementation of electronic measures that ensure protected information is not misused, improperly altered, or destroyed.
Implementation of technical security measures that prevent unauthorized access to electronic protected health information while it is being transmitted over an electronic network.
Under the HIPAA Breach Notification Rule, full HIPAA compliance requires covered entities to notify affected patients and the Department of Health and Human Services (HHS) whenever their health information is compromised.
Breaches that affect more than 500 patients prompt the HHS to issue a notice to the media, whereas smaller breaches require only a report.
The following penalty tiers apply:
Violation attributable to ignorance: $100 – $50,000
Violation that occurred despite reasonable vigilance: $1,000 – $50,000
Violation due to willful neglect that is promptly corrected within 30 days: $10,000 – $50,000
Violation due to willful neglect that is not corrected within 30 days: maximum fine of $50,000
The range of the fine is dependent upon the following factors:
Among the cases of breach, the most common disclosures outlined by the HHS are:
The outbreak of COVID-19 once again brought the issue of health privacy to the fore. Since many people face undue prejudice when suspected or confirmed to be carrying the virus, covered entities, from healthcare establishments to companies, must ensure compliance with HIPAA so that the social, financial, and emotional harms to patients are not exacerbated.
The Department of Health and Human Services provides training, guidelines, and announcements on how privacy protocols and HIPAA compliance should be approached throughout the public health outbreak.
Privacy has always been important, and every individual deserves to conduct their life in a way that isn’t compromised by prejudice.