@xirkus
Last active June 21, 2021 08:40
Collection of HIPAA Compliance Guidelines

Resources

Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules

This final rule is needed to strengthen the privacy and security protections established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for individuals' health information maintained in electronic health records and other formats.

Notes

  • Failure to abide by HIPAA/HITECH/GINA creates liability for Covered Entities (CE) and their Business Associates (BA). The communication of electronic Protected Health Information (ePHI) should be covered by a Business Associate Agreement (BAA).

  • Governed by the principle of "Minimum Necessary Standard" (MNS).

  • "Satisfactory assurances" with regard to applying the MNS MUST be documented (through a written contract/agreement or a memorandum of understanding).

  • Adherence to HIPAA extends to subcontractors of a CE/BA.

  • The transmission of ePHI has conduit exclusions for ISPs/mail systems.

  • ePHI cannot be used for insurance/underwriting purposes.

  • Sale of ePHI requires a person's authorization/consent unless covered by an exclusion (research being one of them, provided that remuneration is limited exclusively to the cost of preparing the ePHI).

    "fees charged to incur a profit from the disclosure of protected health information are not allowed."

  • Incident cited regarding psychotherapy notes being used to blackmail the individual over the information disclosed in them.

  • A breach requires disclosure to the individual and the Secretary (of Health and Human Services). A risk assessment must be completed to determine whether there is a "significant risk of harm".

    "We encourage covered entities and business associates to take advantage of the safe harbor provision of the breach notification rule by encrypting limited data sets and other protected health information pursuant to the Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (74 FR 42740, 42742). If protected health information is encrypted pursuant to this guidance, then no breach notification is required following an impermissible use or disclosure of the information."

    "This guidance, which was published in updated form within the preamble to the interim final rule and made available on the HHS Web site, specifies that only encryption and destruction, consistent with National Institute of Standards and Technology (NIST) guidelines, renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals such that notification is not required in the event of a breach of such information."

    "reasonable diligence, as defined in § 160.401, means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances."

  • A breach involving 500 or more individuals' ePHI records requires a statement to the media within the geographically affected region.

  • Compliance with HIPAA/HITECH guidance falls into two categories: Required and Addressable. Addressable means the guidance is to be adhered to unless the decision not to implement it (and the reasoning behind that decision) is documented.

    "Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate."

    "Implementation specifications: Written contract or other arrangement (Required). Document the satisfactory assurances required by paragraph (b)(1) or (b)(2) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of § 164.314(a)"

    "(a)(1) Standard: Business associate contracts or other arrangements. The contract or other arrangement required by § 164.308(b)(4) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable. (2) Implementation specifications (Required)."
