HIPAA Privacy Rule and Security Rule

Title II of HIPAA has two rules that are often confused: the Privacy Rule and the Security Rule. Privacy and security are closely related, but the two rules are distinct portions of the HIPAA statute.

When you hear that a system is “HIPAA compliant,” that almost certainly means that the system meets the requirements of the HIPAA Security Rule. It does not imply that any data stored in the system necessarily satisfies the HIPAA Privacy Rule.

The Security Rule requires “covered entities” to have administrative, physical, and technical safeguards in place to protect data. Administrative safeguards are policies and procedures that demonstrate compliance with HIPAA. Physical safeguards concern physical access to hardware and the facilities that house it. Technical safeguards concern computer security: controlling and monitoring electronic access to the data.

The Privacy Rule regulates the use and disclosure of PHI, protected health information. In particular, the Privacy Rule describes how healthcare data can be deidentified and made available for secondary use. The primary avenue is HIPAA Expert Determination, a service we regularly provide. Healthcare data is no longer considered PHI if a qualified, experienced expert determines that the risk of an individual being identified from the data is very small.

The other avenue for making healthcare data available for secondary use is the Safe Harbor provision. This provision requires that the data contain none of 18 categories of information. These range from obvious identifiers such as names and email addresses to less obvious potential identifiers such as detailed dates of service. Data that satisfy Safe Harbor meet the letter of the law, but Safe Harbor may not be adequate to protect patient privacy. The provisions may also be overly restrictive in some ways, leading companies to seek out expert determination.
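To make the Safe Harbor approach concrete, here is an added example (not part of the original post) that applies Safe Harbor-style handling to a constructed patient record: direct identifiers are dropped, dates are reduced to the year, ZIP codes are truncated to three digits, and ages over 89 are aggregated. The field names and the restricted ZIP prefix list are assumptions for illustration, and the code covers only a subset of the 18 categories.

```python
import re
from datetime import date

# Constructed subset of Safe Harbor identifier categories that are removed
# outright (assumed field names for this example).
DIRECT_IDENTIFIERS = {"name", "email", "phone", "ssn", "mrn", "street"}
# Fields holding dates directly related to the individual (assumed names).
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date"}
# Three-digit ZIP prefixes with too small a population to keep; Safe Harbor
# maps these to "000".  Placeholder values here, not the real list.
RESTRICTED_ZIP3 = {"036", "059", "102"}

def generalize_zip(zip_code: str) -> str:
    """Keep only the first three digits, or "000" for restricted prefixes."""
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    return "000" if len(zip3) < 3 or zip3 in RESTRICTED_ZIP3 else zip3

def age_on(birth: date, today: date) -> int:
    """Whole years between birth and today."""
    before_birthday = (today.month, today.day) < (birth.month, birth.day)
    return today.year - birth.year - before_birthday

def safe_harbor(record: dict, today: date) -> dict:
    """Copy of record with the handled identifier categories removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                      # drop direct identifiers entirely
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = value.year   # year only
        else:
            out[key] = value
    if "birth_date" in record:
        age = age_on(record["birth_date"], today)
        if age >= 90:
            # Ages over 89 are aggregated, and the year revealing them is dropped.
            out.pop("birth_year", None)
            out["age"] = "90+"
        else:
            out["age"] = str(age)
    return out

# Constructed sample record for a stand-alone run.
SAMPLE = {
    "name": "Jane Doe", "email": "jane@example.com", "mrn": "MRN-0001",
    "zip": "02139-4307", "birth_date": date(1930, 6, 15),
    "admission_date": date(2023, 3, 4), "diagnosis_code": "E11.9",
}
```

Running `safe_harbor(SAMPLE, date(2024, 1, 1))` keeps only the ZIP prefix, admission year, diagnosis code and the aggregated age.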

The Security Rule and the Privacy Rule protect patient data in complementary ways. The Security Rule protects access to the data, while the Privacy Rule protects the content of the data and governs how it may be used and disclosed in a given context.

If a covered entity securely transfers PHI to someone who is not allowed to receive the data, this violates the Privacy Rule. If the entity only allows authorized personnel to access data, but fails to take precautions to prevent intrusion, this violates the Security Rule.


We’ve helped many companies—law firms, insurance agencies, universities, healthcare organizations, etc.—to ensure data privacy. If you are seeking expert determination, data privacy consulting, or just want to ask some questions to better understand HIPAA, please reach out for a free consultation. We’d love to chat.
