What are the three rules of Hipaa? | emPower - PowerPoint PPT Presentation

HIPAA lays out three rules for protecting patient health information. These three rules set national standards for the purpose. Here you know the three rules of Hipaa. – PowerPoint PPT presentation

Slides: 15
Provided by: emPowereLearning

Transcript and Presenter's Notes

1
  • Empower eLearning - https://www.empowerelearning.com/

2
The three rules of HIPAA: The basics you need to
know
  • Neglecting the three HIPAA rules can lead to
    large fines and loss of reputation for the
    organization, and loss of job for an employee.
    Businesses can be fined up to 1.5 million
    dollars.
  • So, if you are covered under HIPAA, you must
    comply with the three HIPAA rules.

3
The three HIPAA rules
  • The Health Insurance Portability and
    Accountability Act (HIPAA) lays out three rules
    for protecting patient health information:
  • The Privacy Rule
  • The Security Rule
  • The Breach Notification Rule
  • These three rules set national standards for
    this purpose.
  • These standards address the protection of
    health information that could be used to
    identify a person.

4
1. The Privacy Rule
  • The standards set by the Privacy Rule address
    subjects such as:
  • Which organizations must follow the HIPAA
    standards
  • What is protected health information (PHI)
  • How organizations can share and use PHI
  • Permitted usage and disclosure of PHI
  • Patients' rights over their health information

5
1. The Privacy Rule
  • Healthcare entities covered by HIPAA include:
  • Health plans
  • Health care clearinghouses
  • Health care providers
  • HIPAA also applies to business associates, who
    conduct healthcare transactions on behalf of
    covered entities.

6
Usage and disclosure limitations
  • The Privacy Rule restricts the usage of health
    information that could identify a person (PHI).
    Covered entities cannot use or disclose PHI
    unless:
  • It is permitted under the Privacy Rule, or
  • The individual has authorized it in writing.
  • The Privacy Rule does not restrict de-identified
    health information.

7
2. The Security Rule
  • The Security Rule sets the standards for the
    protection of PHI in electronic form (ePHI).
  • The Security Rule standards cover:
  • Which organizations must follow the Security Rule
  • What health information is protected under the
    Security Rule
  • What safeguards must be in place for this purpose
  • The Security Rule covers all healthcare providers
    who use ePHI. It also covers business associates
    of such providers.

8
All covered entities must protect all ePHI that
they create, receive, store, or send. They must:
  • Ensure the confidentiality, integrity and
    availability of the ePHI
  • Protect the ePHI against all threats to its
    security and integrity
  • Protect it against impermissible use or
    disclosure
  • Train employees, and ensure compliance with the
    Security Rule
  • Adopt suitable policies and procedures
  • Covered entities are also required to perform a
    risk analysis and create a risk management plan
    to mitigate the risks to ePHI.

9
The risk analysis process should at least include
the following steps:
  • Identify potential risks to patient health
    information
  • Create a risk management plan
  • Put in place administrative, physical, and
    technical safeguards
  • Conduct HIPAA training, and train workers to
    follow HIPAA policies and procedures
  • Document the risk analysis process
  • Conduct the risk analysis yearly to identify and
    mitigate new risks

10
3. The Breach Notification Rule
  • HIPAA treats any use or disclosure of PHI that
    is not permitted under the Privacy Rule as a
    breach.
  • The Breach Notification Rule requires covered
    entities to send alerts upon discovery of a
    breach. Once a covered entity becomes aware of a
    breach, the alerts have to be sent within 60
    days.
  • Covered entities are required to alert:
  • Affected individuals
  • Health and Human Services (HHS)
  • The media, if necessary

11
Business associates of a covered entity need to
alert their covered entity as well.
  • If the breach affects more than 500 people, HHS
    must be notified immediately. HHS would post it
    on its website, and the covered entity would
    also need to post the notice on its own website.
  • Organizations may also choose not to send alerts,
    but only if they can show that there is a low
    probability that the PHI has been compromised.

12
Reportable Breaches and Exceptions
  • Organizations should consider all impermissible
    uses and disclosures as a breach of PHI, but
    they need to send alerts only for unsecured PHI.
    Besides this, the Breach Notification Rule is
    flexible under three more circumstances:
  • If the disclosure was unintentional or made in
    good faith, and was within the scope of the
    person's authority.
  • If it was an inadvertent disclosure between two
    people permitted to access the PHI.
  • If the organization has a good faith belief that
    the person to whom the disclosure was made would
    not be able to retain the PHI.

13
Reportable Breaches and Exceptions
  • In any case, the organization should ensure
    that such incidents don't recur.
  • Breach alerts are required only for unsecured
    PHI. If you secured it as specified by
    this guidance, then you don't need to send the
    alerts.
  • The HHS Office for Civil Rights enforces the
    three HIPAA rules. Violations of the HIPAA rules
    may result in fines and penalties. In some cases,
    criminal penalties may also apply.
  • If you want to know more about the three HIPAA
    rules, you may visit the HHS website.

14
Contact Us
  • Visit - https://www.empowerelearning.com/blog/the-three-rules-of-hipaa-the-basics-you-need-to-know/
  • Phone - 502 400 9994 (US) 8128123650 (IND)
  • Email - info@empowerelearning.com
  • Address - 12806, Townepark Way, Louisville,
    Kentucky 40243, USA