1. WHAT IS PROTECTED HEALTH INFORMATION?
All “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. RULE OF THUMB: If it contains any type of health data (including payment information) and identifies the individual or there is a reasonable basis to believe it can be used to identify the individual, it is PHI.
2. WHO IS A COVERED ENTITY?
Health plans, health care clearinghouses, health care providers (includes physicians) conducting certain financial and administrative transactions electronically (e.g., claim submission, billing, and fund transfers). Actively-practicing physicians should assume “covered entity” status.
3. WHO IS A BUSINESS ASSOCIATE?
A person or entity to whom a covered entity discloses PHI so as to carry out, assist with, or perform a function on behalf of the covered entity (includes lawyers, vendors, subcontractors, experts, court reporters), except for employees of the covered entity.
4. WHAT IS A BUSINESS ASSOCIATE AGREEMENT?
A required contract that provides compliance with HIPAA security rule provisions mandating administrative, physical, and technical safeguards for PHI. A BAA must include restrictions on use and disclosure of PHI and set forth mandatory notification requirements to the Department of Health & Human Services (HHS) if a PHI security breach occurs.
5. HOW IS PHI “SECURED”?
PHI can be secured by destroying it (which renders it unusable) or complying with the encryption guidance standards set by HHS. Proper encryption ultimately avoids the breach notification obligations in event of unauthorized use or disclosure of PHI.
6. WHAT CONSTITUTES “UNSECURED” PHI?
PHI contained in hard copy form, as well as electronic storage or transmission of non-encrypted PHI.
7. WHAT IS A PHI “BREACH”?
Any impermissible disclosure of PHI is a breach unless “low probability that PHI was disclosed.”
8. ARE PEER REVIEW ACTIVITIES SUBJECT TO HIPAA?
Peer review conducted through the proper channels falls into the exception for “health care operations.” But common pitfalls (see reverse) exist that may expose physicians to HIPAA liability, so be cautious whenever transmitting PHI to any third party.
9. WHAT PENALTIES EXIST FOR HIPAA VIOLATIONS?
Criminal/civil penalties include fines ($100 to $50,000) and prison terms (1 year to 10 years). Intent is considered.
10. USE GOVERNMENT RESOURCES FOR COMPLIANCE
Find sample BAA contract language, notices of privacy practices, security compliance guidance, mobile device security compliance, and more by exploring the HHS’s web site.