Shift Into
Your Best Business Model

HIPAA and Technology: Compliance Insights

by | Apr 1, 2020 | General Counsel

HIPAA Overview: Privacy Rule and Security Rule

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted to protect the privacy and availability of health insurance coverage and medical information, which required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The law’s primary goals include:
  • Protecting health insurance coverage for workers and their families in the event that the insured employee changes or loses a job;
  • Safeguarding the security and confidentiality of patient health information; and
  • Establishing standards for the electronic exchange of health care information.

The US Department of Health and Human Services (HHS) issued HIPAA Privacy Rule (Privacy Rule) and HIPAA Security Rule (Security Rule). The Privacy Rule serves to implement the requirements of HIPAA. The Security Rule protects a subset of information covered by the Privacy Rule.

HIPAA Privacy Rule

The Privacy Rule standards address the use and disclosure of individuals’ health information (known as “protected health information”) by entities subject to the Privacy Rule. These individuals and organizations are called a “covered entity.” The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used. A major goal of the Privacy Rule is to ensure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being. The Privacy Rule strikes a balance that permits important uses of information while protecting the privacy of people who seek care and healing.

HIPAA Security Rule

The Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronically protected health information.

Covered Entities, Business Associates, and PHI

In general, the protections of the Privacy Rule apply to information held by covered entities and their business associates. HIPAA defines a Covered Entity as 1) a health care provider that conducts certain standard administrative and financial transactions in electronic form; 2) a health care clearinghouse; or 3) a health plan. A Business Associate is a person or entity (other than a member of the covered entity’s workforce) that performs certain functions or activities on behalf of, or provides certain services to, a Covered Entity that involves the use or disclosure of protected health information. HIPAA generally requires that Covered Entities and Business Associates enter into contracts with their Business Associates to ensure that the Business Associates will appropriately safeguard protected health information. The Business Associate sample contract also serves to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information by the Business Associate, based on the relationship between the parties and the activities or services being performed by the Business Associate. The Business Associate may use or disclose protected health information only as permitted or required by its Business Associate contract or as required by law. Protected Health Information (PHI) is any piece of information in an individual’s medical record that was created, used, or disclosed during the course of diagnosis or treatment that can be used to personally identify such individual. The meaning of PHI includes a wide variety of identifiers and different information recorded throughout the course of routine treatment and billing. Collecting PHI is a necessary component of the healthcare industry, and it needs to be attended to with the proper safeguards.

Technologies and HIPAA

On February 17, 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted into the law to promote the adoption and meaningful use of health information technology. Today HIPAA and HITECH compliance is a challenge for every healthcare organization. But now smart assistants (e.g., Google’s Assistant, Amazon’s Alexa and Apple’s Siri), which utilize voice recognition and artificial intelligence, add additional concerns. Physicians and providers need to ascertain whether or not the smart assistant meets the Security Rule’s technical, administrative and physical safeguards. They need to make sure that the recorded audio and the privacy statements are not being shared with third parties. They must also ensure that the privacy statements meet the requirements of state, federal and international laws. In April 2019 consumer technology company, Amazon, made waves in health care when it announced that its Alexa Skills Kit, a suite of tools for building voice programs, would be compliant with HIPAA, which protects the privacy and security of certain health information. The purpose of the voice assistant is to allow patients, caregivers, and health plan members to use Alexa Skills Kit to manage their healthcare at home through voice commands. The voice assistant makes it easier for patients to perform healthcare-related tasks, access their health data, and interact with their providers. Google Assistant and Google Home devices have also taken the consumer market by storm. Google Assistant has become a widely used virtual assistant and tests have shown it to be one of the best performing voice assistants on the market, although the breakthrough into healthcare has not yet been realized. While the dictation feature on Apple devices is convenient and has the potential to be used in healthcare, its speech to text processing takes place in its data centers rather than on the device itself. That means any PHI dictated to the device will be transferred to Apple’s data centers. Regardless of the controls that are in place to ensure data cannot be intercepted, without a business associate agreement from Apple, the use of the dictation feature with PHI would be considered the HIPAA violation. Have more questions regarding the Health Insurance Portability and Accountability Act (HIPAA) and Technology? Schedule a free consultation with us today!