Once HIPAA had been signed into law, the US Department of Health and Human Services set about creating the first HIPAA Privacy and Security Rules.
The Privacy Rule had an effective compliance date of April 14, 2003, and it defined Protected Health Information (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual”.
The Privacy Rule set out when PHI may be used and disclosed: a patient's written authorization is required before PHI is used for marketing or for most research, and patients must be able to opt out of fundraising communications. It also gave patients the right to request restrictions on disclosures of their health information to a health plan; the 2013 Omnibus Rule later obliged covered entities to honour such a request where the patient has paid for the treatment in full out of pocket.
The HIPAA Breach Notification Rule
If a breach exposes the PHI of 500 or more individuals, the Department of Health and Human Services' Office for Civil Rights (OCR) must be notified without unreasonable delay and in no case later than 60 days after the breach is discovered, using the OCR breach reporting web portal. Breach notification letters must be sent to every affected individual on the same timescale, and if 500 or more residents of a single state or jurisdiction are affected, prominent media outlets serving that area must also be notified. Breaches involving fewer than 500 individuals still require individual notifications without unreasonable delay and within 60 days of discovery, but OCR need only be told in an annual log submitted within 60 days of the end of the calendar year in which the breach was discovered, and no media notice is required, even when Social Security numbers or health data were compromised.
The Patient Safety Rule
The Patient Safety and Quality Improvement Final Rule (Patient Safety Rule) implements the Patient Safety and Quality Improvement Act of 2005 rather than HIPAA itself, although its confidentiality provisions are enforced by OCR alongside the HIPAA rules. It establishes a framework by which hospitals, doctors, and other health care providers may voluntarily report information to Patient Safety Organizations (PSOs), on a privileged and confidential basis, for the aggregation and analysis of patient safety events.
The Final Omnibus Rule of 2013
The most recent major change in HIPAA history was the Final Omnibus Rule of 2013, which implemented the privacy and security provisions of the HITECH Act of 2009. The rule introduced little that was genuinely new but filled gaps in the existing regulations: business associates and their subcontractors became directly liable for compliance, the interim "harm" standard for deciding whether an incident is a reportable breach was replaced by a four-factor risk assessment (the nature of the PHI, who received it, whether it was actually acquired or viewed, and the extent of mitigation), and the rule confirmed that ePHI rendered unusable, unreadable or indecipherable by encryption consistent with the HHS guidance issued in 2009 is not treated as breached if it is lost or stolen.
Many definitions were amended or added to clear up grey areas. The definition of "business associate" was expanded to include subcontractors that create, receive, maintain or transmit PHI on a business associate's behalf, and the definition of "workforce" was changed to make it clear that the term includes employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of that covered entity or business associate.
The Privacy Rule was also amended so that the health information of deceased individuals is protected for 50 years after death rather than indefinitely, as had previously been the case, while the Breach Notification Rule was finalised with the new risk assessment procedure. The tiered civil penalty structure introduced by the HITECH Act, with penalties scaled to the level of culpability, was written into the HIPAA Enforcement Rule for covered entities and business associates that fall foul of it.