HJBR Mar/Apr 2020

HEALTHCARE JOURNAL OF BATON ROUGE, MAR / APR 2020
COLUMN: NURSING

The Health Insurance Portability and Accountability Act, or HIPAA, represents far-reaching legislation that affects all healthcare providers and their business associates across the nation. Most recently, it received significant attention when a well-known actor was treated in a Chicago hospital, and his protected health information (PHI) was improperly accessed by as many as 50-60 hospital employees. Those employees were later fired.1

HIPAA SECURITY COMPLIANCE: LSBN’S RESPONSIBILITY TO PROTECT HEALTH INFORMATION

IT IS UNLIKELY that any patient in the United States who has ever visited a physician, clinic, hospital or healthcare providing organization is not familiar with HIPAA, especially the Privacy Rule, which establishes national standards for the protection of certain health information. The Security Rule operationalizes the Privacy Rule, establishing protections that health organizations must institute to secure electronic protected health information (ePHI).2 Within the Department of Health & Human Services (HHS), the Office for Civil Rights (OCR) ensures that both the Privacy and Security Rules are enforced with voluntary compliance activities and monetary penalties.2

Protected Health Information is defined in the Code of Federal Regulations as “information that is … collected from an individual and … relates to the past, present, or future physical or mental health or condition of an individual; … that identifies the individual or with respect to which there is a reasonable basis to believe that information can be used to identify the individual”3

Prior to HIPAA, there was no generally accepted standard for protecting health information. New technologies were rapidly emerging, and the healthcare industry was moving away from paper systems to such things as electronic health records and electronic information systems for radiology, pharmacy, and laboratory systems.

The major goal of the Security Rule is to protect patients’ PHI while ensuring flexibility and scalability for healthcare organizations that are diverse in size and structure. The key elements are summarized below.

• Who is covered by the Security Rule? Health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA, and their business associates.

• Business associates: Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions – not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate. (45 CFR 164.502(e), 164.504(e), 164.532(d) and (e))

• What information is protected? The HIPAA Privacy Rule protects the privacy of individually identifiable health information, called protected health
