Study Guide: Certified Information Privacy Professional (CIPP): US - Health Insurance Portability and Accountability Act, HIPAA, Privacy Rule, Security Rule, HITECH
Source: https://www.fatskills.com/data-privacy-laws-and-regulations/chapter/cipp-cipp-us-health-insurance-portability-and-accountability-act-hipaa-privacy-rule-security-rule-hitech


By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


CIPP/US – HIPAA (Privacy Rule, Security Rule, HITECH)


What This Is

HIPAA is the U.S. federal law that protects the privacy and security of protected health information (PHI) held by health-care providers, health plans, and their business partners. The Privacy Rule sets limits on how PHI may be used or disclosed; the Security Rule requires safeguards for electronic PHI (ePHI); and HITECH (the Health Information Technology for Economic and Clinical Health Act) expands breach-notification duties and incentivizes electronic health-record adoption.

Real-world example: A regional hospital (a Covered Entity) contracts with a cloud-based analytics vendor to run population-health reports. The vendor must sign a Business Associate Agreement (BAA) and implement the technical safeguards required by the Security Rule, while the hospital must ensure the analytics use is permitted under the Privacy Rule and that any breach is reported within the HITECH-mandated 60-day window.


Key Terms & Provisions

  • Covered Entity (CE): Any health-care provider, health plan, or health-care clearinghouse that transmits PHI electronically. Obligation: Must comply with both the Privacy and Security Rules.
  • Business Associate (BA): A person or entity that performs a function or service on behalf of a CE that involves PHI. Obligation: Must sign a BAA and follow the Security Rule; liable for breaches.
  • Protected Health Information (PHI): Individually identifiable health information (e.g., diagnosis, treatment, payment) that is created, received, or maintained by a CE or BA.
  • Privacy Rule – “Use & Disclosure” Exceptions: Permitted uses and disclosures include treatment, payment, and health-care operations; a “minimum necessary” standard limits disclosures that are not otherwise required.
  • Security Rule – Administrative Safeguards: Policies and procedures (e.g., risk analysis, workforce training, incident response) required to protect ePHI.
  • Security Rule – Physical Safeguards: Controls over physical access to facilities and devices (e.g., locked server rooms, workstation use policies).
  • Security Rule – Technical Safeguards: Technology-based protections (e.g., access control, encryption, audit logs).
  • HITECH – Breach Notification: Any unsecured PHI breach affecting 500+ individuals must be reported to the HHS Office for Civil Rights (OCR) and the media within 60 days; smaller breaches must be reported to the affected individuals and the Secretary of HHS.
  • HITECH – “Safe Harbor” for Encryption: If ePHI is encrypted using NIST-approved methods at the time of breach, the breach is not considered “unsecured” and may avoid notification obligations.
  • HIPAA Enforcement – Civil Penalties: Tiered fines ranging from $100 to $50,000 per violation (maximum $1.5 million per calendar year) for willful neglect.
  • HIPAA – Individual Rights: Patients may request access, amendment, an accounting of disclosures, and an “opt-out” of certain marketing communications.

Step-by-Step / Process Flow

  1. Identify the Actor – Determine whether the organization is a Covered Entity, Business Associate, or neither (no HIPAA obligations).
  2. Map PHI Flows – Conduct a “minimum-necessary” inventory: locate where PHI is stored, transmitted, and processed (paper, email, cloud, mobile devices).
  3. Perform a Risk Analysis (Security Rule) – Evaluate threats to ePHI, assign likelihood/impact scores, and prioritize remediation.
  4. Implement Safeguards – Deploy administrative (policies, training), physical (facility controls), and technical (encryption, audit logs) safeguards aligned with the risk analysis.
  5. Execute a Business Associate Agreement (BAA) – For every vendor handling PHI, sign a BAA that mirrors the Security Rule requirements and outlines breach-notification duties.
  6. Monitor & Respond – Continuously audit access logs, run vulnerability scans, and have an incident-response plan that triggers HITECH breach notifications within 60 days.

Common Mistakes

  • Mistake: Assuming HIPAA applies only to “hospitals.”
    Correction: Any entity that transmits PHI electronically—clinics, dental offices, tele-health platforms, and even some school health services—is a Covered Entity.

  • Mistake: Treating “de-identified data” as automatically exempt from all HIPAA rules.
    Correction: De-identification must follow the Safe Harbor or Expert Determination methods; otherwise the data remains PHI and is subject to the full rule set.

  • Mistake: Believing that a BAA alone satisfies the Security Rule.
    Correction: The BAA is a contract; the BA must still conduct its own risk analysis and implement the required safeguards.

  • Mistake: Ignoring the “minimum necessary” standard for internal uses (e.g., staff accessing whole patient charts when only a single data element is needed).
    Correction: Apply role-based access controls and limit data pulls to the smallest amount necessary for the task.

  • Mistake: Forgetting the 60-day breach-notification deadline under HITECH.
    Correction: Maintain a breach-response playbook that starts the clock as soon as a breach is discovered; late reporting can trigger additional penalties.
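The technical safeguards named in steps 4 and 6 of the process flow (access control plus audit logs) and the role-based, minimum-necessary correction above can be demonstrated in code. The following Python is an added example, not code from the Fatskills guide or any real EHR product: the role names, the role-to-field policy and the sample patient chart are constructed placeholders, and the audit trail is held in memory only so the example runs offline.

```python
"""Minimum-necessary, role-based field filtering with an audit trail.

Added example, not code from the Fatskills guide. The role names, the
role-to-field policy and the sample patient chart are all constructed
placeholders; a real system would load the policy from configuration
and write the audit trail to tamper-evident storage.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed sample chart: several PHI elements for one patient.
SAMPLE_CHART: Dict[str, object] = {
    "patient_id": "P-0001",
    "name": "Jane Example",
    "dob": "1980-01-01",
    "diagnosis": "Type 2 diabetes",
    "lab_results": {"hba1c": 7.1},
    "insurance_member_id": "INS-123",
    "claim_amount": 245.00,
}

# Hypothetical policy: each role is granted only the fields its task needs.
ROLE_FIELDS: Dict[str, FrozenSet[str]] = {
    "treating_clinician": frozenset(
        {"patient_id", "name", "dob", "diagnosis", "lab_results"}),
    "claims_processor": frozenset(
        {"patient_id", "insurance_member_id", "claim_amount"}),
    "scheduler": frozenset({"patient_id", "name"}),
}


@dataclass
class AuditEntry:
    """One access event: enough to reconstruct who saw what, and when."""
    timestamp: str
    user: str
    role: str
    patient_id: str
    fields_returned: List[str]
    fields_denied: List[str]


AUDIT_LOG: List[AuditEntry] = []


class AccessDenied(Exception):
    """Raised when the caller's role has no entry in the policy."""


def minimum_necessary(user: str, role: str, chart: Dict[str, object],
                      requested: Optional[List[str]] = None
                      ) -> Tuple[Dict[str, object], List[str]]:
    """Return only the requested fields the role may see, and log the access.

    With no explicit request the caller gets every field its role allows,
    never the whole chart. Fields outside the role's allow-list are dropped
    and listed in the audit entry so over-broad requests stay visible.
    """
    if role not in ROLE_FIELDS:
        raise AccessDenied(f"role {role!r} has no minimum-necessary policy")
    allowed = ROLE_FIELDS[role]
    wanted = set(requested) if requested is not None else set(allowed)
    returned = {k: chart[k] for k in sorted(wanted)
                if k in allowed and k in chart}
    denied = sorted(wanted - allowed)
    AUDIT_LOG.append(AuditEntry(
        timestamp=datetime.now(timezone.utc).isoformat(),
        user=user, role=role,
        patient_id=str(chart.get("patient_id", "?")),
        fields_returned=sorted(returned), fields_denied=denied))
    return returned, denied


def denied_request_counts(log: List[AuditEntry]) -> Dict[str, int]:
    """Per-user count of accesses that asked for fields beyond the role.

    Repeated over-broad requests are one signal the monitoring step
    (continuous audit-log review) should surface for follow-up.
    """
    counts: Dict[str, int] = {}
    for entry in log:
        if entry.fields_denied:
            counts[entry.user] = counts.get(entry.user, 0) + 1
    return counts


if __name__ == "__main__":
    # A claims processor asks for the diagnosis along with the claim amount;
    # only the claim amount comes back, and the denial is recorded.
    data, denied = minimum_necessary("u-claims", "claims_processor",
                                     SAMPLE_CHART, ["claim_amount", "diagnosis"])
    print(data, denied)
    print(denied_request_counts(AUDIT_LOG))
```

The design point is that the filter is the only path to the chart, so a caller cannot "copy the whole database for a quick review": a request with no field list yields the role's allow-list, not the full record, and every call, including the denied fields, lands in the audit log that the monitoring step reviews.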


CIPP Exam Insights

  1. HIPAA vs. State Privacy Laws: The exam often asks which rule pre-empts state statutes. HIPAA provides a baseline; state laws may be more protective (e.g., California’s Confidentiality of Medical Information Act) and are not pre-empted unless they conflict.
  2. Covered Entity vs. Business Associate: Remember that only CEs can directly disclose PHI for treatment, payment, and health-care operations; BAs must act under the authority of a CE and are limited to the functions outlined in the BAA.
  3. HITECH “Safe Harbor” for Encryption: A frequent trap—if ePHI is encrypted at the time of breach, no breach notification is required. The exam may present a scenario where a laptop is stolen but the data was encrypted; the correct answer is that notification is not required.
  4. Individual Rights Scope: The exam tests the difference between the right to access (any PHI) and the right to request amendment (only if the information is inaccurate or incomplete).

Quick Check Questions

  1. Scenario: A tele-health startup (a Business Associate) discovers that a cloud server storing ePHI was accessed by an unauthorized third party. The data was encrypted with AES-256.
    Answer: No breach notification is required because the data was encrypted using a NIST-approved method, satisfying HITECH’s safe-harbor provision.

  2. Scenario: A hospital wants to share a patient’s lab results with a pharmaceutical company for a clinical trial. The patient has not signed a research authorization.
    Answer: The disclosure is prohibited unless the hospital obtains a written authorization from the patient that meets HIPAA’s research-use requirements; otherwise it violates the Privacy Rule’s “use & disclosure” limits.

  3. Scenario: A health-plan employee copies an entire patient database onto a USB drive for a “quick review” of a single claim.
    Answer: This violates the minimum necessary standard; the employee should have accessed only the specific claim data needed, not the whole database.


Last-Minute Cram Sheet

  1. HIPAA Privacy Rule – 45 C.F.R. §§ 164.500–164.534 (governs PHI use & disclosure).
  2. HIPAA Security Rule – 45 C.F.R. §§ 164.308–164.312 (admin, physical, technical safeguards).
  3. HITECH breach-notification deadline: 60 days from discovery (OCR & media).
  4. Safe Harbor encryption: NIST-approved algorithms (e.g., AES-256); breach not “unsecured.”
  5. Maximum civil penalty per violation: $50,000 (willful neglect); $1.5 million per year per provision.
  6. Covered Entity definition: Provider, health plan, or clearinghouse that transmits PHI electronically.
  7. Business Associate Agreement (BAA) requirement: Must be in writing, signed by both parties, and include the Security Rule obligations.
  8. Individual rights under HIPAA: Access, amendment, accounting of disclosures, and opt-out of marketing.
  9. Minimum Necessary Rule: Applies to all disclosures except treatment, payment, and health-care operations.
  10. Exam trap: “HIPAA applies to all health-related data.” False – only PHI (identifiable health information) is covered; de-identified data is exempt.

Use this guide to cement the core HIPAA concepts, run through the practical steps, and avoid the common pitfalls that show up on the CIPP/US exam. Good luck!