Health Care Privacy Part 2
Health Care Privacy Part 2, incorporated into the Health Insurance Portability and Accountability Act (HIPAA) rules and commonly known as “HIPAA Part 2,” establishes national standards for safeguarding protected health information (PHI). Covered entities must implement administrative, physical, and technical safeguards to protect PHI. It also grants individuals the right to access their PHI and to restrict certain uses and disclosures of it.
Business associates are also required to comply, ensuring the confidentiality, integrity, and availability of PHI.
Individuals with questions or concerns can contact the Department of Health and Human Services’ Office for Civil Rights (OCR). The OCR is responsible for enforcement, providing guidance, and assisting covered entities, business associates, and individuals with compliance. It offers a toll-free hotline (1-800-368-1019) for inquiries and complaints, available Monday to Friday from 8:00 a.m. to 6:00 p.m. Eastern Time. Regional offices are also available in each state to offer assistance.
This privacy standard is complemented by the Security Rule, which focuses on securing electronic protected health information (ePHI). The Security Rule requires covered organizations and business associates to implement safeguards for the confidentiality, integrity, and availability of ePHI.
Part 1 is essential as well, outlining the requirements for handling PHI. Enacted in 2000 and periodically updated, it sets the standards for compliance with administrative, physical, and technical safeguards.
The HHS Office for Civil Rights provides a wealth of resources on its website, including guides, fact sheets, and tools for compliance. Covered entities, business associates, and individuals can use these resources to ensure adherence to the regulations and to understand their rights and obligations.
This law is enforced by the HHS Office for Civil Rights, which conducts audits and investigations to verify compliance. Non-compliance can result in significant penalties, including fines and legal action. Individuals can file complaints with the OCR or seek remedies for violations through state agencies or the courts.
Several cases have exemplified the repercussions of non-compliance. For instance, the University of Rochester Medical Center settled potential violations for $3 million due to the loss of unencrypted devices containing ePHI. Similarly, a former employee of a Florida hospital received a four-year prison sentence for identity theft and sale of personal information.
These cases highlight the gravity of non-compliance, emphasizing the need for covered entities, business associates, and individuals to prioritize compliance and the security of protected health information.