Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Summary of HIPAA and its policies, and their implications for ISPG
CMS Slack Channel- #ispg-privacy-agreement-consults
How does HIPAA apply at ISPG?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of Protected Health Information (PHI). To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. Since ISPG implements both security and privacy policies within CMS, it’s important that all CMS employees familiarize themselves with HIPAA and its impact on the work we do.
HIPAA Privacy Rule
The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. Included in the Privacy Rule is the concept of minimum necessary disclosure. It states that protected health information (PHI) should not be used or disclosed when it is not necessary. In some cases, it may be required to provide some patient information that provides a low risk of identification. HHS offers guidance for identified / de-identification procedures to comply with the Privacy Rule.
HIPAA Security Rule
The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule engages the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called "covered entities" must put in place to secure individuals' "electronic protected health information" (e-PHI). The HIPAA Security Rule is designed to be flexible, scalable, and technology-neutral, which enables it to be adaptive and seamlessly integrate with detailed frameworks such as FISMA. The HIPAA Security Rule only applies to covered entities and their business associates as defined within HIPAA.
Security Rule safeguards
An important step in protecting electronic protected health information (e-PHI) is to implement safeguards that establish the foundation for a covered entity’s security program. It’s recommended that CMS staff and all covered entities review these safeguards so that they have an understanding of how the HIPAA Security Rule applies to their specific circumstances:
Who is impacted by the HIPAA Privacy and Security Rules?
There are specific designations for internal and external stakeholders who have obligations under the HIPAA Privacy and Security Rules.
Covered entities
Covered entities are defined in the HIPAA rules as:
- Health insurance companies
- HMOs
- Company health plans
- Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs
The only two covered entities at HHS are Centers for Medicare and Medicaid Services (CMS) and Indian Health Service (IHS).
Hybrid entities
A hybrid entity under HIPAA is a single legal entity that is a covered entity whose business activities include both covered and non-covered functions and that designates certain units as health care components. These entities include:
- State public health agencies and their Immunization Information Systems (IIS)
- Employers and employer health plans
Business associates
A business associate is a vendor or subcontractor who has access to Protected Health Information (PHI). The HIPAA Rules require that covered entities like CMS and their business associates enter into contracts or Business Associate Agreements. Business Associate Agreements ensure that the business associates will appropriately safeguard protected health information.
The Business Associate Agreement also serves to clarify and limit the uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate.
Examples of business associates include:
- Third-party administrator that assists a health plan with claims processing
- Consultant that performs utilization reviews for a hospital
When can PHI be shared?
There are exceptions to the Privacy Rule's general prohibition to disclosure for PHI:
When must PHI be shared?
There are times when PHI must be disclosed.
Individual Access or HHS Investigation/Enforcement
HIPAA and the Privacy Act
How does the HIPAA Privacy Rule affect one’s rights under the Privacy Act? According to HHS, covered entities that are Federal agencies or Federal contractors that maintain records that are covered by the Privacy Act not only must obey the Privacy Rule’s requirements, but also must comply with the Privacy Act. Learn more at the HHS website.
HIPAA and Systems of Record
Does the HIPAA Privacy Rule create a government database with all individuals' personal health information? According to HHS, no – the Privacy Rule does not create such a government database or require a physician or any other covered entity to send medical information to the Federal government for a government database or similar operation. Learn more at the HHS website.
HIPAA resources from HHS
Learn more about HIPAA, including FAQs, at the HHS website.
Related documents and resources
Information about the policies and programs that support the protection of sensitive information entrusted to CMS by beneficiaries and healthcare providers
Information about the federal agencies, laws, and policies that govern security and privacy activities at CMS
The IS2P2 defines how CMS protects and controls access to its information and systems. It outlines compliance activities and defines roles and responsibilities.