4.43 · On the Job

HIPAA Privacy and Security

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) directed the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To implement that directive, HHS issued the HIPAA Privacy Rule and the HIPAA Security Rule (45 CFR Parts 160 and 164). The Office for Civil Rights (OCR) within HHS is responsible for enforcing both rules through voluntary compliance activities and civil money penalties. In Florida, patient medical records are also protected by Florida Statutes Sections 456.057 and 395.3025.

The Privacy Rule

The Privacy Rule, formally titled the Standards for Privacy of Individually Identifiable Health Information, establishes a national set of standards for protecting certain health information, known as protected health information (PHI). The Privacy Rule applies to covered entities, including health care providers such as the Company, and to their business associates.

Notice of Privacy Practices

The Company provides each patient with a Notice of Privacy Practices that explains how the patient's PHI may be used and disclosed and outlines the patient's rights regarding that information, including the rights to inspect, amend, request restrictions on, and receive an accounting of disclosures of the patient's records.

Minimum Necessary Standard

Employees may use, request, or disclose only the minimum amount of PHI necessary to accomplish the intended purpose. Access to PHI is limited to those workforce members who need it to perform their job duties.

The Security Rule

The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) set a national standard for safeguarding certain health information that is held or transmitted in electronic form. The Security Rule operationalizes the Privacy Rule by requiring covered entities to implement administrative, physical, and technical safeguards to protect electronic PHI (e-PHI).

  • Administrative safeguards include written policies and procedures, security training, designation of a Privacy Officer and a Security Officer, workforce access management, and routine risk analysis.
  • Physical safeguards include facility access controls, workstation security, and policies governing the handling, transport, and disposal of devices and media that store e-PHI.
  • Technical safeguards include unique user credentials, automatic logoff, encryption where appropriate, audit controls, and integrity and transmission security controls.

Breach Notification

In the event of an impermissible use or disclosure of unsecured PHI, the Company will follow the federal HIPAA Breach Notification Rule and applicable Florida law, including notification to affected individuals, to HHS, and, where required, to the media, within the timelines required by law.

Any employee who becomes aware of a possible privacy or security incident must immediately notify the HIPAA Privacy Officer or Human Resources.