  • Why does the Privacy Rule exist?
  • An individual's rights under the HIPAA Privacy Rule
  • A covered entity's responsibilities under the HIPAA Privacy Rule
  • HIPAA Privacy Rule requirements


Disclaimer: This guide cites guidance and documents about HIPAA published on the HHS website and by the U.S. Government Publishing Office.

Why does the Privacy Rule exist?

The HIPAA Privacy Rule addresses the privacy of individuals' health information and governs its use and disclosure. Found in Sections 164.500–164.534 of the Code of Federal Regulations (CFR), it prohibits covered entities (comprising healthcare providers, plans, and clearinghouses) from using or disclosing protected health information (PHI) other than as permitted. It shields all personally identifiable health data that resides with covered entities and their associates, but does not extend these protections to ePHI held by non-covered entities (e.g., health apps, or health-related tech devices like Fitbits).

Here's a guide by the HHS to determine whether you're a covered entity or not.

The primary goals of the Privacy Rule are to:

  • Protect the confidentiality of patient information.
  • Give individuals control over their health information or medical records.
  • Simplify the way healthcare information is handled.

The rule outlines specific rights for individuals regarding their PHI, including their right to:

  • Inspect and obtain a copy of their PHI.
  • Request corrections to inaccurate or incomplete PHI.
  • Request a list of disclosures of their PHI.
  • Request limitations on how their PHI is used or disclosed.
  • Request PHI communications through alternative means (e.g., secure email).

A covered entity's responsibilities under the HIPAA Privacy Rule

In addition to giving individuals rights regarding their PHI, the Privacy Rule also requires covered entities to handle PHI with care.

  • The rule specifies situations where covered entities can use or disclose PHI without an individual's authorization, such as for treatment, payment, healthcare operations, public health activities, and certain legal proceedings.
  • Covered entities must use and disclose only the minimum amount of PHI necessary to achieve the purpose.
  • Covered entities must implement safeguards to protect PHI from unauthorized use, disclosure, or access. These safeguards are explicitly covered in the HIPAA Security Rule.
  • Covered entities must develop policies and procedures to comply with the Privacy Rule.

HIPAA Privacy Rule requirements:

The following section discusses these standards of the Privacy Rule:

  • 164.502: This establishes the general rules regarding the uses and disclosures of PHI. The reasons for and the circumstances under which PHI can be used and disclosed by the covered entity are made clear here.
  • 164.504: This details the responsibilities of both covered entities and business associates while handling PHI. Policies and safeguards need to be implemented for ensuring that the privacy of PHI is maintained.
  • 164.522: This establishes the right of individuals to request covered entities to restrict the use and disclosure of PHI, except under certain circumstances.
  • 164.524: This establishes the right of individuals to have access to their health data. Covered entities that handle individuals' data must provide them this access, except under certain circumstances.
  • 164.526: This gives individuals the right to ask the covered entity to modify or amend the PHI it has about them, except under certain circumstances.
  • 164.528: An individual has the right to information about all the disclosures made by the covered entity for a period of up to the prior six years, except under certain circumstances.

164.502 Uses and disclosures of protected health information: General rules.

164.502(a): Standard for CEs and BAs to use and disclose PHI
  • 164.502(a)(1) Covered Entities: Permitted Uses and Disclosures

    • A covered entity (healthcare provider, health plan, or healthcare clearinghouse) can use or disclose PHI (protected health information) only with the patient's authorization (except for certain situations outlined in the rule).
    • This means you generally need a patient's consent for most uses and disclosures of their PHI.
    • Covered entities can also use or disclose PHI for treatment, payment activities, or healthcare operations as permitted by 164.506 of the rule. Simply put, for rendering healthcare services, payments, and other activities like disease-related surveys, a covered entity (a hospital, for example) would not need authorized consent from the individual. However, for information like an individual's psychotherapy notes, or health information that is being shared for marketing purposes, a covered entity MUST obtain consent before disclosing this information.
  • 164.502(a)(2) Covered Entities: Required Disclosures to Patients

    • Covered entities are obligated to disclose PHI to a patient when they request it under 164.524 or 164.528 (these sections deal with a patient's right to access and amend their medical records).
    • The Secretary of HHS (Health and Human Services) can also request PHI disclosures for investigations under certain circumstances.
  • 164.502(a)(3) Business Associates: Permitted Uses and Disclosures

    • Business associates (companies that partner with covered entities to deliver specific services and therefore need access to PHI) can only use or disclose PHI as permitted by their contract with the covered entity or as required by law. An example of a business associate is a company that handles the process of submitting claims to insurance companies or government payers (such as Medicare or Medicaid) for the healthcare services rendered by doctors. Such companies are responsible for translating the medical services provided into universally recognized medical codes (ICD-10, CPT, HCPCS, etc.), which are then used for billing purposes. They ensure accuracy in coding and documentation to maximize reimbursement.
    • These associates also handle healthcare data and cannot use or disclose PHI as per HIPAA.
  • 164.502(a)(4) Business Associates: Required Uses and Disclosures

    • Business associates are required to disclose PHI under certain circumstances:

      (i) When the Secretary of HHS requests it for investigations

      (ii) When a covered entity needs the information to fulfill a patient's right to access their medical records. For example, a patient with a condition wants to apply for a clinical trial and hence requests access to their medical records from the healthcare facility that usually treats them. This healthcare facility uses the services of a cloud storage company (a business associate) to store ePHI. As per HIPAA, the business associate is required to disclose this information to the research facility conducting the clinical trial of the patient to fulfill their request.

  • 164.502(a)(5) Prohibited Uses and Disclosures

    • There are specific prohibitions on how PHI can be used or disclosed:

      (i) Genetic Information for Underwriting: Health plans cannot use or disclose a patient's genetic information for making decisions about eligibility or premiums.

      (ii) Sale of PHI: Covered entities and business associates generally cannot sell PHI. There are some exceptions, such as for public health purposes or when PHI is de-identified (stripped of personal identifiers).

164.502(b) Standard: Minimum Necessary Disclosure only
  • Covered entities and business associates should practice and implement considerable measures that limit the use and exposure of PHI.
  • This helps to protect patient privacy by not sharing more information than needed.
  • There are some exceptions to this requirement, such as disclosures to healthcare providers for treatment or disclosures to patients themselves.
164.502(c) Standard: Uses and Disclosures of PHI Subject to an Agreed Upon Restriction
  • If a covered entity agrees to restrict how a patient's PHI is used or disclosed, they must follow that restriction except under certain exceptions. For example: A patient can request a hospital (covered entity) not to disclose a psychological condition they have to their family. The covered entity can agree to this but can also break this agreement if the patient's life is in danger.
164.502(d) Standard: Uses and Disclosures of De-identified Protected Health Information
  • Covered entities can create de-identified PHI (information where a patient cannot be reasonably identified) or disclose PHI to a business associate solely for this purpose.
  • This allows for broader use of healthcare data for research or public health purposes without privacy concerns.
  • Once information is properly de-identified according to HIPAA standards, it is no longer considered PHI.
164.502(e) Standard: Disclosures to Business Associates
  • A covered entity can allow a business associate to access ePHI and also permit them to create, receive, maintain, or transmit PHI on its behalf. This can only be permitted if the covered entity receives relevant assurances that the business associate will implement security measures that safeguard the data.
  • The assurances are established through a business associate agreement.
164.502(f) Standard: Deceased Individuals
  • Covered entities must still comply with HIPAA rules regarding the PHI of deceased individuals for 50 years after their death.
164.502(g) Standard: Personal Representatives for a patient
  • The rule specifies who can act as a personal representative for a patient regarding their PHI.
  • This typically applies to adults and emancipated minors.
  • There are specific considerations for unemancipated minors, where parents or guardians may have a role, but also situations where the minor has the right to access their own healthcare information.
164.502(h) Standard: Confidential Communications
  • Covered healthcare providers and health plans must follow specific rules regarding how they communicate PHI to maintain confidentiality.
164.502(i) Standard: Uses and Disclosures Consistent with Notice
  • A covered entity that is required to have a notice explaining their HIPAA practices must follow what they disclose in that notice regarding PHI use.

164.504 Uses and disclosures: Organizational requirements

164.504(a) Definitions
  • Plan administration functions: This defines functions performed by a group health plan sponsor specifically for managing the plan, excluding functions related to other benefits offered by the sponsor.
  • Summary health information: This refers to data that may include a person's identifiable health information but is summarized. It excludes details like specific diagnoses but includes things like claims history and types of claims experienced.
164.504(b)-164.504(d) Reserved
164.504(e) Standard: Business associate contracts
  • 164.504(e)(1) Standard: This sets the requirement for contracts between covered entities (e.g., health plans) and business associates (e.g., billing companies) to comply with specific provisions.

    • Clause (i) specifies compliance options for the contract.
    • Clause (ii) states a covered entity is not compliant if they knew about a pattern of violations by a business associate and didn't take reasonable steps to address it.
    • Clause (iii) extends the same requirement to subcontractors of business associates.
  • 164.504(e)(2) Implementation specifications: Business associate contracts

    This section details specific requirements for the contracts between covered entities and business associates.

    • Clause (i) restricts how a business associate can use or disclose protected health information. It allows use for proper management of the business associate and data aggregation services related to the covered entity's healthcare operations, but only with certain limitations.
    • Clause (ii) outlines a series of obligations for the business associate, including:
      • Maintaining confidentiality of the information.
      • Implementing safeguards to protect the information.
      • Reporting any unauthorized uses or disclosures.
      • Ensuring subcontractors follow the same rules.
      • Making the information available for patient access, amendment, and accounting of disclosures.
      • Cooperating with audits by the Secretary of Health and Human Services (HHS).
      • Returning or destroying protected health information upon termination of the contract (if feasible).
    • Clause (iii) grants the covered entity the right to terminate the contract if the business associate materially breaches its terms.
  • 164.504(e)(3) Implementation specifications: Other arrangements

    This section outlines alternative compliance methods for specific situations:

    • Clause (i) allows covered entities that are both government entities to use memorandums of understanding instead of contracts.
    • Clause (ii) allows disclosure to business associates required by law to perform a function, but only if the covered entity tries to obtain standard assurances and documents the attempt if unsuccessful.
    • Clause (iii) allows omitting termination authorization from arrangements if it conflicts with legal obligations.
    • Clause (iv) permits using data use agreements for limited data sets disclosed to business associates for healthcare operations functions.
  • 164.504(e)(4) Implementation specifications: Other requirements for contracts and other arrangements

    This section allows some additional uses and disclosures of protected health information by business associates:

    • Clause (i) permits use for the business associate's own management and administration or to fulfill legal responsibilities.
    • Clause (ii) allows disclosure for the same purposes as clause (i) if:
      • The disclosure is required by law.
      • The business associate obtains assurances of confidentiality from the recipient.
  • 164.504(e)(5) Implementation specifications: Business associate contracts with subcontractors

    This section clarifies that the requirements in sections (e)(2) through (e)(4) also apply to contracts between business associates and their subcontractors.

164.504(f) Standard: Requirements for group health plans
  • 164.504(f)(1) Standard: This sets the rules for when a group health plan can disclose protected health information to the plan sponsor.

    • Clause (i) generally requires plan documents to restrict the plan sponsor's use and disclosure of this information. Exceptions exist for summary health information and participation information.
    • Clause (ii) allows disclosure of summary health information for obtaining premium bids or modifying the plan, upon request by the plan sponsor.
    • Clause (iii) allows disclosure of information on plan participation or enrollment status.
  • 164.504(f)(2) Implementation specifications: Requirements for plan documents

    This section details what the group health plan documents must specify:

    • Clause (i) requires the documents to establish permitted and required uses/disclosures for the plan sponsor, following the limitations of this subpart.
    • Clause (ii) requires the plan sponsor to certify that their documents comply and agree to specific restrictions on using the information. These restrictions include:
      • Maintaining confidentiality and ensuring any agents they share the information with do the same.
      • Not using the information for employment decisions or other plan benefits.
      • Reporting any unauthorized uses or disclosures.

164.522: Right to Request Privacy Protections for Health Information

This regulation lays down individuals' rights regarding their PHI. It covers two main areas:

1. Right to request restriction on how PHI can be used or disclosed by covered entities.

2. Right to receive confidential communications about PHI.

164.522(a)(1) Permission to Request Restrictions:
  • Individuals have the right to request that a covered entity (such as a healthcare provider, health plan, or healthcare clearinghouse) restrict how they use or disclose PHI. This applies to information used for treatment, payment, or healthcare operations, as well as disclosures permitted under specific circumstances.
  • However, the covered entity is not obligated to agree to the request (except in the situation explained in (a)(1)(vi) below).

    164.522(a)(1)(ii) Exceptions:

    • Even if an individual requests a restriction, the covered entity can still use or disclose PHI in certain situations, such as for emergency treatment if the information is necessary.

    164.522(a)(1)(iii) - 164.522(a)(1)(v) Additional Information on Restrictions:

    • If the covered entity agrees to a restriction, they cannot use or disclose PHI in violation of it.
    • If the information is needed for emergency treatment, they can use it or disclose it to a healthcare provider for that purpose.
    • The covered entity must request the healthcare provider who receives the information during an emergency not to further use or disclose it.
    • Restrictions do not prevent certain mandatory uses or disclosures of PHI, such as for public health activities or reporting suspected abuse.

    164.522(a)(1)(vi) Mandatory Agreement to Restrict Disclosure for Specific Situations:

    The covered entity must agree to an individual's request to restrict disclosure to a health plan if:

    • The disclosure is for payment or healthcare operations (and not otherwise required by law).
    • The PHI pertains only to a healthcare service for which the individual (or someone else on their behalf) has already paid the covered entity in full.
164.522(a)(2) Terminating a Restriction:

A restriction can be terminated by the covered entity in several ways:

  • The individual agrees to it in writing, or verbally with the agreement documented.
  • The covered entity informs the individual they are ending the agreement (but this cannot apply to restrictions under (a)(1)(vi) and is only effective for future PHI).
164.522(a)(3) Documentation Requirement:

The covered entity must document any restrictions requested by individuals.

164.522(b)(1) Standard: Right to Request Confidential Communications:
  • Healthcare providers must permit individuals to request and must fulfill reasonable requests to receive communications about their PHI through alternative means or locations.
  • Health plans must also permit this, but only if the individual clearly states that disclosing the information could endanger them.
164.522(b)(2) Conditions for providing confidential communications:
  • The covered entity may require a written request for confidential communication.
  • They can also ask for details about how payment will be handled (if applicable) and specify the alternative method preferred for receiving communications.
  • A healthcare provider cannot require an explanation from the individual as to why they want confidential communication.
  • A health plan may require a statement from the individual saying disclosure of the information could endanger them.

164.524: An Individual's Right to Access Protected Health Information (PHI)

This regulation outlines an individual's right to access their protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. It details the following:

164.524(a) Standard: Right of Access
  • 164.524(a)(1) Generally, individuals have the right to inspect and obtain a copy of their PHI maintained in a designated record set by a covered entity. This applies to information used for treatment, payment, or healthcare operations, with some exceptions.

    (i) Exceptions to the Right of Access:

    • Psychotherapy notes
    • Information compiled in anticipation of, or for use in, legal proceedings
  • 164.524(a)(2) In specific situations, a covered entity may deny access to PHI without offering an opportunity for review:

    • When the information falls under the exceptions listed in 164.524(a)(1).
    • For correctional institutions or healthcare providers acting under their direction, if access would jeopardize the safety or security of the individual, other inmates, or staff.
    • For research involving treatment, if access would temporarily impede the research and the individual consented to this denial beforehand.
    • When the PHI was obtained confidentially from a non-healthcare provider and access would likely reveal the source.
  • 164.524(a)(3) In other situations, a covered entity can deny access, but the individual has the right to a review of the denial:

    • A licensed healthcare professional believes access could endanger the individual or another person.
    • The PHI references another person (not a healthcare provider), and access could cause them substantial harm.
    • The request comes from the individual's personal representative, and access could cause substantial harm to the individual or another person.
  • 164.524(a)(4) If access is denied under 164.524(a)(3), the individual has the right to a review by a designated healthcare professional who wasn't involved in the initial decision.
  • 164.524(a)(5) Sometimes access to certain protected health information (PHI) may be restricted. This applies when the information originates from a confidential source outside the healthcare provider network and granting access could reasonably reveal that source's identity. This safeguards the privacy of individuals who provide sensitive health information in good faith.
164.524(b) Implementation Specifications: Requests and Timing
  • 164.524(b)(1) Individuals can submit a request (written or otherwise, as specified by the covered entity) to access and inspect or obtain a copy of their PHI in a designated record set.
  • 164.524(b)(2) The covered entity must act on the request within 30 days, either:
    • Granting the request (in whole or part) and providing access as per (c) below.
    • Issuing a written denial following the requirements of (d) below.
    • An extension of up to 30 days may be granted with justification and notification to the individual.
164.524(c) Implementation Specifications: Providing Access

When granting access, the covered entity must:

  • Fulfill the individual's request regarding the format (inspection, copy, or both). If readily producible, the requested format should be used. Otherwise, a readable hard copy or an agreed-upon format will be provided.
  • If the PHI is electronic and the individual requests an electronic copy, the covered entity must provide it in the requested format if readily producible. Otherwise, an agreed-upon electronic format will be used.
  • With the individual's prior agreement, a summary or explanation of the PHI can be offered instead of full access. Fees for such summaries/explanations may apply.
  • The covered entity must arrange a convenient time and place for access (inspection or obtaining a copy) or mail the copy as requested. They can discuss details with the individual to facilitate timely access.
  • If an individual directs the PHI copy to another designated person, the covered entity must fulfill that request with proper written authorization.
164.524(d) Implementation Specifications: Denial of Access

When denying access (in whole or part), the covered entity must:

  • Provide access to any other accessible PHI, excluding the denied portion.
  • Issue a timely, written denial in plain language explaining the reason for the denial. Also include the complaint process if the individual wants to dispute the denial with the covered entity (as per 164.530(d)) or the Secretary (as per 160.306), including contact information.
  • If the covered entity doesn't maintain the requested PHI but knows its location, they must inform the individual where to request access.
  • For denied access requests with a requested review, a designated healthcare professional not involved in the initial decision will review the case. The individual will be promptly notified of the review's outcome and any further actions.
164.524(e) Implementation Specification: Documentation

The covered entity must document and retain the following:

  • Designated record sets subject to individual access.
  • Titles of the persons or offices responsible for receiving and processing requests for access by individuals.

Since illegitimate access to patients' medical records is a direct violation of HIPAA privacy laws, a SIEM solution like ManageEngine Log360 can help you monitor whether unauthorized entities are accessing ePHI. You can also choose to be notified of such events and apply automated workflows that respond to these incidents.

164.526: Amendment of Protected Health Information (PHI)

This regulation outlines an individual's right to request amendments to their protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. It details the following:

164.526(a) Standard: Right to Amend

(1) An individual has the right to request that a covered entity (e.g., healthcare provider, health plan, or healthcare clearinghouse) amend their PHI or a record about them in a designated record set. This right applies as long as the PHI is maintained in that record set.

(2) A covered entity can deny an amendment request if they determine the PHI or record in question:

  • Wasn't created by them, unless the individual can provide a reason to believe the originator is no longer available.
  • Isn't part of the designated record set.
  • Wouldn't be accessible for inspection under 164.524 (Right of Access).
  • Is already accurate and complete.
164.526(b) Implementation Specifications: Requests for amendment and timely action

(1) Individuals can submit a request (written or otherwise, as specified by the covered entity) to amend their PHI in a designated record set. The covered entity may require a written request with a reason for the amendment.

(2) The covered entity must act on the request within 60 days, either:

  • Granting the amendment (in whole or part) and taking actions as per (c) below.
  • Issuing a written denial following the requirements of (d) below.

An extension of up to 30 days may be granted with justification and notification to the individual.

164.526(c) Implementation Specifications: Accepting the Amendment

If the amendment request is granted (in whole or part), the covered entity must:

(1) Make the appropriate amendment to the PHI or record. This includes identifying affected records and appending or linking to the location of the amendment.

(2) Inform the individual of the accepted amendment and obtain their agreement to notify relevant parties who received the original PHI and need the update (as per (c)(3) below).

(3) Make reasonable efforts to inform and provide the amendment within a reasonable timeframe to:

  • Individuals identified by the patient as having received the PHI and needing the amendment.
  • Individuals or business associates known to have the original PHI who may have relied on it to the patient's detriment.
164.526(d) Implementation Specifications: Denying the Amendment

If the amendment request is denied (in whole or part), the covered entity must:

(1) Issue a timely, written denial in plain language explaining:

  • The reason for denial according to (a)(2) above.
  • The individual's right to submit a written statement disagreeing with the denial and how to do so.
  • That the individual can request the amendment request and denial be included with future disclosures of the disputed PHI (if they don't submit a disagreement statement).
  • The complaint process with the covered entity (as per 164.530(d)) or the Secretary (as per 160.306), including contact information.

(2) Allow the individual to submit a written statement disagreeing with the denial and their basis for disagreement. The covered entity can reasonably limit the statement length.

(3) May prepare a written rebuttal to the individual's disagreement statement. If a rebuttal is prepared, a copy must be provided to the individual.

(4) Maintain a record of the disputed amendment, including:

  • The record or PHI in question.
  • The individual's amendment request.
  • The covered entity's denial.
  • The individual's statement of disagreement (if any).
  • The covered entity's rebuttal (if any).

(5) Include the following with future disclosures of the disputed PHI:

  • The materials appended according to (d)(4) above, or an accurate summary, if the individual submitted a disagreement statement.
  • The individual's amendment request and denial, or an accurate summary, if the individual requested it and didn't submit a disagreement statement.

For standard transactions under part 162 that cannot include additional material, the covered entity may transmit the required information separately.

164.526(e) Implementation Specification: Actions on Notices of Amendment

A covered entity informed by another covered entity about an amendment to an individual's PHI (as per (c)(3) above) must amend their designated record sets accordingly (as per (c)(1) above).

164.526(f) Implementation Specification: Documentation

The covered entity must document the titles of personnel responsible for receiving and processing amendment requests and retain this documentation as required by 164.530(j).

Unauthorized tampering with ePHI can lead to serious penalties for covered entities. Log360's file integrity monitoring capabilities can track unauthorized changes made to important files and folders—especially ones containing patient health information.

164.528: Accounting of Disclosures of Protected Health Information (PHI)

This regulation outlines an individual's right to receive an accounting of disclosures of their protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. It details the following:

164.528(a) Standard: Right to an Accounting of Disclosures
  • 164.528(a)(1) Individuals have the right to receive a report of PHI disclosures made by a covered entity (e.g., healthcare provider, health plan, or healthcare clearinghouse) in the six years prior to the request date. However, there are exceptions:
    • Disclosures for treatment, payment, and healthcare operations (as per 164.506).
    • Disclosures to individuals about their own PHI (as per 164.502).
    • Disclosures incidental to permitted or required uses (as per 164.502).
    • Disclosures made with an authorization (as per 164.508).
    • Disclosures for facility directory or notifications about care (as per 164.510).
    • Disclosures for national security or intelligence purposes (as per 164.512(k)(2)).
    • Disclosures to correctional institutions or law enforcement (as per 164.512(k)(5)).
    • Disclosures as part of a limited data set (as per 164.514(e)).
    • Disclosures that occurred before the covered entity's compliance date.
  • 164.528(a)(2)(i) A covered entity can temporarily suspend an individual's right to receive an accounting if a health oversight agency or law enforcement official requests it (as per 164.512(d) or (f)). The suspension lasts for the time specified by the agency/official, provided they give a written statement explaining why the accounting would impede their activities and for how long.
  • 164.528(a)(2)(ii) If the agency/official statement is made orally, the covered entity must:
    • Document the statement, including who made it.
    • Temporarily suspend the accounting.
    • Limit the suspension to no more than 30 days from the oral statement, unless a written statement is provided during that time.
  • 164.528(a)(3) Individuals can request an accounting for a period less than six years.

164.528(b) Implementation Specifications: Content of the Accounting

The covered entity must provide a written accounting that meets these requirements:

(1) Except for the exceptions in (a), the accounting must include all PHI disclosures (to the individual or their business associates) during the requested timeframe (six years or less).

(2) For each disclosure (except as noted in (b)(3) or (b)(4)), the accounting must include:

  • The date of the disclosure.
  • The name and, if known, the address of the entity or person who received the PHI.
  • A brief description of the PHI disclosed.
  • A brief explanation of the purpose of the disclosure (or a copy of the written request for disclosure, if any).

(3) For multiple disclosures to the same entity/person for a single purpose within a timeframe, the accounting may include:

  • The information required in (b)(2) for the first disclosure.
  • The frequency or number of disclosures during the timeframe.
  • The date of the last such disclosure.

(4) For disclosures for research purposes involving 50 or more individuals (164.512(i)), the accounting may include (for disclosures potentially involving the individual's PHI):

  • The name of the research protocol or activity.
  • A plain-language description of the research, including its purpose and selection criteria.
  • A brief description of the type of PHI disclosed.
  • The timeframe when the disclosures occurred (including the date of the last one).
  • The name, address, and phone number of the research sponsor and researcher.
  • A statement that the individual's PHI may or may not have been disclosed for that specific research.

If the covered entity provides an accounting for research disclosures as in (b)(4), and it's likely the individual's PHI was disclosed, the covered entity must assist the individual in contacting the research sponsor and researcher (upon request).

164.528(c) Implementation Specifications: Provision of the Accounting

(1) The covered entity must respond to an accounting request within 60 days, either by:

  • Providing the requested accounting.
  • If the accounting will be delayed, providing a written statement explaining the delay and the date by which the accounting will be provided.

Log360 can provide reports on who accessed ePHI and when, how many times the ePHI has been accessed, and whether there were any unauthorized accesses.

What is a HIPAA waiver?

A HIPAA waiver is a permission granted by a special committee that allows healthcare providers to use a patient's medical information for certain purposes without their direct consent. This is typically used in research settings. Normally, patients have control over their medical information and can decide who can see it. HIPAA requires a patient's authorization for using their PHI for purposes beyond treatment, payment, or healthcare operations. A HIPAA waiver can be granted by an Institutional Review Board (IRB) or Privacy Board if certain criteria are met. These criteria ensure the research poses minimal risk to patient privacy and the information is used appropriately.

ManageEngine's Log360 offers reports tailored to HIPAA requirements, specifically the Security Rule, Privacy Rule, and Data Breach Notification Rule.

The question of non-covered entities

While HIPAA does not require non-covered entities to comply with it, it is still very important that all organizations follow similar privacy standards when protecting patient health information.

  • Even if you are not a HIPAA covered entity, other regulations might apply. The Federal Trade Commission (FTC) enforces data privacy laws and can penalize the mishandling of personal information, including health data.
  • Many states have specific privacy laws mandating the protection of personal information, often including health data. Failing to comply could lead to legal repercussions.
  • Patients entrust you with their sensitive health information. Keeping it confidential and secure fosters trust and strengthens your reputation within the industry.
  • Data breaches are a growing concern. Implementing robust security measures protects patient information and minimizes the risks associated with cyberattacks.