{ "id": "R43991", "type": "CRS Report", "typeId": "REPORTS", "number": "R43991", "active": true, "source": "EveryCRSReport.com", "versions": [ { "source": "EveryCRSReport.com", "id": 440415, "date": "2015-04-17", "retrieved": "2016-04-06T19:12:33.716153", "title": "HIPAA Privacy, Security, Enforcement, and Breach Notification Standards", "summary": "The Privacy Rule, which was promulgated pursuant to the Health Insurance Portability and Accountability Act (HIPAA) of 1996, comprises a set of federal standards governing the use of personal health information. The Privacy Rule generally applies to individually identifiable health information created and maintained by payers and providers of health care, collectively referred to as covered entities. The rule establishes certain individual rights, including the right to inspect and obtain a copy of one\u2019s health information; describes the circumstances under which covered entities are permitted to use or disclose health information; and requires covered entities to put in place administrative, physical, and technical safeguards to protect health information from unauthorized access, use, or disclosure.\nBroadly speaking, the Privacy Rule prohibits a covered entity from using or disclosing \u201cprotected health information\u201d (PHI) except as expressly permitted or, in two instances, required by the rule. The Privacy Rule describes a wide range of circumstances under which it is permissible to use or disclose PHI. In so doing, the rule seeks to preserve the discretion that health care professionals have traditionally exercised when using or disclosing patient information. For all uses or disclosures of PHI that are not otherwise permitted or required by the rule, a covered entity must obtain a patient\u2019s written authorization.\nUnder the Privacy Rule, covered entities generally may use or disclose PHI for the purposes of treatment, payment, and other routine health care operations. 
Under certain other circumstances, the rule requires covered entities to give individuals the opportunity to object to the use or disclosure of their PHI. The rule also permits the use or disclosure of PHI for various specified activities not directly connected to treatment (e.g., research, law enforcement, public health).\nThe Privacy Rule does not specify the types of safeguards that need to be implemented to protect PHI from misuse. That is the purpose of the companion HIPAA Security Rule, under which each of the safeguards\u2014administrative, physical, and technical\u2014is composed of a number of standards. The security standards are designed to be scalable to the size and complexity of the covered entity, as well as technology-neutral. They include implementing security management policies and procedures, workforce security procedures, facility access controls, and controls on access to information technology (IT) systems. Each standard consists of one or more implementation specifications (i.e., detailed instructions for implementing the standard). Covered entities have considerable discretion and flexibility in how they implement the security standards.\nThe Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 included a series of modifications to the HIPAA privacy and security standards. Many of the changes were enacted to address the concerns of privacy advocates and other stakeholders. The HITECH Act created a notification requirement for breaches of unsecured (i.e., unencrypted) PHI, increased the civil monetary penalties for violating HIPAA, and expanded and strengthened enforcement activities by the Office for Civil Rights. 
It also made business associates of covered entities (i.e., companies and consultants with whom covered entities share PHI to help them operate) directly liable and subject to civil and criminal penalties for HIPAA violations.", "type": "CRS Report", "typeId": "REPORTS", "active": true, "formats": [ { "format": "HTML", "encoding": "utf-8", "url": "http://www.crs.gov/Reports/R43991", "sha1": "faa6ee6701e7041e8c7db3b912295d73b21ba65b", "filename": "files/20150417_R43991_faa6ee6701e7041e8c7db3b912295d73b21ba65b.html", "images": null }, { "format": "PDF", "encoding": null, "url": "http://www.crs.gov/Reports/pdf/R43991", "sha1": "135603235c06bf87b1eefe3281417e2583387ff8", "filename": "files/20150417_R43991_135603235c06bf87b1eefe3281417e2583387ff8.pdf", "images": null } ], "topics": [] } ], "topics": [] }