HIPAA Policies to Protect Patient's Personal Information

In 1996 the United States came up with a policy to protect the data called the Health Insurance Portability and Accountability Act, known as HIPAA. One of the aspects which applies to DBA of HIPAA is privacy rule which covers Personal Health Information (PHI) in any of the formats either digital, oral, or paper. This rule will guarantee that the user can access their information at any time. This rule will require the organization to appoint a privacy official to train employees on the process and procedures [1].

Developing a database which is compliant to HIPAA will involve many elements. For creating a database which is compliant to HIPAA needs proper planning and configuration. Few of them are as follows, Data Encryption – Health Data must be encrypted in all forms while it is in the database or in transit. Encryption should make sure that there are no hacks or leaks. Encryption Key Management – Proper management of keys, initialization vectors needs to be in place. Data Store – If there are subsystems that are storing encrypted BLOB’s then they shouldn’t have any knowledge of what they are storing. Unique User IDs – Unique ID has to be given to each user and sharing can’t be done. Authentication – Authentication has to be done by the database who will access PHI. Authorization – Roles and privileges should be given to users of the database to control access to PHI. Audit Logs – As per HIPAA each and every activity has to be logged and archived for at least six years. Database Backup – Database has to be fully tested and stored with encryption. Infrastructure – Dedicated infrastructure should be in place for HIPAA compliant database with high security. HIPAA trained personnel – Any issue related to PHI has to be supported the personnel trained on HIPAA policies. Data disposal – Data which is not needed has to be disposed of securely with NIST standards. Business Associate Agreements – A legal contract has to be placed between the parties which transmit PHI data [2].

HIPAA penalties for violating the policies are classified into two categories i.e. Civil Violations and Criminal Violations. When a covered entity does not follow the compliance and doesn’t resolve it Office for Civil Rights (OCR) will decide to impose penalty [3]. The penalties are classified into four tiers, First Tier - A fine of $100 - $50,000 per incident will be imposed if the entity did not know about the violation. Second Tier – A fine of $1000 - $50,000 per incident will be imposed on the covered entity knew of the violation even though did not act with willful neglect. Third Tier – A fine of $10,000 - $50,000 per incident will be imposed on the covered entity acted with willful neglect and rectified the problem within 30 days. Fourth Tier – A fine of $50,000 up to $1.5 million will be imposed on the covered entity who acted on the willful neglect and didn’t correct the mistake [4].

Criminal violations are taken care by Department of Justice (DOJ) and these are classified into three tiers, Tier 1 – The Covered entity has violated with no knowledge will be sent to prison for up to a year. Tier 2 – The covered entity stole the PHI and violated policy willful will be sent to prison for up to 5 years. Tier 3 – The covered entity stole PHI for personal gain will be sent to prison for up to 10 years [5]. The penalties for violations are properly imposed by OCR and DOJ. Because PHI is very sensitive and it can’t be used in any form that would affect the individual.

Safe Harbor is one of the methods introduced as part of HIPAA to protect patient personal information. This method provides the guide to apply privacy rule to de-identify the patient personal information so that it can be used in public health work for research and seek advice while remaining compliant with HIPAA. There are few elements which are proposed under Safe Harbor which will de-identify the patient personal information like Names, unique numbers, Dates, geographic identifiers, records which are unique to the patient [6].