HIPAA Research via The Department of Health and Human Services Website
I had no idea that there were so many “levels” of HIPAA and patient rights: all the different rules and regulations for the special topics, the depth of the Patient Safety Rule, and the involvement of the OCR. Even though there was an overwhelming amount of information to research, a lot of it seemed somewhat familiar. This paper discusses some of the points I found that were actually new to me.
What is HIPAA? HIPAA is the Health Insurance Portability and Accountability Act, enacted in 1996. This act was issued by the US Department of Health and Human Services (HHS). The rules of HIPAA follow the HIPAA Privacy Rule, which consists of safeguards that protect patients’ privacy and health information. HIPAA states rules and regulations as to who is permitted to access Personal Health Information (PHI) without patient consent.
There is a Security Rule in place that protects health information which is stored electronically (e-PHI). A covered entity creates, receives, maintains or transmits this e-PHI in electronic form. The safeguards that are in place fall into three categories: physical, technical and administrative (HHS Office for Civil Rights, 2013, July 26, Summary of the HIPAA Security Rule).
Administrative Simplification is a part of HIPAA and the Affordable Care Act (ACA) which requires a covered entity to adopt standard electronic transactions, code sets, operating rules and identifiers in order to share information electronically more efficiently within the healthcare industry (HHS Office for Civil Rights, 2013, July 26, Summary of the HIPAA Security Rule).
I also learned the steps to take after a cyber attack. I’ve always had an IT department to take care of it, but hopefully someday I’ll be in a management position and might be responsible for something like this.
1. Call your IT department or an outside company to help fix any technical problems from the attack and/or to stop the event.
2. Report the incident to state or local law enforcement, the FBI and/or the Secret Service. Do not include any confidential information.
3. All cyber threat indicators should be reported to federal agencies and information sharing and analysis organizations (ISAOs). Again, do not include any confidential health information.
4. An assessment must be done to determine if any PHI has been breached. If the assessment finds that there has been a breach, see step 5. If the assessment determines that no breach has occurred, then all documentation of the event must be kept and retained, including how it was determined that no breach occurred.
5. If a breach occurred, the event must be reported to the OCR as soon as possible, and no later than 60 days after the determination that the breach occurred. If the breach affects 500 people or more, then those affected must be notified. (My entity just experienced a cyber-attack! What do we do now? A quick response checklist from the HHS, Office for Civil Rights (OCR), n.d.)
I also learned quite a bit more about the things that The Office for Civil Rights (OCR) is responsible for. The OCR handles complaints filed under the HIPAA Privacy and Security Rules. One way it does this is to perform compliance reviews to make sure that covered entities are in compliance. It also performs outreach and education to enhance compliance with the Privacy and Security Rules (HHS Office for Civil Rights, 2017, June 7, Enforcement Process). OCR may or may not take action on cases presented to it. Normally, it will take action if the case involves a covered entity, such as a health insurance company, a physician, a hospital, etc. It won’t accept cases that involve a non-covered entity, such as employers, schools, workers’ comp carriers, etc.
Once OCR accepts a complaint, the complainant and the covered entity are both informed and are asked to present information (sometimes very specific) related to the incident. If the OCR finds an action that may possibly be a violation of the criminal provision of HIPAA, it may refer that action to the Department of Justice (DOJ) for investigation. Otherwise, OCR reviews the evidence that it collected in each case. If it determines that a violation has occurred and the entity is not in compliance, OCR may try to resolve the case with the covered entity by corrective action, voluntary compliance and/or a resolution agreement. Most of these issues are resolved this way by the OCR. It then notifies both the complainant and the covered entity in writing of the case result. If the covered entity fails to take action that satisfies OCR in resolving the issue, OCR may decide to impose civil money penalties (CMPs) on the covered entity. If that happens, the covered entity may request a hearing where an HHS