.While many of us have (hopefully) finished our
Security Rule (“SR”) Assessments and Remediation, the Privacy Rule (“PR”)
necessitates substantially more thought and effort, particularly in light of
the considerable changes that are slated to be implemented in 2021. Consider
Subpart E — Individually Identifiable Information Privacy. Some people are
confused about the distinctions between Personal Health Information
(“PHI”) and Personally Identifiable Health Information
(“PII”). It is an oversimplification to say that because PII does not
contain any health information, it does not require the same precautions and
protections as PHI. Because PII allows for the identification of a specific
individual, it is equally harmful in the hands of the “bad guys.”
Components include names, addresses, license numbers, and addresses. Of course,
if this information falls into the hands of the wrong person, it may be quite
sensitive (e.g., Cyber Security, Credit Card Theft). According to HHS Guidance
on PII, any representation of information that allows the identity of an
individual to whom the information relates to be fairly inferred by either
direct or indirect means is considered PII. Furthermore, PII is defined as
information: I that directly identifies an individual (e.g., name, address,
social security number or other identifying number or code, telephone number,
email address, etc.) or (ii) that an agency intends to use in conjunction with
other data elements to identify specific individuals, i.e., indirect
identification. (These data items might comprise a mix of gender, race, birth
date, geographic indication, and other characteristics.) Furthermore,
information that allows a specific individual to be contacted physically or
online is the same as personally identifiable information. This information can
be kept on paper, electronically, or in another manner.
The subject of whether PII should be regarded in
the same way as PHI is frequently raised. Well, nearly often, the answer is
yes. Consider that PII can be harmful to persons if it is revealed to others
who do not require it. All sensitive data, including PHI, requires extensive
safeguarding. The Privacy Rule mandates that PHI and PII be secured by
developing (and executing as appropriate) policies and processes for data
restoration in the event of data loss. The Privacy Rule uses and discloses
protected health information: basic guidelines say that under the law, a
parent, guardian, or other person acting in loco parentis has the power to act
in the best interest of an unemancipated child AND the covered entity must
regard this person as a personal representative. However, if the minor has the
capacity to act as an individual in relation to health care services, the minor
may consent not only to the health care service and retain records, but the
minor may also request or reject access to the personal representative. So, either
there was no restriction of access to the parent in this case, or Peter was an
emancipated minor. Staff must, however, be present in both cases.
Confidential information privacy includes health data, intellectual property, military defense secrets, and so on. The HIPAA Privacy Rule revisions are a wake-up call to the healthcare industry: get your act together or face the consequences. Over the previous year, OCR has already demonstrated a readiness to impose severe CMPs on entities that fail to furnish PHI to patients in a timely way. Something (or someone) cracked in Washington and realized that without patient participation, we would never be able to transform healthcare from a disease system to a wellness system. Our present strategy is unsustainable and will have severe unforeseen consequences. Consider the COVID epidemic. We have no idea how frequently they will occur on this magnitude. Okay, the Spanish Flu occurred approximately a century ago, but it is only one data point. What about Ebola, HIV, the reintroduction of malaria, and so on? These were never on the same level as the others, but they may have been.
The rationale for engaging in a public policy debate is that if the law moves slowly, healthcare, the most insular business in the United States, moves even slower. It is poorly unprepared for a move to a more consumer-centric focus. Most compliance budgets are considerably underfunded in dealing with present difficulties, let alone something that flips the paradigm right under their feet.” “This is only one illustration of the complexity and processes connected with existing PR.” Changes in the future, regardless of the Regime, may have a significant influence on PR compliance efforts. There will be new rules, revisions to existing regulations, marginally altered regulations, and maybe removed regulations. To remain compliance with the regime, firms will need to retrain their employees and implement new rules and processes..
