“HIPAA 101” Briefing Focused on Health Information Privacy and Security Issues

To clear up prevalent misconceptions associated with the Health Information Portability and Accountability Act (HIPAA), the Healthcare Leadership Council (HLC) hosted a “HIPAA 101” briefing on Capitol Hill.  Experts discussed the details of the privacy and security rules, and clarified how privacy and security do not share the same meaning.

David Bloch, the principal legal counsel for Medtronic, discussed important concepts regarding the HIPAA privacy rule.  He explained how covered entities may use or disclose personal health information (PHI) for treatment, payment, and healthcare operations.  Authorization is required for the use of PHI in research, unless it has been de-identified.  Patients may request an accounting of disclosures from HIPAA covered entities in order to see who has had access to their PHI.

Kim Gray, the global chief privacy officer at IMS Health, focused on the HIPAA security rule.  She noted that covered entities must have reasonable safeguards to protect health data from unauthorized use.  Administrative and technical safeguards are both required, as well as physical safeguards to avoid security breaches.  HIPAA security standards are flexible and scalable so that varying organizations are able to determine what is appropriate according to their individual circumstances.