A Legal Guide to PRIVACY AND DATA SECURITY 2024

entities to provide this accounting of disclosures. However, there are also a number of exceptions under which the entity is not required to provide the accounting.

Restrictions on Sharing Data with Third Parties. Unless the HIPAA Privacy Rule establishes regulatory permission for a covered entity to use or disclose PHI for a specific purpose, either generally (such as treatment or payment) or subject to a particular process (such as disclosures to law enforcement or in judicial or administrative proceedings), the Privacy Rule requires covered entities to obtain "authorization" from the individual. The Privacy Rule sets out specific procedural and substantive requirements for obtaining authorization. Authorization is designed to obtain informed consent from individuals about how their PHI will be used or disclosed.

Business Associate Agreements. Covered entities are permitted to disclose PHI to business associates if the parties enter into an agreement that generally requires the business associate to: 1) use the information only for the purposes required or permitted by the covered entity; 2) safeguard the information from misuse; and 3) help the covered entity comply with its duties under the Privacy Rule. In addition, the Privacy Rule and Security Rule set forth very specific requirements for what must be included in these business associate agreements. When a covered entity knows that its business associate has materially breached or violated the applicable agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation and, if such steps are unsuccessful, to terminate the contract.

Data Security Requirements. The HIPAA Security Rule requires covered entities and business associates to implement data protection policies and reasonable security procedures, including: 1) administrative safeguards, which generally include administrative activities such as assigning responsibility for the security program to the appropriate individuals and requiring security training for employees; 2) physical safeguards, which include the physical mechanisms required to protect electronic systems, such as limiting access to electronic PHI to authorized
