1. PRIVACY RULE CONSIDERATIONS
Most people believe that their medical information is 100-percent protected, but according to the rules of the Health Insurance Portability and Accountability Act, or HIPAA, health care providers can share information with family members in certain circumstances of reduced mental or physical capacity in adults, or share data with parents or guardians in the case of minors. Generally, HIPAA regulations prevent sharing or exposing confidential information in electronic, written and oral forms. This means that websites handling health data have a duty to protect it even when health records are discussed over the phone, where they could be overheard by unauthorized people. In many cases, outside service providers need access to information in order to provide medical services, so these cases are exempted from the privacy restrictions. The privacy rule applies to computer information about patients, conversations between doctors and medical staff, billing information, medical charts and prescription information.
2. SECURITY RULE CONSIDERATIONS
National standards of security protect information in medical private practice databases, eCommerce customer lists where medical records are part of the database, medical clearinghouses, pharmacies, insurance companies and other covered entities and business associates. The HIPAA security rule has three components: technical safeguards, administrative safeguards and physical safeguards. Some of the major highlights of security-rule regulations include -- but aren't limited to -- the following points:
- Performing periodic risk analyses to determine physical and digital vulnerabilities
- Reducing risks to acceptable levels
- Regularly reviewing system activities, digital logs and audit trails
- Authorizing and supervising the employees who have access to PHI
- Protecting PHI from unauthorized parent companies, subcontractors and partner organizations
- Sending regular updates to staff members about security issues and training employees to recognize malware, malicious software and other virtual and real-world threats
- Implementing a system of access controls
- Providing encryption and decryption tools
- Facilitating safeguards like automatic logoffs
- Establishing mandatory policies for using work stations and mobile devices
3. ENFORCEMENT RULE CONSIDERATIONS
The HIPAA Enforcement Rule mostly concerns penalties and investigations when companies are found to be noncompliant, but eCommerce companies do have some enforcement responsibilities through the administrative section of the security rule. These include getting authorization forms for disclosing information to third-party sources, providing customers with a Notice of Privacy Practices and drawing up Business Associate Agreements for partners to acknowledge their responsibilities under HIPAA.
4. BREACH NOTIFICATION RULE CONSIDERATIONS
Many eCommerce companies will never deal with breach notifications, but many will. Breaches occur when unauthorized people gain access to protected health information in some manner that is not permitted under the HIPAA Privacy Rule. These breaches include unauthorized access to physical areas, inadvertent disclosures, stolen or misplaced documents and digital hacks. If any of these situations occur, covered entities must:
- Determine if PHI is compromised.
- Assess the type and amount of data involved.
- Find out who used the PHI illegally or to whom information was disclosed.
- Chronicle steps taken to mitigate the breach.
- Ascertain if the breach was closed or information returned before being used or if the breach occurred inadvertently under a covered associate’s or entity’s authority.
- Send notices of incidents that are determined to be breaches to each patient's last known address by first class mail or email if electronic notifications are authorized.
- The notice must be written in easy-to-understand language and include a summary of how the situation occurred, the date of exposure and other relevant details.