Chapter 2: HIPAA for Mental Health Practitioners
Part 1: HIPAA Privacy Standards vs. Security Standards
HIPAA also set up privacy and security standards, which can be easy to confuse. For clarity's sake, here's the difference:
- Privacy standards establish who has the right to disclose and use protected health information (PHI) and under what circumstances, whether the information is expressed orally, in writing, or through electronic transmission. The standards also mandate that "reasonable steps" must be taken to secure PHI according to the HIPAA Privacy Rule.
- Security standards offer guidance on what administrative, physical, and technical measures should be taken to protect electronically stored or transmitted PHI from corruption by viruses, theft by cybercriminals, and transmission on unsecured channels.
In short: privacy standards dictate how PHI may be used and disclosed, and security standards dictate how PHI must be protected.
Both the HIPAA Privacy and Security Rules seek to protect and secure electronic "individually identifiable health information," which includes…
- The individual's past, present, or future physical or mental health or condition.
- Healthcare procedures and services provided to the individual.
- The past, present, or future payment for the healthcare the individual received (including diagnoses, treatments, prescriptions, etc.).
- The patient's name, address, birth date, Social Security Number, and other identifiers.