Ensuring the privacy, security, and confidentiality of personal health information has been a fundamental principle for the health information management (HIM) profession throughout its 80-year history. Today, HIM professionals continue to face the challenge of maintaining the privacy and security of patient information, an effort that grows in complexity as information becomes more and more distributed in electronic systems. The challenge of this responsibility has also increased due to the constantly changing legislative and regulatory environment.
The following regulations have impacted privacy and security:
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- The American Recovery and Reinvestment Act of 2009 (ARRA)
- Modifications to the HIPAA Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act; Final Rule
The Privacy Rule sets the floor, providing baseline requirements to preserve the overall confidentiality of protected health information (PHI) regardless of type (e.g., verbal, paper, electronic).
- Protects individuals’ health records and other individually identifiable health information created, maintained, or received by or on behalf of covered entities and their business associates
- Protects individuals’ PHI by regulating the circumstances under which covered entities may use and disclose protected health information
- Requires covered entities to have contracts or other arrangements in place with business associates that perform functions for, or provide services to or on behalf of, the covered entity
- Gives individuals rights with respect to their protected health information, including rights to examine and obtain a copy of their health records and to request corrections
The Security Rule applies only to protected health information in electronic form.
- Requires covered entities to implement certain administrative, physical, and technical safeguards to protect electronic information
- Requires covered entities to have contracts in place with their business associates stating that the business associates will appropriately safeguard the electronic protected health information they receive, create, maintain, or transmit on behalf of the covered entities
The Final HITECH Omnibus Rule strengthens privacy and security protections through:
- Extending compliance with HIPAA to business associates and their subcontractors
- Establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes
- Prohibiting the sale of protected health information without appropriate authorization
- Expanding individuals' rights to access their protected health information electronically
- Easing the disclosure of immunization records from a covered entity to a school
- Removing HIPAA Privacy protections for the PHI of an individual who has been deceased for more than 50 years
- Prohibiting the use of genetic information for underwriting purposes
- Finalizing breach notification requirements
- Expanding individuals' rights to obtain restrictions on certain disclosures of protected health information to health plans
If you have questions or would like to learn more about the HITECH Rule, please read our HITECH FAQs.
As the demands for health information become more diverse, health information management (HIM) professionals use their expertise to protect health information and ensure the right information is available to the right people at the right time. Successful privacy, security, and confidentiality programs depend on HIM professionals for their expertise on the applicable laws and regulations impacting the appropriate management of healthcare data. HIM professionals ensure privacy and security programs meet compliance and regulatory requirements from the point of creation and implementation and are continuously maintained thereafter.
In a time of changing regulations and continuous technology advancement, holding a privacy and security credential has become paramount. AHIMA’s Certified in Healthcare Privacy and Security (CHPS) credential is the only combined privacy and security credential in the industry and is one that is held by many HIM professionals. It is a true attestation to the qualifications and skill set of an HIM professional working in the privacy and security arena. Individuals who achieve the CHPS designation validate their commitment to advancing the management of privacy, security, and confidentiality practices.
HIM professionals advocate for strong privacy and security programs as electronic health record (EHR) systems are implemented and upgraded. HIM professionals provide the functional requirements for electronic health information, taking into account federal and state laws, including e-discovery, to ensure appropriate access, use, and disclosure of health information.
HIM professionals can also impact privacy, security, and confidentiality standards, laws, and regulations outside of their organization in multiple ways.
- Volunteering on state health information technology (HIT) and health information exchange (HIE) initiatives
- Responding to public comment periods
- Participating in standards development groups such as HL7 and HIEs