Safeguarding the Privacy and Security of Health Information

Emerging and constantly evolving threats to the data of health care providers, health plans, and business associates call for frequent review of an organization’s policies, procedures, education, and employee training that address compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Threats may include ransomware, phishing, hacking, and theft of mobile devices that contain health information. As these threats continue to become more sophisticated, so too should the preventive and responsive policies and procedures that are in place to protect this targeted information.

Health care providers, health plans, and health care clearinghouses, or collectively covered entities, are subject to the HIPAA Privacy Rule. The Privacy Rule includes patient rights to their health information and use and disclosures of personal health information (“PHI”), including permitted and prohibited uses. Generally, covered entities are permitted to use and disclose PHI for the purposes of treatment, payment, and health care operations, although exceptions do apply. These permitted and prohibited uses and disclosures, as applicable to specific health care organizations, must be outlined and available to the organization’s patients in the form of a Notice of Privacy Practices. Additional state laws also apply to the use and disclosure of certain health information, such as Iowa Code chapter 228, which provides for heightened safeguards pertaining to the disclosure of mental health and psychological records.

Individuals and businesses such as accountants, billing companies, software providers, IT support, attorneys, cleaning services, and even paper shredding companies who work with covered entities and, as a result, come into contact with PHI or electronic personal health information (“ePHI”) carry obligations to protect this sensitive information under the Security Rule. These individuals and businesses, referred to in the regulation as Business Associates, are required to have a Business Associate Agreement in place to ensure that they, along with the covered entity, are taking precautions to protect the security of PHI in compliance with HIPAA.

An important step in complying with the Security Rule is to conduct an initial security risk assessment. The results of this assessment will guide the organization through applying administrative, technical, and physical safeguards that are tailored to those specific risks that the organization faces. Upon an annual or other review of the policies and procedures that implement these safeguards, an organization may decide to conduct an updated security risk assessment to determine the organization’s information security needs at that given point in time. After reviewing policies and procedures, an organization should strive to instill a culture of compliance through training and education specific to its HIPAA compliance plan so that each member of its workforce will guard against these threats.

To read more about the HIPAA Privacy and Security Rules, visit or

If you have questions about how these regulations may apply to your business, please contact any BrownWinick attorney in the Health Law Practice Group.