LEARNING OBJECTIVES
To obtain an overview of HIPAA, to understand the scope, mechanics, and basic rights and obligations under the HIPAA Privacy Rule, to learn about the HIPAA Security Rule and Breach Notification Rule, to understand how state law regulates health data beyond HIPAA.
Length: Approximately 1 hour
Written by: Professors Daniel J. Solove and Paul M. Schwartz
Instructor: Professor Daniel J. Solove
COURSE DESCRIPTION
This course provides an overview of the regulation of health privacy in the United States. The course explains the basic structural elements of HIPAA: how it applies, what types of entities it regulates, how it defines protected health information (PHI), and how it regulates business associates. It discusses the responsibilities of organizations under HIPAA, the rules governing the use and disclosure of PHI, and patient rights. The course also provides an introduction to the HIPAA Security Rule as well as the Breach Notification Rule. Additionally, the course covers the enforcement of HIPAA by the HHS Office for Civil Rights. Beyond HIPAA, the course discusses the role of state tort law and state statutory law in regulating health care privacy and security, as well as the protections for health data under the U.S. Constitution.
CERTIFICATE
To obtain a broad overview of privacy law, to understand the key issues involved, to learn how privacy law works, and to understand the differences and similarities between various privacy laws.
COURSE OUTLINE
About this Course
Introduction
State Tort Law
Breach of Confidentiality Tort
Duty to Notify Torts
HIPAA’s Applicability and Scope
Covered Entities
Hybrid Entities
PHI
Definition of PHI
De-Identification: The 18 HIPAA Identifiers
Business Associates
Definition of a Business Associate
Data Protection Along the Chain of Custody
Business Associate Agreements
Responsibilities of Organizations Under HIPAA
Governance Provisions
Privacy Official
Policies and Procedures
Workforce Training
Documentation
Assessments
Notice of Privacy Practices
Confidentiality
The Minimum Necessary Rule
Use and Disclosure of PHI Under HIPAA
Authorization
Mandatory and Permitted Disclosures
Mandatory Disclosures
Permitted Disclosures
Disclosures for Marketing and Fundraising
Accounting for Disclosures
HIPAA Patient Rights
Right of Access
Right of Amendment
Right to File a Complaint
The Right to Request Restrictions
HIPAA Security Rule
ePHI
Administrative, Physical, and Technical Safeguards
HIPAA Breach Notification Rule
Definition of a “Breach”
Notification
HIPAA Enforcement
HIPAA Enforcement Measures and Penalties
OCR Monetary Penalties
Audits
Private Common Law Lawsuits
Health Privacy Beyond HIPAA
State Statutes
Constitutional Law
Conclusion
COURSE READINGS
Required Readings
Handout: HIPAA’s Scope
Handout: HIPAA De-Identification
Handout: TeachPrivacy HIPAA Security Rule Checklist
Handout: TeachPrivacy HIPAA Enforcement Guide
Article: Daniel J. Solove, HIPAA Turns 10: Analyzing the Past, Present, and Future Impact, 84 Journal of AHIMA 22 (April 2013)
Recommended Readings
Book: Daniel J. Solove & Paul M. Schwartz, Privacy and the Media (Aspen 3rd edition 2018)
Handout: TeachPrivacy, HIPAA Training Guide
Handout: TeachPrivacy, HIPAA Audit Guide and Protocol Checklist