LEARNING OBJECTIVES
To obtain an overview of HIPAA, to understand the scope, mechanics, and basic rights and obligations under the HIPAA Privacy Rule, to learn about the HIPAA Security Rule and Breach Notification Rule, to understand how state law regulates health data beyond HIPAA.

Length: Approximately 1 hour

Written by: Professors Daniel J. Solove and Paul M. Schwartz

Instructor: Professor Daniel J. Solove

COURSE DESCRIPTION
This course provides an overview of the regulation of health privacy in the United States. The course explains the basic structural elements of HIPAA – how it applies, what types of entities it regulates, how it defines protected health information (PHI), and how it regulates business associates. It discusses the responsibilities of organizations under HIPAA, the rules governing the use and disclosure of PHI, and patient rights.  The course also provides an introduction to the HIPAA Security Rule as well as the Breach Notification Rule. Additionally, the course covers the enforcement of HIPAA by the HHS’ Office for Civil Rights. Beyond HIPAA, the course discusses the role in regulating health care privacy and security by state tort law and statutory law, as well as the protections in the U.S. Constitution for health data.

CERTIFICATE
To obtain a broad overview of privacy law, to understand the key issues involved, to learn how privacy law works, and to understand the differences and similarities between various privacy laws.

About this Course
Introduction
State Tort Law

Breach of Confidentiality Tort
Duty to Notify Torts

HIPAA’s Applicability and Scope

Covered Entities
Hybrid Entities
PHI

Definition of PHI
De-Identification: The 18 HIPAA Identifiers

Business Associates

Definition of a Business Associate
Data Protection Along the Chain of Custody
Business Associate Agreements

Responsibilities of Organizations Under HIPAA

Governance Provisions

Privacy Official
Policies and Procedures
Workforce Training
Documentation
Assessments

Notice of Privacy Practices
Confidentiality
The Minimum Necessary Rule

Use and Disclosure of PHI Under HIPAA

Authorization
Mandatory and Permitted Disclosures

Mandatory Disclosures
Permitted Disclosures
Disclosures for Marketing and Fundraising
Accounting for Disclosures

HIPAA Patient Rights

Right of Access
Right of Amendment
Right to File a Complaint
The Right to Request Restrictions

HIPAA Security Rule

ePHI
Administrative, Physical, and Technical Safeguards
HIPAA Breach Notification Rule

Definition of a “Breach”
Notification

HIPAA Enforcement

HIPAA Enforcement Measures and Penalties
OCR Monetary Penalties
Audits
Private Common Law Lawsuits

Health Privacy Beyond HIPAA

State Statutes
Constitutional Law

Conclusion

Required Readings

Handout: HIPAA’s Scope
Handout: HIPAA De-Identification
Handout: TeachPrivacy HIPAA Security Rule Checklist
Handout: TeachPrivacy HIPAA Enforcement Guide
Article: Daniel J. Solove, HIPAA Turns 10: Analyzing the Past, Present, and Future Impact, 84 Journal of AHIMA 22 (April 2013)

Recommended Readings

Book: Daniel J. Solove & Paul M. Schwartz, Privacy and the Media (Aspen 3rd edition 2018)
Handout: TeachPrivacy, HIPAA Training Guide
Handout: TeachPrivacy, HIPAA Audit Guide and Protocol Checklist