This is a summary of key elements of the Brothers Healthcare Notice of Privacy Practices and of HIPAA's Security Rule. It covers who is covered, what information is protected, and what safeguards must be in place to ensure appropriate protection of electronic protected health information. Because it is an overview of the Security Rule, it does not address every detail of each provision; to view HIPAA's complete Security Rule and Privacy Rule, please visit the U.S. Department of Health & Human Services.
Brothers Healthcare never has and never will give your personal information to a third party for marketing or promotional purposes. Your personal information (e.g., name, email address, home address, telephone number, cell phone number, language, health information or any other personal information) is used by Brothers Healthcare strictly for educating and informing willing participants about matters dealing with bleeding disorders and other areas of health.
Brothers Healthcare Notice of Privacy Practices
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
We understand that medical information about you and your health is personal. Brothers Healthcare is required by law to maintain the privacy of your health information, to follow the terms of this Notice, and to provide you with this Notice of our legal duties and privacy practices with respect to your health information. We are required to follow the terms of the Notice that is currently in effect. Additional copies of this Notice are available upon request.
Brothers Healthcare does not share personal information with third parties for marketing/promotional purposes.
How Brothers Healthcare May Use or Disclose Your Health Information
Brothers Healthcare protects the privacy of your health information. For some activities, we must have your written authorization to use or disclose your health information. However, the law permits Brothers Healthcare to use or disclose your health information for the following purposes without your authorization:
- For Treatment. Information obtained by the Pharmacy will be used to dispense prescriptions to you. We may disclose health information about you to pharmacist(s) and other persons who are involved in dispensing your prescription.
- For Payment. We may use and disclose your health information so that your pharmacy services may be billed to, and payment may be collected from, you, an insurance company or a third party.
- For Health Care Operations. We may use and disclose health information about you for pharmacy operations. Unless you provide us with alternative instructions, we may send refill reminders and other materials related to your health care to your home. These uses and disclosures are necessary to run the Pharmacy and to make sure that you receive quality customer service.
- As Required by Law. We will disclose health information about you when required to do so by federal, state or local laws.
- To Avert a Serious Threat to Health or Safety. We may use and disclose health information about you when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat.
- Public Health Risk. We may disclose health information about you for public health activities. These activities generally include the following: (1) to prevent or control disease, injury or disability; (2) to report reactions to medication or problems with products; (3) to notify people of recalls of products they may be using; (4) to notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition; and (5) to notify the appropriate government authority if we believe a person has been the victim of abuse, neglect or domestic violence (we will only make this disclosure if you agree and when required or authorized by law).
- For Health Oversight Activities. We may disclose health information to a health oversight agency for activities authorized by law. These oversight activities, which are necessary for the government to monitor the health care system, include audits, investigations, inspections and licensure.
- Lawsuits and Disputes. If you are involved in a lawsuit or dispute, we may disclose health information about you in response to a court order or administrative order. We may also disclose health information about you in response to a subpoena, discovery request or other lawful process by someone else involved in the dispute, but only if efforts have been made to tell you about the request (which may include written notice to you) or to obtain an order protecting the information requested.
- For Specific Government Functions. Brothers Healthcare may disclose health information for the following specific government functions, including disclosures to the State Board of Pharmacy: (1) health information of military personnel, as required by military command authorities; (2) health information of inmates, to a correctional institution or law enforcement official; (3) in response to a request from law enforcement, if certain conditions are satisfied; and (4) for national security reasons.
When Brothers Healthcare May Not Use or Disclose Your Health Information
Except as described in this Notice, Brothers Healthcare will not use or disclose your health information without your written authorization. If you do authorize Brothers Healthcare to use or disclose your health information for another purpose, you may revoke your authorization in writing at any time.
You Have the Following Rights With Respect to Your Health Information
- You have the right to request restrictions on certain uses and disclosures of your health information. Brothers Healthcare is not required to agree to a restriction that you request. If we do agree to a restriction, we will put the agreement in writing and follow it, except in emergency situations. We cannot agree to limit uses or disclosures of information that are required by law.
- You have the right to inspect and copy your health information as long as the Pharmacy maintains the health information. Your health information usually will include prescription and billing records. To inspect or copy your health information, you must submit a written request. We may charge a fee for the costs of copying, mailing or other supplies that are necessary to grant your request. We may deny your request to inspect and copy in certain limited circumstances. If you are denied access to your health information, you may request that the denial be reviewed. You have a right to choose to obtain a summary instead of a copy of your health information.
- You have the right to request that Brothers Healthcare amend your health information that is incorrect or incomplete. To request an amendment, you must submit a written request (form available from your pharmacist), along with the reason for the request. Brothers Healthcare is not required to amend health information that is accurate and complete. Brothers Healthcare will provide you with information about the procedure for addressing any disagreement with a denial.
- You have a right to receive an accounting of disclosures of your health information that we have made after April 14, 2003, for purposes other than (1) Brothers Healthcare's treatment, payment or health care operations, (2) disclosures to you or made pursuant to your authorization, and (3) certain government functions. To request an accounting, you must submit a written request to the store location providing services. You must specify the time period, which may not be longer than six years.
- You may request communications of your health information by alternative means or at alternative locations. For example, you may request that we contact you about health matters only in writing or at a different residence or post office box. To request confidential communication of your health information, you must submit a written request to the store location providing services. Your request must state how or when you would like to be contacted. We will accommodate all reasonable requests.
If you would like to exercise one or more of these rights, contact or submit a written request to:
Brothers Healthcare, Attn: Mary Blahut, 11705 Slate Ave Suite 200 Corona, CA 92505
Summary of HIPAA Security Rule, from the U.S. Department of Health & Human Services
Introduction
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information.[1] To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI). Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.
Prior to HIPAA, no generally accepted set of security standards or general requirements for protecting health information existed in the health care industry. At the same time, new technologies were evolving, and the health care industry began to move away from paper processes and rely more heavily on the use of electronic information systems to pay claims, answer eligibility questions, provide health information and conduct a host of other administrative and clinically based functions.
Today, providers are using clinical applications such as computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems. Health plans are providing access to claims and care management, as well as member self-service applications. While this means that the medical workforce can be more mobile and efficient (i.e., physicians can check patient records and test results from wherever they are), the rise in the adoption rate of these technologies increases the potential security risks.
A major goal of the Security Rule is to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. Given that the health care marketplace is diverse, the Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ e-PHI.
This is a summary of key elements of the Security Rule and not a complete or comprehensive guide to compliance. Entities regulated by the Privacy and Security Rules are obligated to comply with all of their applicable requirements and should not rely on this summary as a source of legal information or advice. To make it easier to review the complete requirements of the Security Rule, provisions of the Rule referenced in this summary are cited in the end notes. Visit our Security Rule section to view the entire Rule, and for additional helpful information about how the Rule applies. In the event of a conflict between this summary and the Rule, the Rule governs.
Statutory and Regulatory Background
The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) required the Secretary of HHS to publish national standards for the security of electronic protected health information (e-PHI), electronic exchange, and the privacy and security of health information.
HIPAA called on the Secretary to issue security regulations regarding measures for protecting the integrity, confidentiality, and availability of e-PHI that is held or transmitted by covered entities. HHS developed a proposed rule and released it for public comment on August 12, 1998. The Department received approximately 2,350 public comments. The final regulation, the Security Rule, was published February 20, 2003.[2] The Rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality, integrity, and availability of e-PHI. The text of the final regulation can be found at 45 CFR Part 160 and Part 164, Subparts A and C.
Who is Covered by the Security Rule
The Security Rule, like all of the Administrative Simplification rules, applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”). For help in determining whether you are covered, use CMS’s decision tool. Read more about covered entities in the Summary of the HIPAA Privacy Rule.
Business Associates
The HITECH Act of 2009 expanded the responsibilities of business associates under the Privacy and Security Rules, making them directly liable for compliance with the Security Rule's safeguards. At the time this summary was written, HHS was developing regulations to implement and clarify these changes; they were implemented by the HIPAA Omnibus Final Rule (78 FR 5566, January 25, 2013). See additional guidance on business associates.
What Information is Protected
Electronic Protected Health Information. The HIPAA Privacy Rule protects the privacy of individually identifiable health information, called protected health information (PHI), as explained in the Privacy Rule. The Security Rule protects a subset of information covered by the Privacy Rule, which is all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form. The Security Rule calls this information “electronic protected health information” (e-PHI).[3] The Security Rule does not apply to PHI transmitted orally or in writing.
General Rules
The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI.
Specifically, covered entities must:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.[4]
The Security Rule defines “confidentiality” to mean that e-PHI is not available or disclosed to unauthorized persons. The Security Rule’s confidentiality requirements support the Privacy Rule’s prohibitions against improper uses and disclosures of PHI. The Security Rule also promotes the two additional goals of maintaining the integrity and availability of e-PHI. Under the Security Rule, “integrity” means that e-PHI is not altered or destroyed in an unauthorized manner. “Availability” means that e-PHI is accessible and usable on demand by an authorized person.[5]
HHS recognizes that covered entities range from the smallest provider to the largest, multi-state health plan. Therefore the Security Rule is flexible and scalable to allow covered entities to analyze their own needs and implement solutions appropriate for their specific environments. What is appropriate for a particular covered entity will depend on the nature of the covered entity’s business, as well as the covered entity’s size and resources.
Therefore, when a covered entity is deciding which security measures to use, the Rule does not dictate those measures but requires the covered entity to consider:
- Its size, complexity, and capabilities,
- Its technical, hardware, and software infrastructure,
- The costs of security measures, and
- The likelihood and possible impact of potential risks to e-PHI.[6]
Covered entities must review and modify their security measures to continue protecting e-PHI in a changing environment.[7]
Risk Analysis and Management
The Administrative Safeguards provisions in the Security Rule require covered entities to perform risk analysis as part of their security management processes. The risk analysis and management provisions of the Security Rule are addressed separately here because, by helping to determine which security measures are reasonable and appropriate for a particular covered entity, risk analysis affects the implementation of all of the safeguards contained in the Security Rule.
A risk analysis process includes, but is not limited to, the following activities:
- Evaluate the likelihood and impact of potential risks to e-PHI;[8]
- Implement appropriate security measures to address the risks identified in the risk analysis;[9]
- Document the chosen security measures and, where required, the rationale for adopting those measures;[10] and
- Maintain continuous, reasonable, and appropriate security protections.[11]
Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents,[12] periodically evaluates the effectiveness of security measures put in place,[13] and regularly reevaluates potential risks to e-PHI.[14]
Administrative Safeguards
Security Management Process. As explained in the previous section, a covered entity must identify and analyze potential risks to e-PHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
Security Personnel. A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.[15]
Information Access Management. Consistent with the Privacy Rule standard limiting uses and disclosures of PHI to the “minimum necessary,” the Security Rule requires a covered entity to implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user or recipient’s role (role-based access).[16]
Workforce Training and Management. A covered entity must provide for appropriate authorization and supervision of workforce members who work with e-PHI.[17] A covered entity must train all workforce members regarding its security policies and procedures,[18] and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.[19]
Evaluation. A covered entity must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule.[20]
Physical Safeguards
Facility Access and Control. A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.[21]
Workstation and Device Security. A covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media.[22] A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information (e-PHI).[23]
Technical Safeguards
Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).[24]
Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.[25]
Integrity Controls. A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.[26]
Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.[27]
Required and Addressable Implementation Specifications
Covered entities are required to comply with every Security Rule “standard.” However, the Security Rule categorizes certain implementation specifications within those standards as “addressable,” while others are “required.” The “required” implementation specifications must be implemented. The “addressable” designation does not mean that an implementation specification is optional. It permits a covered entity to determine whether the addressable implementation specification is reasonable and appropriate for that covered entity. If it is not, the covered entity must document why, and the Security Rule allows it to adopt an alternative measure that achieves the purpose of the standard, if the alternative measure is reasonable and appropriate.[28]
Organizational Requirements
Covered Entity Responsibilities. If a covered entity knows of an activity or practice of the business associate that constitutes a material breach or violation of the business associate’s obligation, the covered entity must take reasonable steps to cure the breach or end the violation.[29] Violations include the failure to implement safeguards that reasonably and appropriately protect e-PHI.
Business Associate Contracts. At the time this summary was written, HHS was developing regulations relating to business associate obligations and business associate contracts under the HITECH Act of 2009; those regulations were issued as the HIPAA Omnibus Final Rule of January 25, 2013.
Policies and Procedures and Documentation Requirements
A covered entity must adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule. A covered entity must maintain, until six years after the later of the date of their creation or last effective date, written security policies and procedures and written records of required actions, activities or assessments.[30]
Updates. A covered entity must periodically review and update its documentation in response to environmental or organizational changes that affect the security of electronic protected health information (e-PHI).[31]
State Law
Preemption. In general, State laws that are contrary to the HIPAA regulations are preempted by the federal requirements, which means that the federal requirements will apply.[32] “Contrary” means that it would be impossible for a covered entity to comply with both the State and federal requirements, or that the provision of State law is an obstacle to accomplishing the full purposes and objectives of the Administrative Simplification provisions of HIPAA.[33]
Enforcement and Penalties for Noncompliance
Compliance. The Security Rule establishes a set of national standards for confidentiality, integrity and availability of e-PHI. The Department of Health and Human Services (HHS), Office for Civil Rights (OCR) is responsible for administering and enforcing these standards, in concert with its enforcement of the Privacy Rule, and may conduct complaint investigations and compliance reviews. Learn more about enforcement and penalties in the Privacy Rule Summary and on OCR’s Enforcement Rule page.
Compliance Dates
Compliance Schedule. All covered entities, except “small health plans,” must have been compliant with the Security Rule by April 20, 2005. Small health plans had until April 20, 2006 to comply.
Copies of the Rule and Related Materials
See our Combined Regulation Text of All Rules section of our site for the full suite of HIPAA Administrative Simplification Regulations and Understanding HIPAA for additional guidance material.
End Notes
[1] Pub. L. 104-191
[2] 68 FR 8334.
[3] 45 C.F.R. § 160.103.
[4] 45 C.F.R. § 164.306(a).
[5] 45 C.F.R. § 164.304.
[6] 45 C.F.R. § 164.306(b)(2).
[7] 45 C.F.R. § 164.306(e).
[8] 45 C.F.R. § 164.306(b)(2)(iv).
[9] 45 C.F.R. § 164.308(a)(1)(ii)(B).
[10] 45 C.F.R. § 164.306(d)(3)(ii)(B)(1); 45 C.F.R. § 164.316(b)(1).
[11] 45 C.F.R. § 164.306(e).
[12] 45 C.F.R. § 164.308(a)(1)(ii)(D).
[13] 45 C.F.R. § 164.306(e); 45 C.F.R. § 164.308(a)(8).
[14] 45 C.F.R. § 164.306(b)(2)(iv); 45 C.F.R. § 164.306(e).
[15] 45 C.F.R. § 164.308(a)(2).
[16] 45 C.F.R. § 164.308(a)(4)(i).
[17] 45 C.F.R. § 164.308(a)(3) & (4).
[18] 45 C.F.R. § 164.308(a)(5)(i).
[19] 45 C.F.R. § 164.308(a)(1)(ii)(C).
[20] 45 C.F.R. § 164.308(a)(8).
[21] 45 C.F.R. § 164.310(a).
[22] 45 C.F.R. §§ 164.310(b) & (c).
[23] 45 C.F.R. § 164.310(d).
[24] 45 C.F.R. § 164.312(a).
[25] 45 C.F.R. § 164.312(b).
[26] 45 C.F.R. § 164.312(c).
[27] 45 C.F.R. § 164.312(e).
[28] 45 C.F.R. § 164.306(d).
[29] 45 C.F.R. § 164.314(a)(1).
[30] 45 C.F.R. § 164.316.
[31] 45 C.F.R. § 164.316(b)(2)(iii).
[32] 45 C.F.R. § 160.203.
[33] 45 C.F.R. § 160.202.