Federal HIPAA Requirements vs. Nevada State Laws
While HIPAA is the federal standard, Nevada state laws augment HIPAA compliance. Some of the key differences and overlaps include the following:
a. HIPAA's Privacy and Security Rules
HIPAA provides a clear framework for the protection of patient health information through the Privacy Rule and Security Rule:
- Privacy Rule:
  - Applies to all "covered entities" (healthcare providers, health plans, healthcare clearinghouses) and their "business associates" (third-party vendors handling health information).
  - Requires written consent for the release of Protected Health Information (PHI) except in specific circumstances like emergency care or public health reporting.
  - Mandates that patients have rights to access their own health information, request corrections, and request restrictions on certain uses and disclosures of their PHI.
- Security Rule:
  - Specifies security safeguards for electronic protected health information (ePHI), including access controls, encryption, and secure transmission standards.
  - Requires risk analysis and the implementation of reasonable security measures based on the nature and scope of the information being handled.
- Breach Notification Rule:
  - Covered entities must notify affected individuals, the U.S. Department of Health and Human Services (HHS), and in some cases the media if there is a breach of unsecured PHI.
  - This rule is designed to ensure that individuals know if their data has been compromised, giving them a chance to mitigate risks (like identity theft).
b. Nevada-Specific Laws
Nevada’s state laws provide extra layers of protection and specific requirements that healthcare providers and entities must follow:
- Nevada Revised Statutes (NRS) Chapter 629 (Medical Records Privacy):
  - This chapter is directly concerned with the handling of medical records and the privacy of patient health information in Nevada.
  - Key provisions include that consent must be obtained from patients before any medical records are disclosed to third parties, unless it is for purposes directly related to patient care or in cases where state or federal law mandates disclosure (e.g., public health reporting).
  - Retention of Medical Records: It also outlines how long healthcare providers must retain medical records. In Nevada, records should generally be kept for at least five years after a patient's last visit.
- Nevada Data Privacy Law (SB 220 – 2019):
  - Though not specifically focused on healthcare, this law addresses consumer privacy for residents of Nevada, especially with regard to the use of personal data by businesses.
  - SB 220 grants Nevada residents the right to opt out of the sale of their personal data and opt out of the use of certain types of information, in a manner similar to the California Consumer Privacy Act (CCPA). While not strictly healthcare-related, it adds an additional layer of data protection for Nevada residents.
- NRS 439B.720 (Health Information Exchanges):
  - This law outlines requirements for health information exchanges (HIEs), which facilitate the sharing of patient health information between healthcare entities.
  - It mandates that health information exchanged via these platforms is subject to both state privacy protections and HIPAA requirements.
  - It specifies that healthcare entities must ensure appropriate safeguards to prevent unauthorized access, tampering, or disclosure of sensitive health information.
- Nevada's Medical Identity Theft Law:
  - The law requires that victims of medical identity theft receive notifications when their medical records are used fraudulently.
  - Healthcare providers must notify patients of suspected identity theft, and records must be corrected to ensure accurate medical histories.
c. Additional Nevada Privacy Regulations
- Nevada's Electronic Communications Privacy Law (NRS 200.620-200.640):
  - This law provides safeguards against the unauthorized interception or disclosure of electronic communications, including healthcare communications (e.g., telemedicine).
  - It specifically focuses on patient consent for communications, particularly in digital formats, which aligns with HIPAA's overarching privacy principles.
Unique Nevada Breach Notification Law
While HIPAA outlines national breach notification rules, Nevada law adds requirements of its own:
- Breach Notification: If personal health data is breached (whether through electronic or physical means), covered entities must notify affected individuals within 60 days of the breach.
- Notification Content: Nevada requires that breach notifications include specifics about the nature of the breach, the type of data involved, and steps individuals should take to protect themselves.
Additionally, under the Nevada Privacy of Personal Information Law (NRS 603A), the state has specific rules for how healthcare organizations must handle breach notifications related to medical records. A business must disclose a health data breach to the Nevada Attorney General's Office if the breach affects more than 1,000 Nevada residents.
3. Compliance Strategies for Healthcare Organizations in Nevada
Healthcare providers in Nevada must take extra precautions to meet both HIPAA and state-level regulations. Here are key strategies:
- Data Protection Policies and Procedures: Providers must develop internal policies that outline how patient data is protected in line with both HIPAA and Nevada state law. This includes encryption, access controls, and secure handling of physical and electronic health records.
- Staff Training: Regular training on both federal (HIPAA) and state (Nevada-specific) regulations ensures that all employees understand their obligations in handling patient data.
- Incident Response Plan: A comprehensive plan should be in place to address potential data breaches, including internal investigations, notifications to patients and authorities, and mitigation steps.
- Third-Party Business Associates: Business associates in Nevada must be carefully vetted to ensure compliance with both HIPAA and Nevada's medical records laws. Written agreements should clearly outline their obligations, and regular audits should be conducted to confirm that they are following the regulations.
4. Penalties and Enforcement in Nevada
Both HIPAA and Nevada state laws impose penalties for violations of privacy and security provisions.
- HIPAA Enforcement:
  - Penalties can range from civil fines (up to $50,000 per violation) to criminal penalties for more egregious violations.
  - The Office for Civil Rights (OCR) at HHS is responsible for enforcing HIPAA compliance and investigating complaints.
- Nevada State Penalties:
  - Nevada has its own penalties for breaches of medical records and patient privacy, which can range from fines to civil litigation if the state or patient sues for violations.
  - Violators of NRS Chapter 629 could face up to $25,000 in fines, while violations of data security laws could lead to similar or greater penalties.
Conclusion
For healthcare providers in Nevada, ensuring compliance with both HIPAA and state-specific regulations is crucial. The Privacy Rule and Security Rule set by HIPAA provide the framework, while Nevada's medical records laws add additional layers of protection, particularly around patient consent, breach notifications, and the exchange of health information. Failing to comply with these regulations can lead to hefty fines, legal action, and reputational damage. Healthcare organizations must therefore implement robust privacy, security, and data handling practices to meet both federal and state standards.
01/30/2025