The Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides data privacy and security provisions to protect medical information in the United States. It ensures that health information about patients is protected from being disclosed without the patient’s consent or knowledge.

The HHS Office for Civil Rights enforces HIPAA, conducts audits, and imposes penalties for noncompliance. HIPAA violation penalties are primarily financial but may also include incarceration in severe cases.

HIPAA compliance

To ensure HIPAA compliance, companies that deal with protected health information (PHI) must implement physical, process, and network security measures. All organizations providing treatment, payment, and operations in healthcare are considered covered entities. Business associates who have access to patient information and provide support in treatment, payment, or procedures must meet HIPAA requirements as well.

HIPAA Privacy Rule

The Privacy Rule standards address the use and disclosure of PHI by covered entities.

Covered entities are specified in the HIPAA Privacy Rule as healthcare clearinghouses, health plans, and healthcare providers.

The Privacy Rule sets out standards for how patients can understand and control the use of their health information and ensures its protection. This is done while allowing the flow of health information needed to provide high-quality healthcare. The Privacy Rule permits substantial uses of data while protecting the privacy of people seeking medical care.

The Privacy Rule guarantees individuals the right to receive upon request their PHI from healthcare providers covered by HIPAA.

Covered entities must also sign an agreement with a HIPAA business associate that imposes specific safeguards on the PHI that the business associate uses or discloses.

What information is protected under HIPAA?

Under the HIPAA Privacy Rule, any identifiable health information held by a covered entity or business associate is protected. The information may be digital, paper-based, or verbal.

When health information is combined with a personal identifier, the data becomes PHI. There are 18 HIPAA identifiers, including:

  • Name, address, birthdate, Social Security number, biometric identifiers, web URLs, and IP addresses.
  • A past, present, or future physical or mental health condition.
  • Payment information concerning past, current, or future care.

PHI is a subset of personally identifiable information (PII) that refers explicitly to information processed by HIPAA-covered entities.

The US Department of Health and Human Services (HHS) issued the HIPAA Privacy and HIPAA Security rules to implement HIPAA requirements.

HIPAA Security Rule

The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a set of requirements for all individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form. This kind of information is called electronic protected health information, or ePHI.

To comply with the HIPAA Security Rule, covered entities are obliged to:

  • Ensure the confidentiality, integrity, and availability of all ePHI.
  • Protect against uses or disclosures of ePHI that the rule does not permit.
  • Identify and protect against anticipated threats to the security of ePHI.
  • Ensure that their workforce complies with the rule.

HIPAA defines three other significant rules that all organizations handling PHI (including providers of online software) must follow when they store, record, or share it.