Submitted by saurav on April 1, 2022


What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US federal law that mandated the development of national standards to protect sensitive patient health information from being disclosed without the patient's knowledge or authorization. It requires applicable entities to have data privacy and security controls in place to protect health information.

Understanding the basic terms in HIPAA

Protected Health Information (PHI)

This includes information such as name, address, date of birth, medical record number, Social Security Number, account number, etc., which can be used as common identifiers to associate data with a person. HIPAA lists 18 such identifiers, which include certificate/license numbers, vehicle identifiers, IP addresses, biometric elements, and full-face photographic images, among others.

Covered Entity

This includes health care providers (doctors, clinics, dentists, etc.), health plans (health insurance companies, company health plans, etc.), and health care clearinghouses (entities that help other entities process non-standard health information into standardized forms).

Business Associate

This includes any entity that provides services such as claims processing or administration; data analysis; quality assurance; billing; or benefit management, among others, to a covered entity, where those services involve the use or disclosure of protected health information.

HHS and OCR

The Department of Health and Human Services (HHS) is the US federal department responsible for protecting the health of all Americans and providing essential human services. Its Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Rules regarding health information privacy.

Whom does HIPAA apply to?

HIPAA applies to all Covered Entities, including health care providers, health plans, and health care clearinghouses, and to their Business Associates.

What are the 4 HIPAA Rules?

Privacy Rule

This rule protects all "individually identifiable health information" held in electronic, paper, or oral forms by business associates and covered entities.

Security Rule

This rule requires administrative, physical, and technical safeguards to be in place to protect a patient’s PHI which is electronically stored (referred to as ePHI).

Breach Notification Rule

This rule clarifies the definition of a breach and states breach notification requirements for applicable covered entities and business associates in the event of a breach of unsecured protected health information.

Enforcement Rule

This rule establishes mandatory federal privacy and security breach reporting requirements, along with the fines and penalties the regulators enforce for non-compliance with HIPAA regulations, among other stipulations.

Are there any recent updates to the HIPAA Regulations?

  1. In January 2021, the HIPAA Safe Harbor Bill was passed which requires healthcare organizations to have recognized cybersecurity practices in place to improve their defenses against cyberattacks and data breaches.
  2. In March 2020, OCR announced no penalties would be imposed on healthcare providers in association with the good faith provision of telehealth services for the purpose of diagnosis and treatment.
  3. In April 2020, OCR announced no sanctions and penalties would be imposed on business associates or their covered entities for using and disclosing PHI to Federal public health authorities and health oversight agencies.
  4. In 2019, OCR adopted a new penalty structure for non-compliance with the HIPAA Rules, reducing the maximum fine in the first three tiers.


Author
Anita Jagasia
Senior Manager – Marketing & Operations
RiskPro India
(April 2022)