You know that you have questions about HIPAA. Fortunately, you've come to the right place. Accountable has specialized in helping organizations achieve and maintain compliance with HIPAA for over a decade. We've seen and heard it all.
HIPAA was created with the original intention of helping more Americans gain health insurance coverage and ensuring that employees would not lose their health insurance if they changed jobs. While its initial function primarily focused on regulating the health insurance industry, the act also allowed the Department of Health and Human Services (HHS) to set standards for safeguarding identifiable health information, legitimizing and protecting an individual's rights to their healthcare information while also seeking to increase the efficiency and effectiveness of the healthcare industry as a whole. The scope of the law was later defined and expanded through the Privacy Rule, the Security Rule, the HITECH Act, and other expansions of the original HIPAA law.
For more information: History of HIPAA
HIPAA stands for the Health Insurance Portability and Accountability Act. It was signed into law in 1996 and has since grown into one of the most well-known and impactful healthcare laws in the United States.
HIPAA is built around safeguarding an individual's Protected Health Information (PHI). PHI, as defined by the Privacy Rule, is any information within a person's medical record that can identify them and is held by a covered entity. Under HIPAA and the Privacy Rule, there are 18 specific identifiers that must be handled with certain safeguards.
For more information: What is PHI
PHI is any information that can be used to identify an individual, even if the link appears to be tenuous. HIPAA has laid out 18 identifiers for PHI. If a record contains any one of those 18 identifiers, it is considered to be PHI. If the record has these identifiers removed, it is no longer considered to be Protected Health Information and it is no longer under the restrictions defined by the HIPAA Privacy Rule. These are the 18 Identifiers for PHI:
Full names, or last name and initial
All geographical identifiers smaller than a state
Dates (other than year) directly related to an individual, such as birth dates or treatment dates
Phone numbers, including area code
Social Security numbers
Medical record numbers
Health insurance beneficiary numbers
Bank account numbers
Certificate and driver's license numbers
Vehicle identifiers (including VIN and license plate information)
Device identifiers and serial numbers
Web Uniform Resource Locators (URLs)
Internet Protocol (IP) addresses
Biometric identifiers, including fingerprints, retinal scans, genetic information, and voice prints
Full-face photographs and any comparable images that can identify an individual
Any other unique identifying number, characteristic, or code, except the unique code assigned by the investigator to code the data
The rule of thumb is that if any of the information is personally recognizable to the patient or if it was utilized or discovered during the course of a healthcare service, it is considered to be PHI.
For more information: Protected Health Information
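The identifier list above is the basis of the Safe Harbor approach to de-identification: strip the listed categories and what remains is no longer PHI. The following is an added illustration, not code from Accountable or from the HIPAA text; the field names, regex patterns and the sample record are all constructed for the example. It drops the direct-identifier fields from a structured record, reduces dates to the year, and then scans the remaining free-text fields for identifier-like tokens that a field-level scrub alone would miss.

```python
import re
from datetime import date

# Field names are assumptions for this constructed example; they map onto the
# identifier categories listed above (name, geography, phone, SSN, MRN, ...).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "zip", "phone", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vin",
    "license_plate", "device_serial", "url", "ip_address", "fingerprint", "photo",
}
DATE_FIELDS = {"dob", "admit_date"}   # keep year only ("dates other than year")

# Patterns for identifier-like tokens that commonly hide in free-text notes.
TEXT_IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}

def find_text_identifiers(text: str) -> set:
    """Return the identifier categories whose patterns match in free text."""
    return {name for name, pat in TEXT_IDENTIFIER_PATTERNS.items() if pat.search(text)}

def safe_harbor_deidentify(record: dict) -> dict:
    """Copy a structured record, dropping direct identifiers and reducing dates
    to the year. Geography smaller than a state is dropped; 'state' is kept."""
    clean = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key in DATE_FIELDS:
            clean[key] = value.year
            continue
        clean[key] = value
    return clean

def leaked_identifiers(record: dict) -> set:
    """Identifier categories still present after de-identification, found by
    scanning every remaining string field (e.g. clinical notes)."""
    found = set()
    for value in safe_harbor_deidentify(record).values():
        if isinstance(value, str):
            found |= find_text_identifiers(value)
    return found

# Constructed sample record, not real patient data.
SAMPLE = {
    "name": "Jane Example", "zip": "90210", "state": "CA", "ssn": "123-45-6789",
    "dob": date(1980, 4, 12), "diagnosis": "hypertension",
    "notes": "Pt called from 555-123-4567 to reschedule; follow up 5/1/2024.",
}
```

Running `leaked_identifiers(SAMPLE)` shows that the phone number and the visit date inside the notes survive the field-level scrub, which is exactly why free-text review is part of any de-identification process.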
HIPAA applies to Covered Entities (clinics, hospitals, healthcare facilities, and insurance companies) as well as to Business Associates who come into contact with PHI as part of their operating agreements with covered entities.
A Covered Entity is anyone that provides treatment, payment, or operations in healthcare. The HIPAA law breaks those organizations down into three categories: Healthcare Providers, Health Plans, and Healthcare Clearinghouses.
For more information: HIPAA Covered Entities
A Business Associate is a person or organization that performs certain functions for a covered entity that involve the use of, or exposure to, Protected Health Information. In order to protect both parties in the event of a breach, Business Associates are required to adhere to HIPAA and sign a Business Associate Agreement.
For more information: HIPAA Business Associates
HIPAA compliance is the continual process of complying with the rules and regulations of HIPAA. It can be broken into several manageable basic steps. These steps are:
1) Understanding what patient privacy entails
2) Knowing the core rules of HIPAA and their required mandates
3) Understanding the roles security and privacy play in the use of Electronic Health Records (EHR)
4) Completing Security Risk Analysis and Management and correcting discovered vulnerabilities
5) Disaster preparedness
6) Ongoing HIPAA training
7) Understanding business associate agreements and other collaborations
For more information: What is HIPAA Compliance
Covered entities, which are organizations or entities providing treatment, payment, and operations in healthcare, and business associates, which are vendors and service providers who have access to patient information and provide support in treatment, payment, or operations, must meet HIPAA compliance standards.
All in all, companies that deal with PHI must have physical, technical, and administrative security measures in place and follow those procedures in order to be considered in compliance with HIPAA.
For more information on HIPAA Compliance: Basics of HIPAA Compliance
Violations of HIPAA can look different depending on the type of healthcare business that is being operated. However, the bottom line is that whenever a violation occurs it can only mean that protected health information (PHI) was not properly safeguarded. A violation of HIPAA can be due to:
Unsecured or unencrypted patient records
A breach due to lack of employee training
Improper disposal of PHI
Loss or theft of devices
An intrusion from a hacker or a physical theft of records
For more information on HIPAA Violations and their Penalties: Cost of HIPAA Violations
The Privacy Rule is focused on protecting the rights of an individual and their ability to control and access their own PHI. It also outlines how medical organizations can use the data for necessary functions such as treatment, operations, and payment. Aside from those uses, the PHI must remain confidential.
The HIPAA Security Rule is only concerned with the protection of ePHI that is created, received, or used electronically. For example, the Security Rule covers ePHI which can be stored on a computer, transmitted over the internet, and then downloaded onto a jump drive. Organizations are required to implement robust physical, technical, and administrative safeguards to protect patient ePHI.
For more information: HIPAA Privacy Rule vs the Security Rule
The two types of standards underneath the Security Rule are "Addressable Standards" and "Required Standards". A required standard is something that all covered entities and business associates must implement just as it is stated by the law. A required specification offers much less flexibility and typically comes with a clear sense of direction and instruction in terms of implementing it in your business operations.
On the other hand, an addressable requirement provides flexibility for organizations: they can implement the standard as it appears, implement an alternate way of reaching the intended compliance standard, or not implement the standard at all, which comes with a huge caveat.
For more information: Addressable vs Required Implementation Standards
Compliance refers to adhering to the proper rules in accordance with the guidelines and requirements of HIPAA in order to safeguard individually identifiable health
Certification is the process in which an organization or individual is awarded a document that signals the completion of an education course or process.
HIPAA certification just means that an organization has participated in and completed a process that is meant to instruct and train the organization's staff in how to comply with HIPAA. With that in mind, a certification is not a recognizable measure of compliance. A HIPAA certification course or framework should be viewed as a toolkit: the organization now has access to meaningful tools and instructions to help it become compliant with the laws that make up HIPAA.
For more information: HIPAA Certification vs HIPAA Compliance