HIPAA

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a federal law intended to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information and help the healthcare industry control administrative costs. It consists of two major components:

  1. The Privacy Rule provides federal protections for individually identifiable health information held by covered entities and their business associates and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of health information needed for patient care and other important purposes.
  2. The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities and their business associates to use to assure the confidentiality, integrity, and availability of electronic protected health information.

Who does it apply to?

Any organization defined under the law as a “Covered Entity” or a “Business Associate” must comply with the provisions of this law and subsequent legislation (summarized in the Omnibus Final Rule).


business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

What am I protecting?

Under HIPAA, any information about health status, provision of health care, or payment for health care that can be linked to a specific individual must be protected and is referred to as “Protected Health Information (PHI)”. HIPAA defines 18 data elements whose presence links health information to an individual:

  1. Names
  2. All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: (a) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (b) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people are changed to 000
  3. Dates (other than year) directly related to an individual
  4. Phone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health insurance beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web Uniform Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger, retinal and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
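Items 2 and 3 are the only entries in the list that carry a concrete rule (truncate the zip code, collapse small-population prefixes to 000, keep only the year of a date); the rest are identifiers to be removed outright. The following added example (not part of the original page) applies those rules to a record. The field names, the sample record and the RESTRICTED_ZIP3 prefix set are constructed assumptions; the real restricted prefixes must come from the current Census data the rule references.

```python
"""Safe Harbor de-identification helpers for items 2 and 3 of the page's list.
Added example, not from the page. RESTRICTED_ZIP3 is a constructed placeholder
for the three-digit prefixes that cover 20,000 or fewer people per Census data."""
from datetime import date

RESTRICTED_ZIP3 = frozenset({"036", "059", "102"})  # constructed, not real

# Identifier classes (items 1, 4-17) that are removed outright, plus
# geographic units smaller than a state (item 2). Field names are assumed.
DROP_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_number", "license_number", "vehicle_id", "device_id", "url",
    "ip_address", "biometric", "photo", "street", "city",
}


def safe_harbor_zip(zip_code: str, restricted=RESTRICTED_ZIP3) -> str:
    """Keep the first three digits; collapse to '000' if that prefix is in
    the restricted (20,000 people or fewer) set."""
    digits = "".join(ch for ch in zip_code if ch.isdigit())
    if len(digits) < 3:
        raise ValueError("ZIP code must contain at least three digits")
    prefix = digits[:3]
    return "000" if prefix in restricted else prefix


def deidentify(record: dict) -> dict:
    """Return a copy with direct identifiers dropped, the ZIP truncated per
    item 2 and every date reduced to its year per item 3 (state is kept)."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif isinstance(value, date):
            out[key + "_year"] = str(value.year)
        else:
            out[key] = value
    return out


# Constructed sample record, not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example", "ssn": "000-00-0000", "email": "jane@example.com",
    "dob": date(1984, 7, 4), "admit": date(2023, 11, 2),
    "street": "1 Main St", "city": "Springfield", "state": "NH",
    "zip": "03601", "diagnosis_code": "J18.9",
}
```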

The disclosure of PHI should always be restricted to covered entities or business associates with a need-to-know only, and must also be protected by certain required security controls at all times.

What else do I need to know?

Enforcement & Auditing

The Health & Human Services’ (HHS) Office for Civil Rights (OCR) is responsible for enforcing the Privacy and Security Rules. Violation of these rules can result in the imposition of civil money penalties against responsible individuals as well as the organization.

The HHS is also required to perform periodic audits of covered entity and business associate compliance with the HIPAA Privacy, Security, and Breach Notification Rules.

Breach Notification Requirements

A "breach" is generally defined as an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.

Following a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals, the Secretary of HHS, and, in certain circumstances, to the news media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate.

Lastly, states generally have breach notification laws that may also apply. Consult your legal counsel or applicable state law.