What is HIPAA and How Does it Affect You?

The Health Insurance Portability and Accountability Act (HIPAA) established national standards for healthcare organizations and the vendors that service them. Its Privacy and Security Rules require that protected health information (PHI) be properly safeguarded. PHI is individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits. Health information counts as individually identifiable when it carries any of the 18 identifiers the Department of Health and Human Services (HHS) lists in the Safe Harbor de-identification standard (45 CFR 164.514(b)); remove all 18, and provided the organization has no actual knowledge that what remains could still identify the individual, the data is no longer PHI:

  1. Names
  2. Geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code); the first three digits of a ZIP code may be kept when the area they cover contains more than 20,000 people
  3. All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, and date of death, and all ages over 89 (which must be aggregated into a single "90 or older" category)
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate or license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web URLs
  15. IP addresses
  16. Biometric identifiers, including finger, retinal, and voice prints
  17. Full-face photographs and any comparable images
  18. Any other unique identifying number, characteristic, or code
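The list above is the Safe Harbor standard, and the three items practitioners most often get wrong are the ones with conditions attached: dates keep only the year, ages over 89 collapse to "90 or older" (which also means the birth year must go), and ZIP codes reduce to three digits or to "000" for sparsely populated prefixes. As an added example that is not part of the original page, the Python below applies Safe Harbor to a constructed patient record, scrubs identifiers that leak into free-text notes, and runs a post-check for anything left behind. The field names, the sample values, and the RESTRICTED_ZIP3 set (the 2000-census prefixes quoted in HHS guidance) are assumptions for the example.

```python
import re
from datetime import date

# Constructed sample record: every value is invented for this example.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "dob": "1931-04-17",
    "admit_date": "2023-11-02",
    "zip": "03060",
    "mrn": "MRN-00012345",
    "email": "jane.sample@example.com",
    "phone": "(603) 555-0134",
    "diagnosis": "Type 2 diabetes",
    "note": "Pt 555-12-3456 called from 198.51.100.7; spouse at 603-555-0199, see https://portal.example.org/x.",
}

# Field names are assumptions for the example. Direct identifiers are dropped
# outright; date fields keep only the year; "zip" is reduced to three digits.
DROP_FIELDS = {"name", "mrn", "email", "phone", "fax", "ssn", "account",
               "plate", "device_serial", "url", "ip"}
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}

# ZIP3 prefixes whose area holds 20,000 people or fewer must become "000".
# This is the 2000-census set quoted in HHS guidance and is an assumption here;
# a production pipeline must load the current list.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Identifiers that leak into free text (clinical notes), each with a replacement tag.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\(?\b\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "[EMAIL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"https?://\S+"), "[URL]"),
]


def scrub_text(text: str) -> str:
    """Replace identifiers found in free text with bracketed tags."""
    for pattern, tag in FREE_TEXT_PATTERNS:
        text = pattern.sub(tag, text)
    return text


def zip3(value: str):
    """Safe Harbor ZIP handling: first three digits, or '000' for restricted prefixes."""
    if not re.fullmatch(r"\d{5}(?:-\d{4})?", value):
        return None
    prefix = value[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def age_on(dob: date, as_of: date) -> int:
    """Whole years between dob and as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def safe_harbor(record: dict, as_of: str) -> dict:
    """Return a de-identified copy of record; as_of is the ISO date used to compute age."""
    ref = date.fromisoformat(as_of)
    dob = date.fromisoformat(record["dob"]) if record.get("dob") else None
    age = age_on(dob, ref) if dob else None
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue
        if key in DATE_FIELDS:
            # Over 89 the birth year itself is indicative of age and must go too.
            if key == "dob" and age is not None and age > 89:
                continue
            out[key] = value[:4]  # ISO date -> year only
        elif key == "zip":
            out[key] = zip3(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    if age is not None:
        out["age"] = "90+" if age > 89 else age
    return out


def leaked_identifiers(record: dict) -> list:
    """Post-check: list (field, tag) pairs where a free-text pattern still matches."""
    leaks = []
    for key, value in record.items():
        if isinstance(value, str):
            for pattern, tag in FREE_TEXT_PATTERNS:
                if pattern.search(value):
                    leaks.append((key, tag))
    return leaks


if __name__ == "__main__":
    cleaned = safe_harbor(SAMPLE_RECORD, "2024-01-01")
    print(cleaned)
    print("leaks:", leaked_identifiers(cleaned))
```

Two caveats on the design. The regex scrub is a backstop for identifiers that end up in narrative fields, not a substitute for knowing which structured fields hold what; names in free text, for instance, are not caught here. And the post-check only proves the patterns no longer match; Safe Harbor's "no actual knowledge" condition still has to be met by a human reviewing what the remaining fields could reveal in combination.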

The HIPAA Security Rule requires that electronic PHI (ePHI) be protected with administrative, physical, and technical safeguards.

  • Administrative: the policies and people side. The Security Rule's first requirement is a documented risk analysis of where ePHI lives and what threatens it; from it follow workforce training, sanction policies, contingency (backup and recovery) planning, and written policies and procedures that are reviewed whenever business processes change.
  • Technical: the controls that govern electronic access to ePHI: unique user IDs and authentication, role-based access control, audit logging of who accessed which record, integrity checks, and encryption of ePHI in transit and at rest, with firewalls and network segmentation around the systems that hold it.
  • Physical: facility access controls, workstation security, and device and media controls (for example, wiping or destroying drives before disposal) at any site where ePHI is stored or handled, including alarms and locks.

Covered Entities and HIPAA
A covered entity (CE) is a health plan, a healthcare clearinghouse, or a healthcare provider that transmits health information electronically in connection with standard transactions such as claims and eligibility checks. This includes physician practices, hospitals, pharmacies, and health insurance companies. Covered entities handle PHI as part of their regular job functions, and the Privacy Rule's "minimum necessary" standard requires them to limit uses, disclosures, and requests of PHI to what a given role needs. In practice that means role-based access: a nurse does not need a patient's billing details, just as a billing clerk does not need the clinical chart. Disclosures to a provider for treatment are exempt from the minimum-necessary standard, but a CE must still define, by role, which categories of PHI each workforce member may access.

Business Associates and HIPAA
Business associates (BAs) are the vendors that create, receive, maintain, or transmit PHI on behalf of a covered entity, whether or not handling PHI is their core job: a healthcare attorney, accountant, or consultant, but also a billing service, a cloud hosting provider, or an IT contractor with access to systems that hold PHI. A business associate agreement (BAA) must be signed with each BA before any PHI is shared. A BAA does not limit either party's liability; it spells out the uses and disclosures the BA is permitted, the safeguards it must apply, its duty to report security incidents and breaches to the covered entity, and its obligation to pass the same terms down to its own subcontractors. Since the HITECH Act (2009) and the Omnibus Rule that implemented it, business associates are directly liable under the Security Rule for their own compliance, independently of what the agreement says.

How to Become HIPAA Compliant
HIPAA regulations can be hard to navigate because the rules were written to cover everyone in healthcare, from a single-physician practice to a large hospital system. The Security Rule only requires "reasonable and appropriate" safeguards, scaled to the organization's size, complexity, and risk; it deliberately does not prescribe specific products or configurations. The defensible way to decide what is reasonable and appropriate for your organization is the risk analysis the rule itself requires: inventory where ePHI is created, stored, and transmitted, identify the threats and vulnerabilities at each location, rate likelihood and impact, and document the safeguards chosen and why any addressable specification was not implemented. When building a HIPAA compliance program, consulting an expert is worthwhile, but the documented risk analysis is the first thing the HHS Office for Civil Rights asks for in an investigation.
