The Health Insurance Portability and Accountability Act (HIPAA) established industry standards for healthcare organizations and the vendors that service them. HIPAA was enacted to ensure that protected health information (PHI) is properly safeguarded. PHI is any individually identifiable health information; the Department of Health and Human Services (HHS) classifies the identifying elements into 18 identifiers:
- Patient names
- Geographical elements (such as a street address, city, county, or zip code)
- Dates related to the health or identity of individuals (including birthdates, date of admission, date of discharge, date of death, or exact age of a patient older than 89)
- Telephone numbers
- Fax numbers
- Email addresses
- Social security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers
- Device attributes or serial numbers
- Digital identifiers, such as website URLs
- IP addresses
- Biometric elements, including finger, retinal, and voiceprints
- Full face photographic images
- Other identifying numbers or codes
HIPAA law mandates that PHI must be secured with administrative, technical, and physical safeguards.
- Administrative: ensure that staff members are properly trained in the handling of PHI. Organizations must have policies and procedures that are updated regularly to account for any changes in business processes.
- Technical: protect an organization’s systems and data with controls such as firewalls, encryption, and data backups.
- Physical: secure an organization’s physical site where PHI is stored or maintained. This may include an alarm system and locks.
Covered Entities and HIPAA
A covered entity (CE) is an organization involved in the payment, treatment, operations, billing, or insurance coverage of a patient. This includes doctors, pharmacies, health insurance companies, and healthcare clearinghouses. Covered entities work with PHI as part of their regular job functions. HIPAA law requires CEs to access only the “minimum necessary” PHI to perform their job. For example, a nurse doesn’t need access to a patient’s billing information, just as a billing company doesn’t need access to a patient’s medical information.
Business Associates and HIPAA
Business associates (BAs) are the vendors that service covered entities. BAs don’t work directly with PHI but may come into contact with it as part of their job. This can be a healthcare attorney, accountant, or consultant. Business associate agreements (BAAs) must be signed by each of a covered entity’s business associates before PHI can be transmitted to them. A BAA limits the liability of each party signing it, as it states that both organizations agree to be HIPAA compliant. It also states that each party is responsible for its own HIPAA compliance.
How to Become HIPAA Compliant
HIPAA regulations can be confusing to navigate, as the law was written to cover anyone working in healthcare, from a one-doctor practice to a large hospital group. The law only states that organizations must implement “reasonably appropriate” safeguards to protect PHI. However, determining what is reasonably appropriate for your organization is difficult. When developing your HIPAA compliance program, it is best to consult an expert to ensure that you are doing all that is required by law.