Who and What HIPAA Protects

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a series of regulatory standards that outline the lawful use and disclosure of protected health information (PHI).

PHI is any demographic information – names, addresses, phone numbers, Social Security numbers, medical records, financial information, and full facial photos, for example.

Any of this information that is transmitted, stored, or accessed electronically also falls under HIPAA regulatory standards.

Who Needs to Be Compliant?
HIPAA regulation identifies two types of organizations that must be HIPAA compliant.

Covered entities are organizations that collect, create, or transmit PHI electronically. Examples include healthcare providers, healthcare clearinghouses, and health insurance providers.

Business associates are organizations that encounter PHI in any way over the course of its work. Common examples include billing companies, IT providers, shredding companies, and email hosting services.

HIPAA Rules

HIPAA regulations are made up of several rules created between 1996 and now.

The HIPAA Rules that you should be aware of include:

HIPAA Privacy Rule
This rule is mainly concerned with providing parameters for safely handling PHI. To ensure this is done properly, the Privacy Rule defines how organizations and individuals can use and disclose PHI.

PHI can be disclosed without permission when it’s been properly de-identified by either the “safe harbor” method – stripping all PHI from a record– or the “expert determination” method – having a statistician apply statistical or scientific principles to determine the probability that the information couldn’t identify the patient.

HIPAA Security Rule
The HIPAA Security Rule sets national standards for the maintenance, transmission, and handling of electronic PHI (ePHI). It also outlines standards for the integrity and safety of ePHI, including physical, administrative, and technical safeguards that must be in place.

Specifics of the regulations must be documented in any organization’s HIPAA Policies and Procedures and staff must be trained on these annually, with documented results.

HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule is a set of standards that must be followed in the event of a data breach. There are two kids of breaches: major and minor. Organizations are required to report all breaches, but the steps for reporting change depending on the type of breach.

A minor breach is one that affects fewer than 500 individuals in a single event. The Rule requires businesses to gather data on all minor breaches that occur over the course of a year and report them within 60 days of the end of the calendar year in which they occurred.

A major breach is one that affects more than 500 individuals in a single event. The Rule requires that these be reported within 60 days of discovery. Any affected individuals must be notified upon discovery of the breach as well.

GINA, HITECH, and the Omnibus Rule

To fully understand HIPAA, it’s imperative to understand the updates that have been made to the law.

GINA
In 2008, the Genetic Information Nondiscrimination Act (GINA) was enacted by the Office for Civil Rights. GINA strengthens privacy rights and protects individuals against discrimination based on genetic information.

Under GINA Title II businesses are prohibited from discriminating based on genetic information to help protect employees. By prohibiting discrimination based on genetic information, GINA encourages people to receive genetic testing, which can help them receive early diagnoses for certain diseases.

HITECH
The Health Information Technology for Economic and Clinical Health (HITECH) was created in 2009 and updated privacy requirements increased penalties for HIPAA violations, and formalizes a structured process for handling and reporting PHI breaches.

Furthermore, this Act confirms that business associates are required to comply with HIPAA and allows for auditing of covered entities and business associates to ensure they are compliant.

Omnibus Rule
The Omnibus Rule, which was created in 2013, focuses on updating privacy, security, and enforcement requirements by reinforcing limitations on uses and disclosures of PHI for things like marketing and fundraising. It also expanded patient rights for receiving electronic copies of their health information.