A man working on a computer with a headset.


HIPAA stands for the Health Insurance Portability and Accountability Act. It was created in 1996 and implemented by the United States Department of Health and Human Services. It was designed to address the use and disclosure of an individual’s health information, specifically information that is sensitive. Through the HIPAA Privacy Rule, an individual can have his or her health information protected while also allowing necessary information to be given to doctors and medical staff and personnel to ensure that the individual’s needs are provided for and to create higher quality healthcare for that patient.

This rule applies to covered entities, such as health plans, health care clearinghouses, and health care providers who are in charge of transmitting health information in any form when needed (e.g., a doctor sending health information over to a hospital for a patient), as well as any vendor of those companies who come in contact with Protected Health Information (PHI).

Covered Entities

Every health care provider who uses electronic means to transmit health information in specified transactions is considered a covered entity. What is a specified transaction? These transactions can include the following:

  • Claims
  • Benefit eligibility inquiries
  • Referral authorization requests

But fundamentally, PHI is data that includes Personally Identifiable Information (PII) and a diagnosis.

HIPAA Privacy Rule

Also known as the Standards for Privacy of Individually Identifiable Health Information, the HIPAA Privacy rule established guidelines for health care providers to determine who has access to a patient’s information.

Individual and group medical plans are also protected under HIPAA. These plans include but are not limited to:

  • Health
  • Dental
  • Vision
  • Prescription drug insurance
  • Health maintenance organizations
  • Medicare
  • Medicaid
  • Private health care insurance providers

What Is Considered Protected Health Information?

HIPAA’s Privacy Rule protects every field of Individually Identifiable Health Information maintained or transmitted by a covered entity. Transmission can be in any form — media, electronic or physical documents, or spoken. Protected Health Information (PHI) that typically falls under the privacy rule includes:

  • Demographic data
    • Name
    • Address
  • Birthdate
  • Social security numbers
  • Medical history

But as we said before, the hallmark of PHI is PII + a diagnosis.

HIPAA Security Rule

The HIPAA Security Rule sets guidelines for covered entities in regards to their maintenance of sensitive data and the safeguards protecting it. Under the HIPAA Security Rule, electronically transmitted personal health information is not available and will not be disclosed to unauthorized persons or parties. This ensures that any improper use or disclosure of PHI is prohibited and will carry heavy consequences should the confidentiality be breached. It also protects one’s PHI from being altered or destroyed in any unauthorized way. The only individual who has access and usage of a patient’s personal health information is the patient and any authorized user, such as his or her health care provider.

The U.S. Department of Human Health and Health Services understands that not all covered entities are large corporations, some are small providers. This is why the HIPAA Security Rule is flexible to allow covered entities to make decisions on solutions that are feasible for their needs. However, the Department of Human Health and Human Services has standards that these solutions have to meet. Covered entities are required by law to make decisions and take actions that take into consideration their

  • Size
  • The complexity of the data they handle.
  • The companies capabilities and limitations
  • Hardware and software infrastructure in use and available to them
  • The cost of their proposed security measures
  • The potential threats and impacts of those threats on their patient’s PHI

It is also a requirement that covered entities continue to monitor and adjust their strategies to meet and continue to protect their patient’s personal health information in an online environment.

Risk Analysis and Management

Covered entities, under the administrative safeguards in the Security Rule, are required by law to perform regular risk analysis as part of their security management. Risk analysis includes the following:

  • Evaluating the likelihood and impact of potential threats on a patient’s electronic PHI
  • Understanding and implementing the best security measures that protect the data from the potential threats
  • Documenting the security measures and the rationale for using those measures
  • Maintaining the security measures and reevaluating regularly to ensure measures are still matching up to potential threats

Administrative Safeguards

Administrative safeguards include the following:

  • Security Management Process. Identifying and analyzing potential threats to PHI and implementing security strategies to minimize those threats.
  • Security Personnel. All covered entities must have security personnel able to implement policies and procedures for protecting, communicating, and authorizing access to patients’ PHI.
  • Information Access Management. Policies and procedures need to be set in place, allowing access to PHI to an authorized user.
  • Workforce Training and Management. All employees working for a covered entity must be properly trained to handle and oversee security policies and procedures protecting PHI. There must also be appropriate and strict action taken against those who violate the set procedures.
  • Evaluation. Periodic assessment of security policies and procedures performance to see how it is measuring up to HIPAA Security Rules Requirements.

Physical Safeguards

Physical safeguards are as follows:

  • Facility Access and Control. Physical access to its facilities is mandatory to ensure only authorized personnel is allowed access to sensitive information.
  • Workstation and Device Security. Policies and procedures must be in place to protect the transfer, removal, disposal, and re-use of electronic media to protect sensitive information.

Technical Safeguards

Technical safeguards are as follows:

  • Access Control. Technical policies and strategies must be implemented and ensure that only authorized personnel has access to protected health information.
  • Audit Controls. Hardware, software, and procedural mechanisms must be able to record and examine access and activity relating to information systems that contain or handle PHI.
  • Integrity Controls. Strategies must be implemented to ensure that PHI is not altered or destroyed without prior authorization.
  • Transmission Security. Technical security measures must be put in place to safeguard access to PHI that is being transmitted over an electronic network, such as email.

If you still have questions concerning HIPAA and the laws surrounding it, do not hesitate to give the team at Blue Jean Networks a call. Our experts can help you understand fully the different procedures, guidelines, and requirements as set by HIPAA and help you come up with strategies to carry them out. Contact our team today!