HIPAA stands for the Health Insurance Portability and Accountability Act. It was created in 1996 and implemented by the United States Department of Health and Human Services. It was designed to address the use and disclosure of an individual’s health information, specifically information that is sensitive. Through the HIPAA Privacy Rule, individuals can have their health information protected while allowing necessary information to be given to doctors, medical staff, and personnel. This ensures that the individual’s needs are provided for and creates higher quality healthcare for that patient.
This rule applies to covered entities, such as health plans, health care clearinghouses, and health care providers who are in charge of transmitting health information in any form when needed (e.g., a doctor sending health information over to a hospital for a patient), as well as any vendor of those companies who come in contact with Protected Health Information (PHI).
Covered Entities
Every health care provider who uses electronic means to transmit health information in specified transactions is considered a covered entity. What is a specified transaction? These transactions can include the following:
- Claims
- Benefit eligibility inquiries
- Referral authorization requests
But fundamentally, PHI is data that includes Personally Identifiable Information (PII) and a diagnosis.
HIPAA Privacy Rule
Also known as the Standards for Privacy of Individually Identifiable Health Information, the HIPAA Privacy rule established guidelines for health care providers to determine who has access to a patient’s information.
Individual and group medical plans are also protected under HIPAA. These plans include but are not limited to:
- Health
- Dental
- Vision
- Prescription drug insurance
- Health maintenance organizations
- Medicare
- Medicaid
- Private health care insurance providers
What Is Considered Protected Health Information?
HIPAA’s Privacy Rule protects every field of Individually Identifiable Health Information maintained or transmitted by a covered entity. Transmission can be in any form — media, electronic or physical documents, or spoken. Protected Health Information (PHI) that typically falls under the privacy rule includes:
- Demographic data
- Name
- Address
- Birthdate
- Social security numbers
- Medical history
But as we said before, the hallmark of PHI is PII + a diagnosis.
HIPAA Security Rule
The HIPAA Security Rule sets guidelines for covered entities regarding their maintenance of sensitive data and its safeguards. Under the HIPAA Security Rule, electronically transmitted personal health information is not available and will not be disclosed to unauthorized persons or parties. This ensures that any improper use or disclosure of PHI is prohibited and will carry heavy consequences should the confidentiality be breached. It also protects one’s PHI from being altered or destroyed unauthorizedly. The only individual with access to and use of a patient’s personal health information is the patient and any authorized user, such as their health care provider.
The U.S. Department of Human Health and Health Services understands that not all covered entities are large corporations. Some are small providers. This is why the HIPAA Security Rule is flexible, allowing covered entities to decide on feasible solutions for their needs. However, the Department of Human Health and Human Services has standards that these solutions must meet. Covered entities are required by law to make decisions and take actions that take into consideration their
- Size
- The complexity of the data they handle.
- The company’s capabilities and limitations
- Hardware and software infrastructure in use and available to them
- The cost of their proposed security measures
- The potential threats and impacts of those threats on their patient’s PHI
It is also a requirement that covered entities continue to monitor and adjust their strategies continuously to protect their patient’s personal health information in an online environment.
Risk Analysis and Management
Under the administrative safeguards in the Security Rule, covered entities are required by law to perform regular risk analysis as part of their security management. Risk analysis includes the following:
- Evaluating the likelihood and impact of potential threats on a patient’s electronic PHI
- Understanding and implementing the best security measures that protect the data from the potential threats
- Documenting the security measures and the rationale for using those measures
- Maintaining the security measures and regularly reevaluating to ensure measures are still matching up to potential threats
Administrative Safeguards
Administrative safeguards include the following:
- Security Management Process. Identifying and analyzing potential threats to PHI and implementing security strategies to minimize those threats.
- Security Personnel. All covered entities must have security personnel able to implement policies and procedures for protecting, communicating, and authorizing access to patients’ PHI.
- Information Access Management. Policies and procedures need to be set in place, allowing access to PHI for an authorized user.
- Workforce Training and Management. All employees working for a covered entity must be trained to handle and oversee security policies and procedures protecting PHI. There must also be appropriate and strict action taken against those who violate the set procedures.
- Evaluation. Periodic assessment of security policies and procedures performance to see how it measures up to HIPAA Security Rules Requirements.
Physical Safeguards
Physical safeguards are as follows:
- Facility Access and Control. Physical access to its facilities is mandatory to ensure only authorized personnel is allowed access to sensitive information.
- Workstation and Device Security. Policies and procedures must be in place to protect the transfer, removal, disposal, and re-use of electronic media to protect sensitive information.
Technical Safeguards
Technical safeguards are as follows:
- Access Control. Technical policies and strategies must be implemented to ensure that only authorized personnel can access protected health information.
- Audit Controls. Hardware, software, and procedural mechanisms must be able to record and examine access and activity relating to information systems that contain or handle PHI.
- Integrity Controls. Strategies must be implemented to ensure that PHI is not altered or destroyed without prior authorization.
- Transmission Security. Technical security measures must be implemented to safeguard access to PHI transmitted over an electronic network, such as email.
If you still have questions concerning HIPAA and the laws surrounding it, do not hesitate to give the team at Integris a call. Our experts can help you fully understand the different procedures, guidelines, and requirements set by HIPAA and help you develop strategies to carry them out. Contact our team today!
