The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that introduced regulations in healthcare regarding patient privacy and individuals’ medical records.
Its many provisions include stringent codes on the transfer of electronic medical data and protection of patient health information (PHI).
The HIPAA privacy rule protects personal health information and covers healthcare providers, health plans, and healthcare clearinghouses. Covered entities can be defined as anyone providing treatment, payment, or operations in healthcare.
A provision within the privacy rule also covers the business vendors and subcontractors that service HIPAA-covered entities. As such, anyone working in healthcare, in any capacity, must be HIPAA compliant.
What Information Does HIPAA Cover?
Under HIPAA, health information is any data that is created or received by a covered entity.
Information protected under HIPAA includes:
- Patients’ individually identifiable health information such as their full name, date of birth, address, Social Security number, and medical record number (MRN)
- A person’s diagnosis or treatment provided
- Billing information about a patient
- Details of a patient’s past, present, or future physical or mental health condition
What Is HIPAA Compliance?
The HIPAA standard sets limits and conditions on the use and disclosure of patient information. It requires anyone dealing with protected health information to provide the safeguards necessary to secure sensitive patient data.
There are three HIPAA rules:
1. HIPAA Privacy Rule
As the foundational piece of the HIPAA standard, the privacy rule dictates when and how authorized personnel can access patient information. Entities must adhere to the “minimum necessary rule,” which was put in place to ensure healthcare organizations access only the PHI needed to perform their job function.
The privacy rule covers any PHI created, transmitted, or maintained in any medium or format.
To be HIPAA compliant, healthcare companies must adhere to appropriate policies and procedures to ensure PHI is handled according to HIPAA standards. The first step to HIPAA compliance is understanding the privacy rule by ensuring all employees are trained on HIPAA standards.
2. HIPAA Security Rule
The security rule requires covered entities and their business associates to protect patients’ health information stored or transmitted electronically. As a result, covered entities and their associates must have physical, network, and process security measures in place in order to be HIPAA compliant.
3. The Breach Notification Rule
This rule requires HIPAA-covered organizations to report any security breaches that occur. Large-scale breaches affecting 500 or more patients must be reported to the affected patients, the media, and the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) within 60 days of discovery, and they are displayed on the OCR breach portal.
Breaches affecting fewer than 500 patients must be reported within 60 days from the end of the calendar year (March 1st) to the affected patients and the HHS OCR.
What Doesn’t HIPAA Protect?
It’s just as crucial to discuss what is not covered under the HIPAA standard. Many organizations that handle health information aren’t required to comply with HIPAA regulations, including:
- Life and long-term insurance companies
- Agencies dealing in Social Security and welfare benefits
- Workers’ compensation insurers (unless they’re considered covered entities)
- Direct-to-consumer (DTC) genetic testing companies
- Gyms, fitness institutions, and mobile applications
- Agencies and companies that conduct screenings at health fairs, pharmacies, and any public spaces for conditions such as high blood pressure, spinal alignment, and cholesterol levels
HIPAA does not apply to education and employment records, even when they include medical information. For instance, a child’s K-12 health records from school nurse visits are not subject to HIPAA regulations.
Under HIPAA, patients have a right to see and get a copy of their health records and get notified of how their information will be used or shared.
Should you have any questions about HIPAA, please contact the attorneys at Danz Law, PLLC, at www.danzlaw.net.