Part I – An Overview
If you work in the healthcare field, or if you have ever been seen as a patient for healthcare services, you have most likely heard the term “HIPAA” being used. You may have also received some additional information as to what it is and what it means for you. Did you know, however, that HIPAA doesn’t only apply to you as a patient, or to healthcare professionals and facilities, but may also apply to other types of organizations? Any organization which possesses protected health information about individuals, whether employees or customers, may also be legally required to safeguard that information under the Health Insurance Portability and Accountability Act (“HIPAA”). This limited series about HIPAA aims to shed some light on this regulation, as well as the various rules and requirements which fall under it. Continue reading below to see if your organization is subject to the requirements outlined by HIPAA.
What is the Health Insurance Portability and Accountability Act (HIPAA)?
The Health Insurance Portability and Accountability Act, also known as “HIPAA,” is a U.S. law enacted in 1996 setting national standards for protecting certain health information. The law was established to provide protection for individuals’ medical records and protected health information (“PHI”). PHI is considered any information which can reasonably be used to identify an individual and that is created, used, received, or disclosed in connection with the provision of healthcare.
There are several provisions which aim to protect the privacy and security of PHI, including requirements for how this information can be used, accessed, disclosed, and transmitted. HIPAA also provides individuals with additional rights regarding their health information, such as the right to access and request corrections to their records. HIPAA applies to a wide range of organizations known as covered entities, which include healthcare providers, health plans, and healthcare clearinghouses, as well as to their business associates, which are generally service providers performing certain functions for the covered entities.
What is a covered entity?
A covered entity is an organization which is subject to the requirements set forth by HIPAA. These organizations are required to comply with HIPAA’s privacy and security rules to ensure the protection, security, and confidentiality of PHI. Covered entities include:
- Healthcare Providers: This can include doctors, hospitals, nursing homes, clinics, and other medical providers that access, use, store, transmit, or disclose PHI in connection with certain transactions or services.
- Health Plans: This includes group health plans, employer-funded health plans, individual health insurance plans, Medicare, Medicaid, and other government-funded health plans.
- Healthcare Clearinghouses: These are organizations that process nonstandard health information they receive from another entity into a standard format, or vice versa.
What is a business associate?
A business associate is a person or entity that performs certain services, functions, or activities on behalf of a covered entity that involve the use or disclosure of PHI. While a business associate is not a covered entity, it is still subject to some of the same requirements under HIPAA. Some examples of services, functions, or activities that may establish your organization as a business associate include:
- Claims processing and billing
- Quality assurance
- Patient safety activities
- Legal, accounting, consulting, or administrative services
- Utilization review and data analysis
If an organization or individual meets the definition of a business associate, it must enter into a written agreement with the covered entity, known as a business associate agreement, or “BAA,” which ensures that it will implement the appropriate safeguards to adequately protect the PHI it receives on behalf of the covered entity. The BAA must specify the permitted and required uses and disclosures of the PHI by the business associate.
Why is HIPAA important and what does it require my organization to do?
Complying with HIPAA is important because it helps to ensure that PHI is being handled in a secure manner. Organizations that fail to comply with these requirements may be subject to significant fines and penalties, which may lead to a loss of public confidence as well as potential damage to the organization’s reputation. Additionally, compliance with HIPAA helps organizations ensure that proper controls are in place to protect the sensitive information they possess, while also reducing the likelihood of potential data breaches.
HIPAA requires covered entities to implement the appropriate safeguards needed to protect the privacy and security of PHI. These safeguards include administrative, technical, and physical controls which help to ensure the confidentiality, integrity, and availability of this information. These controls also help protect organizations against the unauthorized use, access, transmission, or disclosure of PHI. Some specific requirements under HIPAA include:
- Implementing organizational policies and procedures which outline how to protect the confidentiality, integrity, and availability of PHI;
- Ensuring that only those employees with a “need to know” have access to PHI;
- Enforcing physical safeguards to protect PHI from unauthorized access or disclosure, such as restricting access to physical PHI and the facilities in which it is stored;
- Implementing technical safeguards which secure PHI, such as encrypting data while in transit and while at rest;
- Training employees on HIPAA requirements and the importance of protecting PHI; and
- Conducting risk assessments to identify and address potential vulnerabilities in the handling of PHI.
Covered entities are also required to comply with HIPAA’s requirements regarding the use and disclosure of PHI. For example, organizations must obtain an individual’s written consent before they can use or disclose their PHI for most intended purposes. Covered entities must also notify individuals within the required timeframe if it is discovered that their PHI was involved in a breach. There are also more stringent requirements for this notification if it is discovered that more than 500 individuals were involved in the breach, including a mandatory notification to the Secretary of the Department of Health and Human Services (HHS). Therefore, it is important that organizations comply with HIPAA and other regulations which protect an individual’s health information.
Please be sure to look out for additional parts of this series, which will further discuss the various rules encompassed within HIPAA, including the Privacy Rule, the Security Rule, the Breach Notification Rule, and the Omnibus Rule. Also, did you know that BD Emerson specializes in conducting various organizational assessments, including HIPAA assessments, and can help your organization meet and maintain the requirements of this regulation? If you believe your organization is subject to compliance with HIPAA, and you have not yet implemented a HIPAA compliance program to meet these requirements, please allow us to help by contacting us at email@example.com or firstname.lastname@example.org.