The Ultimate Guide to the Health Insurance Portability and Accountability Act (HIPAA)

Introduction

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data. It applies to covered entities (health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with standard transactions) and to their business associates (any person or organization that creates, receives, maintains, or transmits protected health information on a covered entity's behalf, for example a cloud host, billing service, or analytics vendor). Both must meet the set of rules described below.

What is the Health Insurance Portability and Accountability Act (HIPAA)?


HIPAA mandates that every covered entity and business associate with access to Protected Health Information (PHI) must have administrative, physical, and technical safeguards that protect the confidentiality, integrity, and availability of PHI. Should a breach of PHI occur, organizations must follow a defined procedure to notify affected parties. HIPAA compliance is regulated by the Department of Health and Human Services (HHS) and enforced by its Office for Civil Rights (OCR).


Failure to comply with HIPAA has serious consequences. A breach of electronic PHI may result in substantial civil monetary penalties, criminal charges, and civil lawsuits. The Office for Civil Rights of the Department of Health and Human Services does not consider ignorance of HIPAA regulations a justifiable defense.

To be HIPAA compliant, covered entities (and, for the Security and Breach Notification Rules, business associates as well) must meet three core rules:

1 The Privacy Rule

HIPAA protects the privacy of Protected Health Information (PHI) via the HIPAA Privacy Rule, which establishes standards for protecting medical records and other PHI and sets limits and conditions on using and disclosing PHI without patient authorization. This rule also gives patients the right to access copies of their health records and ask providers to make corrections to their PHI.

2 The Security Rule

Covered entities and business associates must implement security standards that protect all electronic PHI (ePHI) they create, receive, maintain, or transmit. According to OCR, the Security Rule "requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information." The rule distinguishes "required" implementation specifications from "addressable" ones; an addressable specification can be met with an equivalent alternative or documented as not reasonable and appropriate for the organization, but it cannot simply be skipped.

3 Notification in Case of Breach of Unsecured Protected Health Information

If a covered entity experiences a breach of unsecured PHI, it must notify the affected individuals without unreasonable delay and no later than 60 calendar days after discovery. If the breach affects 500 or more individuals, it must also notify the Secretary of HHS within the same window and, when more than 500 residents of a state or jurisdiction are affected, prominent media outlets serving that area. Smaller breaches are logged and reported to the Secretary within 60 days after the end of the calendar year in which they were discovered. "Unsecured" means the PHI was not rendered unusable, unreadable, or indecipherable to unauthorized persons by a method HHS has specified, such as encryption; a lost laptop whose disk was properly encrypted, with the key not also compromised, is therefore not a reportable breach, which is why encryption at rest matters so much in practice.

OCR defines a breach as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.” Breaches include not just those caused by hackers or malware, but also by employees inappropriately disclosing information or leaving it where unauthorized users can see.

A brief history of HIPAA

HIPAA was signed into law on August 21, 1996. Its original focus (Title I) was insurance portability; the administrative simplification provisions (Title II) directed HHS to issue the rules that now define HIPAA compliance. HHS published the Privacy Rule in 2000 (compliance required by April 2003) and the Security Rule in 2003 (compliance required by April 2005). The HITECH Act of 2009 added the Breach Notification Rule, raised the penalty tiers, and made business associates directly liable for Security Rule compliance; the 2013 Omnibus Final Rule implemented those changes. Compliance is regulated by HHS and enforced by its Office for Civil Rights (OCR).

Why was HIPAA created?


Before HIPAA, the health insurance industry was regulated by a mix of state and federal laws. Most commercial group health plans were governed by state laws, while the majority of employer-sponsored and individually purchased health plans were subject to the Employee Retirement Income Security Act of 1974 (ERISA) and the Consolidated Omnibus Budget Reconciliation Act of 1985 (COBRA).

As a result, employees were at risk of losing health insurance benefits or being denied health insurance if they changed jobs. This scenario not only affected employees, but also made it difficult for employers to attract skilled workforces, especially in evolving industries like technology.

HIPAA was created to resolve this issue by increasing the portability of health insurance between jobs and prohibiting practices that denied or limited access to health care benefits, including increased premiums for employees with pre-existing conditions. Rather than applying only to employer-sponsored and individually purchased health plans, HIPAA's portability provisions apply to all health plans.

How do I become HIPAA compliant?

HIPAA compliance requires effort. Organizations must make significant investments, including identifying gaps in compliance by conducting self-audits, creating remediation plans to reverse compliance violations, developing policies and procedures, documenting all efforts they take to become HIPAA compliant, creating an incident management process and more.

Guide

To learn how to become HIPAA compliant, check out our in-depth guide

HIPAA Compliance: Why It Matters and How to Obtain It

Ready to see how Hyperproof can help with HIPAA compliance?


HIPAA: Frequently Asked Questions

HIPAA aims to simplify administration of health claims, thereby reducing fraud and system abuse in healthcare spending. By introducing stronger penalties for fraud and abuse, and by instructing the Secretary of Health and Human Services (HHS) to standardize transaction code sets, HIPAA creates a mechanism for better policing healthcare transactions. HIPAA also accounts for the increasing volume of patient medical and payment information transmitted electronically: the Security Rule sets standards for the confidentiality, integrity, and availability of electronic PHI, and the Privacy Rule limits how PHI in any form may be used and disclosed.

HIPAA applies to health plans, healthcare clearinghouses, and healthcare providers that transmit information electronically in connection with a transaction for which HHS has published standards.

Insurance companies that pay for medical care or equipment secondary to a primary insurance (e.g. auto insurance) are not covered by HIPAA. Healthcare professionals such as counselors and therapists are also not covered by HIPAA if they bill patients directly and never transmit standard transactions electronically. Financial institutions that process payments on behalf of health plans and healthcare providers are not covered by HIPAA even though the transaction may disclose patient medical and payment information. School medical centers are not covered by HIPAA because students' health records are considered part of their educational records under FERPA. However, exceptions to this exception exist if the medical center also provides treatment to members of the public.

HIPAA authorization forms (often called release forms) are the written permissions a covered entity must obtain before using or disclosing Protected Health Information (PHI) for purposes outside treatment, payment, or healthcare operations. Uses for treatment, payment, and operations (TPO) do not require an authorization; most other uses do. A valid authorization describes the specific PHI involved, who may use or disclose it, who may receive it, the purpose, an expiration date or event, and the patient's right to revoke it.

For instance, an authorization is required before a healthcare provider may:

  • Share records with a patient's attorney as part of an injury lawsuit.
  • Use or disclose PHI for marketing, or sell PHI.
  • Disclose psychotherapy notes (with limited exceptions).
  • Release records to a designated person, such as a family member or healthcare agent, beyond what the patient's treatment requires.

In addition to these examples, the forms play an important role in regulating how PHI is shared and ensuring that any release of information aligns with patient preferences and complies with HIPAA regulations. Hyperproof offers sophisticated tools to help organizations manage these forms and maintain HIPAA compliance with ease.

Non-compliance can lead to civil monetary penalties imposed by OCR, tiered by the organization's level of culpability and often accompanied by a multi-year corrective action plan; criminal prosecution by the Department of Justice for knowingly obtaining or disclosing PHI in violation of the law; and enforcement actions by state attorneys general. HIPAA itself provides no private right of action, but breaches routinely trigger lawsuits under state privacy and negligence law. OCR does not consider ignorance of HIPAA regulations a justifiable defense.

Protected Health Information (PHI) is individually identifiable health information that relates to an individual's past, present, or future physical or mental health, the provision of health care, or payment for health care, and that is created or received by a covered entity or business associate. Under the Privacy Rule's Safe Harbor de-identification method (45 CFR 164.514(b)), a data set is no longer PHI once the following 18 identifiers of the individual and of their relatives, employers, and household members are removed and the entity has no actual knowledge that the remaining data could identify the individual (the alternative is a documented expert determination that re-identification risk is very small):

  1. Names
  2. Geographic subdivisions smaller than a state (street address, city, county, ZIP code), except the first three digits of a ZIP code when the area they cover holds more than 20,000 people
  3. All elements of dates (except year) directly related to the individual, such as birth, admission, discharge, and death dates, and all ages over 89 (which may be aggregated as "90 or older")
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate or license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web URLs
  15. IP addresses
  16. Biometric identifiers, including finger and voice prints
  17. Full-face photographs and any comparable images
  18. Any other unique identifying number, characteristic, or code
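The syntactic identifiers on that list (telephone and fax numbers, email addresses, Social Security numbers, IP addresses, URLs, dates) are exactly what tends to leak into application logs, crash dumps, and support tickets. The following Python script is an added example, not code from the original page or from Hyperproof: it scans free text for those identifiers and redacts them with kind-tagged tokens so the cleaned text can be stored or shared. The regular expressions and the sample log lines are constructed for this example. Names, record numbers, account numbers, and the other list entries have no fixed syntax, so a regex scan is a leak detector and a first scrubbing pass, not a complete Safe Harbor de-identification.

```python
"""Added example (not from the original page): detect and redact the
syntactic Safe Harbor identifiers in free text such as application logs."""
import re
from typing import Dict, List

# Patterns are assumptions made for this example, not an HHS-published list.
# Every group is non-capturing so re.findall returns whole matches.
PATTERNS: Dict[str, re.Pattern] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # North American phone/fax: optional +1, 3-3-4 digits with ()/space/./- separators.
    "phone_or_fax": re.compile(
        r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"
    ),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://[^\s\"'<>]+"),
    # ISO (2024-03-14) and US (3/14/2024) date forms; year alone is allowed by Safe Harbor.
    "date": re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{2,4})\b"),
}

# Redaction order matters: a URL may contain an IP address or a date, so it is
# replaced first and the embedded values disappear with it instead of being
# tagged twice.
REDACTION_ORDER = ["url", "email", "ssn", "phone_or_fax", "ipv4", "date"]

# Constructed sample log lines; the people, numbers and hosts are invented.
SAMPLE_LOG = """\
2024-03-14 10:02:17 INFO portal: patient login ok user=jdoe@example.org ip=203.0.113.45
2024-03-14 10:02:19 WARN billing: retry callback to (555) 867-5309 for acct ref https://billing.example.org/claims/88213
2024-03-14 10:03:02 ERROR intake: duplicate SSN 123-45-6789 on admission dated 03/14/2024
"""


def scan(text: str) -> Dict[str, List[str]]:
    """Return every match grouped by identifier kind, for triage or alerting."""
    return {kind: pattern.findall(text) for kind, pattern in PATTERNS.items()}


def contains_identifiers(text: str) -> bool:
    """True if any syntactic identifier is present (a cheap pre-commit or log-sink gate)."""
    return any(pattern.search(text) for pattern in PATTERNS.values())


def redact(text: str) -> str:
    """Replace each match with a kind-tagged token; tokens contain no digits or
    '@', so a second scan of the output finds nothing."""
    for kind in REDACTION_ORDER:
        text = PATTERNS[kind].sub(f"[REDACTED:{kind}]", text)
    return text


if __name__ == "__main__":
    for kind, hits in scan(SAMPLE_LOG).items():
        print(f"{kind:13s} {len(hits):2d}  {hits}")
    print()
    print(redact(SAMPLE_LOG))
```

Run against the constructed log, the scan reports one SSN, one email address, one phone number, one IP address, one URL, and four dates (the three timestamps plus the admission date), and a second scan of the redacted output finds nothing. Timestamps are flagged because Safe Harbor strips all date elements finer than the year; if a log pipeline must keep them, that decision belongs in the documented risk assessment, not in a silently relaxed regex.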

A PHI breach is an event where Protected Health Information (PHI) is used or disclosed in a way that could potentially compromise patient privacy and security, as outlined by HIPAA’s Breach Notification Rule. In such cases, healthcare entities are required to notify affected individuals promptly.

The rule sets forth that any impermissible use or exposure of PHI is presumed a breach unless it’s proven there’s a low likelihood the PHI has been compromised. This is determined through a 4-factor test, assessing:

  1. The nature and extent of the involved PHI, including the potential for re-identification
  2. The unauthorized individuals who accessed the PHI
  3. Confirmation if the PHI was actually acquired or viewed
  4. Measures taken to mitigate the risk

Notification to affected individuals (and, for larger breaches, to HHS and the media) is mandatory unless the risk assessment demonstrates a low probability that the PHI has been compromised, and the assessment itself must be documented and retained as evidence. In clear-cut cases of compromise, entities can skip the risk assessment and proceed straight to notification.

Note: if non-health data is maintained in a separate database that doesn’t contain PHI, it is not PHI, nor is it protected by the HIPAA Privacy Rule. There are also new potential identifiers that have emerged since the Privacy Rule’s publication that are not covered, like social media aliases and details about emotional support animals.

HIPAA violations typically occur from the following:

  • Inappropriate disclosures of PHI
  • Failure to report breaches within the required timeframe
  • Not adhering to the minimum necessary requirement
  • Lack of training for employees or human error
  • Failure to conduct regular risk assessments

Hyperproof Makes HIPAA Compliance Simple


Get started fast with an out-of-the-box HIPAA compliance framework with requirements and controls

Map controls to multiple regulatory standards

Reduce time to compliance for all regulations that matter to your business

Work with the productivity tools you already have

Reuse evidence across multiple frameworks and controls

Quickly collect evidence to document your efforts toward HIPAA compliance

Pinpoint and prioritize your critical workflows

HIPAA Resources

Ready to see
Hyperproof in action?
