What is HIPAA Compliance? Hospitals and Healthcare
What is HIPAA?
The Health Insurance Portability and Accountability Act, or HIPAA for short, is a federal law that was enacted to safeguard the protected health information, or PHI, of American citizens. The United States Congress initially passed this act in 1996 to provide regulations for handling and sharing patient data. As technology advanced, it became easier for doctors to share patient data quickly in order to provide better medical care; the same ease of sharing also opened new avenues for abuse. HIPAA was passed to help protect both the patient and the health care provider.
The law requires healthcare providers to protect patients' personal health data, keep it confidential, and take precautions when transferring data electronically. The regulation establishes industry-wide standards for processing health care billing and other health data. Through careful policies, HIPAA lowers the risk of fraud and abuse for both the patient and the health care provider. Another essential feature of HIPAA is that it extends health insurance coverage for employees when they are between jobs or switching employers.
What Does “Protected Health Information” Mean?
Anyone who works in the healthcare industry needs to know how to handle patient data. HIPAA mandates the protection of protected health information, or PHI. So what does the regulation include under the definition of PHI?
Under its guidelines, HIPAA issues best practices and safety measures to ensure the confidentiality, integrity, and availability of PHI. PHI, or protected health information, can include any of the following details:
- Any geographic location smaller than a person's state.
- Phone or fax numbers.
- Email addresses.
- Social Security numbers.
- Medical record identifying numbers.
- Account numbers.
- License numbers.
- Health insurance beneficiary data.
- Full face images.
- Finger or voiceprints.
There are likely many other data points in a health record that could be considered personally identifying. If a data point is not explicitly listed, healthcare workers generally apply common sense and do not disclose any data without the patient's consent.
Does HIPAA Apply Outside the US?
Some people may be wondering whether U.S. citizens who receive medical treatment outside of the U.S. still fall under the jurisdiction of HIPAA. HIPAA does not have international or extraterritorial jurisdiction; HIPAA regulations only apply to individuals treated within the United States, both citizens and non-citizens. At the same time, securing data has become a pivotal concern for many businesses, and many healthcare companies that handle massive amounts of patient data outsource data processing and storage to companies that are not located in the US.
This is one area in which HIPAA does compare to other consumer privacy legislation such as the GDPR, or General Data Protection Regulation, and the California Consumer Privacy Act, or CCPA for short. Those consumer privacy laws apply to anyone who wants to do business with residents of the areas they cover. Similarly, HIPAA regulations require that companies providing contracted data services to organizations or agencies that must follow HIPAA also comply with it themselves.
Do Pandemics Change HIPAA Laws?
In the midst of a global emergency like the current COVID-19 pandemic, many people may also be wondering whether laws such as HIPAA will continue to be enforced. There is no concrete answer to this question, as provisions in the HIPAA law allow the guidelines that healthcare providers must follow to be altered during times of emergency. With this being said, the applicability and scope of HIPAA come down to ensuring that the health and safety of the public takes priority over the privacy of a single patient's data.
This is not to say that healthcare providers are not still responsible for safeguarding the PHI of their patients. What has changed with the rise of the pandemic is that within provider discretion, information is given to help health departments and other agencies determine the level of disease in the community. This can also include data that can assist certain federal agencies with contact tracing.
What is Defined as a Breach Under HIPAA?
HIPAA regulations stipulate that all agencies, businesses, or organizations that are required to follow HIPAA privacy laws report any instance of a data breach within their systems. Under HIPAA, a data breach is defined as "an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information." HIPAA presumes that an impermissible disclosure is a breach unless the covered entity can demonstrate a low probability that the data has been compromised, based on a risk analysis that considers at least the following factors:
- First, the nature and extent of the data involved in the disclosure, including the specific types of identifiers (birthdates, Social Security numbers) involved and how this data could be used for re-identification;
- Second, the unauthorized person to whom the disclosure was made, and whether that person is in a position to use the data fraudulently;
- Third, whether the protected health data was actually acquired or viewed, rather than merely suspected to have been; and
- Fourth, what mitigation efforts have been taken to reduce further risk to the patient or the likelihood of future breaches.
What Does it Mean to be “HIPAA Compliant”?
Many businesses and healthcare agencies claim that they are 'HIPAA compliant.' However, HIPAA provides no single definition of what it means to be compliant under the law. According to Tim Cimbura, CEO and software engineer, there is no real definition of HIPAA compliance.
For example, according to the Office for Civil Rights, a company can claim that it is HIPAA compliant if it is "engaging in reasonable faith efforts to follow the policy's healthcare privacy regulations". Overall, a company that is putting in the effort to become HIPAA compliant will typically have taken the following steps:
- The company regularly schedules a security risk analysis (SRA) and has had one completed recently.
- There has been an active risk management process planned, initiated, and implemented.
- The company has trained its employees and has a handbook on policies and procedures available that specifies how data should be protected throughout the process.
- All business associates and staff should have signed privacy agreements on file.
- Documentation demonstrates that the company has performed all of the above tasks or remedied any shortcomings. This could include additional training for staff hired after the date of the yearly policy training.
Do You Know Where Your PHI is Located?
An essential part of HIPAA compliance is having reliable control of your data. When a healthcare agency or business seeks the advice of a privacy expert to help them review their privacy policies, one of the first questions asked by the advisor is, “Can you show me where your PHI is located?” If the response is shrugged shoulders or eyes looking at the ceiling, then you know you have already failed.
Any entity that must follow HIPAA regulations is required to know three critical pieces of information:
- What Personal Health Information (PHI) data do they handle?
- Where is the PHI located on their system?
- How is the PHI or data processed?
Keeping PHI secure is an essential part of HIPAA compliance. Once you have concrete answers to the above questions regarding the type of PHI you handle, you have also built a defensive baseline. You know that this data must remain secure 100% of the time; this is where you build your wall, erect a moat, or draw a line in the sand. Your security should stop any breach long before it reaches this part of your system, and an intruder should never get into this area.
Breaches do happen; some skilled attackers are criminally motivated, for any number of reasons. HIPAA regulations are in place to make sure that healthcare providers take precautionary steps to protect their data. Many providers also encrypt or anonymize stored data so that any data that is exfiltrated cannot be deciphered. The idea is that while you know a storm might come, as a company you have prepared to meet it head-on.