What is HIPAA Compliance?
What is HIPAA?
HIPAA is the acronym for the Health Insurance Portability and Accountability Act. The United States Congress initially passed this act in 1996 to provide regulations for handling and sharing patient data.
As technology began to advance, it became easier for doctors to share patient data quickly in order to provide better medical care. It also became a source of abuse. The HIPAA regulations were passed to help protect both the patient and health care providers.
It requires healthcare providers to protect patients’ personal health data, keep it confidential, and use precautions when transferring data electronically. The regulation has built-in industry-wide standards for processing health care billing and other health data.
Through careful policies, HIPAA lowers the risk of fraud and abuse to both the patient and the health care provider.
An essential feature of HIPAA is that it allows for extended health insurance coverage for employees when they are between jobs or switching employers.
What Does “Protected Health Information” Mean?
Anyone who works in the healthcare industry needs to know how to handle patient data. HIPAA mandates the protection of protected health information, or PHI. What is included under the regulation's definition of PHI?
Under the guidelines, HIPAA issues best practices and safety measures to ensure the confidentiality, integrity, and availability of PHI. PHI, or protected health information, can include any of the following details:
- Any geographic location smaller than a person's state.
- Phone or fax numbers.
- Email addresses.
- Social Security numbers.
- Medical record identifying numbers.
- Account numbers.
- License numbers.
- Health insurance beneficiary data.
- Full face images.
- Finger or voiceprints.
There are likely many other data points in a health record that could be considered personally identifying. If a data point is not explicitly listed, healthcare workers generally rely on common sense and do not disclose any data without the patient's consent.
Does HIPAA Apply Outside the US?
If a US citizen is getting medical treatment outside the US, are they still covered by HIPAA? The answer is no. HIPAA regulations apply to anyone treated within the United States, both citizens and non-citizens. This makes sense when it comes to data handled directly by healthcare providers and patients. What about companies that are offshore?
Securing data today is big business. Many healthcare companies that handle massive amounts of patient data outsource data processing and storage to companies that are not located in the US. This is one area in which the HIPAA law does compare to other consumer privacy legislation like the GDPR (General Data Protection Regulation) and the CCPA (California Consumer Privacy Act). These consumer privacy laws apply to anyone who wants to do business with residents of those areas. Likewise, HIPAA regulations extend to companies that contract data services for organizations or agencies that must follow HIPAA; these companies must also comply.
Do Pandemics Change HIPAA Laws?
With a global emergency like the current COVID-19 pandemic, are HIPAA laws still enforced? Not entirely. During a state of emergency, the guidelines under HIPAA can be reviewed. It comes down to the fact that the health and safety of the public takes priority over the privacy of a single patient's data.
This is not to say that healthcare providers are suddenly lax with your info. Health agencies are still following the rules. What has changed is that, at the provider's discretion, information is given to help health departments and other agencies determine the level of disease in the community. This can also include data that can assist certain federal agencies with contact tracing.
What is Defined as a Breach Under HIPAA?
HIPAA regulations stipulate that all agencies, businesses, or organizations that are required to follow HIPAA privacy laws report any instance of a breach. A breach is defined as "an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information." An incident is considered a breach unless the covered party or healthcare provider can demonstrate, using the following risk analysis guidelines, that there is a low risk that the data has been compromised.
- First, the provider and patient should understand the nature and extent of the data involved in the breach, including the specific types of identifiers (birthdates, social security numbers) taken and how this data could be used for re-identification;
- It helps to know to whom the information was disclosed and how likely that party is to use it fraudulently;
- Someone should determine whether the protected health data was actually acquired or viewed, or whether this is only suspected; and
- What mitigation efforts have been taken to reduce further risk to the patient or future breaches.
What Does it Mean to be “HIPAA Compliant”?
Many businesses and healthcare agencies claim that they are ‘HIPAA compliant.’ What exactly does this mean? According to Tim Cimbura, CEO and software engineer, there is no real definition of what this means.
According to the Office of Civil Rights, a company can claim that it is HIPAA compliant if it is making reasonable, good-faith efforts to follow the policy's healthcare privacy regulations. Overall, companies that are putting in the effort to become HIPAA compliant will typically have taken the following steps:
- The company regularly schedules a security risk analysis (SRA) and has had one completed recently.
- There has been an active risk management process planned, initiated, and implemented.
- The company has trained its employees and has a handbook on policies and procedures available that specifies how data should be protected throughout the process.
- All business associates and staff have signed privacy agreements on file.
- Documentation demonstrates that the company has performed all the above tasks or remedied any shortcomings. This could include additional training options for staff who are hired after the date of the yearly policy training.
Do You Know Where Your PHI is Located?
An essential part of HIPAA compliance is having reliable control of your data. When a healthcare agency or business seeks the advice of a privacy expert to help them review their privacy policies, one of the first questions asked by the advisor is, “Can you show me where your PHI is located?” If the response is shrugged shoulders or eyes looking at the ceiling, then you know you have already failed.
Any entity that must follow HIPAA regulations is required to know three critical pieces of information:
- What Protected Health Information (PHI) do they handle?
- Where is the PHI located on their system?
- How is the PHI or data processed?
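One way to start answering those three questions, as an added example that is not part of the original article: a small Python inventory scan that classifies the fields of constructed sample datasets against several of the PHI identifier categories listed earlier and reports where each category lives. The MRN prefix format and the sample records are assumptions made for the example.

```python
import re
from collections import defaultdict

# Patterns for some of the PHI identifier categories listed above.
# Medical record and account number formats vary per organisation;
# the "MRN-" prefix below is a constructed convention, not a HIPAA rule.
PHI_PATTERNS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "phone": re.compile(r"^\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I),
    "mrn": re.compile(r"^MRN-\d{6,}$"),
    "zip": re.compile(r"^\d{5}(-\d{4})?$"),  # geographic unit smaller than a state
}

def classify_value(value):
    """Return the PHI category a single string value matches, or None."""
    if not isinstance(value, str):
        return None
    for category, pattern in PHI_PATTERNS.items():
        if pattern.match(value.strip()):
            return category
    return None

def inventory_phi(datasets):
    """Map each dataset.field path to the sorted PHI categories found in it."""
    found = defaultdict(set)
    for name, records in datasets.items():
        for rec in records:
            for field, value in rec.items():
                cat = classify_value(value)
                if cat:
                    found[f"{name}.{field}"].add(cat)
    return {path: sorted(cats) for path, cats in found.items()}

# Constructed sample data: one billing table and one analytics export.
SAMPLE = {
    "billing": [
        {"id": 1, "ssn": "123-45-6789", "contact": "john@example.com", "amount": "120.00"},
        {"id": 2, "ssn": "987-65-4321", "contact": "(555) 123-4567", "amount": "80.00"},
    ],
    "analytics_export": [
        {"patient": "MRN-000123", "state": "OH", "postal": "44101"},
    ],
}

if __name__ == "__main__":
    for path, cats in sorted(inventory_phi(SAMPLE).items()):
        print(f"{path}: {', '.join(cats)}")
```

The output is the start of a PHI location map: the analytics export, which may have been assumed to be "de-identified", still carries a record number and a ZIP code.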
Keeping PHI secure is an essential part of HIPAA compliance. Once you have concrete answers to the above questions regarding the type of PHI that is handled, you have also built a defensive baseline. You know that this data must remain secure 100% of the time; this is where you build your wall, erect a moat, or draw a line in the sand. Your security should stop any breach long before it reaches this part of your system; an intruder should never get into this area.
Breaches do happen; some skilled attackers are criminally intent on doing harm, for a variety of reasons. HIPAA regulations are in place to make sure that healthcare providers take precautionary steps to protect their data. Providers are increasingly using encryption or anonymization of stored data so that any breached data cannot be deciphered. The idea is that while you know a storm might come, as a company, you have prepared to meet it head-on.