The Health Insurance Portability and Accountability Act (HIPAA) has been a fixture of security and privacy programs since it was signed into law in 1996. The legislation sets requirements intended to keep patient data safe, combining security provisions with data privacy requirements.
The HIPAA Privacy Rule is one of the core components of that legislation, and one more reason it is crucial for healthcare organizations to achieve and maintain HIPAA compliance.
What Is the HIPAA Privacy Rule?
Healthcare organizations and physicians hold essential personal information about patients, including account and identity information as well as confidential health information. Without proper protection, that information could be used in ways that damage patients' lives. Patients therefore expect their confidential information to be kept private, which is challenging in a digital age where attackers relentlessly target exactly this type of information, and where human error inside health organizations can open the path to a disastrous breach.
The HIPAA Privacy Rule was issued in December 2000, modified in 2002, and became enforceable for most covered entities in April 2003. It was designed to protect the confidentiality of patients' protected health information (PHI) without obstructing the flow of information needed to provide good treatment. The Rule controls who may access PHI, to whom it may be disclosed, and the conditions under which it may be used.
These laws, and the HIPAA Privacy Rule specifically, apply to entities beyond healthcare providers and the organizations that work with them. The Rule reaches any organization that creates, receives, maintains or transmits health information about a patient that, if it were to fall into the wrong hands, could cause the patient reputational or financial harm. Covered entities other than providers include the following:
- Employer-sponsored group health plans
- Health insurers
- Healthcare clearinghouses
In short, any entity that handles PHI, whether as a covered entity or on a covered entity's behalf, must comply with HIPAA privacy laws.
For nearly two decades, the HIPAA Privacy Rule has established a comprehensive set of national standards for protecting individual patients' medical records and other personal health information. Also known simply as the Rule, it requires appropriate safeguards to protect the privacy and confidentiality of PHI. The Rule sets limits and conditions on uses and disclosures of that information made without patient authorization. It also gives patients rights over their health information, including the right to examine and obtain a copy of their health records and the right to request amendments to them.
What Type of Information Is Protected by HIPAA Privacy Laws?
HIPAA privacy laws protect "individually identifiable health information": information, in any form, that identifies the patient (or could reasonably be used to identify the patient) and that relates to any of the following:
- The patient's past, present or future physical or mental health or condition
- Healthcare treatment and services provided to the patient
- Past, present or future payment for the provision of care to the patient
Because payment is included, individually identifiable health information extends beyond clinical records to administrative and financial data that can identify the patient, including the following:
- Names
- Dates of birth, death, admission, discharge or treatment
- Social Security numbers
- Telephone numbers
- Vehicle identifiers, including registration and license plate numbers
- Driver's license numbers
- Medical record numbers
- Credit card and account numbers
- Biometric identifiers such as fingerprints and voiceprints
- Full-face photographs and comparable electronic images
- Samples of a patient's handwriting or signature
- Any other unique identifying number, characteristic or code
Covered entities should keep in mind that HIPAA privacy laws are not limited to electronic data. The Privacy Rule covers PHI in any form, whether electronic, on paper or spoken; paper charts, faxes, printed claims and voicemail all fall under it. It is the separate HIPAA Security Rule that applies only to electronic PHI (ePHI).
Does the HIPAA Privacy Rule Apply to Your Organization?
The HIPAA Privacy Rule, and all other HIPAA privacy laws, applies to all covered entities and their business associates (BAs). A covered entity is a health plan, a healthcare clearinghouse, or a health care provider that transmits health information electronically in connection with a HIPAA standard transaction (such as claims). The Rule also applies to subcontractors, that is, business associates of business associates. These businesses must also become and remain HIPAA compliant.
Therefore, if your organization creates, receives, maintains or transmits PHI on behalf of a covered entity, or has persistent access to it (a cloud provider storing PHI, for example, counts even if the PHI is encrypted and the provider holds no key), HIPAA privacy laws apply to your business, and you must achieve and maintain full compliance for the duration of any engagement that gives you access to PHI.
Additionally, a covered entity beginning an engagement with a vendor or service organization that will have access to PHI must execute a written business associate agreement (BAA) agreed to by both parties. The BAA defines the terms of the engagement as they relate to PHI and lays out precisely how PHI will be used, disclosed and protected. A BA is directly liable under HIPAA for its own violations, and the BAA must require the BA to report breaches of unsecured PHI to the covered entity.
Business associates that may be subject to HIPAA privacy laws include vendors providing services such as the following:
- Administrative services
- Data analysis
- Claims processing
- Quality assurance
- Billing, payment and collections
- Data storage
- And many others
Is Your Organization HIPAA Compliant?
Are you considering signing a BAA with a promising client? Do you need guidance on compliance as a service organization? Our team at I.S. Partners, LLC, can help you sort through the complexities of the HIPAA Privacy Rule and the associated laws so you can become and remain confidently compliant for the duration of your business arrangement.