HIPAA in a Nutshell

The HIPAA regulations require healthcare organizations to follow a set of standards. However, the standards are written in a way that raises more questions than it answers. What do you actually need to do to be HIPAA compliant? To take the guesswork out of it, HIPAA in a nutshell is laid out below.

HIPAA in a Nutshell: The Three HIPAA Rules

The HIPAA regulation can be broken down into three major components: the Privacy, Security, and Breach Notification Rules. Together, these Rules are meant to ensure the confidentiality, integrity, and availability of protected health information.

HIPAA in a Nutshell: What is Protected Health Information?

Before getting into what each HIPAA Rule entails, it is important to understand what protected health information consists of. Protected health information (PHI) is individually identifiable health information that relates to an individual's past, present, or future physical or mental health, to the provision of healthcare to the individual, or to payment for that care. The Department of Health and Human Services (HHS) lists 18 identifiers in the Privacy Rule's Safe Harbor de-identification standard; health information containing any of them is identifiable, and all 18 must be removed for data to count as de-identified under Safe Harbor.

Names

Geographic subdivisions smaller than a state (street address, city, county, ZIP code)

All elements of dates except year that relate directly to an individual (birth, admission, discharge, death), and any age over 89

Telephone numbers

Fax numbers

Email addresses

Social Security numbers

Medical record numbers

Health plan beneficiary numbers

Account numbers

Certificate/license numbers

Vehicle identifiers and serial numbers, including license plates

Device identifiers and serial numbers

Web URLs

IP addresses

Biometric identifiers, including finger, retinal, and voice prints

Full-face photographs and comparable images

Any other unique identifying number, characteristic, or code
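As an added example (not part of the original page), the following Python scrubber applies the Safe Harbor rule to a constructed record: it drops fields that hold direct identifiers, keeps only the year of dates, collapses ages over 89 into "90+" (and then withholds the birth year too, since a year alone would reveal an age over 89), and uses regular expressions to find identifiers that have leaked into free-text notes. The field names, the sample record and the patterns are assumptions for illustration; a production de-identification pipeline also needs name recognition, which regular expressions cannot provide.

```python
import re

# Record fields that hold direct identifiers from the Safe Harbor list.
# These field names are assumptions for the example, not a real EHR schema.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "mrn", "ssn", "phone", "fax", "email", "address", "zip",
    "beneficiary_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "photo", "biometric_template",
}

# Heuristic patterns for identifiers that leak into free-text notes.
# Names are not covered: that needs NLP, not regular expressions.
FREE_TEXT_PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\b(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("URL", re.compile(r"\bhttps?://\S+", re.I)),
    ("MRN", re.compile(r"\bMRN\s*#?\s*\d+\b", re.I)),
]
ISO_DATE = re.compile(r"\b(\d{4})-\d{2}-\d{2}\b")          # 2024-06-01 -> 2024
US_DATE = re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b")        # 03/15/2024 -> 2024
AGE = re.compile(r"\b(\d{1,3})(?:-?\s*)(?:year-old|years?\s+old|y/?o)\b", re.I)


def _aggregate_age(m) -> str:
    # Safe Harbor: every age over 89 collapses into the single category "90+".
    if int(m.group(1)) > 89:
        return m.group(0).replace(m.group(1), "90+", 1)
    return m.group(0)


def scrub_text(text: str, known_values=()) -> str:
    """Remove identifiers from free text. known_values are identifier strings
    taken from the structured part of the same record (e.g. the patient's name)
    and are redacted verbatim, longest first, before the regex pass."""
    for value in sorted(known_values, key=len, reverse=True):
        text = text.replace(value, "[REDACTED]")
    text = ISO_DATE.sub(r"\1", text)
    text = US_DATE.sub(r"\1", text)
    text = AGE.sub(_aggregate_age, text)
    for label, pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub(f"[{label}]", text)
    return text


def deidentify_record(record: dict) -> dict:
    """Return a Safe Harbor de-identified copy of a structured record."""
    # Values of direct-identifier fields, reused to scrub the free text.
    # Very short values are skipped: they would match unrelated substrings.
    known = [str(v) for k, v in record.items()
             if k in DIRECT_IDENTIFIER_FIELDS and v and len(str(v)) >= 4]
    age = record.get("age")
    over_89 = isinstance(age, int) and age > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                      # drop direct identifiers outright
        if key == "age":
            out["age"] = "90+" if over_89 else value
        elif key == "dob":
            if not over_89:               # a birth year alone would reveal age > 89
                out["birth_year"] = str(value)[:4]
        elif isinstance(value, str):
            out[key] = scrub_text(value, known)
        else:
            out[key] = value
    return out


# Constructed sample record for the example; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "mrn": "000123456",
    "ssn": "123-45-6789",
    "dob": "1931-04-02",
    "age": 93,
    "zip": "02139",
    "email": "jane.doe@example.com",
    "diagnosis": "Type 2 diabetes",
    "note": ("Pt Jane Doe (MRN 000123456) seen 03/15/2024; f/u 2024-06-01. "
             "Call 617-555-0199 or k.doe@example.net; portal login from "
             "192.0.2.10. 92-year-old, stable."),
}

if __name__ == "__main__":
    for key, value in deidentify_record(SAMPLE_RECORD).items():
        print(f"{key}: {value}")
```

The two-pass design matters: identifiers that the structured record already names (the patient's own name and MRN) are redacted by exact value first, so the regex pass only has to catch identifiers the record did not know about, such as a relative's email or the phone number dictated into the note.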

HIPAA in a Nutshell: HIPAA Privacy Rule

As a healthcare organization, you use and disclose PHI by the nature of your work. The Privacy Rule permits you to use and disclose PHI without patient authorization for treatment, payment, and healthcare operations. It also sets the minimum necessary standard: workforce members should have access only to the PHI they need to perform their job functions. In practice, this means issuing unique login credentials to each employee (the Security Rule separately requires unique user identification) so that access to PHI can be granted by job role rather than through shared accounts. Access to PHI must also be tracked in audit logs, so that you can verify that the minimum necessary standard is being followed and catch insider misuse early.

The HIPAA Privacy Rule also establishes patients' rights over their PHI. Chief among them is the HIPAA right of access, which requires healthcare organizations to give patients access to their medical records within 30 days of the request (one 30-day extension is allowed if the patient is told the reason in writing). It also prohibits charging patients more than a reasonable, cost-based fee for copies of their records. The right of access has become more prominent of late: the HHS Office for Civil Rights (OCR) has issued nine right of access fines in 2020 so far.

So now that we have discussed the permitted uses and disclosures of PHI, and how you can control and monitor access to PHI, you may be wondering how you can protect PHI from unauthorized access. This is where the HIPAA Security Rule comes into play.

HIPAA in a Nutshell: HIPAA Security Rule

The HIPAA Security Rule applies to electronic protected health information (ePHI), meaning PHI that you create, store, or transmit electronically, and requires you to:

Ensure the confidentiality, integrity, and availability of all ePHI you create, receive, maintain, or transmit;

Identify and protect against reasonably anticipated threats to the security or integrity of the information;

Protect against impermissible uses or disclosures of ePHI that are reasonably anticipated; and

Ensure compliance by your workforce.

This is accomplished by implementing administrative, technical, and physical safeguards to secure ePHI.

Administrative. Administrative safeguards require you to conduct a risk analysis, an audit of your own organization, to identify gaps in your security measures, and to address those gaps through a documented risk management plan. They also require documented policies and procedures that dictate how your organization will follow the HIPAA Rules. To build a culture of compliance, employees must be trained on your organization's policies and procedures, and on HIPAA basics, when they join and periodically thereafter; annual training is the usual practice.

Technical. Technical safeguards protect ePHI, that is, PHI stored or transmitted electronically. They consist of access controls (unique user IDs, emergency access procedures, and automatic logoff), audit controls (logs that record who accessed which ePHI and when), integrity controls (mechanisms such as checksums or digital signatures that detect improper alteration or destruction of ePHI), person or entity authentication (verifying that whoever requests access is who they claim to be), and transmission security (encrypting ePHI in transit over networks).
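To show how the minimum necessary standard and unique credentials from the Privacy Rule section, and the access, audit and integrity controls listed above, fit together in code, here is an added Python example that is not from the original page. It keeps charts in memory, returns each role only the fields it is permitted to see, denies roles with no chart access, protects each stored record with an HMAC so silent alteration is detected at read time, and hash-chains the audit log so edited or deleted entries are detectable. The role-to-field mapping, user IDs and sample chart are assumptions; the HMAC key is embedded only so the example runs (in production it belongs in a KMS or HSM), and transmission security (TLS) is out of scope here.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Key for record integrity tags. Hard-coded only so the example runs;
# in production it belongs in a KMS or HSM, never in source control.
INTEGRITY_KEY = b"example-integrity-key-not-for-production"

# Minimum necessary: the fields each job role may read. An assumed mapping;
# a real one comes from the organization's own access policy.
ROLE_FIELDS = {
    "physician": {"name", "dob", "diagnosis", "medications", "insurance_id"},
    "nurse": {"name", "dob", "diagnosis", "medications"},
    "billing": {"name", "insurance_id"},
    "it_admin": set(),  # maintains the system, has no business reading charts
}
WRITE_ROLES = {"physician", "nurse"}
GENESIS = "0" * 64   # "previous hash" of the first audit entry


def _digest(obj) -> str:
    """SHA-256 over a canonical JSON encoding, so key order cannot matter."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


class PHIStore:
    """In-memory chart store with role-based views, HMAC-protected records
    and a hash-chained audit log."""

    def __init__(self):
        self._records = {}        # mrn -> (record dict, hmac tag)
        self._audit = []
        self._prev_hash = GENESIS

    @staticmethod
    def _tag(mrn: str, record: dict) -> str:
        # Tag binds the record to its MRN, so records cannot be swapped either.
        canonical = json.dumps({"mrn": mrn, "record": record}, sort_keys=True)
        return hmac.new(INTEGRITY_KEY, canonical.encode(), hashlib.sha256).hexdigest()

    def _log(self, user_id, role, action, mrn, detail):
        # Every access, allowed or denied, is recorded under the user's unique ID.
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "user": user_id,
                 "role": role, "action": action, "mrn": mrn, "detail": detail,
                 "prev": self._prev_hash}
        entry["hash"] = _digest(entry)    # chains this entry to the previous one
        self._prev_hash = entry["hash"]
        self._audit.append(entry)

    def write(self, user_id, role, mrn, record):
        if role not in WRITE_ROLES:
            self._log(user_id, role, "write", mrn, "denied")
            raise PermissionError(f"role {role} may not write charts")
        self._records[mrn] = (dict(record), self._tag(mrn, record))
        self._log(user_id, role, "write", mrn, sorted(record))

    def read(self, user_id, role, mrn):
        allowed = ROLE_FIELDS.get(role, set())
        if not allowed:
            self._log(user_id, role, "read", mrn, "denied")
            raise PermissionError(f"role {role} has no chart read access")
        record, tag = self._records[mrn]
        # Integrity control: refuse to serve a record whose tag no longer matches.
        if not hmac.compare_digest(tag, self._tag(mrn, record)):
            self._log(user_id, role, "read", mrn, "integrity failure")
            raise RuntimeError(f"record {mrn} failed its integrity check")
        view = {k: v for k, v in record.items() if k in allowed}   # minimum necessary
        self._log(user_id, role, "read", mrn, sorted(view))
        return view

    def verify_audit_chain(self) -> bool:
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = GENESIS
        for entry in self._audit:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def audit_entries(self):
        return [dict(e) for e in self._audit]


if __name__ == "__main__":
    store = PHIStore()
    store.write("dr.smith", "physician", "MRN-0001",   # constructed sample chart
                {"name": "Sample Patient", "dob": "1970-01-01",
                 "diagnosis": "hypertension", "medications": ["lisinopril"],
                 "insurance_id": "XYZ123"})
    print(store.read("clerk.jones", "billing", "MRN-0001"))
    print("audit chain intact:", store.verify_audit_chain())
```

Two design points are worth noting. Denied reads are logged as carefully as successful ones, because a clerk repeatedly probing charts outside their role is exactly the insider pattern the audit requirement exists to surface. And the audit log chains each entry to the previous one, so an attacker (or an administrator covering their tracks) cannot quietly delete the entry that records their access without breaking every hash that follows it.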

Physical. Physical safeguards protect the facilities, workstations, and devices and media that hold ePHI. Under the Security Rule this means facility access controls, workstation use and security policies, and device and media controls such as tracking drives and wiping them before disposal or reuse. In practice it also covers the measures that protect paper PHI (which itself falls under the Privacy Rule): alarm systems, locked cabinets or rooms for records, and CCTV cameras.

Since every organization has different security requirements, when implementing security measures, you must consider the following:

Your size, complexity, and capabilities;

Your technical infrastructure, hardware, and software security capabilities;

The costs of security measures; and

The probability and criticality of potential risks to ePHI.