What is HIPAA: A HIPAA Introduction

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to create industry standards for organizations working in healthcare. HIPAA is a complex set of rules and regulations with several components. A HIPAA introduction is discussed below.

A HIPAA Introduction: What is PHI?

Protected health information (PHI) is individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits, in any form. HHS does not classify PHI into 18 types; rather, the Privacy Rule's Safe Harbor de-identification method lists 18 identifiers that must be removed before health information stops being PHI. The list is a useful inventory of what must be protected:

  1. Names
  2. Geographic subdivisions smaller than a state (street address, city, county, ZIP code)
  3. All elements of dates except the year that relate directly to an individual (birth date, admission and discharge dates, date of death), and all ages over 89
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate or license numbers
  12. Vehicle identifiers and serial numbers, including license plates
  13. Device identifiers and serial numbers
  14. Web URLs
  15. IP addresses
  16. Biometric identifiers, including finger, retinal, and voice prints
  17. Full-face photographs and any comparable images
  18. Any other unique identifying number, characteristic, or code
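The list above is the Privacy Rule's Safe Harbor list: strip these 18 identifiers and the remaining data is no longer PHI. As an added example, not part of the original article, the Python below applies the Safe Harbor rules to a structured patient record: it drops the listed fields, reduces dates to years, truncates ZIP codes to three digits, collapses ages over 89 into "90+" (dropping the birth year, which would otherwise reveal the age), and regex-redacts identifiers that leak into free-text notes. The field names, the restricted ZIP prefixes, and the two patient records are constructed for the example; HHS publishes the authoritative restricted-ZIP list.

```python
import re
from datetime import date

# Safe Harbor identifier categories removed outright. Field names are an
# assumed record layout for this example, not a real EHR schema.
DROP_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "insurance_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo", "other_code",
}
# Dates directly related to the individual: only the year may survive.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}
# Three-digit ZIP prefixes covering 20,000 or fewer people must become "000".
# Constructed sample; HHS publishes the authoritative list from census data.
RESTRICTED_ZIP3 = {"036", "059", "063"}
# Patterns for identifiers that leak into free-text notes. Regexes catch the
# machine-shaped ones only; names and addresses still need manual review.
TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
}


def age_on(dob: date, as_of: date) -> int:
    """Whole years from dob to as_of."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def deidentify_zip(zip_code: str) -> str:
    """Keep the first three digits unless the prefix is too sparsely populated."""
    zip3 = zip_code[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def redact_text(text: str) -> str:
    """Replace pattern-detectable identifiers in free text with a marker."""
    for name, pattern in TEXT_PATTERNS.items():
        text = pattern.sub(f"[{name.upper()} REMOVED]", text)
    return text


def safe_harbor(record: dict, as_of: date) -> dict:
    """Return a de-identified copy of record under the Safe Harbor rules."""
    out = {}
    age = age_on(record["dob"], as_of) if "dob" in record else None
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue
        if field == "zip":
            out[field] = deidentify_zip(value)
        elif field in DATE_FIELDS:
            # Over 89 the birth year itself reveals the age, so it is dropped
            # and the age is reported as the aggregate "90+" below.
            if field == "dob" and age is not None and age > 89:
                continue
            out[field] = str(value.year)
        elif field == "notes":
            out[field] = redact_text(value)
        else:
            out[field] = value
    if age is not None:
        out["age"] = "90+" if age > 89 else age
    return out


# Constructed sample records (fictional data) and a fixed reference date.
AS_OF = date(2024, 1, 1)
SAMPLE_ELDERLY = {
    "name": "Jane Doe",
    "dob": date(1928, 3, 14),
    "zip": "03601",
    "ssn": "123-45-6789",
    "admission_date": date(2023, 11, 2),
    "diagnosis": "Hypertension",
    "notes": "Follow up; contact 555-123-4567 or jane@example.com",
}
SAMPLE_ADULT = {
    "name": "John Roe",
    "dob": date(1980, 6, 30),
    "zip": "90210",
    "mrn": "MRN-0042",
    "diagnosis": "Asthma",
    "notes": "Portal login from 203.0.113.5",
}


def deidentify_samples() -> dict:
    """De-identify both sample records and return the results."""
    return {
        "elderly": safe_harbor(SAMPLE_ELDERLY, AS_OF),
        "adult": safe_harbor(SAMPLE_ADULT, AS_OF),
    }


if __name__ == "__main__":
    for label, rec in deidentify_samples().items():
        print(label, rec)
```

The free-text pass is the weak point: regexes find SSNs, phones, emails, IPs and URLs, but a name or street address in a clinician's note will sail through, which is why Safe Harbor work on narrative text is usually paired with a manual review or an NLP de-identification tool rather than left to pattern matching.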

A HIPAA Introduction: The HIPAA Privacy Rule

The HIPAA Privacy Rule governs how PHI may be used and disclosed. It applies to covered entities (CEs), and since the 2013 Omnibus Rule certain of its requirements apply directly to business associates as well. Central to the Rule is the minimum necessary standard: when using, disclosing, or requesting PHI, a CE must limit the PHI to the minimum necessary to accomplish the intended purpose (disclosures to a provider for treatment are among the exceptions). In practice this means workforce members are granted access to PHI according to their job function. For instance, a nurse does not need a patient's billing information to deliver care, so the nurse's role should not be able to view it.

A HIPAA Introduction: Policies and Procedures

As noted above, organizations must apply the minimum necessary standard, and written policies and procedures are how an organization defines the permitted uses and disclosures of PHI for its workforce. They must be tailored to the organization's own operations rather than copied from a template, and revised whenever business processes change; HIPAA requires periodic review, and an annual review is the usual baseline. To make the policies effective, workforce members must be trained on them when hired, when the policies change, and through periodic refreshers (most organizations train annually).

A HIPAA Introduction: The HIPAA Security Rule

The HIPAA Security Rule requires covered entities and business associates (BAs) to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI) that they create, receive, maintain, or transmit. The Rule groups its required and addressable safeguards into three categories: administrative, physical, and technical.

Administrative: the security management process (a documented risk analysis of threats to ePHI and a risk management plan that reduces them to a reasonable level), workforce security and information access management, security awareness and training for the workforce (including training on the organization's own policies and procedures), contingency planning, and periodic evaluation of the safeguards.

Physical: facility access controls such as locks, alarms, CCTV, and visitor control; workstation use and workstation security; and device and media controls covering the disposal, reuse, and movement of hardware and media that hold ePHI.

Technical: access controls (unique user IDs, emergency access, automatic logoff, encryption), audit controls that record and allow examination of activity in systems holding ePHI, integrity controls that detect improper alteration or destruction of ePHI, person or entity authentication, and transmission security for ePHI sent over a network.

As part of this requirement, organizations must assess their safeguards regularly: the Security Rule mandates a documented risk analysis and a periodic technical and non-technical evaluation, and an annual self-audit is the usual way to satisfy it, with the risk analysis updated whenever systems or processes change. Gaps found during the assessment must be tracked in a remediation plan and closed, and both the findings and the remediation records retained as documentation.
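The minimum necessary standard from the Privacy Rule section and the access, audit, and integrity controls under the technical safeguards are two sides of one engineering problem: decide who may read which PHI, and keep a record of every attempt that cannot be quietly altered. The Python below is an added example, not code from the original article. A role-to-category permission table enforces the nurse/billing rule, every read attempt (granted or denied) is written to an HMAC-chained audit log, and rewriting one entry is shown to break the chain. The roles, PHI categories, patient record, and audit key are assumptions constructed for the demo.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Role -> categories of PHI the role may read (minimum necessary). Anything
# not listed is denied. Roles and categories are assumed for this example.
ROLE_PERMISSIONS = {
    "nurse": {"demographics", "clinical"},
    "billing_clerk": {"demographics", "billing"},
    "physician": {"demographics", "clinical", "billing"},
}


class AuditLog:
    """Append-only audit trail. Each entry's MAC covers the previous MAC, so
    editing or deleting an entry breaks the chain (an integrity control).
    In production the key lives in an HSM/KMS and entries ship off-host."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []          # list of (payload_bytes, mac_bytes)
        self._prev = b"\x00" * 32  # chain anchor for the first entry

    def record(self, event: dict) -> None:
        payload = json.dumps(event, sort_keys=True).encode()
        mac = hmac.new(self._key, self._prev + payload, hashlib.sha256).digest()
        self.entries.append((payload, mac))
        self._prev = mac

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered or removed."""
        prev = b"\x00" * 32
        for payload, mac in self.entries:
            expected = hmac.new(self._key, prev + payload, hashlib.sha256).digest()
            if not hmac.compare_digest(mac, expected):
                return False
            prev = mac
        return True


class PhiStore:
    """In-memory patient records; every read goes through the access check."""

    def __init__(self, records: dict, audit: AuditLog):
        self._records = records
        self._audit = audit

    @staticmethod
    def is_permitted(role: str, category: str) -> bool:
        return category in ROLE_PERMISSIONS.get(role, set())

    def read(self, user: str, role: str, patient_id: str, category: str):
        allowed = self.is_permitted(role, category)
        # Log grants and denials alike; denials are what a reviewer hunts for.
        self._audit.record({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "patient": patient_id,
            "category": category, "allowed": allowed,
        })
        if not allowed:
            raise PermissionError(f"{role} may not read {category}")
        return self._records[patient_id][category]


# Constructed sample data (fictional patient) and a constructed audit key.
RECORDS = {
    "P-1001": {
        "demographics": {"name": "Jane Doe", "dob": "1970-01-01"},
        "clinical": {"diagnosis": "Hypertension"},
        "billing": {"insurance_id": "ABC123", "balance_due": 240.00},
    }
}
AUDIT_KEY = b"constructed-demo-key-do-not-use-in-production"


def demo() -> dict:
    """Run the nurse/billing scenario and return what happened."""
    audit = AuditLog(AUDIT_KEY)
    store = PhiStore(RECORDS, audit)
    result = {}
    result["nurse_clinical"] = store.read("nurse1", "nurse", "P-1001", "clinical")
    try:
        store.read("nurse1", "nurse", "P-1001", "billing")
        result["nurse_billing_denied"] = False
    except PermissionError:
        result["nurse_billing_denied"] = True
    result["audit_entries"] = len(audit.entries)
    result["chain_valid"] = audit.verify()
    # Simulate an insider rewriting the denial into a grant after the fact.
    payload, mac = audit.entries[1]
    forged = payload.replace(b'"allowed": false', b'"allowed": true')
    audit.entries[1] = (forged, mac)
    result["chain_valid_after_tamper"] = audit.verify()
    return result


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to real systems: the default is deny (an unknown role gets an empty permission set), and the audit entry is written before the access decision is acted on, so a denied request is never silently dropped. The MAC chain only detects tampering by someone without the key; an attacker who holds the key can rebuild the chain, which is why the key belongs in a KMS and the log should also be forwarded to a separate system.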

A HIPAA Introduction: Business Associate Agreements

Business associate agreements (BAAs) are legally binding contracts between a CE and its BA, or between a BA and a subcontractor that handles PHI on its behalf. A BAA must be in place before the business associate creates, receives, maintains, or transmits PHI for the organization. If a prospective business associate is unwilling or unable to sign a BAA, the organization should not share PHI with it and should find another vendor.

A BAA:

  1. Specifies the permitted uses and disclosures of PHI and the safeguards the BA must maintain, and requires the same terms to flow down to any subcontractor
  2. Requires the BA to report security incidents and breaches of unsecured PHI to the CE, and sets the timeline for doing so; the CE in turn notifies affected individuals and HHS
  3. Allocates responsibility between the parties. Since the HITECH Act, BAs are directly liable for their own compliance with the Security Rule and the applicable Privacy Rule provisions, so each party must monitor and maintain its own compliance rather than rely on the other

A HIPAA Introduction: Breach Notification

Under the Breach Notification Rule, organizations must notify affected individuals, HHS, and in some cases the media after a breach of unsecured PHI (PHI that is not encrypted or otherwise rendered unusable under HHS guidance). An impermissible use or disclosure is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised, so a suspected incident must be assessed and the assessment retained even when no notification follows. Notification requirements differ by how many individuals were affected.

Meaningful Breach: affecting 500 or more individuals, the affected individuals must be notified without unreasonable delay and no later than 60 calendar days after discovery, and HHS must be notified within the same 60 days. If more than 500 residents of a single state or jurisdiction are affected, prominent media outlets serving that area must be notified as well. These breaches are posted on the HHS Office for Civil Rights (OCR) breach portal, known colloquially as the "wall of shame."

Minor Breach: affecting fewer than 500 individuals, the affected individuals must still be notified within 60 days of discovery, but the breach may be logged and reported to HHS within 60 days after the end of the calendar year in which it was discovered. No media notification is required.