The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a series of national standards that health care organizations must have in place to safeguard the privacy and security of protected health information (PHI). PHI is any demographic, individually identifiable information that can be used to identify a patient. Common examples of PHI include names, addresses, email addresses, telephone numbers, and full facial photos.
There are two types of organizations outlined in HIPAA regulation:
- Covered Entities (CE): Health care providers, health insurance plans, and health care clearinghouses. CEs are involved in the direct creation of PHI and must be compliant with the full extent of HIPAA regulation.
- Business Associates (BA): Any organization hired by a CE (or by another BA) that will necessarily encounter PHI in the course of the work it has been hired to perform. Common examples of BAs include IT providers, practice management firms, physical storage providers, cloud storage providers, email encryption providers, data backup providers, and many others. BAs are not required to comply with the HIPAA Privacy Rule in its entirety but must adhere to the rest of the regulatory standards that apply.
Since it was first enacted in 1996, HIPAA has undergone many changes, revisions, and additions. Collectively, these have come to be known as the HIPAA rules. The HIPAA Rules include:
- HIPAA Privacy Rule: The Privacy Rule sets national standards for the privacy, integrity, and availability of PHI. The Rule outlines safeguards that must be in place to ensure that PHI is kept private. The Rule also establishes guidelines for patients’ rights to access their medical records, in addition to uses, disclosures, and authorizations that CEs must have in place.
- HIPAA Security Rule: The Security Rule sets national standards for maintaining the security of PHI through a series of Technical, Physical, and Administrative safeguards that CEs and BAs must implement.
- HIPAA Breach Notification Rule: The Breach Notification Rule outlines the processes that HIPAA-beholden entities must follow in the event of a data breach. Depending on the number of individuals affected by a given breach, there are different timelines and notification standards that the Rule requires.
- HIPAA Omnibus Rule: The Omnibus Rule made several significant changes to HIPAA regulation, specifically regarding the role of BAs. Since the Rule first went into effect in 2013, BAs have been under regulatory obligation to become HIPAA compliant. Additionally, the Omnibus Rule set stricter rules for the execution of Business Associate Agreements, which will be discussed later in this piece.
TPM by United Systems is a proud partner of The Compliance Group.
Read more: https://compliancy-group.com/hipaa-basics/