The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that requires most organizations in the healthcare sector to protect most kinds of patient data from inappropriate access.
Whom HIPAA Applies To
There are three types of healthcare organizations that are obliged to comply with HIPAA’s data control requirements:
any healthcare provider who, in the words of the U.S. Department of Health & Human Services (HHS), “electronically transmits health information in connection with certain transactions” (including transactions such as claims and benefit eligibility inquiries),
health plans (including health, dental, and vision insurers and health maintenance organizations), and
healthcare clearinghouses (including billing services).
Types of Data That It Applies To
Healthcare organizations that are subject to HIPAA are required to protect any data that can be classified as “individually identifiable health information,” which the HHS defines as any “information that relates to:
the individual’s past, present or future physical or mental health or condition,
the provision of health care to the individual, or
the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).”
The HIPAA Privacy Rule
In order to comply with HIPAA, healthcare organizations have to satisfy two different, though somewhat overlapping, sets of requirements: the HIPAA Privacy Rule, which applies to all forms of information, “whether electronic, paper, or oral,” and the HIPAA Security Rule, which applies only to electronic data.
To satisfy the requirements of the HIPAA Privacy Rule, healthcare organizations must:
Implement “reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure” of individually identifiable health information. The HHS gives as examples: shredding documents before disposing of them and securing documents with “lock and key or pass code.”
“Develop and implement written privacy policies and procedures,” and retain the records of these policies and procedures for at least six years “after the later of the date of their creation or last effective date.”
Train their employees to follow these privacy policies and procedures
“Designate a privacy official responsible for developing and implementing its privacy policies and procedures, and a contact person or contact office responsible for receiving complaints and providing individuals with information on the covered entity’s privacy practices.”
(The Privacy Rule also dictates when and how healthcare organizations can “use or disclose” their patients’ data without the patients’ express consent, how to obtain patients’ consent when required, and the right of patients to request access to their data and to request changes to it. Because we’re only focusing on the aspects of HIPAA that are directly related to IT in this article, however, we won’t be getting into the disclosure aspects of the Privacy Rule here.)
For the conclusion of this article, including explanations of the HIPAA Security Rule, Business Associate Contracts, and the law’s breach notification requirements, check out “How to Comply with HIPAA, Part 2.”