Introduction to HIPAA
HIPAA is an acronym for Health Insurance Portability and Accountability Act, which was a law passed in 1996. Generally, HIPAA was written to protect individuals who receive healthcare by requiring healthcare organizations to protect their patients’ identifiable information. Covering the entirety of HIPAA can be quite a daunting task, so I’ll keep the introduction fairly simple and provide the big picture for organizations.
First, if you work in healthcare or provide services that manage patient data for healthcare organizations, it’s critical you are familiar with some of HIPAA’s terminology. The first term everybody should be aware of is “Covered Entity”.
Covered Entity: A health care provider, a health plan, or a health care clearinghouse.
The terms above are pretty broad, so it’s easier to present some practical examples. If you provide healthcare, or healthcare insurance, you are likely a covered entity. This includes doctors, dentists, clinics, hospitals, nursing homes, insurance providers, and more! There is one specific exception, but that will be for a later blog.
Protected Health Information (PHI): individually identifiable health information held or transmitted by a covered entity or business associate.
PHI is a commonly referenced term in the healthcare industry. Essentially, it’s patient data that can uniquely identify a patient, and it’s not as simple as just a name. HHS.gov lists 18 identifiers, but some of those are very vague, including the 18th, which is “any other unique identifying numbers, characteristic, or code[s].” What could that possibly mean? In some instances, the circumstances of a case alone could be enough to identify a patient. Imagine a small town has a fire with one victim, and an ER nurse at the nearest hospital posts on social media that they had to treat a burn victim. Did the nurse in this scenario disclose PHI?
Business Associate: a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
This doesn’t include direct employees of covered entities, because employees are technically part of the covered entity. If you provide services to a covered entity, do you have to comply with HIPAA? Not necessarily; it depends on whether your company or employees access services or systems that store or transmit PHI. However, covered entities should have a Business Associate Agreement (BAA) with any business associate that may provide these services, and the agreement should include language that clearly lays out the responsibilities of each party.
The takeaway that I hope you get from today’s article is: HIPAA is a law that applies to most healthcare organizations in the United States, and the act defines Covered Entity, Business Associate, and the requirements for all applicable parties to protect PHI.