A PrivacyAffairs.com survey reported that 70 percent of Americans had been impacted by healthcare data breaches, including 230,954,151 health records that have been lost, stolen, or exposed over the past decade. Amidst the COVID-19 pandemic, health care providers have become an increasingly popular target for cybercriminals lurking on the web. Indeed, there are numerous examples of significant health care breaches from Anthem (78.8 million affected in 2015) to Premera Blue Cross (11 million affected in 2015). Whether you are a new health care provider or just thinking about becoming one, you must understand HIPAA compliance and why it’s essential for protecting patients’ sensitive information. Keep reading to discover everything you need to know about this term.
What Is HIPAA Compliance?
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 refers to a series of regulatory standards that define how businesses and covered entities must protect and secure patient data. In the health care industry, this is referred to as protected health information (PHI). The Department of Health and Human Services (HHS) is responsible for regulating HIPAA compliance, while the Office for Civil Rights (OCR) enforces these compliance standards. Specifically, the OCR enforces these standards by providing regular guidance regarding new health care issues and investigating common HIPAA violations. Indeed, health care organizations have a huge responsibility to meet HIPAA compliance requirements, so they can do their part to protect the privacy, security, and integrity of patient health information.
What Is PHI?
Protected health information (PHI) describes any demographic information used to identify a patient of a health care organization. This information can be stored on paper or electronically. If the PHI is sent, stored, or accessed electronically, it is known as electronic protected health information (ePHI). ePHI is regulated by the HIPAA Security Rule, which was added to HIPAA regulations to meet the evolving needs of medical technology.
Examples of PHI include:
- Birth dates
- Contact information (address, phone number, email, etc.)
- Death dates
- Digital images
- Financial records
- Medical record numbers
- Social Security numbers
- Treatment dates
- Voice recordings
- Any other type of unique identification
Who Must Be HIPAA Compliant?
According to HIPAA regulations, two main types of organizations must meet compliance: covered entities and business associates. A covered entity is an organization that collects, creates, or sends PHI digitally, such as a hospital or dentist's office. A business associate is an organization that encounters PHI through contracted work for a covered entity, such as a billing company or web hosting provider. The lists below give common examples but are not exhaustive, because a wide range of businesses must meet compliance.
Covered Entities include:
- Assisted living
- Company health plans
- Community health departments
- Government-issued health care plans
- Health plans
- Health care clearinghouses
- Nursing homes
Business Associates include:
- Billing companies
- Cloud storage providers
- EHR platforms
- Email hosting providers
- Faxing companies
- Hosting providers
- IT providers
- Physical storage providers
- Practice management firms
- Shredding companies
- Third-party consultants
The HIPAA Rules Defined
Since 1996, several rules have been established to address the ever-changing needs of PHI within today’s digital landscape. The following list discusses key regulations that relevant parties should understand and be mindful of.
- HIPAA Privacy Rule defines national standards for patients’ rights to PHI. Specifically, the rule tells covered entities how and when authorized parties can access PHI. The Privacy Rule is designed to protect the privacy of PHI, set limits on the access and use of PHI, and grant patients’ rights over their health information. Patient rights include requesting copies of medical records and contacting an organization to correct PHI.
- HIPAA Security Rule defines national standards to ensure that ePHI is protected, maintained, transmitted, and stored based on HIPAA compliance. This rule applies to covered entities and business associates because both likely share ePHI. To protect ePHI, the Security Rule requires administrative, physical, and technical security measures to be enforced in health care organizations. Additionally, HIPAA requires employees to receive yearly training on critical policies and procedures regarding this rule.
- HIPAA Breach Notification Rule refers to standards that covered entities and business associates must follow if a data breach occurs involving PHI or ePHI. The specific rules depend on the size and scope of the breach. Indeed, companies must report all breaches to the HHS OCR.
- HIPAA Omnibus Rule is an addition made to HIPAA regulation for business associates. This rule requires these businesses to meet HIPAA compliance and regulations based on the Business Associate Agreements (BAAs). Covered entities and business associates must follow these rules before any PHI or ePHI can be sent or shared.
Protect What Matters Most for Patients
As you can see, HIPAA compliance is a complex set of regulations designed to protect and secure patients’ sensitive health information. These regulations help businesses and health care organizations meet requirements and avoid becoming another news headline due to a small or large-scale data breach.
Data breaches are devastating for everyone involved, from the patients with exposed, lost, or stolen data to the organizations that face hefty fines and lawsuits. We hope this article helped clarify what HIPAA compliance is and why it is a vital piece of your organization’s overall security strategy when it comes to PHI.
Additionally, tokenization is another security solution that can help organizations implement data privacy and security measures necessary to prevent data from being exposed in a breach without interfering with critical business operations. If you would like to learn more about our tokenization services for health care organizations, contact TokenEx today.