The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a standards regulation that gives guidelines for the proper and lawful disclosure and use of protected health information (PHI).
The Office for Civil Rights enforces HIPAA, while the Department of Health and Human Services regulates it.
There are many different HIPAA rules, but when you hear HIPAA invoked, it is usually the Privacy Rule that is meant. The Privacy Rule governs the rights attached to PHI.
Other HIPAA rules, such as the Security Rule and the Breach Notification Rule, set further safety standards for health information and personally identifiable information (PII).
Protected health information is any information that identifies a client or patient in a facility. Social security numbers and medical records are examples.
PHI is called electronic protected health information (ePHI) when it is stored, accessed, or transmitted electronically. ePHI is additionally governed by the HIPAA Security Rule.
HIPAA’s privacy rules and standards apply differently to covered entities, business associates, and hybrid entities.
HIPAA rules define covered entities as health plans, healthcare providers that use electronically transmittable information, and healthcare clearinghouses.
Covered entities can be people, institutions, or organizations. Researchers are also included, such as those running clinical trials.
Healthcare is defined as supplies, services, and care that are related to a person’s health, such as counseling, preventative care, rehab, procedures, therapeutic care, and diagnostic care. Healthcare also includes the sale and disbursement of drugs, durable medical equipment, devices, and other prescribed items.
A business associate assists or acts on behalf of the covered entity. It may be a person or another entity.
Business associates may be used to de-identify PHI, carry out data aggregation, or prepare data sets.
They must have a written contract or another arrangement with the covered entity. With this in place, the covered entity can disclose PHI to the business associate as long as the associate safeguards the information.
A covered entity cannot authorize the business associate to use that information or disclose the information in a way that violates the HIPAA Privacy Rule.
Hybrid entities perform both covered entity and business associate functions (that is, both covered and non-covered functions).
The checklist incorporates the guidelines set out by HIPAA’s Security and Privacy rules.
All covered entities are required to keep reasonable safeguards in the administrative, physical, and technical fields for all protected health information. Specifically, HIPAA states that they must:
“Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
Identify and protect against reasonably anticipated threats to the security or integrity of the information;
Protect against reasonably anticipated, impermissible uses or disclosures; and
Ensure compliance by their workforce.”
Here’s an explanation of some of those terms:
Confidentiality is defined as not disclosing ePHI or making it available to anyone who is unauthorized to see the information.
Integrity means not destroying or altering ePHI in an unauthorized way.
Availability is defined as ePHI being on-demand and usable for anyone who is authorized to access it.
The administrative safeguards deal with:
Security personnel—officers responsible for overseeing the covered entity’s policies and procedures
Security management processes—the measures implemented that can reasonably lower the risks and vulnerabilities of ePHI
Information access management—defined as the policies and procedures for ePHI access that comply with the HIPAA Privacy Rule
Workforce training and management—requires workers who handle ePHI to be trained in policy and procedure, and requires procedures for dealing with workers who violate those policies
Evaluation—completed regularly to ensure all policies and procedures meet the requirements set out by the Security Rule
Physical safeguards involve controlling access to the covered entity’s facility and implementing workstation, device, and electronic media security. Access to the facility must be limited so that only authorized individuals can view and use workstations.
The technical safeguards cover access control, audit control, integrity control, and the transmission security of ePHI:
Access control—technical policies that safeguard ePHI from unauthorized access
Audit control—the hardware, software, or procedural mechanisms that record and examine access to, and activity in, systems containing ePHI
Integrity control—ensures ePHI is not destroyed or altered electronically
Transmission security—measures that protect ePHI from unauthorized access while it is being transmitted over an electronic network
Organizational requirements are broken down into two groups:
Covered entity responsibility—if the entity knows of any practice carried out by the business associate that violates their Privacy Rule obligation, the entity must take measures to end it.
Business associate contract—the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 regulates the business associate’s contract and obligations. The act gives the Department of Health and Human Services (HHS) authority to set up programs to improve healthcare safety, quality, and efficiency by promoting health IT.
Documentation, policies, and procedures must be reasonable and comply with the Security Rule. The covered entity must keep these for six years after their creation or their last effective date of use.
The covered entity is expected to review these periodically and update them for any environmental or organizational change that may affect them in relation to ePHI.
The following things need to be in place for basic compliance:
Written procedures, standards, and policies that go over the conduct required
A compliance committee with a compliance officer to oversee HIPAA requirements
Effective HIPAA training and education throughout the company
Company-wide internal monitoring of compliance with auditing
Good, open, and effective lines of communication
Well-understood disciplinary guidelines that enforce HIPAA standards
Quick and efficient responses to any offense and solid corrective action
The Office for Civil Rights enforces the Privacy and Security Rules for HIPAA, with enforcement beginning April 14, 2003.
HIPAA was written to be enforced in the US. However, the law was also written to protect US citizens’ data no matter where they live. So, in principle, HIPAA applies outside the US when the citizen is living abroad or has health data held outside the US.
HIPAA protects clients and patients from having their personal identifying and health information exposed and leaked to unauthorized individuals without their consent.
Some entities that are not covered by HIPAA but may still handle sensitive information include life insurers and workers’ compensation carriers, employers that are not covered entities, and administrative agencies.