HIPAA stands for the Health Insurance Portability and Accountability Act of 1996, which is a federal law that protects the health information of individual citizens. HIPAA imposes a laundry list of requirements on companies, and failure to comply with those requirements can result in severe penalties. If your company works with health information in any way, it is important to determine whether your company is subject to this law and if it is meeting HIPAA’s requirements.
HIPAA protects individually identifiable health information in any form: written, electronic, or otherwise. This includes information related to an individual’s mental health or condition, any health care the individual received, and the individual’s payment for health care, as long as the information identifies the individual or can reasonably be used to identify the individual. Common identifying information includes names, addresses, birth dates, and social security numbers.
HIPAA imposes regulations only on “covered entities,” which are:
If these entities or their “business associates” handle protected health information, they are subject to HIPAA. Business associates receive, create, maintain, and/or transmit protected health information. Most, though not all, of HIPAA’s requirements apply to business associates.
HIPAA’s requirements for covered entities and their business associates are many and complex, but can be generally grouped into three categories: Administrative, Security, and Privacy.
Administratively, HIPAA requires companies to take actions that protect and standardize the transmission of protected health information. For example, companies must obtain a National Provider Identifier and use it routinely, as well as use correct medical data code sets.
HIPAA tackles security from several different angles, addressing physical security as well as the policies and procedures necessary to preserve a secure environment. For example, HIPAA requires companies to conduct a risk analysis, impose sanctions on workers who fail to comply with security measures, implement a data backup plan, create policies and procedures that establish a user’s right to use a workstation or program, and maintain standard documentation and records, among other measures.
HIPAA’s privacy requirements are some of its most stringent. First and foremost, HIPAA requires a valid authorization from an individual before his or her protected health information can be disclosed. Further, companies are required to provide their clients with a notice of privacy practices, designate a privacy official, and notify customers, the media, and the government in the event of a data breach.
The Health Insurance Portability and Accountability Act is not the only law that protects health information. Most states regulate companies that handle health information, and, when the requirements of state law are stricter than those of HIPAA, companies must comply with them. If a company operates nationally or across multiple states, it should consult with legal counsel to identify the requirements of state law in addition to HIPAA.