HIPAA Healthcare Security

The HIPAA Healthcare Security Rule applies to health plans, healthcare clearinghouses, and to any health care provider who transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”) and to their business associates.

What is HIPAA?

HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States legislation that provides data privacy and security provisions for safeguarding medical information.

It protects most ‘identifiable health information’ held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, on paper or oral.

The Privacy Rule calls this information Protected Health Information (PHI).

What is PHI?

PHI under US law is any information in a medical record that can be used to identify an individual that was created in the course of providing a healthcare service e.g diagnosis or treatment.

Practical examples of PHI are

  • Patient names
  • Addresses — In particular, anything more specific than state, including street address, city, county, precinct, and in most cases zip code, and their equivalent geocodes.
  • Dates — Including birth, discharge, admittance, and death dates.
  • Telephone and fax numbers
  • Email addresses
  • Social Security numbers
  • Driver’s License information
  • Medical record numbers
  • Account numbers
  • Health plan beneficiary numbers
  • Certification/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Names of relatives
  • Internet Protocol (IP) address numbers
  • Biometric identifiers — including finger and voice prints.
  • Full face photographic images and any comparable images.

Who has to comply with HIPAA?

HIPAA classifies those who must comply into three groups:

  • Covered entities (CEs) – A covered entity is anyone who provides treatment, payment and operations in healthcare. According to the U.S. Department of Health & Human Services (HHS) Healthcare Providers, Health Plans, and Healthcare Clearinghouses are all Covered Entities.
  • Business associates (BAs) – A Business Associate is a vendor or subcontractor who has access to PHI. Examples include services for medical transcription, insurance processing, and network management. Additionally, the subcontractors of business associates who handle ePHI are also subject to the rules.
  • Workforce – All employees, volunteers, and trainees of a covered entity or business associate. This includes anyone who is under the “direct control” of the organization, whether or not they are paid.

Why do I need to be HIPAA Security Compliant?

The HIPAA law requires all health care Covered Entities (CEs) and their Business Associates (BAs) to safeguard the privacy of patient health information. The HIPAA law also requires CEs and BAs to implement required security measures to protect patient health information.

HIPAA Healthcare Security Components