Any medical information that can be connected to a specific patient is considered “protected health information” (PHI) and is covered by the Health Insurance Portability and Accountability Act (HIPAA). HIPAA compliance requires a serious approach to protecting that data.
HIPAA compliance is critical for organizations that handle healthcare data, not only to protect patient privacy but also to protect the bottom line. Data breaches must be reported and HIPAA non-compliance can result in hefty fines. Any organizations handling healthcare data must be HIPAA compliant.
HIPAA has rules that require organizations to protect patient privacy and secure patient data.
The rules include:
Individually identifiable health information is covered by the HIPAA Privacy Rule. This data includes information about a patient’s mental or physical health, medical treatments, or payment history. This rule requires organizations to protect data “in any form or media, whether electronic, paper, or oral” when it contains personal information such as name, phone number, birth date, Social Security Number, or any other personal identifier.
The HIPAA Privacy Rule governs how organizations can use patient data, what data they can disclose without the patient’s permission, and to whom. The rule also guarantees patients the “Right to Access” most of their personal health information and obtain copies of their medical records. Organizations handling PHI must create and apply written privacy policies and they must notify patients (in writing) about these policies. They also must provide annual HIPAA training for their staff.
The HIPAA Security Rule is a subset of the HIPAA Privacy Rule. The Security Rule tells organizations how to secure the PHI they handle. Specifically, it provides standards for protecting electronic protected health information (ePHI). The Security Rule explains how that data should be handled, maintained, and transmitted.
To comply with the Security Rule, organizations must have administrative, physical, and technical safeguards in place.
The Omnibus Rule defines the role of business associates and outlines the criteria for Business Associate Agreements (BAAs).
The Omnibus Rule adds the provisions required by the Health Information Technology for Economic and Clinical Health (HITECH) Act to HIPAA obligations. The HITECH Act incentivizes the use of electronic health records (EHR). It also increases the security and privacy protection requirements and the legal and financial liability for non-compliant organizations.
The Breach Notification Rule requires organizations to notify the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) when a data breach of ePHI has occurred. A data breach is defined by HHS as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.” The Breach Notification Rule specifies which types of breaches must be reported and how.
Breaches are categorized as “minor breaches” (those affecting fewer than 500 people) and “meaningful breaches” (those affecting more than 500 individuals). HIPAA requires organizations to report both minor and meaningful breaches to OCR; however, the two categories have different reporting procedures. All meaningful breaches are published on OCR’s Breach Notification Portal, or “Wall of Shame,” for the public to review.