What is HIPAA?
So what is HIPAA and who does it benefit? The acronym stands for Health Insurance Portability and Accountability Act, a law passed by the US Congress in 1996 as an attempt at major healthcare reform. The act was created with two main objectives:
- To help people who are between jobs keep their health insurance and that of their families. This is the Insurance Portability part of the act.
- To protect the privacy of individuals' personal and medical information, the so-called protected health information (PHI). This is the Accountability part of the act.
Health Insurance Portability
HIPAA gave American workers and their families the ability to keep their health insurance when losing or changing jobs. Before the act was passed, it was very difficult for people with pre-existing medical conditions to get health insurance. Losing their job could mean they were unable to get health insurance at all, and if they did manage to get it, a long exclusion period for their condition would often apply.
HIPAA successfully improved portability and continuity of health insurance coverage for American workers.
Health Insurance Accountability
The Health Insurance Accountability part of HIPAA (its Administrative Simplification provisions) consists mainly of the Privacy Rule and the Security Rule.
HIPAA Privacy Rule
The HIPAA Privacy Rule applies to covered entities, which HIPAA defines as health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with certain standard transactions (such as claims). Since the 2013 Omnibus Rule, business associates that handle PHI on a covered entity's behalf are also directly subject to much of it.
The HIPAA Privacy Rule states that a covered entity may use or disclose protected health information (PHI) only if it has obtained written authorization from the individual, or, without authorization, in certain cases where requiring it would interfere with the effective operation of the healthcare system. These exceptions include:
- Using or disclosing PHI for the covered entity's own treatment, payment, or health care operations.
- Disclosing PHI to another health care provider (whether or not that provider is itself covered by the Privacy Rule) for the treatment of the patient.
- Disclosing PHI to another covered entity, or to any health care provider, for the recipient's payment activities.
Whenever PHI is used, disclosed or requested, the US Department of Health & Human Services' Health Information Privacy guidance states that the covered entity must make reasonable efforts to limit it to the minimum necessary to accomplish the intended purpose (the "minimum necessary" standard). This standard does not apply to disclosures to, or requests by, a health care provider for treatment, nor to disclosures made under the individual's written authorization.
HIPAA Security Rule
The HIPAA Security Rule defines the security standards that covered entities must meet whenever electronic PHI (ePHI) is created, received, maintained or transmitted.
To be HIPAA compliant, ePHI must be protected by safeguards that the Security Rule groups as administrative, physical and technical. In practice that means:
- Physical safeguards: facility access controls that limit physical access to the systems holding ePHI to authorized persons, plus policies governing workstation use and the handling of devices and media that contain ePHI.
- Technical safeguards: access controls that ensure only authorized users can reach ePHI. This includes unique user identification for each person (no shared accounts), an emergency access procedure, automatic logoff after inactivity, and encryption. Unique user IDs and the emergency access procedure are required specifications; automatic logoff and encryption are "addressable", meaning the entity must implement them or document why an equivalent alternative is reasonable.
- Integrity and contingency: integrity controls (such as cryptographic checksums or signatures) to detect that ePHI has not been improperly altered or destroyed, plus data backups, a disaster recovery plan and an emergency mode operation plan. The rule files this contingency plan under administrative safeguards.
- Network (transmission) security: technical measures that guard against unauthorized access to ePHI while it travels over a network, such as encrypting it in transit.
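The controls above are stated as requirements rather than mechanisms. The following Python is an added example, not code from this page, from HHS or from any HIPAA product, showing what a few of them look like inside an application: unique user IDs instead of shared accounts, an inactivity timeout for automatic logoff, a logged emergency ("break-glass") access path, HMAC-SHA256 tags as an integrity control on stored records, and purpose-based field filtering for the Privacy Rule's minimum necessary standard. The record layout, roles, purposes, 15-minute timeout, integrity key and patient data are all constructed for the example; encryption of ePHI at rest and in transit is left to a real AEAD library or TLS and is not shown.

```python
import hashlib
import hmac
import json
import time

# Assumed demo-only integrity key; a real deployment pulls this from a KMS or HSM.
INTEGRITY_KEY = b"demo-only-integrity-key-do-not-use"
AUTO_LOGOFF_SECONDS = 15 * 60  # assumed inactivity limit for automatic logoff

# Minimum necessary: the fields each purpose may see (assumed local policy).
FIELDS_BY_PURPOSE = {
    "treatment": {"patient_id", "name", "diagnosis", "medications"},
    "payment": {"patient_id", "name", "procedure_codes"},
}
# Which purposes each role may invoke (assumed local policy).
PURPOSES_BY_ROLE = {"clinician": {"treatment"}, "billing": {"payment"}}


def seal(record: dict) -> dict:
    """Integrity control: tag the canonical JSON form of a record with HMAC-SHA256."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(INTEGRITY_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def open_sealed(sealed: dict) -> dict:
    """Refuse to use a record whose tag no longer matches its body."""
    expected = hmac.new(INTEGRITY_KEY, sealed["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        raise ValueError("integrity check failed: record altered or corrupted")
    return json.loads(sealed["body"])


class PhiGateway:
    def __init__(self, users: dict, now=time.monotonic):
        self.users = users    # unique user id -> role (no shared accounts)
        self.records = {}     # patient_id -> sealed record
        self.sessions = {}    # user id -> last activity time
        self.audit = []       # (user, patient, purpose, outcome)
        self.now = now        # injectable clock so the timeout is testable

    def store(self, record: dict) -> None:
        self.records[record["patient_id"]] = seal(record)

    def login(self, user_id: str) -> None:
        if user_id not in self.users:
            raise PermissionError("unknown user id")
        self.sessions[user_id] = self.now()

    def _touch(self, user_id: str) -> None:
        """Automatic logoff: an idle session is terminated, not silently refreshed."""
        last = self.sessions.get(user_id)
        if last is None:
            raise PermissionError("no active session")
        if self.now() - last > AUTO_LOGOFF_SECONDS:
            del self.sessions[user_id]
            raise PermissionError("session expired by automatic logoff")
        self.sessions[user_id] = self.now()

    def read(self, user_id: str, patient_id: str, purpose: str, emergency: bool = False) -> dict:
        self._touch(user_id)
        role = self.users[user_id]
        if emergency:
            fields = None   # break-glass: whole record, always audited as EMERGENCY
        elif purpose in PURPOSES_BY_ROLE.get(role, set()):
            fields = FIELDS_BY_PURPOSE[purpose]
        else:
            self.audit.append((user_id, patient_id, purpose, "DENIED"))
            raise PermissionError(f"role {role} may not access PHI for {purpose}")
        record = open_sealed(self.records[patient_id])   # verify integrity before any use
        self.audit.append((user_id, patient_id, "EMERGENCY" if emergency else purpose, "OK"))
        return record if fields is None else {k: v for k, v in record.items() if k in fields}


def demo() -> dict:
    """Constructed scenario (no real data) exercising each control in turn."""
    clock = [1000.0]
    gw = PhiGateway({"dr_lee": "clinician", "acct_7": "billing"}, now=lambda: clock[0])
    gw.store({"patient_id": "P001", "name": "A. Example", "diagnosis": "J45",
              "medications": ["salbutamol"], "procedure_codes": ["99213"]})
    gw.login("dr_lee")
    gw.login("acct_7")
    out = {"treatment_view": gw.read("dr_lee", "P001", "treatment"),
           "payment_view": gw.read("acct_7", "P001", "payment")}
    try:
        gw.read("acct_7", "P001", "treatment")          # billing asking for clinical data
    except PermissionError as e:
        out["billing_denied"] = str(e)
    out["break_glass"] = gw.read("acct_7", "P001", "payment", emergency=True)
    clock[0] += AUTO_LOGOFF_SECONDS + 1                 # simulate an idle session
    try:
        gw.read("dr_lee", "P001", "treatment")
    except PermissionError as e:
        out["auto_logoff"] = str(e)
    gw.login("dr_lee")
    gw.records["P001"]["body"] = gw.records["P001"]["body"].replace("J45", "J44")  # tamper
    try:
        gw.read("dr_lee", "P001", "treatment")
    except ValueError as e:
        out["tamper_detected"] = str(e)
    out["audit"] = gw.audit
    return out
```

Two design choices matter here: the clock is injected so the logoff path can be exercised without waiting, and the integrity tag is verified before any field filtering, so a tampered record is never partially disclosed. In a real deployment the key would come from a KMS or HSM, the audit list would be an append-only store, and the break-glass path would page someone for review.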