What Entities and Information Does HIPAA Protect?
An individual’s medical and healthcare records often contain sensitive identifying information that many bad actors would like to get their hands on.
It’s no surprise, then, that 95% of identity theft incidents come from stolen healthcare records.
Health records have to be protected at all costs, which is why Congress implemented HIPAA in 1996. HIPAA is designed to prevent medical record breaches that can negatively affect individuals and entities in numerous ways.
Read on for a brief recap of HIPAA, and learn what information it protects, who it covers, and how you can ensure that your entity remains HIPAA compliant.
A Brief Recap: What is HIPAA?
One of the main goals of HIPAA is to protect the privacy of individuals’ medical records and other personal health information. This includes information about an individual’s medical history, treatment, test results, and health insurance coverage, also known as “protected health information” (PHI).
The HIPAA Privacy Rule covers any medical information that can be used to identify a patient. PHI may include diagnoses, treatment information, medical test results, and prescription information if these records possess a certain one or more of the 18 HIPAA identifiers, such as contact information, birth date, and ethnicity.
What Entities Does HIPAA Cover?
HIPAA applies to all healthcare providers, health plans, and healthcare clearinghouses that transmit health information electronically. If they possess personal patient health records and/or conduct certain financial transactions electronically, HIPAA applies. Even if these covered entities contract out to Business Associates (BAs), they are still obligated by Congress to abide by the Privacy Rule.
According to the HHS website, “The HHS does not have the authority to regulate employers, life insurance companies, or public agencies that deliver social security or welfare benefits.”
How Does HIPAA Protect ePHI?
HIPAA requires that healthcare providers and other covered entities implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI.
Another important aspect of HIPAA is its Security Rule, which sets national standards for securing electronic PHI (ePHI). This includes implementing administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI.
These safeguards are designed to protect ePHI from unauthorized access, use, disclosure, alteration, and destruction. Examples of these safeguards include implementing firewalls, encryption, regularly monitoring network activity, and conducting periodic security risk assessments.
What Are the Rights of an Individual Under HIPAA?
HIPAA requires healthcare providers and other covered entities to notify individuals of their rights to access and control their PHI and to provide them with a notice of privacy practices. This notice must be provided to the individual when they first receive care and must also be made available on the covered entity’s website.
HIPAA includes a provision known as the “breach notification rule,” which requires covered entities to notify individuals, the Department of Health and Human Services (HHS), and, in some cases, the media if their PHI has been compromised. This helps to ensure that individuals are aware of a potential breach of their PHI and can take steps to protect themselves.
The HIPAA Privacy Rule also gives individuals the legal right to access and obtain copies of their medical records from their healthcare and health plan providers. Meaning if a patient requests to see an important medical document from a covered entity, then the request can’t be denied.
As more records exist online and security and privacy breaches become more prevalent, it is more important than ever that individuals understand their rights and that covered entities take the proper steps to ensure consistent HIPAA compliance.
If you want to learn more about ensuring HIPAA compliance, get in touch with the experts at HIPAA One by Intraprise Health.