This is intended to offer a broad overview of HIPAA, including an explanation of what it’s all about, as well as what kinds of businesses, organizations and individuals it affects.
Let us begin with the most basic information about this government mandate. The acronym “HIPAA” is short for the Health Insurance Portability and Accountability Act of 1996. Those who are familiar with the law and its requirements joke about how often the acronym is misspelled by people who know little about it, which is likely due to a general lack of exposure on the part of individuals who have never worked in healthcare or a related industry. Many people, particularly those who work in IT, can recall at least one occasion when they received correspondence from a vendor or consultant who misspelled the acronym as “HIPPA.”
While one of the chief goals of HIPAA is to safeguard Protected Health Information (PHI), it involves much more than that. The law also establishes regulations regarding the way data must be shared electronically, and how to extend authorizations allowing access to individual health information.
PHI is sometimes referred to as “personal health information.” PHI consists of just what one might think it would: it includes personal identifying information such as name, DOB, SSN, phone number and insurance ID, as well as any individual medical data. That data could be anything from details about an ongoing medical condition or prescriptions to lab test results or health payment records. There is much more that could be elaborated on the specifics of PHI, but for the purposes of this article, the basic definition of the acronym will suffice.
HIPAA is intended to safeguard PHI, and to enforce rules governing electronic transmissions of PHI and healthcare transactions. HIPAA can be boiled down to three major components:
I. Privacy: This part of HIPAA focuses on protecting PHI and establishes the rules for how and when PHI is released, and to whom. This portion of HIPAA also affords individuals proprietorship over their medical records, and the ability to access those records or to correct the information contained within them.
II. Security: This part of HIPAA includes regulations concerning the security of the systems used to store, share, process, or access PHI. This component of HIPAA deals with electronic PHI, or ePHI for short. This portion of the law does not necessarily offer guidance on how best to keep technology secure, so some features are left open to interpretation. Another important aspect to understand is that each specification is labeled as either addressable or required; required specifications are steps that must be completed. For addressable specifications, an entity must either implement the specification as it is written, implement an acceptable alternative, or implement nothing at all because the measure is neither reasonable nor needed in its environment. In every such case, it is critical that the determination made for each addressable specification is carefully documented.
III. Administrative: This aspect of HIPAA centers around the proper coding needed for exchanging health data on the financial side of healthcare, such as insurance claims. This portion of HIPAA aims to make it much easier to share data from an administrative standpoint, in that a business will not need to track a vast number of code sets. A typical code set seen in these financial transactions is NCPDP, which relates to pharmacies.
In general, entities that are impacted by HIPAA fall under one of two categories:
I. Covered Entities: Health plans, health care clearinghouses and health care providers who electronically transmit any health information in connection with certain transactions fall under this category.
II. Business Associates: These are defined as any business partner, individual or subcontractor who carries out services for a Covered Entity and who might also transmit, access, process or provide storage for PHI. The addition of subcontractors is the result of a change to HIPAA that was enacted in 2013. Note: A Covered Entity can also be a Business Associate.
Congratulations! After reading this article, you now have a basic understanding of HIPAA. Future articles will go more in depth on the intricacies of its provisions.