Should You Be Considering HIPAA Compliance? What Is HIPAA, Anyway?


DISCLAIMER: We are not lawyers and we advise you to seek your own legal counsel when dealing in the regulatory environment. This article is for informational purposes only and is not legal advice. Remote Cloud Consulting Inc. cannot be held liable for any decisions made as a result of reading this article.

The increasing proliferation of the digital world has created whole new industries and occupations. It has also offered a staggering level of convenience and accessibility for individuals and organizations of all sizes. But any innovation also brings new challenges, obstacles, and issues that need resolution.

When it comes to the online world, no issue is as consistently glaring and troublesome as privacy and data security. On the one hand, consumers are concerned about how healthcare organizations and insurers handle their personal and financial information. On the other hand, businesses and other organizations want to ensure they comply with data privacy regulations so they can get down to the business of running a business.

That’s why lately, we’ve been exploring different aspects of data privacy with articles about the GDPR and COPPA. Now it's time to round out the series by spotlighting HIPAA's take on privacy.

What is HIPAA, Anyway?

If you have health insurance and value your personal information and privacy, you need to know this!

HIPAA stands for the Health Insurance Portability and Accountability Act, a US federal statute signed into law in 1996. The act set out to do three things:

  • Create a set of consistent national standards to protect patients’ personal information and medical records.
  • Grant patients increased control over their health information.
  • Establish boundaries and guidelines for using and releasing health records.

So, HIPAA is all about protecting the privacy of American patients and limiting what organizations can do with that data by providing guidance in areas like usage and disclosure of sensitive health information. So far, so good.

The Main Components of HIPAA

HIPAA breaks down into three fundamental rules.

We have seen the three things that HIPAA set out to do, and now we will check out its three main rules. Once we’re done here, we will see that HIPAA has a lot of things that come in threes!

  • Privacy Rules. These rules control how covered groups, including health insurers, health care clearinghouses, medical service providers, and employer-sponsored health plans, can use and disclose Protected Health Information (PHI) that they hold while conducting certain transactions. Protected Health Information covers payment for health care, health status, and health care provision. In addition, PHI includes data such as patient names, Social Security numbers, various diagnoses, and payment history. Some information can be disclosed without requiring the patient's permission to facilitate things like healthcare operations, payments, and treatments. However, other PHI disclosures require the patient's consent.
  • Security Rules. While the Privacy Rules cover PHI on paper (hardcopy) as well as electronic PHI (better known as ePHI), the Security Rules focus solely on ePHI. The Security Rules break down into three distinct security safeguards. Each safeguard has its own procedures, standards, and specifications for maintaining patient privacy.
    • Administrative. Sets of procedures and policies created to demonstrate how to achieve compliance.
    • Physical. It involves controlling physical access to protected data, including facility security plans, visitor sign-in, maintenance records, and visitor escorts. This safeguard also covers hardware and software access and proper use of the facility’s workstations, plus restrictions and guidelines for removing, transferring, disposing, and re-using ePHI and electronic media.
    • Technical. This safeguard covers computer system access, electronic transmissions, and all related documentation. Additionally, this includes unique user IDs, automatic log-off, emergency access procedures, and data encryption/decryption.

  • Breach Notification Rules. This one’s fairly straightforward. Any organization that suffers a PHI breach must report the situation. The procedure differs according to how many people are affected. If the breach affects 500 or more patients, it must be reported to the Department of Health and Human Services Office for Civil Rights (HHS OCR), the affected patients, and the media. If the breach affects fewer than 500 patients, it must be reported to both the HHS OCR and the patients involved.

Space doesn’t permit us to go into excruciating detail on the various standards and practices, but you can check out HIPAA for yourself here.

What HIPAA Does for Patients

Here’s why HIPAA is so crucial in today’s security-conscious environment.

At its most fundamental level, HIPAA gives patients the peace of mind that their private medical information is being kept safe, and that access is limited to only the appropriate parties at the right times. In addition, it gives patients a measure of control over their data, which is a very valuable benefit. After all, if someone is battling a chronic condition, for example, the last thing they need added to their worries is the security of their personal medical information.

HIPAA is a huge step in promoting and preserving patients’ rights. The thoroughness of the rules and the severity of the non-compliance penalties testify to the seriousness of the matter. In addition, HIPAA safeguards privacy and dignity.

Organizations that must comply with HIPAA include doctors, clinics, dentists, hospitals, psychologists, chiropractors, nursing homes, and pharmacies.

What HIPAA Does Not Do

HIPAA has its limitations, something that the COVID pandemic has made clear.

Like any other set of rules, HIPAA isn’t all-encompassing. There are areas the regulations don’t reach. For instance, here’s a list of organizations that don’t have to follow HIPAA standards:

  • Employers/Private companies
  • Most law enforcement agencies
  • Life insurers
  • Airlines
  • Many state and municipal agencies
  • Most school districts and/or schools
  • Workers’ compensation carriers

Consequently, here are some examples of health information not protected by HIPAA:

  • Health information found in education records
  • Health information found in employment records
  • Health information about an individual who has been dead for over 50 years
  • Health information that has been de-identified, meaning that all personally identifiable items have been removed

HIPAA has been in the news of late, thanks to COVID-19. Some have cited HIPAA as a reason why they don’t have to divulge whether or not they’ve received their COVID vaccinations. However, according to the Department of Health and Human Services, asking about someone’s vaccination status is not a HIPAA violation, as HIPAA regulations only apply to health plans, healthcare providers, and health care clearinghouses.

HIPAA, the Digital World, and Compliance

Here is how today’s ongoing data security concerns affect HIPAA compliance.

The good news is that today’s electronic data is easier to create, store, edit, and retrieve than its hardcopy counterparts. The bad news is that the security and privacy stakes are much higher, with more opportunities for things to go wrong.

The United States Government, mindful of the increased risk that electronic data carries, passed a new act to supplement the original HIPAA: the Health Information Technology for Economic and Clinical Health (HITECH) Act (kudos for a spot-on acronym!), which boosts penalties for health organizations that break the HIPAA Privacy and Security Rules. The HITECH Act came about as a response to the development and ubiquity of modern health technology, and the increased use, transmission, and storage of electronic health information.

Data security is a big deal in today’s digital landscape. With more of our lives residing online and especially in the cloud, all that sensitive information (personal, financial, medical) means that the stakes are higher than ever. It doesn’t help matters that cybercrime is on the rise.

HIPAA regulations give businesses and other organizations the incentive to develop and implement a viable data protection strategy. A sound data protection strategy should serve three purposes:

  • Conform to HIPAA and HITECH rules and regulations for audit, access, data transmission, integrity controls, and device security.
  • Create and maintain trust from patients and health care providers by guaranteeing the availability and security of Protected Health Information (PHI).
  • Establish and perpetuate greater visibility and control of the entire organization’s sensitive data.

Where Do I Go from Here?

How to keep your HIPAA ducks in a row.

If your business or organization falls within the definition of a healthcare provider, then it’s essential to make sure that your policies and procedures conform to HIPAA standards. That’s why it’s vital to have a resource available that can help you sort through the demands, rules, and regulations, especially as they pertain to information stored in the cloud. More organizations are turning to the cloud for data storage, software subscriptions, and virtual machines, so the better you comprehend the rules, the better prepared your organization will be.

The Internet is a crazy, exciting place, but it comes with its share of challenges, rules, and regulations. When you need answers and guidance, check out a knowledgeable consultant or lawyer who can show you the way.

Let's Discuss Your Project and Determine If We Are a Good Fit

We are here to help. Once we discuss your project, it's simple. We will either tell you that we can help, or we will point you in a better direction. We are not here to sell you on services you don't need. We are here to help your business succeed.

Hand off your cloud development needs, so you can focus on your core business objectives.