HIPAA, the Health Insurance Portability and Accountability Act, was enacted by U.S. legislation in 1996. The aim of the HIPAA act is to secure patients' private information and to make sure health information is not disclosed to anybody without the patient's consent; if it is disclosed, the patient should be notified.
However, because of frequent data breaches in the healthcare sector, the U.S. government established a new rule, the HIPAA Omnibus Rule, in 2013. Its underlying purpose is to ensure the privacy and security of the medical information handled by health care providers and insurance companies.
Under the new rule, health care providers and their third-party business associates are both mandated to abide by the HIPAA compliance act.
The Two Components of HIPAA
Privacy Rule
As the name implies, it emphasizes securing the individual's health information, including data such as treatment information, lab reports, insurance details, and more. It restricts the sharing of personal information without the consent of the individual.
Security Rule
It covers the safeguards healthcare organizations must put in place to protect the patient's details. The Security Rule involves physical and technical measures that protect the integrity of the patient's information.
The Covered Entities Under HIPAA Compliance
The HIPAA act applies to all covered entities that fall under the umbrella of health care and related services. The U.S. Department of Health and Human Services (HHS) states that health care providers, health plans, and healthcare clearinghouses are all grouped together under the HIPAA compliance act.
- Health care providers include hospitals, doctors, clinics, laboratories, nursing homes, and pharmacies.
- Health insurance companies, health plans, and HMOs (health maintenance organizations) are grouped together as health plans.
- A healthcare clearinghouse can also be called a third-party service provider: it is directly involved with patient care, but its role is to organize and maintain patient records in digital form for easy sharing with other covered entities.
Types of Health Information Collected
There are two types of information: PHI (public health information) and CHI (consumer health information).
In this case, access to the patient’s records is restricted based on the use of the data. Therefore, it is essential to understand the difference between PHI and CHI to understand the implication of the HIPAA act on information collection.
| Public Health Information (PHI) | Consumer Health Information (CHI) |
|---|---|
| It is also known as protected health information, as one can use it to identify the individual via medical records. | It involves medical information collected from a group of individuals. It does not identify the individual persons. |
| The medical records include diagnosis and treatment details and also the billing information from the insurance companies. | It includes information on health, medical conditions, and other medical terms. |
| Public health information cannot be accessed or used without the individual's consent. | The government and NGOs can access consumer health information for awareness programs, statistics, and healthcare development plans. It does not require an individual's approval. |
| The covered entity handles public health information, and it is secured by vendors and service providers. | Consumer health information is collected through online means such as software applications, IoT devices, and healthcare devices. |
What Makes HIPAA Compliance Important?
The surge in cyber-attacks such as data breaches has created greater concern about the storage and use of medical records. Instances of theft of medical information from databases have increased exponentially, which makes the healthcare industry a prime target for hackers.
HIPAA compliance helps the covered entities secure patients' medical records through administrative, physical, and virtual methods.
- Standard Protocol: The HIPAA act has created standard rules and procedures for collecting, storing, and using PHI (personal health information) and CHI (consumer health information).
- Patient Control: It restricts the usage of medical records and prevents the illegal use of personal information. As a result, patients have more control over their medical records.
- Cybersecurity: It helps the covered entities and related service providers safeguard the privacy of medical information, preventing cyber threats such as data theft and data breaches.
- Accountability: It makes healthcare providers and other service providers accountable for any leak or theft of a patient's health information. In case of violations, civil and criminal proceedings can be brought against the organization.
- Limited Access: The act limits access to health information. It lays down the circumstances under which the data can be retrieved and used. It also enables users to track their details and monitor how they are used. The image below shows the number of breaches due to unauthorized access to PII data.
- Privacy Rights: Under this act, individuals can retrieve their medical records whenever needed, whether for health care or for medical bill reimbursement.
The Information Secured Under HIPAA
The HIPAA act specifically protects PHI (personal health information) that can be used to identify the individual. This information can be either physical or digital. The health care data protected under HIPAA includes:
- Personal Details: Name, age, address, phone number, date of birth, SSN (Social Security Number), and other personally identifiable numbers.
- Medical Information: All diagnoses and treatments given to the individual, covering both physical and mental health. Examples are laboratory reports, scan documents, hospital records, and more. It also includes future interpretations or opinions of the medical practitioners.
- Financial Information: Health care expenses and any insurance claims. Such information can be traced back to find the details of the individual.
It is also important to be aware of the details that do not fall under HIPAA compliance: employment details, education records, and other non-identifiable information.