Sashiraj Chandrasekaran

HIPAA

Standards

An overview of HIPAA and its main considerations and safeguards

HIPAA stands for the Health Insurance Portability and Accountability Act. HIPAA requires healthcare organizations (the "covered entities" described below) and the vendors that handle data on their behalf to implement safeguards that protect the confidentiality, integrity and availability of patients' personal data and health information.

Anyone who works with patient data in the healthcare industry is expected to know the HIPAA requirements; covered entities are obliged to train their workforce on them.

Key goals of HIPAA - the privacy and security of patients' health data.

Why is HIPAA necessary?

..* To protect the individual - protect the privacy, dignity and identity of the patient.

..* To benefit society - protect patients involved in research from harm and ensure the confidentiality of research data.

What is Protected Health Information?

Protected Health Information (PHI) is individually identifiable health information held or transmitted by a covered entity or its business associate, in any form (paper, oral or electronic). It covers information about an individual's past, present or future physical or mental health, the provision of healthcare to the individual, or payment for that healthcare, where the information identifies the individual or could reasonably be used to identify them. Demographic information counts as PHI when it is linked to health information in this way.

Examples - the 18 identifiers whose removal makes data "de-identified" under the Safe Harbor method:

  1. Names
  2. Geographic subdivisions smaller than a state (street address, city, county, ZIP code)
  3. All elements of dates (except year) directly related to an individual, such as birth, admission, discharge and death dates, and all ages over 89
  4. Phone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security Numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers/serial numbers/license plate numbers
  13. Device identifiers
  14. URLs
  15. IP address
  16. Biometric identifiers
  17. Full-face photographs and any comparable images
  18. Any other unique identifying number, characteristic or code.

Privacy Rule

The Privacy Rule sets the conditions under which PHI may be used or disclosed and gives patients rights over their records. One of its requirements is that a Notice of Privacy Practices be provided to every patient, explaining how their data will be used and disclosed. The notice must be written in plain language and displayed prominently, for example in the doctor's office and on the provider's website.

Security Rule

The Security Rule protects electronic PHI (e-PHI). It is written to be technology-neutral and scalable, so that organizations of different sizes can adopt new technology as they grow, and it requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of e-PHI.

The rule is built around the CIA triad:

Confidentiality - Protect against unauthorized access to the protected information.

Integrity - Ensure the data is not altered or destroyed, whether accidentally or by anyone without the necessary authorization, and that any modification can be detected.

Availability - The data should be accessible and usable on demand by authorized persons, for the purposes for which it was collected.

Basic Requirements

..* Ensure the confidentiality, integrity and availability of all e-PHI that the covered entity creates, receives, maintains or transmits.

..* Identify and protect against reasonably anticipated threats to the security or integrity of the information.

..* Protect against reasonably anticipated, impermissible uses or disclosures.

..* Ensure compliance by their workforce.

Privacy vs Security

The Privacy Rule focuses on the individual's right to control how their personal health information is used and disclosed, and it applies to PHI in any form. PHI must not be divulged or used by others against the individual's wishes, except where the rule expressly permits it (see the exceptions below).

The Security Rule focuses on the administrative, technical and physical safeguards for electronic records. Protecting e-PHI from unauthorized access, whether the threat is external or internal and whether the data is stored or in transit, all falls under the Security Rule.

Application of the Security Rule

Physical Safeguards

..* Facility Access and Control - A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.

..* Workstation and Device Security - A covered entity must implement policies and procedures to specify proper use of/access to workstations and electronic media. A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal and reuse of electronic media to ensure appropriate protection of PHI.

Administrative Safeguards

..* Security Management Process - A covered entity must identify and analyze risks to e-PHI (a risk analysis) and implement security measures that reduce those risks to a reasonable and appropriate level.

..* Security Personnel - A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.

..* Information Access Management - A covered entity must implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user's or recipient's role.

..* Workforce Training and Management - A covered entity must provide appropriate authorization and supervision of workforce members who work with e-PHI. The workforce must be trained on the security policies and procedures, and appropriate sanctions must be applied to members who violate them.

..* Evaluation - A covered entity must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule.

Technical Safeguards

..* Access Control - A covered entity must implement technical policies and procedures that allow only authorized persons to access e-PHI.

..* Audit Controls - A covered entity must implement hardware, software and procedural mechanisms to record and examine access and other activity in information systems that contain e-PHI.

..* Integrity Controls - A covered entity must implement policies and procedures to ensure e-PHI is not improperly altered or destroyed, together with electronic measures that confirm the information has not been altered or destroyed.

..* Transmission Security - A covered entity must implement technical security measures that guard against unauthorized access to e-PHI while it is being transmitted over an electronic network.
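To make the first three technical safeguards concrete, here is a small added example (not code from the original page, and not any real provider's system) of an in-memory e-PHI store that enforces role-based access control, records every access attempt in an audit log, and attaches an HMAC to each record so that an alteration made outside the application is detected on the next read. The roles, the permission table, the patient record and the fixed demo key are all constructed for the illustration; a real deployment would keep the integrity key in a KMS or HSM and would add transmission security (TLS) on top, which this example does not cover.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed, fictitious sample e-PHI. Not real patient data.
SAMPLE_RECORD = {"name": "Jane Doe", "dob": "1984-03-12", "diagnosis": "J45.20"}

# Assumed role -> permitted actions (Information Access Management:
# access to e-PHI is granted according to the user's role).
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "nurse": {"read"},
    "billing": set(),  # payment staff get no clinical read access in this example
}


class PHIStore:
    """Minimal e-PHI store: role-based access control, an audit trail,
    and a keyed MAC per record so unauthorized alteration is detected."""

    def __init__(self, integrity_key: bytes):
        if len(integrity_key) < 32:
            raise ValueError("integrity key must be at least 256 bits")
        self._key = integrity_key
        self._records: dict[str, tuple[bytes, str]] = {}  # mrn -> (json bytes, tag)
        self.audit_log: list[dict] = []

    def _tag(self, data: bytes) -> str:
        # Integrity Controls: a plain hash could be recomputed by whoever edits
        # the bytes; an HMAC cannot be forged without the key.
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def _audit(self, user: str, role: str, action: str, mrn: str, outcome: str) -> None:
        # Audit Controls: who did what to which record, when, and with what result.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "action": action,
            "mrn": mrn, "outcome": outcome,
        })

    def _authorize(self, user: str, role: str, action: str, mrn: str) -> None:
        # Access Control: denied attempts are logged as well as successful ones.
        if action not in ROLE_PERMISSIONS.get(role, set()):
            self._audit(user, role, action, mrn, "denied")
            raise PermissionError(f"role {role!r} may not {action} e-PHI")

    def write(self, user: str, role: str, mrn: str, record: dict) -> None:
        self._authorize(user, role, "write", mrn)
        data = json.dumps(record, sort_keys=True).encode()  # canonical form before tagging
        self._records[mrn] = (data, self._tag(data))
        self._audit(user, role, "write", mrn, "ok")

    def read(self, user: str, role: str, mrn: str) -> dict:
        self._authorize(user, role, "read", mrn)
        data, tag = self._records[mrn]
        if not hmac.compare_digest(tag, self._tag(data)):  # constant-time compare
            self._audit(user, role, "read", mrn, "integrity_failure")
            raise ValueError(f"record {mrn} has been altered since it was written")
        self._audit(user, role, "read", mrn, "ok")
        return json.loads(data)

    def corrupt_for_demo(self, mrn: str, field: str, value: str) -> None:
        """Simulates an out-of-band edit of the stored bytes (e.g. direct database
        access) by someone who does not hold the integrity key."""
        data, tag = self._records[mrn]
        record = json.loads(data)
        record[field] = value
        self._records[mrn] = (json.dumps(record, sort_keys=True).encode(), tag)


def demo(key: bytes = b"0" * 32) -> dict:
    """Runs three scenarios and returns their outcomes. The default key is for
    the demo only; a real system would load the key from a KMS or HSM."""
    store = PHIStore(key)
    store.write("dr_smith", "physician", "MRN-0001", SAMPLE_RECORD)
    out = {"nurse_read": store.read("n_jones", "nurse", "MRN-0001")}
    try:
        store.read("b_lee", "billing", "MRN-0001")
        out["billing_read"] = "allowed"
    except PermissionError:
        out["billing_read"] = "denied"
    store.corrupt_for_demo("MRN-0001", "diagnosis", "Z00.00")
    try:
        store.read("dr_smith", "physician", "MRN-0001")
        out["tampered_read"] = "undetected"
    except ValueError:
        out["tampered_read"] = "detected"
    out["audit_outcomes"] = [entry["outcome"] for entry in store.audit_log]
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` shows the nurse's read succeeding, the billing user's read being refused and logged, and the physician's read after the out-of-band edit failing with an integrity error rather than silently returning the altered diagnosis. The audit log holds four entries, one per attempt, including the denied and the failed ones, which is what an auditor examining "activity in information systems that contain e-PHI" needs to see.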

Covered Entities

..* Health Plans - Individual or group plans that provide or pay the cost of medical care, e.g. health insurance companies, HMOs and government programs such as Medicare and Medicaid.

..* Healthcare Clearinghouses - Entities that process healthcare claims and other health information, converting it between nonstandard and standard formats, e.g. billing services.

..* Healthcare Providers - Hospitals, doctors, clinics, pharmacies and other providers that transmit health information electronically in connection with standard transactions.

..* Business Associates - Not covered entities themselves, but any person or organization that creates, receives, maintains or transmits PHI on behalf of a covered entity (e.g. billing, IT, cloud hosting or records-storage vendors). They must sign a business associate agreement and are directly bound by the Security Rule.

Exceptions when PHI can be shared without consent

The Privacy Rule permits certain uses and disclosures of PHI without the patient's written authorization, so that privacy protections do not interfere with an individual's access to quality healthcare. The main permitted purposes are treatment, payment and healthcare operations:

..* PHI can be shared with the patient themselves.

..* PHI can be shared with those within the organization who are involved in the patient's treatment (e.g. doctors, nurses, anesthesiologists).

..* PHI can be shared with health plans and other payers to determine whether insurance covers a service and to obtain payment.

© 2022 by Sashiraj Chandrasekaran. All rights reserved.