With the passage of HIPAA, the Department of Health and Human Services issued an important regulation to protect patients’ health and personal information: the Privacy Rule. Before we dig into the details of what the HIPAA Privacy Rule is and which types of information it protects, we’ll help you answer the most important question — is your organization required to follow the HIPAA Privacy Rule?
HIPAA defines organizations that have obligations under the Privacy Rule as either covered entities or business associates. Let’s look at covered entities first since they have the greatest requirements under the HIPAA Privacy Rule.
The HIPAA Privacy Rule applies to health plans, healthcare clearinghouses, and other healthcare providers that conduct certain financial and administrative transactions electronically. Collectively, these entities are called covered entities and are bound by the HIPAA privacy standards. Let’s take a closer look at each of these groups:
Health plans — According to the Centers for Medicare & Medicaid Services, health plans include health insurance companies, health maintenance organizations (HMOs), employer-sponsored health plans, and government programs that pay for healthcare (like Medicare, Medicaid, and military and veterans’ health programs).
Healthcare clearinghouses — The CMS states that clearinghouses include “organizations that process nonstandard health information to conform to standards for data content or format, or vice versa, on behalf of other organizations.”
Healthcare providers — Healthcare providers that “conduct certain financial and administrative transactions electronically,” and thus are covered under the HIPAA Privacy Rule, can include but aren’t limited to:
Business associates are organizations or individuals that contract with covered entities to perform some of their essential functions. Business associates can include the following groups:
In order to engage a business associate, a covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with HIPAA.
It’s important to note that a covered entity (health plan, healthcare clearinghouse, or healthcare provider) can also be a business associate of another covered entity.
HIPAA does not give the Department of Health and Human Services (HHS) the authority to regulate other types of private businesses or public agencies through this regulation. For example, HHS doesn’t have the authority to regulate life insurance companies, employers, or public agencies that deliver social security or welfare benefits.
The HIPAA Privacy Rule protects all "individually identifiable health information" — known as protected health information (PHI) — held or transmitted by a covered entity or its business associate in any form or media, whether electronic, paper, or oral.
The rule not only sets national standards to protect patients’ medical records and other PHI but also requires reliable measures to protect PHI privacy, gives individuals rights over their PHI, and establishes which uses and disclosures of PHI are permitted and which disclosures are required.
Knowing that the HIPAA Privacy Rule covers all PHI is one thing. Knowing exactly what that means in real life is another. Broadly speaking, there are three types of information you’ll want to understand in the context of the HIPAA Privacy Rule: individually identifiable health information, summary health information, and de-identified health information.
Individually identifiable health information — which, as we mentioned above, is also known as protected health information (PHI) — is information, including demographic data, that relates to an individual’s past, present, or future physical or mental health or condition, and the provision of healthcare to the individual. It also includes the past, present, or future payment for the provision of healthcare to the individual, including that which identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
Summary health information is information that may be individually identifiable health information and that also meets the following criteria:
De-identified health information neither identifies nor provides a reasonable basis to identify an individual, and there are no restrictions on the use or disclosure of de-identified health information. There are two ways to de-identify information:
The second method is only adequate if the covered entity has no actual knowledge that the remaining information could be used to identify the individual.
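The post describes de-identification only in outline: strip or coarsen the information that identifies a person, then make sure the organization has no knowledge that what remains could still identify someone. The following is an added illustration of that idea and is not code from the original post or from Strike Graph. The field names, the sample records, and the choice of which fields count as direct identifiers (name, SSN, record number, contact details) versus quasi-identifiers (birth year, three-digit ZIP, sex) are assumptions made for the example; they are not the regulation’s own list.

```python
"""
Illustrative de-identification of patient records (added example, not from
the original post). Step 1 removes direct identifiers and generalizes the
fields that could still narrow a person down. Step 2 reflects the caveat in
the text: the covered entity must have no actual knowledge that the remaining
data identifies an individual, so we flag any record whose remaining
quasi-identifiers match fewer than k records in the data set.
"""
from collections import Counter

# Assumed categories for this example, not the regulation's own list.
DIRECT_IDENTIFIERS = {"name", "ssn", "mrn", "email", "phone", "street"}
QUASI_IDENTIFIERS = ("birth_year", "zip3", "sex")


def generalize(record):
    """Return a copy with direct identifiers dropped and quasi-identifiers coarsened."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                # drop outright
        if key == "dob":
            out["birth_year"] = str(value)[:4]      # keep the year only
        elif key == "zip":
            out["zip3"] = str(value)[:3]            # keep the first three digits
        elif key == "age":
            out["age"] = "90+" if value >= 90 else value  # bucket very old ages
        else:
            out[key] = value                        # clinical data stays
    return out


def singled_out(records, k=2):
    """Indices of records whose quasi-identifier combination occurs fewer than k times."""
    key = lambda r: tuple(r.get(q) for q in QUASI_IDENTIFIERS)
    groups = Counter(key(r) for r in records)
    return [i for i, r in enumerate(records) if groups[key(r)] < k]


def deidentify(records, k=2):
    """Generalize every record, then report which ones still stand out."""
    cleaned = [generalize(r) for r in records]
    return cleaned, singled_out(cleaned, k)


# Constructed sample data for the example; no real patients.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "ssn": "000-00-0001", "mrn": "MRN-1",
     "dob": "1984-07-12", "zip": "02139", "sex": "F", "age": 41,
     "diagnosis": "asthma"},
    {"name": "Bea Sample", "ssn": "000-00-0002", "mrn": "MRN-2",
     "dob": "1984-01-30", "zip": "02142", "sex": "F", "age": 41,
     "diagnosis": "type 2 diabetes"},
    {"name": "Carl Demo", "ssn": "000-00-0003", "mrn": "MRN-3",
     "dob": "1933-03-05", "zip": "90210", "sex": "M", "age": 92,
     "diagnosis": "hypertension"},
]

if __name__ == "__main__":
    cleaned, flagged = deidentify(SAMPLE_RECORDS)
    for i, rec in enumerate(cleaned):
        marker = "  <- still unique on quasi-identifiers" if i in flagged else ""
        print(rec, marker)
```

Run as a script, the first two records end up sharing the same birth year, ZIP prefix, and sex, so neither is flagged; the third record is flagged because nobody else in the sample matches it, which is exactly the situation where the covered entity cannot claim it lacks knowledge that the remaining data could identify the person. Raising `k` makes the check stricter.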
Having a system — like Strike Graph — that simplifies the complicated requirements of HIPAA compliance can make all the difference. Our platform is designed to reduce the stress, effort, and cost of HIPAA compliance.
Most importantly, Strike Graph sets you up for future growth beyond HIPAA. Once you’ve set up your controls and evidence for HIPAA, you can easily apply them to any framework your organization needs to keep growing. Strike Graph supports ISO 27001, SOC 2, PCI DSS, GDPR, and CCPA.