HIPAA is a dictionary in and of itself. With so many terms — like summary health information — floating around the Health Insurance Portability and Accountability Act of 1996 (HIPAA), it can be difficult to untangle what they each mean and how they relate to each other. 

As a quick refresher, HIPAA is a collection of medical privacy regulations for healthcare organizations handling sensitive personal health information, or PHI. It sets the standard for security, privacy, and integrity of patient data.

To understand summary health information, we’ll first need to talk about an important component of HIPAA — the Privacy Rule.

The HIPAA Privacy Rule

The HIPAA Privacy Rule applies to healthcare clearinghouses, health plans, and other healthcare providers that conduct transactions electronically. It sets national standards to protect patients' medical records and other personal health information, or PHI, and requires reliable measures to protect PHI privacy.

The following rights and requirements are also established by the HIPAA Privacy Rule:

• Individuals' rights over their health information, including rights to access and review a copy of their records and request modifications
• Authorized actions and the required disclosures that apply to such data

In short, the Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI).”

What is protected health information (PHI)?

Protected health information is defined by HIPAA as information, including demographic data, that relates to any of the following:

• The individual’s past, present, or future physical or mental health or condition
• The provision of health care to the individual
• The past, present, or future payment for the provision of health care to the individual and identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual

Individually identifiable health information includes many common identifiers such as name, address, birth date, Social Security Number, demographic information, medical histories, test and laboratory results, mental health conditions, insurance information and other data that a healthcare professional collects to identify an individual and determine appropriate care.

While the HIPAA Privacy Rule provides federal protections for PHI held by covered entities and gives patients an array of rights with respect to that information, it also permits the disclosure of PHI needed for patient care and other important purposes.

What is summary health information?

According to HIPAA, summary health information is information that may be individually identifiable health information and meets both of the following criteria: 

• Summarizes the claims history, claims expenses, or type of claims experienced by individuals for whom a plan sponsor has provided health benefits under a group health plan 
• Has had the information described at § 164.514(b)(2)(i) deleted, except that the geographic information described in § 164.514(b)(2)(i)(B) need only be aggregated to the level of a five digit zip code

In other words, summary health information is information that summarizes claims history, claims expenses, or types of claims experience of the individuals for whom the plan sponsor has provided health benefits through the group health plan and that is stripped of all individual identifiers other than five digit zip code.

What can summary health information be used for?

Except as prohibited by § 164.502(a)(5)(i), the group health plan, or a health insurance issuer or HMO with respect to the group health plan, may disclose summary health information to the plan sponsor, if the plan sponsor requests the summary health information for one of the following purposes:

• Obtaining premium bids from health plans for providing health insurance coverage under the group health plan 
• Modifying, amending, or terminating the group health plan

What’s the Privacy Practices Notice?

The Privacy Rule requires that each covered entity, with certain exceptions, provide a notice of its privacy practices, known as the Privacy Practices Notice. This notice must include the following information:

• Describe the ways in which the covered entity may use and disclose protected health information
• State the covered entity’s duties to protect privacy, provide a notice of privacy practices, and abide by the terms of the current notice
• Describe individuals’ rights, including the right to complain to the United States Department of Health and Human Services (HHS) and to the covered entity if they believe their privacy rights have been violated
• Include a point of contact for further information and for making complaints to the covered entity

When it comes to distributing this notice, covered entities — whether direct treatment providers or indirect treatment providers (such as laboratories) or health plans — must meet the following requirements:

• Supply to anyone on request
• Distribute no later than the first service encounter by personal delivery (for patient visits), by automatic and contemporaneous electronic response (for electronic service delivery), and by prompt mailing (for telephonic service delivery)
• Post the notice at each service delivery site in a clear and prominent place where people seeking service may reasonably be expected to be able to read the notice
• In emergency treatment situations, furnish the notice as soon as practicable after the emergency abates

A covered entity must also make its notice electronically available on any web site it maintains for customer service or benefits information.

Simplify and speed up HIPAA compliance

As you can see, the ins and outs of achieving and maintaining HIPAA compliance are complex. Luckily, no company has to navigate this process on their own. 

Strike Graph’s flexible, right-sized system simplifies and speeds up the complicated requirements of HIPAA compliance, saving your company time and money. Our platform takes you from risk assessment to compliance:

• Tailor your compliance approach with our risk assessment tool.
• Reduce documentation effort with our extensive library of ready-to-use controls and evidence.
• Build a culture of HIPAA compliance across your organization.
• Ensure ongoing compliance with penetration testing.