HIPAA is a dictionary in and of itself. With so many terms — like summary health information — floating around the Health Insurance Portability and Accountability Act of 1996 (HIPAA), it can be difficult to untangle what they each mean and how they relate to each other.
As a quick refresher, HIPAA is a collection of medical privacy regulations for healthcare organizations handling sensitive personal health information, or PHI. It sets the standard for security, privacy, and integrity of patient data.
To understand summary health information, we’ll first need to talk about an important component of HIPAA — the Privacy Rule.
The HIPAA Privacy Rule applies to healthcare clearinghouses, health plans, and other healthcare providers that conduct transactions electronically. It sets national standards to protect patients' medical records and other personal health information, or PHI, and requires reliable measures to protect PHI privacy.
The following rights and requirements are also established by the HIPAA Privacy Rule:
In short, the Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."
Protected health information is defined by HIPAA as information, including demographic data, that relates to any of the following:
Individually identifiable health information includes many common identifiers such as name, address, birth date, Social Security Number, demographic information, medical histories, test and laboratory results, mental health conditions, insurance information and other data that a healthcare professional collects to identify an individual and determine appropriate care.
While the HIPAA Privacy Rule provides federal protections for PHI held by covered entities and gives patients an array of rights with respect to that information, it also permits the disclosure of PHI needed for patient care and other important purposes.
According to HIPAA, summary health information is information that may be individually identifiable health information and meets both of the following criteria:
In other words, summary health information is information that summarizes the claims history, claims expenses, or types of claims experience of the individuals for whom the plan sponsor has provided health benefits through the group health plan, and that is stripped of all individual identifiers other than the five-digit ZIP code.
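To make the definition concrete, the following added example (written for this article; it is not Strike Graph's code and not an algorithm HIPAA itself prescribes) takes constructed per-member claims records and produces the kind of aggregate the post describes: claims counts and expenses by claim type, with every individual identifier dropped and only the five-digit ZIP code retained. The field names and the list of identifier fields are assumptions for the example; a real claims feed will have its own schema.

```python
"""Added example: derive summary health information from claims records.
Constructed data and field names; not Strike Graph's code."""
from collections import defaultdict

# Assumed identifier fields for this example. The full "zip" field is listed
# because it may carry a ZIP+4 suffix; only the five-digit prefix survives.
IDENTIFIER_FIELDS = {
    "name", "address", "birth_date", "ssn", "member_id", "phone", "email",
    "medical_history", "diagnosis_notes", "zip",
}

# Constructed sample claims for a hypothetical group health plan.
SAMPLE_CLAIMS = [
    {"name": "A. Example", "ssn": "000-00-0001", "birth_date": "1980-01-01",
     "address": "1 Main St", "zip": "12345-6789", "claim_type": "outpatient",
     "amount": 250.00},
    {"name": "B. Example", "ssn": "000-00-0002", "birth_date": "1975-05-05",
     "address": "2 Main St", "zip": "12345", "claim_type": "pharmacy",
     "amount": 40.50},
    {"name": "C. Example", "ssn": "000-00-0003", "birth_date": "1990-09-09",
     "address": "9 Oak Ave", "zip": "54321-0000", "claim_type": "outpatient",
     "amount": 120.00},
]


def zip5(value):
    """Keep only the five-digit ZIP prefix; reject anything that is not one."""
    digits = str(value).strip()[:5]
    if len(digits) != 5 or not digits.isdigit():
        raise ValueError(f"not a five-digit ZIP prefix: {value!r}")
    return digits


def summarize_claims(claims):
    """Aggregate claims by (zip5, claim_type). No per-person field is copied
    through, so the output carries only the aggregate and the ZIP prefix."""
    totals = defaultdict(lambda: {"claims": 0, "total_expense": 0.0})
    for claim in claims:
        key = (zip5(claim["zip"]), claim["claim_type"])
        totals[key]["claims"] += 1
        totals[key]["total_expense"] += float(claim["amount"])
    return [
        {"zip5": z, "claim_type": t, "claims": v["claims"],
         "total_expense": round(v["total_expense"], 2)}
        for (z, t), v in sorted(totals.items())
    ]


def contains_identifiers(rows):
    """Structural check before disclosure: does any row still carry an
    identifier field from IDENTIFIER_FIELDS?"""
    return any(IDENTIFIER_FIELDS & set(row) for row in rows)


if __name__ == "__main__":
    summary = summarize_claims(SAMPLE_CLAIMS)
    assert contains_identifiers(SAMPLE_CLAIMS)
    assert not contains_identifiers(summary)
    for row in summary:
        print(row)
```

The `contains_identifiers` check only confirms that identifier fields are absent from the output; it says nothing about whether a ZIP-level aggregate with very few members could still point to an individual, which is a separate question to weigh before any disclosure to a plan sponsor.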
Except as prohibited by § 164.502(a)(5)(i), the group health plan, or a health insurance issuer or HMO with respect to the group health plan, may disclose summary health information to the plan sponsor, if the plan sponsor requests the summary health information for one of the following purposes:
The Privacy Rule requires that each covered entity, with certain exceptions, provide a notice of its privacy practices, known as the Privacy Practices Notice. This notice must include the following information:
When it comes to distributing this notice, covered entities — whether direct treatment providers or indirect treatment providers (such as laboratories) or health plans — must meet the following requirements:
A covered entity must also make its notice electronically available on any web site it maintains for customer service or benefits information.
As you can see, the ins and outs of achieving and maintaining HIPAA compliance are complex. Luckily, no company has to navigate this process on its own.
Strike Graph’s flexible, right-sized system simplifies and speeds up the complicated requirements of HIPAA compliance, saving your company time and money. Our platform takes you from risk assessment to compliance: