What is HIPAA?
The Health Insurance Portability and Accountability Act was enacted in 1996.
It required the Secretary of the Department of Health and Human Services (HHS) to publish standards for the electronic exchange, privacy and security of health information, and to write privacy regulations if Congress did not do so within three years after the law was passed. Congress did not act, so HHS wrote the privacy regulations.
The HIPAA Regulations establish federal protection for individually identifiable health information (protected health information) created by a covered entity (healthcare provider). Protected Health Information, or PHI, is identifiable health information in oral, paper or electronic form that relates to the healthcare of an individual, whether past, present or future, and it covers individuals living or deceased.
There are many different identifiers that, when combined with health information, make that information PHI.
In addition to name, there are other identifying numbers such as medical record number, admitting number, social security number, and insurance number.
The Privacy Rule establishes the permissible uses of PHI by the covered entity for treatment, payment and healthcare operations. Responsibilities of the covered entity include safeguarding PHI using administrative, physical and technical safeguards. The covered entity may use a Business Associate to help perform some of its activities that are covered by the Privacy Rule.
The covered entity must establish policies and procedures, train all members of the workforce and provide notice to individuals on how it is permitted to use their PHI.
Who or what is a Covered Entity?
A covered entity is a health plan, healthcare clearinghouse or healthcare provider who transmits bills for services electronically. They are covered by the HIPAA Privacy Rules.
What is a Business Associate?
A Business Associate is an individual or organization outside the covered entity's workforce that provides a service to the covered entity requiring the use, disclosure or access to PHI. For example, third-party billing companies, quality and risk management services, legal services, and EMR and software vendors with access to PHI are Business Associates.