HIPAA Basics: Understanding the Health Insurance Portability and Accountability Act of 1996

Get all the basics about HIPAA, HIPAA compliance, passwords, & review a HIPAA FAQ!

HIPAA Introduction

Today's world is full of hackers and cyber threats and these threats are increasing exponentially. Healthcare data is so valuable because it typically has a collection of an individual's personally identifiable information such as names, addresses, emails, telephone numbers, facial photos, dates of birth, and social security numbers. Other sources such as financial typically only have one form of information. A single healthcare data record may be valued up to $250 compared to $5 for a credit card record. Therefore, it is of the utmost importance that patient healthcare information is kept private and secure, and this must be a top priority for all healthcare providers. HIPAA Federal laws require organizations that are stewards of healthcare information to have policies and security safeguards in place that are monitored and audited.

What Does HIPAA Stand For?

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996.

What is the Purpose of HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the Federal law that all healthcare organizations must comply with to provide privacy and security of PHI so that information is not disclosed without patient permission.
The HIPAA Security Rule covers electronic protected health information (ePHI), but it is only part of information covered in the Privacy Rule.

What is the HIPAA Security Rule?

The HIPAA Security Rule protects a subset of information that is covered by the Privacy Rule that is, in essence, individually identifiable health information that a healthcare entity uses in any electronic transaction (i.e. create, receive, maintain, or transmit). Electronic protected health information (ePHI) is the proper HIPAA term. The Security Rule does not apply to PHI transmitted orally or in writing and is typically stored on paper.
Covered entities must do the following to comply with the Security Rule:
  • Guarantee the confidentiality, integrity, and availability of all ePHI
  • Anticipate and thwart threats to the security of the information
  • Prevent the impermissible uses or disclosures of ePHI
  • Train the health care entities employees and contractors
The Department of Health and Human Services Office for Civil Rights enforces HIPAA rules. Covered entities should be aware that HIPAA violations may result in both civil or criminal penalties.

What is the HIPAA Privacy Rule?

The US Department of Health and Human Services (HHS) developed the HIPAA Privacy Rule which covers protected health information (PHI) in any form. It is also a guideline to implement requirements for HIPAA. The disclosure of patient health information (protected health information or PHI) by entities must be in accordance with the Privacy Rule. This rule details individuals' rights to so that patients know how their health information is being maintained and used. The goal of the Privacy Rule is to benefit the public and promote their well-being and high-quality healthcare. It also tries to balance important uses for healthcare information such as medical research and population health initiatives while at the same time protecting privacy for patients.
There are two types of organizations are regulated by the HIPAA rules:
  1. Covered Entities (CE)
    Healthcare providers, health plans, and healthcare clearinghouses. CEs directly create PHI must adhere to all the HIPAA regulations. Examples of healthcare provider services are claims, benefit inquiries, and referrals for which HHS has established standards. The following are examples of health plans that pay the cost of the following medical care: health, dental, vision, and prescription drug insurers, HMOs, Medicare, Medicaid, and long-term care insurers. An employer-sponsored group health plans (less than 50 participants and solely managed by the employer) is also a covered entity. A healthcare clearinghouse typically processes healthcare information for other covered entities.
  2. Business Associates (BA)
    This could be any organization hired by a CE or another business associate who will most likely interact with PHI in the course of their work. Examples are information technology service providers, software companies servicing healthcare, practice management firms, data storage providers including back-up, encrypted email, chat, and text. Business associates are required to comply with the HIPAA security rule.

HIPAA Permitted Uses and Disclosures

The following are permitted uses whereby covered entity can disclose protected health information without the consent of a patient:
  1. Disclosure to the patient
  2. Healthcare organization activities related to treatment, payment and general operations
  3. Public interest and benefit activities
  4. Public health activities
  5. Victims of domestic violence, abuse or neglect
  6. Judicial proceedings
  7. Law enforcement
  8. Identification of deceased persons
  9. Cadaveric organ, eye, or tissue donation
  10. Scientific research; limited datasets for public health and research
  11. To prevent or mitigate a serious threat to health or safety
  12. Government functions
  13. Workers' compensation
The US Department of Health & Human Services (HHS) website offers:
  • Details on the Administrative Simplification provisions that required HHS to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security.
  • HHS published a final Privacy Rule in December 2000, which was later modified in August 2002. This Rule set national standards for the protection of individually identifiable health information by three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct the standard health care transactions electronically.

What Are the Three Primary Parts of HIPAA?

Keeping patient data private and confidential requires compliance with the following three primary parts:
  1. Administrative Requirements
  2. Physical Security Requirements
  3. Technical Security Requirements

Administrative Requirements

Patient data must have integrity and be accessible by authorized parties. The privacy procedures should be documented in writing.
  • An information technology executive should be appointed in charge of data security and HIPAA compliance.
  • Employees that have access to patient data should be identified and documented.
  • The organization's privacy policies must be communicated to all employees. Each employee should understand how these policies are relevant to their job.
  • Business associate agreements (BAA) should be signed with all third parties that have access to patient data indicating their understanding of HIPAA security and privacy rules.
  • A plan should be put in place for both backup of data on a daily basis and disaster recovery.
  • An annual security assessment must be performed.
  • A plan should be put in place so that in the event of a data breach the organization can communicate with patients and mitigate any further data breaches.

Physical Security Requirements

Physical theft and loss of mobile devices can happen. These requirements help prevent physical theft and loss of devices that may have patient information.
  • Desks and access to computers should be secured and away from public view.
  • Visitors should need to sign in and access should be restricted to insecure areas.
  • Care should be taken with disposing of hardware and software making sure that any hard disks are properly disposed and all data deleted.
  • Physical safety best practices should be the topic of training for all employees and contractors including how to secure cell phones and other mobile devices.

Technical Security Requirements

These requirements will protect the health care organization's network and devices.
  • Any PHI information sent by email should be encrypted. Any cloud-based email should also utilize encryption.
  • Firewalls and intrusion detection and prevention systems should be implemented to protect the network.
  • Employees need to be trained on phishing schemes on how to identify and avoid them.
  • All data needs to be backed-up on a continuous basis in case of deletion or changes.
  • Strong passwords should be used and contain letters, numbers, and special characters. Alternatively, NIST recommends using phrases that are easy to remember and hard to guess so that employees will not write these passwords down on paper. Also, two factor authentication (2FA) should be used wherever possible. Third party data transfers should require a password, hardware tokens or a confirmation phone call.
  • Double-keying, checksum, and other techniques should be used to prevent data input errors.
  • The organizations network configuration should be well documented and kept up to date.
  • Utilizing specialized security consultants to assure that HIPAA requirements are met. The HIPAA rules evolve, and technology is always rapidly changing.

What Are the 5 Office Guidelines for Complying with HIPAA?

  1. Privacy Rule
    PHI and medical records are protected by the privacy rule. There are limits and conditions on uses and disclosures requiring patient authorization. This rule also ensures that every patient has the right to obtain a copy of their records, request corrections, as well as the right to inspect.
  2. Security Rule
    Relates to standards, methods and procedures to protest ePHI on storage, accessibility and transmission. There are three safeguard levels of security discussed above and they are administrative, technical and physical. Risk management and analysis policies and procedures are also addressed in this rule.
  3. Transactions Rule
    Addresses HIPAA transactions, including ICD-9, ICD-10, HCPCS, CPT-3, CPT-4 and NDC codes. The safety, accuracy and security of medical records and PHI can be achieved by using these codes.
  4. Identifiers Rule
    This rule specifies that there are three unique identifiers for covered entities:
    • National Provider Identifier (NPI)
    • 10-digit number
    • National Health Plan Identifier (NHI), used by health plans/payers under Medicare & Medicaid Services (CMS)
    • Standard Unique Employer Identifier, used by any organization in a HIPAA transaction and it is the Employer Identification Number (EIN)
  5. Enforcement Rule
    This rule comes from the ARRA HITECH ACT for violations and expands penalties under HIPAA Privacy and Security. It addresses the five areas related to covered entities and business associates:
    • HIPAA security and privacy requirements
    • Federal privacy and security breach reporting requirements
    • New privacy/disclosure requirements on sales and marketing efforts
    • New criminal and civil penalties and enforcement for HIPAA non-compliance
    • Business associate agreements must include new security requirements

What Does It Mean to be HIPAA Compliant?

The Health Insurance Portability and Accountability Act (HIPAA) was established in the U.S. in 1996 to protect an individual's personal health care information. Healthcare institutions are required to meet all standards and comply with the appropriate security measures in order to safeguard patient data.
Under HIPAA, several things must be protected including any patient healthcare information that is written, spoken or electronic. Electronic data can be faxed, printed, copied or emailed and includes lab reports, insurance claims, consent forms and patient records.
Safeguarding patient data is a key concern among healthcare Chief Information Officers all over the world, as healthcare is a target of most information attacks.
If a healthcare organization hosts data with a HIPAA compliant provider, there must be certain administrative, physical and technical safeguards in place that are required by the U.S. Department of Health and Human Services (HHS).
Physical safeguards include limited facility access with required authorized access. All covered entities must have usage and access policies regarding workstations and electronic media. Part of this safeguarding effort requires standards for transferring, removing, disposing, and reusing electronic media and protected health information.
Technical safeguards of HIPAA compliance require restrictions on access to protected health data. In other words, authorization is required to access the health record. This form of protection includes the use of user IDs, emergency access procedures, automatic log off and encryption and decryption of data.
Also, on the technical side of HIPAA compliance, tracking logs must be implemented to keep a record of activity of hardware and software. This practice helps to identify the source or cause of any security violations with greater ease.
Policies should also be put into place to ensure that personal health data is not altered or destroyed. Disaster recovery and offsite backups are necessary to ensure that any electronic media errors or failures can be resolved quickly, and that patient health information can also be accurately recovered. Failure to comply with these guidelines and requirements could lead to significant fines and other legal action from the Federal government. Ensuring compliance can prove to be a tremendous challenge.

HIPAA Compliance Checklist

  1. Determine annual audits/assessments that are required for your healthcare organization. Perform an organization wide assessment and evaluate your security against HIPAA requirements. Review the US Department of Health and Human Services office for civil rights audit protocol.
  2. Launch an internal HIPAA compliance audit and assessment. Document the results of this work in case you need it to support an outside audit by the government. Consider using a third-party compliance organization to conduct the audit alongside your organization.
  3. Document all aspects of building and implementing your compliance program.
  4. Appoint a security and compliance team in your organization and designate a HIPAA Compliance Officer.
  5. Calendar annual HIPAA training for all employees and contractors. Make sure that your staff understands everything that is required from them for your organization to remain HIPAA compliant. Make sure that all people involved understand the civil and criminal penalties for noncompliance.
  6. Document all employee training activities including attestations that employees attended such training and understood the materials. This may be needed in the case of an outside audit.
  7. Put a process in place that is understood by all employees to report breaches. Make sure that all employees are aware of what constitutes a HIPAA breach. A system should be put in place to track security incidents and report on all breaches.
  8. Establish an annual review that assesses compliance activities against the latest HIPAA rules.
  9. Continuously assess and manage risk by building a risk management program and integrate continuous monitoring.

HIPAA Password Requirements

HIPAA regulations require the use of passwords for securing accounts that have access to ePHI. A strong password that is greater than 8 characters and has other characteristics is a common authentication method. The HIPAA regulations refer to "password management" as an addressable rather than a required safeguard. Addressable means that it cannot be ignored. A password must be used to secure an account unless an equivalent level of protection can be provided by another means. An example would be biometric authentication which can serve as a HIPAA compliant alternative to passwords.
A good HIPAA password policy should cover creating passwords, changing passwords, and safeguarding them. Since password best practice has changed overtime HIPAA regulations do not mention specifics about password length, etc. The National Institute of Standards and Technology (NIST) provides excellent guidance. This password guidance is included in the NIST Digital Identity Guidelines – Authentication and Lifecycle Management Special Publication.
Currently, NIST recommends using a minimum of 8 characters which will make passwords less susceptible to brute force attacks. Also, it is important to include random and complex combinations of characters and numbers. There are also secure password generators online. NIST and other security organizations recommend long passphrases that are easy to remember such as, "mississippi-witchcraft-ocean-twin bed". They are very secure and difficult to guess or brute force attack. They are even more secure than long passwords, even with special characters.
An interesting point to note is that NIST does not recommend enforcing password changes. If users know that they are going to have to continuously come up with new passwords, they have a tendency of making them weaker overtime. Some cyber security best practices are to always create new passwords and never to reuse old passwords.
Password should always be encrypted and also salted (the use of unique, random string of characters while in both transit and at rest. If these passwords or obtained through a hack they will not be useful if they are encrypted.
It is a best security practice to use two factor authentication (2FA). If 2FA is enabled nobody can gain access to the application with only the username and password. They would also need a one-time password that is generated from a device and entered in real time.

HIPAA Medical Record Destruction

Patient information that needs to be protected (PHI) can include both paper and electronic medical records. The HIPAA Privacy Rule also applies to the disposal of PHI, but it does not specify any specific method of disposal. Often PHI can also be converted from paper form to an electronic medical record (EMR). Organizations should assess the risks to patient privacy when creating disposal procedures to meet the rule as well as to prevent identify theft. The Privacy Rule suggests that PHI in paper form can be disposed of by, "shredding, burning, pulping, or pulverizing the records so that it is not readable and cannot be reconstructed".
The Privacy Rule also recommends disposing of PHI on electronic media by, "clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding)".
Many Covered Entities hire a Business Associate to dispose of PHI. They must execute a Business Associated Agreement (BAA) specifying the safeguarding of PHI through the disposal process.

HIPAA FAQ

What is the Difference Between Security and Privacy in HIPAA?

HIPAA addresses security and privacy of ePHI. They are distinct and work together.
  • Privacy: Specifies the rights people have to control how their personal health information is used. PHI must be kept confidential and maintained in accordance with the patient's desire. It covers all formats including electronic, paper and conversations. Maintaining the physical security of PHI is a key element of this rule.
  • Security: Specifies the administrative, technical and physical safeguards relating to ePHI. All of these safeguards should keep ePHI data away from unauthorized access. In most cases, ePHI is maintained on disk drives, memory cards, and removable devices.

Who is Required to Follow HIPAA?

Covered Entities

  • Health plans, health insurance companies, HMOs, company health plans, Medicare, and Medicaid.
  • Healthcare providers doing any business electronically. This includes medical doctors, clinics, hospitals, nursing homes, pharmacies, and all other licensed health care professionals such as dentists.
  • Healthcare clearinghouses that process health information they receive from other entities.

Business Associates

Contractors and subcontractors of a covered entity that can access health information of the covered entity:
  • Billing companies, claims processing companies
  • Health plan administration companies
  • Outside professional service firms: attorneys, CPAs and information technology experts
  • Medical records storage companies

What is the Standard for Accessing Patient Information?

Healthcare organizations must provide easy access for patients and their personal representatives to view and obtain a copy of their health information no later than 30 calendar days from receiving such a request. When individuals can access their health information, they can better take care of themselves through self-monitoring. They can better track their progress against treatment plans as well as fix any errors in their medical records. There is a movement going on called patient-centered healthcare. With so many new innovative technologies patients can now access their data in real-time and share it with their healthcare professionals for faster diagnosis.
The HIPAA Privacy Rule provides patients with a legal right to view and obtain copies of their health information maintained by providers or health plans. Individuals can inspect their healthcare records as well as obtain a copy.
There are only two categories of information that are excluded from this right to access. The personal notes of a mental health professional taken during psychotherapy sessions are excluded from health records. Also, any information put together in anticipation of a civil, criminal or administrative action is also excluded.
Request a Live Demo
See It In Action
Assess Your Needs
Download Tool
Try Giva's 30 Day Trial
Sign Up Today