The Healthcare Insurance Portability and Accountability Act (HIPPA) is comprised of several rules which covered entities must follow. A covered entity (CE) is a healthcare provider, health plan, or healthcare clearinghouse. Third-party service providers to the healthcare and insurance industries (“Business Associates”) may also be required to comply with HIPAA rules. The most important rules are the Privacy Rule and the Security Rule, knowledge of which is essential for any employee in the healthcare industry.
The Privacy Rule of Healthcare Insurance
The Privacy Rule of 2003 was introduced to regulate the use and disclosure of protected healthcare information (PHI) held by CEs and their BAs. The Privacy Rule protects the private information of healthcare patients from access by unauthorized individuals while simultaneously allowing for the efficient disclosure of PHI to parties with permission to use it.
The Privacy Rule aims to protect what is known as “Individually Identifiable Health Information”; information which can be used to reveal the identity of the patient. This covers a wide range of data; names, addresses, date of birth, Social Security numbers, credit card, and billing information, vehicle registration plate numbers, examples of a patient’s handwriting, and videos and images of the patient’s injuries which may show an identifiable body part.
The Privacy Rule states that healthcare organizations must receive the patient’s permission (authorization) to disclose information to third parties. Some exceptions to this rule include when the disclosure to a third party is related to a healthcare operation, treatment, or payment for a service.
The ‘Minimum Necessary’ Rule is a part of the HIPAA Privacy Rule. This means that healthcare workers must only disclose the minimum amount of PHI necessary to fulfill the purpose for which it is needed. This is an important rule to follow for all employees in the healthcare industry as it is particularly pertinent to the day to day workflows of healthcare staff.
The Security Rule of Healthcare Insurance
The HIPAA Security Rule was introduced in 2003 to deal specifically with electronic PHI (ePHI), although it still pertains to physical PHI. It was created to establish national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a CE.
The Security Rule mandates that CEs should employ appropriate safeguards to ensure the “confidentiality, integrity, and availability” of ePHI.
The Security Rule does not introduce rigorous and strict guidelines that all CEs must adopt; it allows for each organization to assess their situation and determine what safeguards are most appropriate for their practices and customers.
The Security Rule breaks down the types of safeguards into three categories:
Administrative safeguards include policies and procedures that clearly explain how the entity complies with HIPAA.
Physical safeguards require the implementation of physical controls to protect data and to prevent it from being stolen or accessed by unauthorized individuals.
Technical safeguards include controlling access to computer systems and the protection of communications containing PHI transmitted electronically over open networks to prevent ePHI being intercepted and accessed by anyone other than the intended recipient.