Whether building simple applications or constructing complex medical treatment tools, businesses looking to enter the burgeoning market of health care services will need to become familiar with the Health Insurance Portability and Accountability Act (HIPAA). The law has wrought transformative change in the U.S. health care market, but its labyrinthine strictures can prove difficult to navigate. This is the first in a series of three posts that cover HIPAA’s background, its requirements, and HIPAA compliance strategies for startups and small businesses. The aim of this series is to make the privacy provisions of HIPAA accessible and understandable to startups and small businesses.
Passed by Congress in 1996, HIPAA aimed to protect Americans by enacting stringent new standards for the storage, sharing, and use of private medical information. HIPAA tasked the U.S. Department of Health and Human Services (HHS) with implementing these regulations. To achieve this, HHS put in place two specific rules: the “Privacy Rule” and the “Security Rule.”
HIPAA’s “Privacy Rule” established national standards for protected health information (PHI). The Privacy Rule governs the use and dissemination of PHI, and attempts to strike a balance between protection of individual privacy and promotion of the type of information exchange necessary for effective and efficient health care. As such, the Privacy Rule was designed to be flexible, able to adapt to changes while achieving some measure of consistency across the gargantuan spectrum of American health care.
Whereas the Privacy Rule governs the use and dissemination of protected health information, the Security Rule governs the measures that covered entities must put in place to secure PHI held or transferred in electronic form (e-PHI). Similar to the Privacy Rule, the Security Rule is designed to strike a balance between protection of e-PHI and advancement of technology in health care.
HIPAA’s privacy provisions apply to two specific types of organizations: “Covered entities” and “business associates.”
HIPAA’s rules are primarily directed at covered entities, which must follow both the Privacy Rule and the Security Rule. Covered entities include:
In addition to covered entities, HIPAA also regulates the conduct of “business associates” engaged in the exchange of sensitive medical information. Business associates are organizations that provide services to covered entities in capacities where health information is transmitted to or handled by them. Business associates typically provide legal, accounting, consulting, management, and administrative services such as data analysis, billing, and claims processing. Law firms, accountants, software vendors, Internet service providers, cloud storage companies, and other such organizations may be considered business associates under HIPAA’s Privacy Rule. All business associates retained by covered entities are required to contractually agree to comply with HIPAA’s rules. HIPAA casts a wide net when examining associates of covered entities, but activities that do not involve the use or disclosure of protected health information do not trigger HIPAA’s requirements.
According to the HHS, the Privacy Rule protects:
All ‘individually-identifiable health information’ held or transmitted by a covered entity or its business associate, in any form or media.
PHI includes any information relating to:
HIPAA’s definition of PHI shares common DNA with the larger field of personally-identifiable information (PII). Organizations with strong PII protections can easily adapt to the world of PHI security. For more information on how to develop airtight PII procedures, read our post on the subject.
For more information on the basics of HIPAA, please visit the website of the U.S. Department of Health and Human Services.
DISCLAIMER: The information in this article is provided for informational purposes only and should not be construed or relied upon as legal advice. This article may constitute attorney advertising under applicable state laws.