How To: Understanding HIPAA Compliance

Cole PrudenHIPAA Compliance, PHI, PII

An illustrative picture with a hippo for HIPAA by PII Tools

For many readers, when they hear the words “the Health Insurance Portability and Accountability Act (HIPAA)”, their eyelids immediately start to droop. But I’m sure getting slapped with an annual $1.5 million fine would wake them up! Whether you’re the one handling the data or the actual patient looking to protect your rights, it’s time to become a HIPAA expert now!

Introduced in 1996, HIPAA was created to modernize the flow of healthcare information and protect PII that pertains to healthcare. (Never heard of “PII”? Then we’ve got the perfect article for you: PII in all its forms.)

To sum it up nicely, HIPAA is a US-based federal statute created to address 3 main objectives:

  1. Modernize the flow of healthcare information
  2. Stipulate how PII maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft
  3. Address limitations on healthcare insurance coverage

However, before HIPAA could actually protect anyone’s private healthcare information, it needed to clearly identify the exact types of PII in need of protection.

How HIPAA Identifies PII

HIPAA identifies PII by using 18 identifiers. To save you some time looking them up yourself, you’ll find them all listed below:

1. Name

2. Address (all geographic subdivisions smaller than state, including street address, city county, and zip code)

3. All elements (except years) of dates related to an individual (including birthdate, admission date, discharge date, date of death, and exact age if over 89)

4. Telephone number

5. Fax number

6. Email address

7. Social Security number

8. Medical record number

9. Health plan beneficiary number

10. Account number

11. Certificate or license number

12. Vehicle identifiers and serial numbers (including license plate numbers)

13. Device identifiers and serial numbers

14. Web URL

15. Internet Protocol (IP) Address

16. Finger or voice print

17. Photographic image (photographic images are not limited to images of the face)

18. Any other characteristic that could uniquely identify the individual

 

Before moving on, you also need to know the difference between PII (Personal Identifiable Information) and PHI (Protected Health Information). In short, PII transforms into PHI (think of it as going one level higher in terms of importance) when PII is used in conjunction with your physical or mental health, healthcare, or the payments you make for your healthcare.

Does HIPAA Apply to Me, and What About My Rights?

HIPAA applies directly to a number of healthcare organizations and entities that create, hold, or transmit PII. Examples of these are all healthcare providers and their business associations (lawyers, financial offices, accounting departments, etc.) as well as doctors, nurses, hospital and pharmacy staff, and even health plan agents and healthcare clearinghouses.

Most importantly, however, HIPAA pertains to the people it protects: You and me. HIPAA delegates how the institutions and individuals mentioned above interact with and share your personal data. Thanks to HIPAA, you don’t have to worry about your private health issues becoming front-page news or sold to third-party data collectors just because your doctor turns out to be a scumbag.

Let’s discuss the rights you have under HIPAA. You have the right to:

  • Keep your information private, whether in electronic or written format
  • Access; i.e., the right to see or obtain a copy of your medical records
  • Submit a request to fix a mistake in your medical records
  • Submit a written statement of disagreement that will be kept in your medical records, stating you do not agree with certain information
  • Know how your information is used and shared
  • Obtain a report stating who has seen your information (Accounting of Disclosures)
  • Say how you want to be contacted, e.g., what telephone number to reach you at, or e.g., whether or not they can leave a voice message
  • Request that your information not be shared with certain entities

If you’re more of a visual learner, check out this video on the official HIPAA website to learn more about your specific rights and how to apply them.

5 Main HIPAA Rules

Now we know whom HIPAA affects + each person’s rights under HIPAA. Next comes the 5 main rules HIPAA enforces:

  1. Privacy Rule – protects an individual’s PHI and medical records by placing limits and conditions on the various uses and disclosures that can and cannot be made without patient authorization. This is also the rule that gives patients the right to inspect and obtain a copy of their records and request corrections be made to their file.
  2. Security Rule – defines and regulates the standards, methods, and procedure related to the protection of electronic PHI on storage, accessibility, and transmission. This includes 3 safeguard levels of security, which you can read about in detail here.
  3. Transaction Rule – standardizes the electronic exchange of patient-identifiable, health-related information. This allows for the electronic exchange of information from computer to computer without human involvement.
  4. Identifiers Rule – the use of 3 unique identifiers for covered entities who use HIPAA-regulated administrative and financial transactions. The 3 identifiers are used to distinguish covered healthcare providers, health plans and payers, and employee entities in HIPAA transactions.
  5. Enforcement Rule – includes directives for compliance, investigation, and penalties for violations. It also details the procedures and monetary fines for imposing civil penalties on covered entities that violate HIPAA requirements.

As each rule contains more information than can be summarized here, check out HIPAA for Individuals online for greater detail.

Becoming HIPAA Compliant

Once you have a better understanding of HIPAA, it’s time to implement what you’ve learned in your business practices. And don’t think just because you don’t work at a hospital or run a health insurance company, that HIPAA doesn’t apply to you. If you or your company comes into contact with health-related PII in any shape or form, here are a few things you can do to become HIPAA compliant:

  • Name a HIPAA Privacy Officer. They are responsible for developing a HIPAA-compliant privacy program if one doesn’t already exist, or enforcing it if there is already one in place. This is a great place to start, as having someone dedicated to HIPAA makes you much less likely to run into any violations.
  • Train employees working with PII of the new privacy and security policies put in place by your new HIPAA Privacy Officer and ensure that they have a basic knowledge of the regulation.
  • Implement a sensitive data discovery tool to locate and remediate non-compliant data.
  • Establish a data leak notification protocol.
  • Regularly conduct risk assessments and self-audits.

Not sure how to use a sensitive data discovery tool to find HIPAA-protected data? Then PII Tools has the solution for you.

HIPAA and Its Benefits

The Health Insurance Portability and Accountability Act exists to protect patients’ PII and PHI, while also providing them the means to take control of their information and how it is used. Even though this topic may bore some people to pieces, you now have a leg up on any of your more-than-shady competitors, as you stay HIPAA compliant and they move toward betraying the trust of their clients. Or if you were just looking to discover more about how HIPAA protects the individual, you’re now in the driver’s seat when it comes to using your rights. Either way, the more you know, the more HIPAA can benefit you.

Find Out How PII Tools Will Help You With HIPAA Compliance