HIPAA

What is HIPAA?

The U.S. Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996. It amended the Employee Retirement Income Security Act (ERISA) and the Public Health Service Act (PHSA). The purpose of HIPAA is to codify national standards that protect sensitive patient health information from disclosure without the patient’s consent or knowledge.

Many healthcare practices use HIPAA-compliant messaging software to send secure, interactive messages to patients. These products comply with HIPAA regulations, and professionals can safely use them across various devices and cloud

HIPAA Software

Software that mention hipaa as a feature or term.

Paubox

Zoom Workplace

Spruce Health

Jotform

Vanta

Box

Why is HIPAA important?

HIPAA gives patients more control over their health information and enables them to understand how their information may be used. As a national standard, HIPAA establishes clear and necessary boundaries that consistently protect the privacy of health information. It holds violators accountable with various penalties and punishments. Finally, HIPAA balances the line between safeguarding personal privacy and disclosing data that protects public health.

HIPAA Privacy Rule

The U.S. Department of Health and Human Services (HHS) issues the HIPAA Privacy Rule, which implements HIPAA requirements. One of the goals of the Privacy Rule is to ensure individuals’ health information is protected adequately, while at the same time balancing a necessary flow of this information for healthcare and public health protection purposes. 

The Privacy Rule also addresses the use and disclosure of protected health information (PHI) by covered entities. 

Covered entities subject to the Privacy Rule include:

• Healthcare providers. All providers, regardless of company size, who electronically transmit health information are subject to the Privacy Rule. Health information may involve claims, benefit eligibility, and referral requests.

• Health plans. Health, dental, vision, Medicare, Medicaid, long-term care, and sponsored health plans are all types of health plans considered covered entities. 

• Healthcare clearinghouses. Any entity or third party between healthcare providers and insurance payers that process nonstandard information from another entity into a standard format is considered a covered entity. 

• Business associates. Individuals or organizations using or disclosing individually identifiable health information are covered entities. Types of services might include claims and billing.

HIPAA Security Rule

The HIPAA Security Rule protects a subset of electronic information under the Privacy Rule, including individually identifiable information created, received, or maintained by a covered entity. This information is known as electronic protected health information (ePHI). The Security Rule does not apply to written or verbal PHI.

The Security Rule mandates three types of safeguards.

• Administrative: All administrative actions, policies, and procedures to protect ePHI and manage personnel related to ePHI fall into the administrative category. Administrative safeguard standards include security management processes, assigned security responsibility, workforce security, information access management, security awareness and training, security incident procedures, contingency planning, evaluation, and business agreements.
• Physical: The physical safeguard category refers to the physical location where ePHI is stored or maintained. Physical safeguard standards include facility access and control and workstation and device security.
• Technical: Under this category, technical safeguards apply to the technology and policies and procedures for the defined technology that protects and secures ePHI. The technical safeguard standards include access, audit controls, integrity, and authentication. 

HIPAA best practices

Businesses should prioritize HIPAA and support compliance efforts through various best practices. These include:

• Implementing safeguards to comply with the Security Rule. The Security Rule outlines administrative, physical, and technical safeguards. Businesses must ensure they understand the three types and implement the necessary practices to comply with each accordingly. For example, an administrative safeguard may involve training the workforce on PHI protection, and a physical safeguard might establish a badge entry system to secure a facility.

• Conducting HIPAA risk assessments. A HIPAA risk assessment identifies and uncovers a company’s vulnerabilities and weaknesses that may lead to violations. These assessments should also test all safeguards for accuracy.

• Developing policies and procedures to comply with Privacy and Security Rules. For the highest likelihood of success, companies should appoint a privacy representative to manage the HIPAA compliance process. This person and their team are responsible for developing, documenting, and maintaining all policies and procedures supporting the Privacy Rule and Security Rule. 

• Training employees on HIPAA compliance and procedures. In addition to mandated HIPAA compliance training (anyone who handles PHI must complete mandatory training), companies can develop their employees' understanding with further training. Refresher training should be provided periodically as defined by the organization. As part of training, business leaders need to convey the consequences of violating HIPAA to employees. 

• Monitoring and updating policies over time. HIPAA compliance policies should not be drafted once and forgotten. Instead, businesses can increase their effectiveness by monitoring and updating policies as the organization grows over time. 

Discover more about HIPAA messaging in the cloud to ensure compliance standards are upheld.