HIPAA Basics

Information Covered under HIPAA

The Privacy Rule protects most individually identifiable health information held or transmitted by a Covered Entity (CE) or its Business Associate (BA), in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information” or “PHI.” Individually identifiable health information is information, including demographic information, that relates to:

• The individual’s past, present, or future physical or mental health or condition,
• The provision of health care to the individual, or
• The past, present, or future payment for the provision of health care to the individual.

In addition, individually identifiable health information identifies the individual or there is a reasonable basis to believe it can be used to identify the individual.

For example, a medical record, laboratory report, or hospital bill would be PHI if information contained therein includes a patient’s name and/or other identifying information.

Covered Entities

Healthcare Provider

This includes providers such as:

• Doctors
• Clinics
• Physical and Occupational Therapists
• Dentists
• Chiropractors
• Nursing Homes
• Pharmacies

A Health Plan

This includes:

• Health insurance companies
• HMOs
• Company health plans
• Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans’ health care programs

A Health Care Clearinghouse

This includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

Business Associates

No Business Associate Agreement?  $31K Mistake

A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.  A member of the covered entity’s workforce is not a business associate.  A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity.  The Privacy Rule lists some of the functions or activities, as well as the particular services, that make a person or entity a business associate, if the activity or service involves the use or disclosure of protected health information. The types of functions or activities that may make a person or entity a business associate include payment or health care operations activities, as well as other functions or activities regulated by the Administrative Simplification Rules.

Functions and Activities

Business associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing.  Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial. 

Examples of Business Associates

• A third party administrator that assists a health plan with claims processing. 
• A CPA firm whose accounting services to a health care provider involve access to protected health information. 
• An attorney whose legal services to a health plan involve access to protected health information. 
• A consultant that performs utilization reviews for a hospital. 
• A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer. 
• An independent medical transcriptionist that provides transcription services to a physician. 
• A pharmacy benefits manager that manages a health plan’s pharmacist network.  

Privacy Rule

The Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) establishes, for the first time, a set of national standards for the protection of certain health information. The U.S. Department of Health and Human Services (“HHS”) issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). 1 The Privacy Rule standards address the use and disclosure of individuals’ health information—called “protected health information” by organizations subject to the Privacy Rule — called “covered entities,” as well as standards for individuals' privacy rights to understand and control how their health information is used. Within HHS, the Office for Civil Rights (“OCR”) has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties.

A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being. The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing. Given that the health care marketplace is diverse, the Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed.

The Privacy Rule addresses:

• Uses and disclosures of protected health information
• Uses and disclosures to carry out treatment, payment, or health care operations
• Uses and disclosures for which an authorization is required
• Uses and disclosures requiring an opportunity for the individual to agree or to object
• Uses and disclosures for which an authorization or opportunity to agree or object is not required
• Notice of privacy practices for protected health information
• Rights to request privacy protection for protected health information
• Access of individuals to protected health information
• Accounting of disclosures of protected health information

The Security Rule

The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI). Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.

Prior to HIPAA, no generally accepted set of security standards or general requirements for protecting health information existed in the health care industry. At the same time, new technologies were evolving, and the health care industry began to move away from paper processes and rely more heavily on the use of electronic information systems to pay claims, answer eligibility questions, provide health information and conduct a host of other administrative and clinically based functions. 

Today, providers are using clinical applications such as computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems. Health plans are providing access to claims and care management, as well as member self-service applications. While this means that the medical workforce can be more mobile and efficient (i.e., physicians can check patient records and test results from wherever they are), the rise in the adoption rate of these technologies increases the potential security risks.

A major goal of the Security Rule is to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. Given that the health care marketplace is diverse, the Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ e-PHI. 

The Security Rule addresses:

• Security Standards
• Administrative Safeguards
• Physical Safeguards
• Technical Safeguards
• Organizational requirements
• Policies and procedures and documentation requirements

Citation

Department of Health and Human Services. Health Information Privacy.  HIPAA for Professionals