Businesses that handle PHI (Protected Health Information) are governed by HIPAA (the Health Insurance Portability and Accountability Act): a wide-ranging set of rules that help to keep individuals’ sensitive information from being disclosed. In a recent blog, we explained what HIPAA compliance is, and why the regulations can present significant challenges to almost any organization.
Here, we’ll explore the regulations in slightly more depth—starting with the five main provisions of HIPAA. Read on to improve your understanding of what it takes to become HIPAA compliant.
According to HIPAA Exams, the word discretion has two distinct meanings, and both of them lie at the heart of HIPAA. Firstly, and most obviously, HIPAA compels businesses to treat customer data with discretion: preventing it from being shared with any person or organization without the necessary permissions.
Secondly, patients have the discretion to decide how, why and if their data is used. Failure to comply with either of these principles would be considered a breach of the HIPAA privacy rule. This rule also gives every patient the right to inspect and obtain a copy of their records and request corrections to their file.
While the privacy rule is focused on whether businesses share data or not, the security rule governs how organizations protect their data from unauthorized access. The security rule outlines three different types of safeguards: administrative, technical and physical.
The administrative safeguards dictate that organizations have the right staff and processes in place to stay compliant. The technical safeguards outline the IT tools you need to control data access, including data encryption and watertight authentication. As you might expect, the physical safeguards are designed to ensure organizations devote sufficient resources to protecting their data from physical theft.
Data sharing is a vital part of efficient healthcare—whether it’s a treatment center reviewing a new patient’s medical history, or an insurer being notified that they’re required to pay for a specific treatment. But these data transactions are also a potential hotspot for loss or oversharing of patient data.
That’s why every organization that takes part in these transactions must use specific codes that ensure the safety, accuracy, and security of medical records and PHI. If an organization provides information that doesn’t correspond with the code they’re using, they could be in breach of HIPAA regulations.
Bad-faith actors could pose as a healthcare organization to steal sensitive data. So, to ensure that businesses only share PHI with other HIPAA-recognized entities, HIPAA requires every organization to identify itself using a unique number. These identifiers have different configurations depending on whether the organization in question is a healthcare provider, an insurer, or an employer, helping to protect customers and businesses from theft.
Learn more about the three identifiers for covered entities here.
In February 2015, regulators added the enforcement rule to HIPAA. This rule expands on the privacy and security rules and increases the criminal and civil penalties for any breach. It also establishes some mandatory federal privacy and security breach reporting requirements and stipulates that all new security requirements must be included in all Business Associate contracts.
The above should act as a solid introduction to HIPAA compliance. But before you can start digging deeper and implementing the five rules, you’ll need to learn how to find and identify PHI within your organization. HIPAA specifies 18 data types that constitute PHI. If any of these attributes can be found within a dataset, that data is subject to HIPAA rules. The data types in question are:
Protegrity helps you preserve customer privacy—without compromising critical processes or data analytics. With role-based access, advanced encryption capabilities, and our patented, Vaultless Tokenization technology, PHI is easily accessible in the right hands, and almost impenetrable in the wrong ones. That means you can protect your customers from the distress that comes with data loss, and protect your business from the reputational and financial damage that comes with a HIPAA breach.