A Complete Guide To HIPAA Law: How It Keeps Your Privacy Protected

September 13th, 2017

HIPAA law was made to protect your health data. But increasing data breaches often raise questions. Learn what HIPAA regulations mean to your privacy.

HIPAA stands for the Health Insurance Portability and Accountability Act. Back in 1996, the ever-charming President Bill Clinton signed it into law. The law aims to protect patients’ right to privacy through secure electronic transmission and storage of health data.

It would not be an exaggeration to say the HIPAA regulations arrived at the right time: this was the same period in which patient information began its move from paper to computers.

Before we dig deeper into the current status of HIPAA law, it is important to first understand what it means. After reading this article, you will have insight into HIPAA law, its related rules, and what you can do to keep your data safe.

A Quick Overview of HIPAA Law: Learn the Basics

HIPAA law represents a set of standards for various electronic health information transactions which include:

  • Claims
  • Enrollment
  • Eligibility
  • Payment
  • Coordination of benefits

In addition, it makes provisions for the security of electronic health information systems. Under HIPAA, all providers and health plans have to implement these standards in the transactions the law covers.

Know the Purpose of HIPAA Law

Initially, the single major purpose of HIPAA law was to help consumers keep their insurance coverage. Over time, its role expanded and so did its purpose. In its more mature form, the purpose covers the following:

  • Standardization of electronic transmission of billing and payments.
  • Provision for a unique health identifier for individuals, employers, health plans, and providers.
  • Implementation, monitoring, and assessment of security standards that keep individually identifiable health information (IIHI) confidential and preserve its integrity. HIPAA law defines IIHI as the part of health information, obtained from either an individual or a provider, that can be used to identify the individual and his/her personal health condition and payment status.

What Entities Does HIPAA Law Cover?

Essentially, any organization or activity that involves the flow of electronic health information comes under the supervision of HIPAA regulations. Specifically, the following entities are covered:

Know the Entities that HIPAA Law Does Not Cover

Well, this is complicated, so you should have a clear understanding of how other federal privacy laws apply. If you find it hard to make sense of the jargon, you may consult an expert.

For example, a major portion of school health records lies outside the reach of HIPAA regulation. Instead, they are covered by a similar law, the Family Educational Rights and Privacy Act (FERPA).

Likewise, many other areas that electronically transmit health information still lie outside HIPAA law. These range from nutritional counselors and alternative medicine practitioners to vendors of non-prescription health foods. Most notably, be wary of medical and health apps from entities that HIPAA does not cover.

What are the Privacy Rule and Security Rule in HIPAA Law?

The Privacy Rule and the Security Rule are the rules issued to implement HIPAA law. Each has its own set of standards, and both were issued by the U.S. Department of Health and Human Services (HHS) in the 2000s. Are these rules the same? Definitely not. We will find out why.

Privacy Rule and Security Rule: Know the Differences

You can differentiate between these two rules by knowing what each rule actually aims to protect.

Privacy Rule

  • Protects an individual’s “protected health information” (PHI) by regulating its use and disclosure. Note that PHI includes all IIHI. All organizations that come under the scope of the Privacy Rule are called “covered entities”: health plans, health care clearinghouses, and health care providers.
  • Applies to PHI regardless of the form it is in, meaning the Privacy Rule covers written, electronic, and oral PHI.
  • Does not protect IIHI maintained by an organization that is not on the “covered entities” list.
  • Does not apply to information that has been de-identified. De-identified information neither identifies an individual nor provides a reasonable basis for identifying whose information it is.

What Conditions Might Cause Disclosure of Your PHI Without Your Authorization?

In rare cases, your PHI can be disclosed even without your authorization. These include disclosures to:

  • Business associates.
  • State and federal agencies as a part of some public health programs or research.
  • Researchers.
  • Law enforcement officials.
  • Courts: to coordinate with a judicial procedure after the court has issued an order for the PHI.

Security rule

  • Sets the standards for how a patient’s “electronic protected health information” (e-PHI) must be protected. It does not apply to paper or oral forms of PHI.

Key Takeaway

  • The Privacy Rule protects all IIHI no matter what form it is in, while the Security Rule covers only electronic health information in transmission or storage. Thus, you may consider the latter a subset of the former.

Has HIPAA Law Been Successful in Curbing Health Data Breaches?

Yes, but partly.

After reading about all these laws and regulations, let’s look at the real-life picture. No doubt, HIPAA law has been instrumental in cutting down data breach incidents in the health care industry. Yet some loopholes and discrepancies persist, and for that reason a massive data breach hits the headlines every other day. Let’s look at what happened to health data security this year.

As of July 3, a total of 149 breaches have made their way to the so-called “wall of shame”, reports the Department of Health and Human Services. These breaches have disclosed health information of 2.7 million individuals.

The “wall of shame” is a website that lists breaches affecting 500 or more individuals.

Top Health Data Breaches in 2017, So Far

Entity                         Individuals Affected   Breach Type
Commonwealth Health            697,800                Theft
Airway Oxygen                  500,000                Hacker
Urology Austin                 279,663                Hacker
Harrisburg Gastroenterology    93,323                 Hacker
VisionQuest Eyecare            85,995                 Hacker

Source: U.S. Department of Health and Human Services

Why You Need to Work to Protect Personal Health Information

Whenever a health data breach comes to light, experts opine that “The Value of Healthcare Data is More Than Credit Card Information”. This is very true.

According to the Infosec Institute, a single piece of health information sells for up to $363 on the black market. That is very high compared to credit card information, which sells for just $2.

Even worse, criminals can use health information for a longer duration than credit card information. In essence, the breached data acts as a long-term asset with a very high return on investment.

So, what are you doing to stay safe?

In the next section, we will explain the ways to ensure the safety of patient health information.

Top 4 Ways To Ensure Health Data Safety

  1. Breach reporting. This is the procedure by which an individual or organization reports a breach incident to the relevant authority. Detection and subsequent breach reporting form the foundation for remedial action. Regrettably, the pace at which organizations respond to healthcare breaches is nothing short of a shame. According to a 2016 Protenus report, it takes at least 233 days for organizations to detect a health data breach in their systems. The duration extends further if an insider is involved: in such cases, it may take as long as 607 days to get a hint of malicious activity.
  2. Risk analysis. Risk assessment is a preventive action rather than a remedial one: an organization should be ready to confront a breach long before it happens. Exploring the vulnerabilities and weak links in the system is a good way to avoid losing valuable data to hackers. Moreover, the results of a risk analysis help to select, implement, and continuously monitor security measures, so an organization can substantially reduce its risk. The next step is to anticipate an attack, much like a fire drill.
  3. Transport encryption. Encryption converts health information into a form that only an authorized party can decode. It provides a secure pathway for data transmission between source and destination. This matters because, in many breaches, attackers intercept information in transit (a man-in-the-middle attack); with transport encryption, the intercepted data is unusable to them.
  4. Authentication. In simple terms, authentication is how you prove who you are before being granted access to data. You assert your identity, and gain the authority to access the data, using a password, code, fingerprint, or other means. For example, your fingerprint can authenticate you to the personal information on your smartphone.

How does HIPAA law apply to your electronic communications?

Find out from LuxSci’s HIPAA-compliance eBook series, which covers email, email marketing, web sites, and web forms:

Read the eBooks