In 2022, HIPAA enforcement collected over $133 million from more than 126 violations. Even a single HIPAA violation can cost you thousands of dollars. That's why you need to understand HIPAA basics for providers and business associates.
What is HIPAA, and who does it apply to? If HIPAA applies to your company, what rules do you need to consider? We are answering all your HIPAA questions next, so keep reading for the answers you've been searching for.
What Is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act, and its purpose is to safeguard patients and their protected health information (PHI).
HIPAA is a federal law passed by Congress in 1996. The US Department of Health and Human Services (HHS) writes the regulations that implement it, and the HHS Office for Civil Rights (OCR) enforces them.
What Is PHI?
Protected health information is individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits. There are four general categories that PHI falls under:
- PHI about a patient's past, present, or future physical or mental health condition
- PHI about the healthcare services a patient received from a provider
- PHI about a patient's payments for health care
- PHI that could be used to identify a patient (e.g., name, birth date, social security number, address)
The Privacy Rule covers PHI in any form: spoken, on paper, or electronic. The Security Rule, adopted later, applies only to electronic PHI (ePHI), such as the records held in an electronic health record system.
Who Does HIPAA Apply To?
Covered entities and their business associates must adhere to HIPAA rules. Below, we will explain what each of these terms means and whether or not they apply to your organization.
Covered entities include healthcare providers of any size or specialty that transmit health information electronically in connection with a standard transaction (for example, submitting claims), healthcare clearinghouses that translate nonstandard health information into a standard format or vice versa, and health plans.
Most health plans are covered entities. The main exception is a small employer-sponsored group health plan: a plan with fewer than 50 participants that is administered solely by the employer that established and maintains it is not a covered entity.
Business associates have had to sign contracts with covered entities since the Privacy Rule, but the HITECH Act of 2009 made them directly liable for HIPAA compliance in their own right.
A business associate is any person or company that creates, receives, maintains, or transmits PHI on behalf of a covered entity, for functions such as:
- Medical claims processing or billing
- Healthcare data analysis
- Utilization review of patient care
A subcontractor that handles PHI on behalf of a business associate is itself a business associate and must follow the same rules. For example, as a telehealth platform, Upvio is required to comply with the main HIPAA rules.
What Are the Main HIPAA Rules?
The two rules most people know are the Privacy Rule and the Security Rule. If you are a covered entity or business associate, you must also follow the Identifiers, Transactions, Enforcement, and Breach Notification rules, which we cover below.
The Privacy Rule
The Privacy Rule sets the standards for how PHI in any form (spoken, paper, or electronic) may be used and disclosed. This rule includes requirements around the following:
- The patient's right to access their own health information, request corrections to it, and receive an accounting of certain disclosures
- When a covered entity may use or disclose PHI without authorization (for treatment, payment, and healthcare operations, among other purposes)
- The "minimum necessary" standard: uses and disclosures must be limited to the minimum PHI needed for the purpose
- The limited grounds on which a provider may deny a patient access to part of a record (psychotherapy notes, for example)
This HIPAA rule also requires covered entities to put in place written policies, workforce training, and a privacy official to ensure the safety of PHI.
The Security Rule
The Security Rule complements the Privacy Rule. Where the Privacy Rule governs what may be done with PHI in any form, the Security Rule sets standards for how the confidentiality, integrity, and availability of electronic PHI (ePHI) must be protected as it is created, stored, transmitted, and accessed.
Covered entities and their business associates must put in place Administrative, Technical, and Physical safeguards to protect ePHI.
Administrative safeguards include designating a security official, performing a risk analysis, training the workforce, and maintaining contingency plans. Technical safeguards cover access control (unique user IDs and role-based permissions), audit controls that record who accessed ePHI, integrity controls that detect unauthorized alteration, person or entity authentication, and transmission security such as encryption of ePHI in transit. Physical safeguards protect the facilities, workstations, and devices that store or display ePHI.
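To make the Technical safeguards concrete, here is an added Python example that is not part of the original article and not Upvio's code. It shows four of them working together on a record store: role-based access control with unique user IDs, an HMAC-SHA256 integrity tag that rejects altered records, an audit entry for every access attempt, and minimum-necessary filtering so each role sees only the fields it needs. The roles, field names, patient records, and integrity key are all constructed for the example; encryption at rest and in transit (also technical safeguards) is not shown and would use a vetted library such as `cryptography` in a real system.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumed integrity key for this example only. A real deployment would hold
# it in a KMS or HSM, never in source code.
INTEGRITY_KEY = b"example-integrity-key-not-for-production"

# Minimum-necessary field lists per role. Roles and field names are
# assumptions for the example, not Upvio's or HHS's.
ROLE_FIELDS = {
    "clinician": {"patient_id", "name", "diagnosis", "medications"},
    "billing": {"patient_id", "name", "insurance_id"},
}

# Constructed sample ePHI records (fictional patients).
SAMPLE_RECORDS = [
    {"patient_id": "P001", "name": "A. Example", "diagnosis": "J45.20",
     "medications": ["albuterol"], "insurance_id": "INS-1001"},
    {"patient_id": "P002", "name": "B. Example", "diagnosis": "E11.9",
     "medications": ["metformin"], "insurance_id": "INS-1002"},
]

AUDIT_LOG: list[dict] = []


class AccessDenied(Exception):
    pass


class IntegrityError(Exception):
    pass


def _canonical(record: dict) -> bytes:
    # Stable serialisation so the tag does not depend on key order.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict) -> dict:
    """Integrity control: attach an HMAC-SHA256 tag over the record."""
    tag = hmac.new(INTEGRITY_KEY, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": dict(record), "tag": tag}


def verify(sealed: dict) -> dict:
    """Reject any record whose content no longer matches its tag."""
    expected = hmac.new(INTEGRITY_KEY, _canonical(sealed["record"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        raise IntegrityError("record tag mismatch: possible tampering")
    return sealed["record"]


def build_store() -> dict:
    """Seal the sample records into a store keyed by patient_id."""
    return {r["patient_id"]: seal(r) for r in SAMPLE_RECORDS}


def _audit(user_id: str, role: str, record_id: str, outcome: str) -> None:
    # Audit control: every access attempt is recorded against a unique user ID.
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user_id": user_id, "role": role,
        "record_id": record_id, "outcome": outcome,
    })


def access_record(store: dict, user_id: str, role: str, record_id: str) -> dict:
    """Access control, integrity check, audit entry, then minimum-necessary filtering."""
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        _audit(user_id, role, record_id, "denied")
        raise AccessDenied(f"role {role!r} may not read ePHI")
    sealed = store.get(record_id)
    if sealed is None:
        _audit(user_id, role, record_id, "not_found")
        raise KeyError(record_id)
    try:
        record = verify(sealed)
    except IntegrityError:
        _audit(user_id, role, record_id, "integrity_failure")
        raise
    _audit(user_id, role, record_id, "ok")
    return {k: v for k, v in record.items() if k in allowed}


if __name__ == "__main__":
    store = build_store()
    print(access_record(store, "u-clin-1", "clinician", "P001"))
    print(access_record(store, "u-bill-1", "billing", "P001"))
    print(AUDIT_LOG)
```

Note that a denied request and a failed integrity check are logged before the exception is raised, so the audit trail records attempts, not just successes; that is what an auditor will ask for when reviewing Security Rule audit controls.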
The Identifiers Rule
The Identifiers Rule mandates the use of standard identification numbers in HIPAA transactions:
- Healthcare providers: the National Provider Identifier (NPI)
- Employers: the Employer Identification Number (EIN), used as the standard unique employer identifier
- Health plans: a Health Plan Identifier (HPID) was adopted in 2012 but was never widely used and HHS rescinded it in 2019
If you are a covered entity or business associate, you must use these ID numbers on the administrative and financial transactions covered by HIPAA.
The Transaction Rule
The Transactions and Code Sets Rule applies to electronic billing and coding. The most important thing to understand about this rule is which standard code sets you must use to be HIPAA compliant.
These code sets include ICD-10 (ICD-9 was retired in the US in 2015), CPT, HCPCS, and NDC.
The Enforcement Rule
The Enforcement Rule sets out how HHS investigates complaints and compliance reviews, how civil money penalties are calculated, and the hearing procedures available to covered entities and business associates that fail to comply with HIPAA.
This rule also sets the groundwork for HIPAA fines, which are tiered by level of culpability, from violations the organization could not reasonably have known about up to willful neglect that is not corrected. The HITECH Act raised the penalty amounts, and HHS adjusts them for inflation.
The Breach Notification Rule
The Breach Notification Rule was added by the HITECH Act and sits alongside the Enforcement Rule rather than inside it. It explains whom to notify when unsecured PHI is breached: affected individuals must be notified without unreasonable delay and no later than 60 days after discovery; breaches affecting 500 or more individuals must also be reported to HHS within 60 days and to prominent media outlets; smaller breaches are logged and reported to HHS annually. A business associate that discovers a breach must notify the covered entity.
When Can You Disclose PHI?
PHI refers to any individually identifiable health information that is held or transmitted by a covered entity or business associate. The HIPAA Privacy Rule is designed to protect patient privacy while allowing necessary information to flow between healthcare providers and other entities.
The HIPAA Privacy Rule names 12 instances in which a covered entity or business associate may disclose PHI without the patient's permission. They include but are not limited to the following:
- If a law enforcement agency needs the record: PHI can be disclosed to law enforcement when required by law, for example under a court order or to report a crime on the premises.
- If the patient is or was a victim of abuse, neglect, or domestic violence, PHI may be disclosed to the authorities authorized to receive such reports.
- If disclosing the record is necessary to prevent or lessen a serious and imminent threat to the patient's or another person's health or safety, PHI may be disclosed to someone able to avert that threat.
As mentioned, you can also disclose PHI when and if a patient asks for a copy of their own health record, because patients have the right to access and obtain a copy of their health records. Covered entities are obliged to disclose the requested PHI to the patient.
By understanding the HIPAA Privacy Rule and the circumstances under which PHI can be disclosed, healthcare organizations can improve the quality and effectiveness of their services while protecting patient privacy. Implementing technology tools and training staff on HIPAA compliance will help medical practices to manage PHI disclosure securely and efficiently.
HIPAA Training for Healthcare Providers
HIPAA training is a critical component of compliance for healthcare providers. The purpose of HIPAA training is to ensure that all workforce members who handle protected health information (PHI) or electronic protected health information (ePHI) understand their obligations under the HIPAA Privacy and Security Rules.
HIPAA training should be provided to all employees, volunteers, contractors, and other workforce members who have access to PHI or ePHI. This includes medical staff, administrative personnel, IT professionals, and anyone else who comes into contact with patient information.
HIPAA training should cover the following topics:
- HIPAA privacy and security regulations: Employees should be familiar with the HIPAA Privacy and Security Rules, which outline the requirements for the protection of PHI and ePHI.
- PHI and ePHI: Employees should understand the difference between PHI and ePHI and the types of information that are considered sensitive under HIPAA.
- Patient rights under HIPAA: Employees should be aware of the patient's right to access their medical records, request amendments to their records, and file complaints about the use of their PHI.
- Breach notification requirements: Employees should be aware of the breach notification requirements under HIPAA, including the requirement to notify patients and the HHS in the event of a breach.
- Risk assessments and contingency planning: Employees should understand the importance of conducting risk assessments and maintaining contingency plans that keep PHI and ePHI protected and available during an emergency, system failure, or breach.
- Business associate agreements: Employees should understand the importance of business associate agreements and how they apply to PHI and ePHI.
- Security best practices: Employees should be familiar with security best practices, including password protection, data encryption, and the use of secure communication channels.
HIPAA training should be provided to new employees and volunteers as part of their orientation and refreshed periodically for existing workforce members; annual training is the common practice. Additional training is required when HIPAA regulations or your own policies change.
Healthcare providers should keep records of workforce training to demonstrate compliance with HIPAA regulations. This includes documenting the content of the training, the date of the training, and the names of the employees who received the training.
By providing HIPAA training to all workforce members who handle PHI or ePHI, healthcare providers can ensure that their employees understand their obligations under HIPAA and the importance of protecting patient privacy and confidentiality. This can help prevent HIPAA violations and ensure compliance with the law.
Looking for a Telehealth Partner That Knows the HIPAA Basics?
We hope these HIPAA basics have helped you reach a better understanding of this federal law. Adhering to HIPAA is critical. After all, a single breach can cost your organization thousands of dollars in fines, and knowingly misusing PHI can carry criminal penalties.
That's why it's crucial to partner with a HIPAA-compliant telehealth platform like Upvio, which can help you with everything from appointment scheduling to setting up your telemedicine business.
Whether you're an established medical center looking to expand your telehealth offerings or a small practice just starting out, Upvio has the tools and support you need to succeed. With our fully HIPAA-compliant products, you can be confident that your patients' sensitive information is always secure.