If your company collects, stores, or exchanges health data, it is crucial that you understand the Health Insurance Portability and Accountability Act (HIPAA). HIPAA can be an intimidating topic but is fundamental to safely handling health data. Over this blog series, we will break down and demystify important HIPAA terms that will equip you to better understand important data privacy concepts vital to successfully deploying your health technology.
Was HIPAA put in place to protect electronic data?
HIPAA was originally written and enacted in the mid-1990s. Even then—when the internet was in its infancy and before smartphones and broadband paved the way for the more diverse and sophisticated health tech landscape that exists today—it was clear that national standards were needed to protect and secure individuals’ personal health information, regardless of whether it was in paper or electronic format. However, HIPAA does not cover every piece of information that organizations collect, store, or exchange. HIPAA only applies to what is called Protected Health Information (PHI), which we will explain further in our next blog.
What does “national standard” really mean? HIPAA is a federal law that sets a minimum standard for all 50 states. Some states also have complementary laws which create additional obligations and responsibilities for certain businesses and providers. Elevation can help you navigate the rules that apply specifically to your health tech platform.
So, who does HIPAA apply to?
HIPAA applies to three comprehensive categories of businesses and organizations, as follows:
- First, “Covered Entities” (CEs)—this category includes a broad range of direct health care providers (e.g., health care professionals, hospitals, clinics, etc.), as well as health insurance companies and health information clearinghouses.
- Second, “Business Associates” (BAs)—this category includes most tech vendors that create, receive, maintain, or transmit personal health information on behalf of CEs, or from other vendors (e.g., claims processing or administration, data analysis, quality assurance, billing, benefit management, practice management, etc.).
- BAs are required to enter into what is called a “Business Associate Agreement” with the CEs/BAs they are sharing personal health information with. The Agreement is a contract that defines how PHI will be used and protected by the BA, as well as the consequences for any breaches or violations.
- Finally, HIPAA also applies to companies that did not sign a BA agreement but otherwise meet the BA definition because they collect PHI from health care professionals, hospitals, health insurance companies, vendors, or other similar BAs/CEs.
In the coming blogs, we will break down what PHI includes, unlock the fundamental parts of HIPAA, and present important HIPAA compliance tips. Reach out to us if you or your organization need further HIPAA training or compliance help.