What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that protects the privacy and security of individuals’ medical information.
Enacted in 1996, HIPAA applies to entities that handle protected health information, known as covered entities. This includes healthcare providers, health plans, and their business associates.
HIPAA compliance involves adhering to a series of regulatory standards that outline what constitutes the lawful use and disclosure of protected health information (PHI). PHI is any demographic information that can be used to directly or indirectly identify a patient or client of a HIPAA-regulated entity. This information includes names, addresses, phone numbers, social security numbers, medical records, billing information, and more.
Key HIPAA rules
HIPAA Privacy Rule: This rule establishes standards for protecting PHI and gives individuals rights over their health information, such as the right to access, request amendments, and control the disclosure of PHI.
HIPAA Security Rule: This rule defines the requirements for safeguarding PHI in digital settings. It mandates that HIPAA-bound entities implement measures to protect PHI from unauthorized access, alteration, and destruction. These measures include encryption, access controls, audit logs, and more.
HIPAA Breach Notification Rule: This rule requires HIPAA-bound entities to promptly notify individuals and US government agencies in the case of a breach of unsecured health data.
HIPAA aims to protect the privacy and security of individuals’ health information, enabling a quality standard of healthcare and efficient healthcare operations. HIPAA requires that covered entities conduct annual audits of their organization to assess any gaps and document all efforts to become compliant.
Non-compliance with HIPAA can result in significant penalties and reputational damage, especially since affected individuals may have the right to take legal action against the responsible party.