What Information Does HIPAA Protect?
According to official sources, HIPAA protects all "individually identifiable health information," referred to as protected health information (PHI), that a covered entity or one of its business associates creates, receives, maintains, or transmits in any form or medium, whether paper, oral, or electronic. The electronic subset is called ePHI.
Such information includes demographic data and medical records relating to an individual's past, present, or future physical or mental health condition, the provision of health care to the individual, or payment for that care, where the information identifies the individual or could reasonably be used to identify them.
Each covered entity must present patients and prospective customers with an explicit Notice of Privacy Practices describing how their information is used, disclosed, and protected, whether that information is gathered in person, via a HIPAA-compliant website, a HIPAA-compliant forms plugin, or another submission process.
Failure to do so can create compliance problems later, for example when that information is transferred to another healthcare provider. Where a disclosure requires the patient's or customer's written authorization, an electronic signature captured online can satisfy that requirement.
When Authorization Is Required
PHI, including ePHI, may be used or disclosed without the individual's authorization for treatment (including consultation between providers), payment, and healthcare operations, and in the other specific situations the Privacy Rule permits.
However, authorization is required when PHI is to be used for marketing purposes or sold, and for most uses and disclosures of psychotherapy notes. Note the direction of the court-related exception: a covered entity may use psychotherapy notes without authorization to defend itself in a legal action brought by the individual, such as where a patient has filed a lawsuit against the practitioner.
Five Rules of HIPAA
There are five rules covering most of the important aspects of HIPAA one needs to be aware of (this list is not exhaustive).
- According to HIPAA's Privacy Rule, patients have the right to access and obtain copies of their PHI, to request amendments to it, to request restrictions on its use, and to receive an accounting of certain disclosures; PHI may be shared with external parties only under the rule's conditions. The "P" in HIPAA stands for "Portability," and the right of access means a patient can obtain their medical information and take it to another provider. Note that HIPAA grants no general right to have records deleted; patients may request amendments, and covered entities remain subject to record-retention requirements.
- The HIPAA Security Rule complements the Privacy Rule and governs the confidentiality, integrity, and availability of ePHI specifically, through three categories of safeguards (administrative, physical, and technical), each broken into security standards with required and addressable implementation specifications. Technical safeguards cover access control, audit controls, integrity, authentication, and transmission security for platforms, websites, and servers (whether on-premises or in the cloud). Administrative safeguards include risk analysis, policies, and training staff to recognise social engineering attacks (e.g., phishing). Physical safeguards require covered entities to secure workstations, mobile devices, media, and server rooms.
- The HIPAA Breach Notification Rule sets the steps a covered entity must follow after a breach of unsecured PHI: notifying affected individuals without unreasonable delay, notifying the Secretary of HHS, and, for larger breaches, notifying the media, along with documenting the incident. Breach scenarios include data loss through stolen storage devices, hacking of electronic health records, a breach at a business associate, loss of information kept in HIPAA cloud storage, a physical break-in at offices where PHI is stored, or accidental exposure of PHI to the wrong patient.
- The HIPAA Enforcement Rule sets out how compliance is investigated and enforced: compliance reviews and complaint investigations, the civil money penalties that can be imposed for violations, and the procedures for hearings.
- The Omnibus Rule extends direct liability under HIPAA to business associates of covered entities, which must be bound by a business associate agreement (BAA), and strengthens the Privacy, Security, and Breach Notification Rules.