3 Common Myths About HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a set of specific rules that control how healthcare providers and insurers handle private patient data. Most people are aware that medical records are private, but many are unaware of exactly why or how. For example, some people mistakenly think that HIPAA exists to prevent insurance companies from seeing patient records. That's not quite right — HIPAA rules protect individual privacy and apply to several different kinds of organizations. Let's look at the top three myths about HIPAA.

What is HIPAA?

HIPAA boils down to three main concepts: (1) Everyone has a right to privacy when it comes to their medical records, (2) No one can be denied coverage based on pre-existing conditions, and (3) All protected health information (PHI) must remain private. Beyond these basics, HIPAA enforces compliance regulations around: using and disclosing patient data; securing paper and electronic documents (e.g., shredding sensitive paperwork); protecting patients' medical info when they leave or change jobs; and more. In the case of a HIPAA violation, organizations could face costly fines, so it is important to educate your workforce about how to remain in compliance with HIPAA.

Myth #1: HIPAA Only Applies to Healthcare Providers

When patients think about the privacy of their medical records or PHI, they primarily think about the healthcare providers who access this information. An organization of this type is called a covered entity: one that collects, generates, or transmits PHI. Covered entities include any person or organization that provides healthcare to patients, such as a medical clinic, a hospital outpatient department, or an urgent care provider.

However, HIPAA also applies to business associates that provide services for a healthcare organization. A business associate is any organization that comes into possession of PHI in the course of work it has been contracted to perform on behalf of a covered entity. Examples of business associates include medical billing companies, software developers, and website hosting companies. To ensure compliance, the two parties should also have a Business Associate Agreement (BAA) in place: a contract that details the responsibilities of each party in the relationship, including how PHI is protected.

Myth #2: HIPAA Only Applies to Medical Data

According to HIPAA regulations, Protected Health Information (PHI) is any individually identifiable health information related to the past, present, or future physical or mental condition of an individual. PHI goes beyond a patient's typical medical data, however: it also includes demographic details that link directly to such health information. This means that any such data collected by a doctor, hospital, clinic, pharmacist, or health plan falls under the protection of HIPAA.

There are a number of PHI identifiers, including names and physical/email addresses; all elements of dates related to an individual's birth, admission to a healthcare facility, or death; telephone/fax numbers; Social Security Numbers (SSNs); medical record or health plan beneficiary numbers; account or certificate/license numbers; device identifiers and serial numbers; URLs or IP addresses; and biometric identifiers (including finger and voice prints).

Myth #3: HIPAA Doesn’t Cover Electronic Data

Some patients may think that HIPAA only applies to their paper medical files or written communication. However, HIPAA compliance also covers ePHI (Electronic Protected Health Information), which is PHI that has been created, received, maintained, or transmitted electronically. The HIPAA Security Rule, which was added in 2003, requires covered entities to maintain reasonable safeguards to ensure the confidentiality, integrity, and availability of all ePHI.

The Security Rule keeps ePHI confidential by setting national standards for when data must be encrypted, when it may be decrypted to allow authorized access, and which devices may read or write data in an ePHI system. Because ePHI can be used to commit identity fraud, covered entities must protect this information from misuse by their employees, subcontractors, and business associates, and secure it against theft as it moves in and out of their facility.

Incorporating HIPAA Training at Your Workplace

All covered entity and business associate employees can benefit from a better understanding of how to remain in compliance with HIPAA. With EasyLlama's customizable, 100% online HIPAA training courses, your workforce can stop and restart training on any smart device — easily fitting it into the busy schedule of a healthcare employee. Access your free HIPAA course preview to learn more today!
