The Health Insurance Portability and Accountability Act (HIPAA)’s Privacy Rule focuses on the rights of an individual to control the use of his or her protected health information (PHI).
The Health Insurance Portability and Accountability Act (HIPAA)’s Privacy Rule focuses on the rights of an individual to control the use of his or her protected health information (PHI). According to Section 1171 of Part C of Subtitle F of Public Law 104-191 (August 21, 1996): Health Insurance Portability and Accountability Act of 1996: Administrative Simplification, PHI “is (A) created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.”
Under the stipulations of the Privacy Rule, a wide range of organizations such as, but not limited to, insurance providers, clearinghouses, and health care facilities must take steps to safeguard PHI that is being entrusted to them. This includes PHI that is shared electronically, orally, and or copied onto paper. With regards to electronic protected health information, or ePHI, companies must safeguard a total of 18 different types of personally identifiable information.
Companies that store ePHI on their own internal infrastructure must protect their servers against any anticipated threats, hazards or unauthorized disclosures. However, many struggle to do to this, and choose to use a managed hosting provider that is HIPAA Compliant. These companies typically undergo annual audits that look from everything from server security, firewalls, data center access and etc. Those that use hosting providers to store, use and/or disclosure PHI must draw up Business Associate Agreements (BAAs) to protect their confidential patient health information and prevent HIPAA violations. Under HIPAA’s standards for penalties, companies that neglect their BAA requirements may receive significant fines for data breaches.
While the process of complying with the HIPAA Privacy Rule requirements may seem like a chore, companies must not take any chances. Whether they choose to use hosting providers or instruct their in-house IT teams to secure their internal servers, they must ensure the confidentiality of PHI. If they fail to do so, the damage done may be irreversible.