HIPAA establishes rules for the privacy and security of protected health information (PHI) and for notifying individuals when that information is breached. While its aims are relatively straightforward, which entities are covered under the law, and to what extent, is a point of considerable confusion.
The Department of Health and Human Services (HHS) released a guide to HIPAA basics. Here are four things to know from the guide.
HIPAA privacy rule
What is PHI?
Individually identifiable health information, including demographic data, that relates to:
• An individual's past, present or future physical or mental health or condition
• Provision of healthcare to the individual
• Past, present or future payment for the provision of healthcare to the individual
and that identifies the individual, or could reasonably be used to do so. Common identifiers such as name, address, date of birth and Social Security Number make health information individually identifiable.
HIPAA security rule
The security rule sets out the administrative, physical and technical safeguards that covered entities and their business associates are required to implement to protect the confidentiality, integrity and availability of electronic PHI (ePHI).
HIPAA breach notification rule
Breaches involving fewer than 500 individuals:
• Must be reported to the affected individuals without unreasonable delay and no later than 60 days after discovery of the breach
• Must be recorded in a log of all such breaches and submitted to HHS once a year, no later than 60 days after the end of the calendar year in which the breaches were discovered
• Do not have to be reported to the media
Breaches involving 500 or more individuals:
• Must be reported to the affected individuals without unreasonable delay and no later than 60 days after discovery of the breach
• Must be reported to HHS at the same time as the individuals are notified, no later than 60 days from discovery
• Must be reported to prominent media outlets serving the affected state or jurisdiction no later than 60 days from discovery
Covered entities
HIPAA applies to:
• Covered healthcare providers, including chiropractors, clinics, dentists, physicians, nursing homes, pharmacies and psychologists
• Health plans, including company health plans, government programs, health insurance companies and HMOs
• Healthcare clearinghouses, including billing services, community health management information systems, re-pricing companies and value-added networks
• Business associates, meaning persons or organizations that handle PHI on behalf of a covered entity to provide services such as accreditation, billing, claims processing, consulting, data analysis, financial services, legal services, management administration and utilization review