What is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act of 1996. HIPAA mandates the adoption of U.S. Federal privacy protections for individually identifiable health information. It sets national standards in the United States to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. These standards cover electronic health care transactions and code sets, unique health identifiers, and security.
- Privacy Rule - sets national standards for the protection of individually identifiable health information by three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct the standard health care transactions electronically.
- Security Rule - sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information.
- Enforcement Rule - provides standards for the enforcement of all the Administrative Simplification Rules.
- Omnibus Rule - implements a number of provisions of the HITECH Act to strengthen the privacy and security protections for health information established under HIPAA, finalizing the Breach Notification Rule.
The guidance on this page is based on the HIPAA Guidance Materials at U.S. Department of Health & Human Services website
Who Does HIPAA Apply To?
Entities such as health plans, health care clearinghouses, and certain health care providers must comply with HIPAA. The HITECH Act of 2009 expanded the responsibilities of business associates under the HIPAA Security Rule.
What Data Does HIPAA Apply To?
Electronic Protected Health Information (ePHI) is “individually identifiable” “protected health information” that is sent or stored electronically. “Individually identifiable” refers to information that can uniquely identify a specific individual. Thus, ePHI is any such identifier, combined with any of the “protected health information”.
Protected health information refers specifically to these 3 classes of data:
- An individual’s past, present, or future physical or mental health or condition
- The past, present, or future provisioning of health care to an individual
- The past, present, or future payment-related information for the provisioning of health care to an individual
HIPAA defines 18 types of identifiers for an individual:
- Address (all geographic subdivisions smaller than state, including street address, city, county, zip code)
- All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death and exact age if over 89)
- Telephone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Any vehicle or other device serial number
- Device identifiers or serial numbers
- Web URL
- Internet Protocol (IP) address numbers
- Finger or voice prints
- Photographic images
- Any other characteristic that could uniquely identify the individual
When Was HIPAA Enacted?
Effective Date: HIPAA regulations are effective as of April 21, 2003.
- Compliance with the Privacy Rule was required as of April 14, 2003 (April 14, 2004, for small health plans).
- Compliance with the Security Rule was required as of April 20, 2005 (April 20, 2006 for small health plans).
- Compliance with the Final Rule was required as of April 21, 2005 (April 21, 2006 for small health plans).
Where Does HIPAA Have Jurisdiction?
Covered entities operating in the United States, and which handle ePHI, must comply with HIPAA.
How Must Data Be Protected?
HIPAA Security Rule outlines administrative, physical and technical safeguards that must be implemented to safeguard ePHI.
Specifically, covered entities must:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
- Security Management Process - A covered entity must identify and analyze potential risks to e-PHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
- Security Personnel - A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.
- Information Access Management - Consistent with the Privacy Rule standard limiting uses and disclosures of PHI to the "minimum necessary," the Security Rule requires a covered entity to implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user or recipient's role (role-based access).
- Workforce Training and Management - A covered entity must provide for appropriate authorization and supervision of workforce members who work with e-PHI. A covered entity must train all workforce members regarding its security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.
- Evaluation - A covered entity must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule.
- Facility Access and Control. A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.
- Workstation and Device Security. A covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media. A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information (e-PHI).
- Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
- Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
- Integrity Controls. A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
- Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.
How Long Can Data Be Retained Under HIPAA?
HIPAA has no retention requirements for ePHI. However, there may be state-level laws regarding the retention of medical records. Additionally:
Per CFR §164.316(b)(2)(i), Security Standards for the Protection of Electronic Protected Health Information: Covered entities must maintain a record of the policies and procedures implemented to comply with the standards, implementation specifications, or other requirements for 6 years from the date of its creation or the date when it last was in effect, whichever is later.
- HIPAA website at U.S. Department of Health & Human Services
- Summary of the HIPAA Security Rule at U.S. Department of Health & Human Services website
- Summary of the HIPAA Privacy Rule at U.S. Department of Health & Human Services website
- HIPAA Guidance Materials at U.S. Department of Health & Human Services website