

Understanding HIPAA

The Health Insurance Portability and Accountability Act, otherwise known as HIPAA, was passed by the US Congress in 1996. The US Department of Health and Human Services (HHS) issues and enforces the regulations that implement it, most notably the Privacy Rule and the Security Rule, which together set a national standard for protecting an individual’s protected health information (PHI). These rules ensure that a person’s health data is kept private and is not used or disclosed without proper authorization, except in the specific circumstances the rules permit.

HIPAA requires multiple safeguards to be implemented in order to protect the privacy rights of individuals. The Security Rule groups these into three categories: administrative safeguards (organization-wide policies, procedures, and workforce management), physical safeguards (controls on facilities, workstations, and devices), and technical safeguards (controls on the systems that store and transmit PHI).

Although HIPAA protects health information that could potentially be used to identify an individual, it places no restrictions on health information that has been properly de-identified. This means that health data that cannot be traced back to a single individual can be used and transmitted without that individual’s authorization. For example, researchers may use the de-identified health information of many people to conduct a study, and because the information cannot be linked back to them, the research may not need to obtain authorization from the individuals whose information is being used. Note that de-identification has a specific meaning under the Privacy Rule: the data must either have a defined set of identifiers removed (the “safe harbor” method) or be determined by a qualified expert to carry a very small risk of re-identification. Simply removing a name is not enough.

What is PHI?

PHI, otherwise known as protected health information, is any health-related information about an individual that could be used to identify that individual. This includes not only the individual’s demographic information, but also information about their past, present, or future physical or mental health condition, the health care provided to them, and the past, present, or future payment for that health care. The combination of any one person’s identifiers, such as their name, Social Security Number, or address, with any of that individual’s health information is what creates PHI.

Protected health information can be stored in a wide variety of formats. A hospital bill, a medical record, or health insurance information could all be PHI. Until recent years, PHI was mostly held on paper, but the rise of digital technologies brought with it the emergence of ePHI (electronic protected health information).

Introducing ePHI

Advances in healthcare mean that care providers now routinely use electronic systems to store individuals’ health records, which gave rise to the term “ePHI”, or electronic protected health information. As the name suggests, ePHI covers any identifying health-related information of an individual that is created, received, stored, or transmitted in electronic form. Handling ePHI comes with its own challenges, as organizations must ensure that their technology infrastructure is properly equipped to store and transport it securely. Furthermore, the ever-growing threat of cyber-attacks means that healthcare providers must employ strong cybersecurity practices for their systems. Some of these practices, several of which the Security Rule explicitly requires, include:

  • Risk analysis and risk management
  • Security awareness training
  • Incident response planning
  • System monitoring

Who Does HIPAA Apply to?

HHS calls organizations that must follow HIPAA regulations “covered entities”. Covered entities include health plans (such as health insurance companies), healthcare providers that transmit health information electronically in connection with standard transactions, and healthcare clearinghouses. Furthermore, contractors, subcontractors, and other external organizations that handle PHI on behalf of a covered entity, known as “business associates”, must also follow HIPAA requirements and must sign a business associate agreement with the covered entity. For example, this could include billing or information technology companies that do business with a covered entity.

It is a common misconception that HIPAA applies to anyone handling any amount of individual health information; in fact there are many types of organizations to which HIPAA does not apply. For example, health information shared with an employer as part of your employment records is not protected under HIPAA. Other organizations that generally do not have to follow HIPAA include most schools, many state agencies such as child protective services, most law enforcement agencies, and more.

Meeting HIPAA with Egis

Egis IT Security serves organizations within the Indianapolis metropolitan area and across the United States to help them meet HIPAA requirements. Understanding your organization’s relationship to PHI, including whether it is a covered entity or a business associate, is the first key step in understanding what your organization must implement in order to meet HIPAA standards. Drawing on our extensive expertise and years of experience, Egis can offer tailored solutions to help your business align with HIPAA requirements. Egis can provide a variety of business and security services to help you reach your compliance goals. These include:

  • Improving your current IT policies and procedures
  • Meeting with your auditors
  • Performing vulnerability assessments
  • Continuously monitoring your websites, networks, and servers
  • Recommending, selling, and deploying a variety of products as needed
  • Performing security awareness training
  • Providing consultations