As promised in my introductory blog post, I will be writing a blog series exploring several issues regarding healthcare data breaches. Specifically, I will address the importance of proactively preventing them rather than reacting to them after the damage is done.
Who Needs PHI to Conduct Business?
Individually identifiable health information held or transmitted by a Covered Entity or Business Associate is protected under the HIPAA Privacy Rule and is formally called Protected Health Information (PHI).
PHI can be in any form or medium: electronic, paper, or oral. PHI can also include demographic information and relates to an individual’s past, present, or future physical or mental health or condition, the provision of healthcare to the individual, or the payment status for the provision of healthcare to the individual.
Individuals, organizations, and agencies that fall under the HIPAA definitions of a Covered Entity or a Business Associate must comply with the HIPAA/HITECH Rules in order to adequately protect the privacy and security of PHI while also providing individuals specific access to their PHI.
Below are some of the types of entities that may be subject to the health information privacy rules:
- Covered Entities:
  - Health Care Providers (e.g. doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies, etc.)
  - Health Plans (e.g. health insurance companies, HMOs, company health plans, government programs that pay for health care such as Medicare, Medicaid, etc.)
  - Health Care Clearinghouses (i.e. entities that process non-standard health information they receive from another entity into a standard electronic format or data content, or vice versa)
- Business Associates: any person or entity that has agreed to use and/or disclose PHI on behalf of a Covered Entity in the course of:
  - Functions or Activities (e.g. data analysis, processing/administration, utilization review, QA, billing, benefit/practice management, or the like)
  - Services (e.g. legal, consulting, data aggregation, management, administrative, financial, or the like)
A Business Associate Agreement must be executed between a Covered Entity and each of its Business Associates, or between two Business Associates, wherever such a relationship exists. The Covered Entity must ensure that the Business Associate, or other Covered Entity, agrees to comply with these rules in order to adequately protect the privacy and security of PHI.
However, simply executing a Business Associate Agreement is not enough. These entities must follow through and protect PHI as stated in the Agreement. Failure to do so could result in fines and/or incarceration.
I will continue to post regularly on topics related to healthcare data breaches until we attend the HIMSS 2016 Convention beginning on February 29th. I look forward to continuing to share my thoughts with the security and privacy community.
If you have any questions regarding the healthcare information requirements or would like a HIPAA or HITECH compliance audit quote, please contact us at firstname.lastname@example.org.
Maria Sanchez is a Privacy and Security Professional at CompliancePoint working with Covered Entities and Business Associates in a variety of industries. She is committed to guiding customers through effective assessments covering the Security, Privacy, and Breach Rules from HIPAA/HITECH. Maria has a B.A. in Political Science and Sociology from Georgia State University and a J.D. from Florida Coastal School of Law. As an attorney, Maria concentrated her studies in international and comparative law. As a Privacy and Security Professional, Maria has earned her Healthcare Information Security and Privacy Practitioner (HCISPP) certification and Certified Information Privacy Professional for the US and Europe (CIPP/US and CIPP/EU) certifications.