What is HIPAA?

In this tutorial, you will learn about HIPAA: what it is, how it came about, and its role in telehealth care.

Prerequisites

A curious mind for health-care technologies.

Introduction

In a data-driven world where data theft and data breaches are on the rise, data protection laws are more welcome than ever. For example, what does a patient do if his or her health information is compromised? How can people guard their health information against the myriad of companies that want their data? Are there laws in place to prosecute entities that leak or share your health information without your consent? Follow this tutorial and all these questions will be addressed.

What is HIPAA?

Firstly, I will tell you what HIPAA is not. HIPAA is not HIPPO! HIPAA is an acronym that stands for Health Insurance Portability and Accountability Act. It is a federal law designed to protect your health information from unauthorized disclosure.

HIPAA is federal legislation that requires the establishment of national standards to prevent sensitive patient health information from being disclosed without the patient's consent or knowledge.

A Brief History of HIPAA

The history of HIPAA began on 21 August 1996, when the HIPAA Act was signed, but why was it introduced? HIPAA was established to "enhance health insurance coverage mobility and accountability" for staff moving between workplaces. The Act also aimed to prevent waste, fraud, and abuse in health care and health insurance. It further included provisions for promoting the use of health saving bonds through tax incentives, for covering employees' existing medical problems, and for simplifying health insurance administration.

The provisions for streamlining the administration of health insurance became a vehicle for pushing the health sector to computerize patients' medical records. That section of the Act led in 2009 to the establishment of the "Managing Use Incentives Program" under the Health Information Technology Act on Economic and Clinical Health (HITECH), which leaders in the health sector called "the main piece of health legislation in the previous 20 to 30 years."

HIPAA Regulations

HIPAA provides four main rules to protect health data, and they are as follows.

The Privacy Rule
The HIPAA Privacy Rule sets national standards for the protection of medical records and other personal health information. It applies to health plans, clearinghouses, and healthcare providers that conduct certain digital healthcare transactions.

The Security Rule
The HIPAA Security Rule establishes national requirements for safeguarding personal electronic health data that is created, received, used, or retained by a covered entity.

The Enforcement Rule
The HIPAA Enforcement Rule contains provisions on compliance with, and investigation of violations of, the HIPAA Administrative Simplification Rules, the imposition of civil monetary penalties, and hearing procedures.

The Breach Notification Rule
The HIPAA Breach Notification Rule requires covered entities to report a breach of unsecured PHI to the affected individuals; to HHS; and, in some circumstances, to the media. A breach is generally an impermissible use or disclosure under the Privacy Rule that compromises the privacy or security of PHI.

Definition of HIPAA Terms

You must be asking, "What are all these acronyms and abbreviations about?" Don't worry, we have got you covered. Below are the terms you must understand when discussing HIPAA.

HIPAA - Health Insurance Portability and Accountability Act.
HHS - Department of Health and Human Services, the U.S. department responsible for protecting the health of all Americans and providing essential human services.
PHI - Protected/Personal Health Information.
BAA - Business Associate Agreement. It is a contract between a HIPAA-covered entity and a vendor used by that covered entity.
Covered Entities - Any person, business, or organization that is required to comply with HIPAA.

Use and Disclosure of PHI In HIPAA

When Does the HIPAA Privacy Rule Require Use and Disclosure of PHI?
A covered entity is only required to disclose protected health information in two circumstances, according to the HIPAA Privacy Rule:

  • To individuals (or their personal representatives) who request access to, or an accounting of disclosures of, their protected health information; and

  • To the Department of Health and Human Services (HHS) when it conducts a compliance investigation, review, or enforcement action.

HIPAA & Telehealth

There are reasons why you should be concerned about the privacy of your telehealth care, but what is telehealth in the first place?

Wikipedia defines telehealth as the distribution of health-related services and information via electronic information and telecommunication technologies. It allows long-distance patient and clinician contact, care, advice, reminders, education, intervention, monitoring, and remote admissions.

Does HIPAA apply to you and your telehealth practice?
HIPAA applies to you if you are a health care provider who handles personal medical information. If you do, you are a covered entity.

Is the information you are transmitting considered PHI?
Anything that can be used to identify someone is potentially PHI. There are 18 types of identifiers considered PHI. Examples relevant to telehealth care include names, telephone numbers, anniversaries, IP addresses, email addresses, device identifiers, and pictures.

Do I have business associates?
A Business Associate is any individual or organization that creates, receives, maintains, or transmits PHI on your behalf, or that otherwise has the ability to access PHI in your practice.

HIPAA Compliance

Physical, administrative, and technical safeguards are used together to achieve HIPAA compliance; it cannot be achieved through technology alone. Here are some things you and your business associates should perform and document.

Risk Assessment
Carry out a comprehensive examination of where you store or access PHI and how secure each location is. Take the necessary actions to secure each one in a manner that is appropriate for your company. Document your security policies and procedures. Train your personnel on a regular and consistent basis.

Information Systems Activity Review
Perform and document regular reviews of access logs and other records for unauthorized activity. If you find any, it may be terrible news, but you want to be the one who finds it first. Report the breach and deploy a patch as soon as possible. Consult with a professional about your next steps.
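As an added example (not code from the original tutorial), here is a small Python activity review over constructed PHI access-log lines: it flags accesses by users with no treatment relationship to the patient, exports of PHI, and out-of-hours access, and produces a summary you can keep as the documented review. The log format and the CARE_TEAM table are hypothetical.

```python
# Added example: an "information systems activity review" over constructed
# PHI access-log lines. The log format and CARE_TEAM table are hypothetical.
from collections import Counter
from datetime import datetime

# Constructed sample log: timestamp, user, patient id, action (one entry per line)
SAMPLE_LOG = """\
2023-05-01T09:12:00 drlee   P1001 VIEW
2023-05-01T09:40:00 nurse_a P1001 VIEW
2023-05-01T23:05:00 drlee   P2002 VIEW
2023-05-02T10:02:00 clerk_b P1001 EXPORT
2023-05-02T10:15:00 nurse_a P2002 VIEW
"""

# Hypothetical treatment-relationship table: which users may access which patient.
CARE_TEAM = {
    "P1001": {"drlee", "nurse_a"},
    "P2002": {"drlee"},
}

def parse_log(text):
    """Parse each non-empty line into a dict with a real datetime."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split()
        entries.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "patient": patient, "action": action})
    return entries

def review_activity(entries, care_team, start_hour=7, end_hour=19):
    """Return (timestamp, user, patient, reasons) for every suspicious entry."""
    findings = []
    for e in entries:
        reasons = []
        if e["user"] not in care_team.get(e["patient"], set()):
            reasons.append("no treatment relationship")
        if e["action"] == "EXPORT":
            reasons.append("export of PHI")
        if not (start_hour <= e["ts"].hour < end_hour):
            reasons.append("outside business hours")
        if reasons:
            findings.append((e["ts"].isoformat(), e["user"], e["patient"], reasons))
    return findings

def review_record(entries, findings):
    """Summary to file as the documented evidence of the review."""
    return {"entries_reviewed": len(entries), "findings": len(findings),
            "by_user": dict(Counter(f[1] for f in findings))}
```

On the sample log this flags three of the five entries: the late-night view, the clerk's export of a record outside his care team, and the nurse viewing a patient not assigned to her.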

Conclusion

To conclude, we have learned quite a lot about the Health Insurance Portability and Accountability Act (HIPAA) today. We have seen how this law protects people against data theft and breaches and how issues arising from breaches of patients' data are addressed. We have seen how integral HIPAA is to the health industry, especially given the growing convergence of information technology and healthcare.

Here at CometChat, we are dedicated to sensitizing you on educational topics that will fill the gap in understanding the role of communicative technologies in improving lives. You can check out our products on our site that you can integrate with your website or app such as CometChat SDK and CometChat UI Kit.

About Author

Gospel Darlington is a remote full-stack web developer, prolific in frontend and API development. He takes a huge interest in the development of high-grade and responsive web applications. He is currently exploring new techniques for improving progressive web applications (PWA). Gospel Darlington currently works as a freelancer and spends his free time coaching young people on how to become successful in life. His hobbies include inventing new recipes, book writing, songwriting, and singing. You can reach him on LinkedIn, Twitter, Facebook, or GitHub.
