Health Insurance Portability and Accountability Act
Requirements
Who is subject to HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) applies to three main types of entities:
Covered Entities: This category includes healthcare providers who transmit any information in electronic form in connection with transactions for which HHS has adopted standards. Examples of covered entities include doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies. However, these healthcare providers must transmit health information electronically for certain transactions, such as claims or benefit eligibility inquiries, to be considered covered entities.
Covered entities also include health plans like health insurance companies, HMOs (Health Maintenance Organizations), company health plans, and government programs like Medicare and Medicaid. Health care clearinghouses, which process health information from another entity in a manner that allows data to be shared electronically, are also considered covered entities.
Business Associates: This category covers persons or entities that perform certain functions or activities involving the use or disclosure of protected health information (PHI) on behalf of, or while providing services to, a covered entity. This could include a range of service providers, such as IT providers, billing companies, consultants, or anyone else who might have access to PHI in the course of the work they do for a covered entity.
Business Associate Subcontractors: These are entities to which a business associate delegates work that involves the use or disclosure of protected health information.
It's also important to note that the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, expanded the obligations under HIPAA to business associates.
Does HIPAA have data residency requirements?
HIPAA does not include specific data residency requirements. In other words, the Act does not mandate that protected health information (PHI) must be stored in the United States.
HIPAA does, however, require covered entities and their business associates to ensure the confidentiality, integrity, and availability of all electronic protected health information they create, receive, maintain, or transmit. They are also required to protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
This means that whether data is stored in the United States or elsewhere, appropriate safeguards must be in place to protect the data. These safeguards might include encryption, access controls, audit controls, and data backup plans, among other measures.
Importantly, when a covered entity uses a cloud service provider (CSP) to store or process PHI, the CSP is considered a business associate under HIPAA. This means the covered entity must have a signed business associate agreement (BAA) with the CSP that requires the CSP to appropriately safeguard the PHI.
What data is covered by HIPAA?
HIPAA covers what it terms Protected Health Information (PHI). PHI is any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment.
PHI includes a very wide range of identifiable health and demographic information, including:
- Names
- All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
- Dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger, retinal and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
In essence, PHI encompasses all information that can be used to identify a patient and that relates to their health status, provision of healthcare, or payment for healthcare. It is important to note that HIPAA rules apply to PHI in any form or medium, including oral communications.
Also, it's worth mentioning that "de-identified" health information, in which eighteen specific identifiers have been removed and the covered entity has no actual knowledge that the remaining information can be used to identify an individual, is not considered PHI and is not subject to HIPAA protections.
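As an added example (not SlashID's code and not part of the original page), the following Python routine applies the two generalisation rules quoted above, three-digit zip codes with 000 for low-population areas and a single "90 or older" age category, and drops the remaining listed identifiers. The restricted zip prefixes and the field names are assumed placeholders.

```python
from datetime import date

# Constructed placeholder: three-digit zip prefixes whose combined
# population is 20,000 or fewer per current Census data. The real set
# must come from the Census Bureau; these values are illustrative only.
RESTRICTED_ZIP3 = {"036", "059", "102", "203"}

# Fields the list above requires to be removed entirely (names assumed).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "phone", "fax", "email", "ssn",
    "mrn", "beneficiary_id", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address", "biometric", "photo",
    "birth_date", "admission_date", "discharge_date", "death_date",
}

def generalize_zip(zip_code: str) -> str:
    """Keep only the first three digits, or '000' for low-population areas."""
    digits = "".join(ch for ch in zip_code if ch.isdigit())
    if len(digits) < 5:
        raise ValueError(f"invalid zip code: {zip_code!r}")
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix

def generalize_age(age: int) -> str:
    """Ages over 89 collapse into the single category '90 or older'."""
    if age < 0:
        raise ValueError("age must be non-negative")
    return "90 or older" if age > 89 else str(age)

def safe_harbor(record: dict, as_of: str) -> dict:
    """Return a copy of `record` with direct identifiers dropped, the zip
    code truncated and the age generalised. Age is derived from
    birth_date (ISO format) before that field is removed."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "zip" in record:
        out["zip"] = generalize_zip(record["zip"])
    today = date.fromisoformat(as_of)
    if record.get("birth_date"):
        b = date.fromisoformat(record["birth_date"])
        age = today.year - b.year - ((today.month, today.day) < (b.month, b.day))
        out["age"] = generalize_age(age)
    elif "age" in record:
        out["age"] = generalize_age(record["age"])
    return out
```

Removing these fields satisfies only the Safe Harbor listing; the remaining data still has to pass the "no actual knowledge" test described above, so free-text fields need separate review.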
What rights does the user (data subject) have under HIPAA?
Under HIPAA, individuals (the people other privacy frameworks call "data subjects" are simply "individuals" under HIPAA) have several rights regarding their Protected Health Information (PHI):
Right to Access: Individuals have the right to inspect and obtain a copy of their PHI held in a "designated record set", for as long as the PHI is maintained in the designated record set. The designated record set generally contains medical and billing records, as well as other records used to make decisions about individuals.
Right to Amend: If an individual feels that the PHI a covered entity maintains about them is incorrect or incomplete, they may request the entity to amend the information.
Right to Accounting of Disclosures: Individuals have a right to receive an "accounting of disclosures", which lists when a covered entity disclosed their PHI to outside parties. This does not cover all disclosures; for instance, disclosures made with the individual's authorization need not be listed in the accounting.
Right to Request Restrictions: Individuals have the right to request additional restrictions on the use or disclosure of their PHI, beyond the restrictions mandated by HIPAA. However, the covered entity is not required to agree to these additional restrictions.
Right to Request Confidential Communications: Individuals have the right to request that a covered entity communicate with them about their PHI in a certain way or at a certain location. For example, an individual might request that the provider only contact them at work or by mail.
Right to be Notified in the Event of a Breach: If a breach of unsecured PHI affecting an individual occurs, the covered entity is required to notify the individual of the breach.
Right to Complain: If individuals believe their rights are being denied or their health information isn’t being protected, they can file a complaint with their provider, health insurer, or the U.S. Department of Health and Human Services Office for Civil Rights.
These rights are not absolute and there are various conditions and exceptions. Also, note that healthcare providers have a certain amount of time to respond to these requests (usually 30 days) and they may charge a reasonable, cost-based fee for certain activities (like producing copies).
How should data be stored according to HIPAA?
HIPAA doesn't specify exact storage methods for Protected Health Information (PHI). However, it does provide standards for ensuring the privacy and security of PHI when it is at rest, in transit, or in use.
The HIPAA Security Rule identifies three types of security safeguards required for compliance:
Administrative Safeguards: Policies and procedures designed to clearly show how the entity will comply with the act.
Physical Safeguards: Controlling physical access to protect against inappropriate access to data.
Technical Safeguards: Technology and policy and procedures for its use that protect patient health information and control access to it.
Specific to data storage, here are a few key considerations that align with the above safeguards:
Access Control: Implement technical policies and procedures that allow access only to those persons or software programs that have been granted access rights to PHI.
Data Encryption: The Security Rule does not mandate encryption outright; instead it is an "addressable" implementation specification. This means that if, after a risk assessment, the entity has determined that encryption is a reasonable and appropriate safeguard for the confidentiality, integrity, and availability of e-PHI, it must implement encryption (or document why an equivalent alternative is adequate).
Data Backup: Implement procedures to create and maintain retrievable exact copies of e-PHI. In other words, ensure data is backed up and can be properly restored.
Data Destruction: When no longer needed, all data should be properly destroyed. This applies to all types of PHI, including paper records, electronic files, and even devices that store PHI.
Audit Controls: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to record and examine activity.
Integrity Controls: Implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed.
Transmission Security: Implement technical security measures to guard against unauthorized access to e-PHI that is being transmitted over an electronic network.
Remember that compliance with HIPAA is not just about the proper storage of data but also involves risk analysis, staff training, the implementation of a security management process, and more.
How does SlashID help with HIPAA?
SlashID's data residency and encryption posture help companies comply with:
- Data Destruction
- Data Encryption requirements
- Data Backup requirements
- The Right to Access