HIPAA stands for the Health Insurance Portability and Accountability Act, the US law that sets the standard for protecting sensitive patient data.
In this series of blog articles we will introduce you to the world of HIPAA compliance. Before getting into the rules themselves, you need to understand some important terms.
- Important Terms To Know In HIPAA.
- The HIPAA Security Rule & Becoming Compliant.
- HIPAA Compliant Application Development & Developer Considerations.
Important Terms To Know In HIPAA
What is PII?
Personally Identifiable Information, or PII, is any data that can be used to contact, locate, or identify an individual.
It includes any information that can be related to a specific individual, whether that data is professional, private, or public in nature. It applies not only to names, addresses, and government-issued document numbers but to anything that identifies an individual (e.g., IP addresses, geographic location data).
Some examples:
- Passport and driving licence numbers
- Biometric data, for example the fingerprint a laptop uses to log you on
- Telephone numbers
- Email addresses
- Photographic images, not only full-face pictures but also any image that identifies the person (a tattoo, for instance)
- Dates related to birth or death
What exactly is Protected Health Information (PHI)?
Any piece of health information accompanied by PII that is exposed to a covered entity (or its business associate) in the course of care is considered PHI. PHI that is stored or transmitted electronically is referred to as ePHI.
PHI = (PII + Health Information) -> Exposed to Covered Entity.
A covered entity can be a healthcare provider (e.g., hospitals), healthcare plan (e.g., insurance companies), or healthcare clearinghouse. More on this in the next section.
For data to be considered PHI and regulated under HIPAA, it needs to be:
- Health information accompanied by personally identifiable information (PII), or otherwise identifiable to the patient.
- Created, received, used, or disclosed by a covered entity or its business associates in the course of care (treatment, payment, or healthcare operations).
If, by looking at a piece of medical data, you can link an individual to an illness, condition, or treatment, that data is PHI.
For example, a patient's medical receipt is PHI because it contains the patient's name (and usually gender) alongside the health data.
- So, if a patient's name is on the hospital bill, it is PHI.
- Email address connected to the hospital app account? It is PHI.
- Phone number collected by the app? Yes.
- Profile picture of the hospital app? You guessed it!
Some Examples of PHI:
- Billing information.
- Emails between individual and doctors.
- Blood results.
Some Examples of Non-PHI:
- Blood sugar readings with no PII attached (no account, user, or device information that links them to a person)
- Heart rate readings without PII
For the complete list of personal identifiers check the 18 HIPAA Identifiers.
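The PHI versus non-PHI examples above come down to whether identifiers are attached to the readings. The following added example (not code from the original article) shows one way to strip a subset of the HIPAA Safe Harbor identifier classes from a flat health-reading record: direct identifiers such as name, contact details, account and device numbers, IP address and photo are dropped, dates tied to the individual are reduced to the year, ages over 89 are bucketed to 90, and free-text notes are scrubbed for e-mail, phone and IPv4 patterns. The field names, the regexes, and the sample record are assumptions constructed for this example.

```python
"""Added example: de-identifying health readings so they carry no PII.

Illustrative only; it covers a subset of the Safe Harbor identifier
classes and assumes a flat dict with the field names below.
"""
import re

# Fields dropped outright: direct identifiers (assumed schema).
DIRECT_IDENTIFIER_KEYS = {
    "name", "email", "phone", "address", "ip_address", "photo",
    "account_id", "device_serial", "ssn", "medical_record_number",
}

# Dates tied to the individual are reduced to the year ("YYYY-MM-DD" assumed).
DATE_KEYS = {"date_of_birth", "admission_date", "discharge_date", "death_date"}

# Free-text fields can leak identifiers too; mask the common patterns.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scrub_text(text: str) -> str:
    """Replace e-mail addresses, phone numbers and IPv4 addresses in free text."""
    text = EMAIL_RE.sub("[EMAIL]", text)
    text = PHONE_RE.sub("[PHONE]", text)
    return IPV4_RE.sub("[IP]", text)


def contains_identifiers(record: dict) -> bool:
    """True if the record still carries any identifier this example knows about."""
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_KEYS:
            return True
        if key in DATE_KEYS and isinstance(value, str) and len(value) > 4:
            return True  # more than a bare year
        if key == "age" and isinstance(value, int) and value > 89:
            return True
        if isinstance(value, str) and any(
            r.search(value) for r in (EMAIL_RE, PHONE_RE, IPV4_RE)
        ):
            return True
    return False


def deidentify(record: dict) -> dict:
    """Return a copy of the record with identifiers removed or generalised."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_KEYS:
            continue  # drop direct identifiers entirely
        if key in DATE_KEYS and isinstance(value, str):
            out[key] = value[:4]  # keep only the year
        elif key == "age" and isinstance(value, int) and value > 89:
            out[key] = 90  # Safe Harbor buckets ages over 89 into "90 or older"
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value  # readings and other non-identifying values pass through
    return out


# Constructed sample: a glucose/heart-rate record as a hospital app might store it.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "email": "jane.doe@example.com",
    "phone": "555-123-4567",
    "date_of_birth": "1984-06-15",
    "age": 39,
    "ip_address": "203.0.113.7",
    "account_id": "acct-0001",
    "glucose_mg_dl": [98, 143, 110],
    "heart_rate_bpm": [72, 81, 68],
    "note": "Patient called from 555-123-4567 about readings; contact jane.doe@example.com",
}

if __name__ == "__main__":
    print("identifiers before:", contains_identifiers(SAMPLE_RECORD))  # True: this is PHI
    cleaned = deidentify(SAMPLE_RECORD)
    print("identifiers after:", contains_identifiers(cleaned))  # False: readings only
    print(cleaned)
```

Two caveats a practitioner should keep in mind. First, this is not a complete Safe Harbor implementation: it ignores geographic data below state level, nested structures, and names that appear inside free text, and the alternative route, Expert Determination, is a statistical judgement rather than a field filter. Second, the output is only non-PHI while it stays unlinked; the moment the readings are joined back to an account or device identifier on the covered entity's side, they are PHI again.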
Difference between Protected Health Information and Consumer Health Information
If your device or app shares the user’s personally-identifiable health data with a covered entity then you are dealing with protected health information. If you are building a wearable device that collects health information but does not plan to share it with a covered entity at any point in time then it's Consumer Health Information.
For example, data collected by a fitness band that is not shared with any covered entity can be considered Consumer Health Information.
Covered Entity:
A covered entity is anyone who provides treatment, processes payment, or handles operations in healthcare. As per HIPAA and Health & Human Services (HHS) standards, a covered entity is defined as a healthcare provider, a healthcare plan, or a healthcare clearinghouse.
These entities transmit PHI electronically in connection with a standard transaction, such as claims, eligibility inquiries, or any other transaction for which HHS has adopted standards under HIPAA. Note that this electronic-transmission condition is what makes a healthcare provider a covered entity; health plans and clearinghouses are covered entities regardless.
Healthcare providers
Healthcare providers include hospitals, doctors, clinics, psychologists, nursing homes, pharmacies, chiropractors, etc.
Healthcare plans
Healthcare plans include health insurance companies, company health plans, etc.
An organization that handles PHI to enrol you in a health plan or to pay your claims, that is, one that provides or pays for the cost of medical care, also falls under the definition of a healthcare plan. A vendor that merely processes claims on the plan's behalf is instead its business associate (see below).
Healthcare Clearinghouses
Healthcare clearinghouses are intermediaries between healthcare plans and healthcare providers.
When a medical bill is filed as a claim in the provider's medical billing software, the claim file is translated into a standard American National Standards Institute (ANSI ASC X12) format and uploaded to the clearinghouse. The clearinghouse scrubs and validates the claim (checking for billing and coding errors) and flags any problems.
The claim file is then sent to the insurance company, which adjudicates it and securely transmits the acceptance or denial back to the provider via the clearinghouse. Because of this exposure to PHI, clearinghouses have to be HIPAA compliant.
All covered entities need to be HIPAA compliant. See the HHS page Covered Entities and Business Associates for in-depth coverage.
Business Associate Agreement (BAA):
A Business Associate is a person or entity that has access or exposure to PHI on behalf of a covered entity. Examples of business associates are lawyers, software firms, cloud providers, etc. The access can be for data analytics, administration, claims processing, and so on.
A Business Associate Agreement, or Business Associate Contract (the two terms mean the same thing), is a written contract between a covered entity and a business associate (vendor) that sets out the permitted uses and disclosures of PHI and the safeguards the business associate must apply. The same language may be adapted for the contracts the business associate (vendor) must in turn have with its own subcontractors that handle PHI.
BAAs satisfy HIPAA's requirements and make each party liable for its obligations. If one party violates the BAA, the other can take legal action. If there is no BAA, or it is incomplete, or it is violated, both parties may find themselves in breach of HIPAA.
Covered entities must ensure that they have an active HIPAA business associate agreement in place with each of their business associates (vendors) to maintain PHI security and overall HIPAA compliance. Never have a business associate (vendor) handle PHI without a BAA.
Does a software vendor have to sign a Business Associate Agreement (BAA)?
If the vendor needs access to protected health information (for example, because it hosts, processes, or transmits it), the vendor is a business associate of the covered entity and a Business Associate Agreement (BAA) must be in place. Note that under HHS guidance a cloud provider that merely stores encrypted ePHI is still a business associate even if it never holds the decryption key; only true conduits that transmit data transiently, such as network carriers, fall outside the definition.
Finally, simply refusing to sign a Business Associate Agreement does not exempt you from HIPAA compliance if your services handle PHI in any way, intentionally or not.
This is just an overview of some important terms, and there is a lot more to understand at each point. In the next blog articles we will discuss the HIPAA Security Rule and development considerations. For a more in-depth understanding, see the HHS Health Information Privacy pages.
Disclaimer
The knowledge and details shared in this article are based on Fission Labs' 10+ years of experience in delivering digital healthcare products. We are in no way promoting ourselves to be subject matter experts in HIPAA compliance and/or related topics. Nothing in this article should be considered as or should constitute legal advice.
Content Credit: Samarendra Kandala