HIPAA is a US federal law aimed at improving and modernizing healthcare across the country. Enhanced by the HITECH Act, HIPAA creates privacy, data protection and breach notification requirements for US healthcare entities and for their suppliers that handle health records.
HIPAA, or the Health Insurance Portability and Accountability Act, is a federal law in the United States that was enacted in 1996. The legislation consists of five Titles spanning over 160 pages and was initially designed to improve the portability and continuity of health insurance coverage, combat waste, fraud and abuse in health insurance and healthcare delivery, promote the use of medical savings accounts, improve access to long-term care services and coverage, and simplify the administration of health insurance.
One of the most significant aspects of HIPAA is its focus on the security and privacy of Protected Health Information (PHI). PHI is broadly defined as any information about the past, present or future health or medical condition of an individual, including but not limited to diagnoses, treatment information, medical analyses or prescriptions that are attributable to that individual. For example, a medical prescription bearing a patient’s name is considered PHI, while a prescription without any mention of the patient’s contact details or other identifiers is unlikely to be considered PHI.
The protection of PHI is addressed by two key components of HIPAA: the Privacy Rule and the Security Rule. The Privacy Rule covers both digital and paper-based PHI, while the Security Rule applies only to electronically stored PHI (also referred to as “ePHI” or “e-PHI”).
In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted with the main purpose of bolstering the digitalization of healthcare in the US and encouraging organizations to use Electronic Health Records (EHR). The HITECH Act introduced important enhancements to HIPAA’s data protection regime by expanding the list of non-healthcare entities that must comply with its privacy and security requirements, increasing the possible penalties for HIPAA violations, and setting a higher standard for data breach notifications.
The US Department of Health and Human Services (HHS) implemented the HITECH Act’s enhancements through the Omnibus Final Rule, passed in 2013.
Overall, compliance with HIPAA/HITECH cybersecurity and data protection requirements is critical for healthcare organizations to ensure the privacy and security of patients’ sensitive information. ImmuniWeb offers solutions to help organizations comply with these requirements and ensure their cybersecurity posture is strong.
HIPAA/HITECH cybersecurity regulations apply to a wide range of healthcare actors in the US. The regulations cover “covered entities” (CE), which include healthcare providers, health insurance companies, governmental programs such as Medicare and Medicaid, and clearinghouses that process healthcare data on behalf of third parties. The HITECH Act expanded coverage to “business associates” (BA), which are suppliers of covered entities that handle, store or process PHI on behalf of the covered entity. Therefore, vendors and companies that provide services to covered entities and have access to or process their PHI are also covered by HIPAA.
Even if a vendor merely stores encrypted PHI and holds no decryption key, the vendor is still subject to HIPAA security requirements, including the duty to preserve the integrity and availability of the PHI. Covered entities should also keep in mind the FTC Act, which prohibits companies from engaging in deceptive or unfair commercial practices. Any misleading, materially incomplete or deceptive statements made to consumers of healthcare services about how their health data will be used, stored or processed may be sanctioned by the Commission under Section 5(a) of the FTC Act.
Covered entities that handle genetic data of individuals should also consult the Genetic Information Nondiscrimination Act (GINA), a dedicated US federal law that prohibits certain uses of genetic data. Covered entities should also carefully examine applicable state laws: HIPAA does not preempt a state law that offers higher PHI privacy protection than HIPAA.
In conclusion, HIPAA/HITECH cybersecurity regulations cover a broad range of healthcare actors in the US. Covered entities include healthcare providers, health insurance companies, governmental programs such as Medicare and Medicaid, and clearinghouses that process healthcare data on behalf of third parties. Business associates that handle, store or process PHI on behalf of covered entities are also covered by HIPAA. Vendors and companies that provide services to covered entities and have access to or process their PHI are also subject to HIPAA security requirements. Covered entities should keep in mind the FTC Act and any applicable state laws that offer higher PHI privacy protection than HIPAA.